Slashdot Mirror


Blizzard's Warden Thwarted by Sony's DRM Rootkit

shotfeel writes "First, news of Warden - a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."

39 of 418 comments

  1. Just goes to show.. by Heem · · Score: 5, Insightful

    Just goes to show that there is indeed a good use for everything.

    --
    Don't Tread on Me
    1. Re:Just goes to show.. by Jonny_eh · · Score: 4, Insightful

      How is people cheating in an online game a good thing?

    2. Re:Just goes to show.. by B'Trey · · Score: 5, Insightful

      Good or bad depends on your point of view, of course. Wouldn't it be trivial to modify existing worms or viruses to take advantage of the exact same concept, hiding themselves from virus scanners?

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:Just goes to show.. by Anonymous Coward · · Score: 5, Insightful

      A better question is, why doesn't antivirus software remove the Sony Virus(TM) in the first place?

    4. Re:Just goes to show.. by Jonny_eh · · Score: 2, Insightful

      A protection device? What is that? Are you referring to the DMCA? Because that is just copyright protection, which the warden doesn't protect.

      Nintendo tried to sue the makers of the NES game genie 'game enhancer', but lost. Although, the NES wasn't a multiplayer console, so who knows?

    5. Re:Just goes to show.. by Tim+C · · Score: 5, Insightful

      No. The Sony rootkit isn't deployed in order to thwart The Warden, just like the knives in my kitchen weren't created and sold to kill humans with.

      If I create something to beat The Warden, that uses Sony's rootkit to hide, then *I* am the one liable, not Sony, just like Kitchen Devil aren't liable for any psychotic killing sprees I may go on with their products.

      Unfortunately.

    6. Re:Just goes to show.. by netcrusher88 · · Score: 3, Insightful
      I doubt that's a large enough population [Sony DRM installed] for the technique to be considered useful, though.
      Are you sure? Remember, anyone who wants to listen to one of Sony's recent CDs on their computer (unless they have used workarounds) has this rootkit. Be careful in assuming how many people know these workarounds - there are a lot of end users out there, and would you like to be slashdotted by a bunch of zombie end-users because they have a worm that virus scanners can't detect?
      --
      There's an old saying that says pretty much whatever you want it to.
    7. Re:Just goes to show.. by spdt · · Score: 4, Insightful

      anybody who has installed the Sony DRM app (in particular, WoW cheaters)

      Of course, the 31337 WoW cheaters write their own DRM software... Um, I mean, "rootkits"

      It's funny how quickly words can become synonyms of another.

    8. Re:Just goes to show.. by NickFortune · · Score: 2, Insightful
      ...in particular, WoW cheaters...

      Umm, no... they'll be equally vulnerable as anyone else foolish or unfortunate enough to be infected with this particular piece of malware.

      Honestly, why take a perfectly good and telling point and then weaken it with some unsupportable moralising sneer?

      Unless of course you have inside information not mentioned in TFA, in which case, do please share.

      --
      Don't let THEM immanentize the Eschaton!
    9. Re:Just goes to show.. by Red+Alastor · · Score: 2, Insightful

      Which brings us to the solution: LiveCDs

      We already have tools to remove Linux rootkits; are there any for Windows? And if there are none, why not?

      --
      Slashdot anagrams to "Sad Sloth"
    10. Re:Just goes to show.. by Naikrovek · · Score: 2, Insightful

      Although, the NES wasn't a multiplayer console

      Two controller ports means that the NES was indeed multiplayer.

    11. Re:Just goes to show.. by Buran · · Score: 3, Insightful

      Uninstalling undesired software isn't illegal. Software that snoops on what you run isn't a "protection device". It's merely unethical software that interferes with the operation of your computer in a way that removes the user from control. I'll sure as hell remove anything that does THAT with extreme prejudice. Sue me for it? Well, I rejected the terms of the license and removed the software, so what are you going to sue me for? Breach of contract? I terminated any obligations to you when I stopped using your app.

    12. Re:Just goes to show.. by Buran · · Score: 2, Insightful

      Why should I trust the assholes who put their illegal hacking software on my computer in the first place to remove it? They broke my trust when they snuck their crap on in the first place without disclosure or permission.

      Also that removal tool won't work without that pile of shit called IE.

    13. Re:Just goes to show.. by lgw · · Score: 3, Insightful

      Liability and copyright are unrelated. McDonalds sold coffee with complete indifference to causing 3rd degree burns, and they paid for lack of concern for safety. Eventually a virus will piggyback on Sony's rootkit, and Sony will be smacked around for lack of concern for the side effects of their actions. And it still won't have anything to do with copyright.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    14. Re:Just goes to show.. by tradiuz · · Score: 2, Insightful

      So what you're saying is, it's like someone being insane. They don't know they're crazy, but everyone else knows, and the only cure is drugs or shock therapy!

    15. Re:Just goes to show.. by Thuktun · · Score: 1, Insightful

      Just as McDonalds hamburgers aren't made for the purpose of causing children to be obese, and McDonalds coffee is not sold for causing 3rd degree burns... but look how the courts went on that one.

      Hmm.

      (a) Food that can make you fat if you eat it irresponsibly over a long time.
      (b) Food that can do immediate, lasting physical damage requiring expensive surgeries if it happens to spill on you.

      One of these seems more severe than the other.

    16. Re:Just goes to show.. by eofpi · · Score: 2, Insightful

      Those with long enough memories to remember the Game Genie may remember that Galoob got out of the game enhancer business long before the DMCA was passed.

      However, the continued existence of the makers of the Game Shark would seem to indicate that such devices are either not in violation of the DMCA or the game makers, quite reasonably, don't consider the devices a threat to their sales.

      --
      Y'know, you blow up one sun and suddenly everyone expects you to walk on water.
    17. Re:Just goes to show.. by Anonymous Coward · · Score: 0, Insightful

      Who wants to live somewhere the government mandates coffee must be tepid? Coffee has to be hot enough to burn if it's spilled on you to taste good. Cakes bake at 350 degrees, that's much hotter than coffee, how about a law limiting the temperature of ovens to 150 degrees?

  2. Let's bash Sony by LordSnooty · · Score: 5, Insightful

    OK, so I understand that Sony did a bad thing with the rootkit. But I don't immediately understand the link to Blizzard. Surely there are other "rootkits" around (think Hacker Defender) which can hide files? Why has this suddenly become a problem with the release of the Sony rootkit? Is it a case of "yes, this is definitely bad... now quick, find some way of demonstrating how bad it is!"

    Do other cheat protection systems use similar methods to look for files? If so, why are they not affected? Why am I only hearing about Warcraft?

    1. Re:Let's bash Sony by xSquaredAdmin · · Score: 2, Insightful

      Actually, the way that Warden works (from the analysis I've seen), is that it grabs the window titles, hashes them, and compares them to the hashes of known cheats that it pulls from Blizzard's server. All that it sends to Blizzard is a simple yes/no for whether the player is using hacks.

      --
      Crushing dreams at the speed of sarcasm
    2. Re:Let's bash Sony by bleckywelcky · · Score: 5, Insightful

      This is newsworthy because someone can legitimately use the Sony CD and have the rootkit installed, and then play WoW. So Blizzard can't just look for signs of the rootkit and ban that account - people will be pissed for a non-legit ban. At the same time, people can do the same thing AND initiate a cheat on WoW and claim to be pissed for the same "non-legit" ban.

    3. Re:Let's bash Sony by HavokDevNull · · Score: 4, Insightful

      Wrong! How can you say Sony and First4Internet are no way responsible???

      Taken from the original article from Mark's blog over at Sysinternals. And here is the URL again in case you want to read the whole thing again. http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

      I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

      If that does not compromise security what does?

      --
      Sig
  3. I for one... by wastedbrains · · Score: 1, Insightful

    I for one would like to sue Sony for hating their customers and making WOW turn into another game that shows you can't play for fun on battlenet unless you password protect your games and only play with friends you know and trust. Why is it that I can't watch movies on my projector 'cause my computer blues out the screen thinking I am trying to play to some illegal device? DRM IS NEVER GOOD FOR CONSUMERS!!!

    --
    Dan Mayer: my blog, essays, art, etc
  4. Re:Hmmmm, are you scratching your beard? by TelJanin · · Score: 1, Insightful

    Your post makes no sense. How is being anti-DRM being pro-cheating? And how does not wanting to surrender my computer to a third party make me a stealing hippy?

    Oh, that's right. You were just blowing it all out your ass.

  5. In related news by $RANDOMLUSER · · Score: 2, Insightful

    Sony's DRM rootkit can be thwarted by not doing business with those evil bastards.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  6. Re:YRO? by Experiment+626 · · Score: 5, Insightful

    Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

    The "rights" issue is with people's right to listen to music they've bought without the CD compromising their system and infecting it with rootkits. This article is significant more as a new development in that story, than as a "a victory for the rights of online cheaters everywhere!" thing.

    To underscore the point, consider that yesterday on GlobeAndMail.com, we have:

    The company dismissed the prospect of hackers exploiting its rootkits for their own purposes as an "academic" concern.

    I guess it isn't so academic anymore.

  7. Only slightly OT by Nom+du+Keyboard · · Score: 5, Insightful
    It should be only slightly OT to ask:

    1: Why are people celebrating victory because Sony announced they will remove the cloak, they're still leaving all the rest of the crap on your system - including the memory and cpu wasting scan that runs continually, even when you're not playing their DRM infested CD's.

    2: Now that the cloak is removed, what was that registry key that keeps track of how many CD's you've burned under their DRM system?

    3: Don't you think you're celebrating a bit early since Warden 2.0 should be able to use the same tricks as RootKitRevealer to diagnose your system? And how long will this take to appear?

    4: If your detecting and removing this software from your computer violates the DMCA, then the DMCA is so clearly wrong that it should be repealed this afternoon.

    5: Profit! Or in other words, who is profiting from this now? I don't see Sony going broke yet.

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Only slightly OT by mpe · · Score: 2, Insightful

      1: Why are people celebrating victory because Sony announced they will remove the cloak, they're still leaving all the rest of the crap on your system - including the memory and cpu wasting scan that runs continually, even when you're not playing their DRM infested CD's.

      It probably isn't necessary for their system to install anything anyway. Even removing the hiding of the stuff they insert could have other consequences. e.g. what happens if different versions of this software attempt to install on the same machine?

  8. Re:I pray for the day by interiot · · Score: 4, Insightful
    Well, once Microsoft's NGSCB comes along, games like Warcraft will have two choices:
    1. live outside the trusted computing base, and be vulnerable to anybody who manages to crack the NGSCB and run their code in a place that can't be examined by Warcraft, or:
    2. convince Microsoft to let WoW cheat-detectors run inside the NGSCB so they can detect everything
    First4Internet vs. Warden seems like it's the only possible crazy example of this, but if NGSCB is vulnerable to either crackers or corporate influence, this will only be the beginning.
  9. Sony : Tylenol or FPU by dmh20002 · · Score: 2, Insightful

    Sony should take a page from the Johnson and Johnson book. When the Tylenol poisonings happened, J&J took aggressive action to limit the damage and help the people concerned. They pulled the product off the shelves at a huge financial hit. They turned around a potential PR nightmare by doing the right thing (and the tragedy wasn't even their fault)

    Instead, Sony is using the Intel Floating Point strategy of obfuscation, excuses, hard line statements etc.

    From BBC News:

    "A spokesman for Sony BMG said the licence agreement was explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.

    Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually, something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG which gives consumers advice about how to remove the software.

    Getting the software removed involves filling in a form on the Sony website, visiting a unique URL and agreeing to have another program downloaded on to a user's PC that then does the uninstallation."

  10. You can't top the best by Moo+Moo+Cow+of+Death · · Score: 2, Insightful

    I don't play WoW anymore OR use Sony's rootkit.

    I'm just crazy like that.

  11. Re:Yup... definitely works by rodentia · · Score: 2, Insightful



    You need to move beyond your reality-based thinking.

    --
    illegitimii non ingravare
  12. This is silly by Locke2005 · · Score: 5, Insightful

    Much as I detest the Sony DRM, this is not a valid criticism of it. Anybody wanting to implement cheats will just use the same method as the Sony DRM directly to hide the cheats, not rely on the Sony DRM having been installed first! This is a flaw in Warden that is independent of the fact that the Sony DRM is a bad thing. It also points out the flaw in the anti-cheat arms race -- since you don't own your customer's machines, any anti-cheating technology you deploy can be quickly circumvented by determined individuals.

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
    1. Re:This is silly by MagicMerlin · · Score: 2, Insightful

      Wrong. The issue here is that for an 'underground hacker' rootkit, if Blizzard finds a way to detect the rootkit, they can safely ban that account. Fear of banning is a pretty good deterrent for hackers. On the other hand, Bliz can't very well ban you for running Sony's DRM now, can they?

      Merlin

  13. This demonstrates .... by gstoddart · · Score: 2, Insightful

    This demonstrates how it will never work in the long-run for every manufacturer to be installing stuff on your PC to make sure you play by their rules.

    Before long, if you get 10 or 15 different toolkits which all try to change your system behaviour to ensure no cheating/copying/peeking is taking place, then absolutely NOTHING will keep working.

    An arms race of installed crap to keep you honest will just leave everyone with busted machines.

    Cheers

    --
    Lost at C:>. Found at C.
  14. Re:YRO? by mrgreen4242 · · Score: 2, Insightful
    Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

    Seems like people are more interested in the rights of non-cheating WoW players? People who play WoW SHOULD know that their systems are monitored, and if they don't like it they can quit. Presumably, they are ok with the trade off of "my system is monitored, but so is everyone else's, so at least I can play the game knowing that it is an even field". Sony has given people a way to defeat that, and in doing so taken away all the advantages of having the Warden system, but done nothing to the disadvantages it presents (the fact that it is mildly invasive of your privacy).

  15. Re:Came up fine for me. by HTH+NE1 · · Score: 4, Insightful

    detecting it would be a bit troublesome...

    Not really. The presence of the rootkit has a measurable effect. They just have to have Warden create a file with a name starting with $sys$ and then test to see if it is still there. If it has disappeared, it has detected the presence of the rootkit.

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
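
The canary check described in the comment above, written out as an added example; it is not part of the thread and is not Blizzard's or Sysinternals' code. The function names, the control file and the injectable `lister` are assumptions made for illustration, and the filtered listing is a constructed simulation so the logic can be run on a machine without the driver.

```python
import os
import tempfile
import uuid

# Prefix that, per the Sysinternals analysis quoted in this thread, the driver hides.
CLOAK_PREFIX = "$sys$"


def probe_cloak(directory, prefix=CLOAK_PREFIX, lister=os.listdir):
    """Return 'cloaked', 'clean' or 'inconclusive' for one directory.

    Writes a canary whose name starts with `prefix` and a control file that
    does not, then checks which of the two the directory listing reports.
    `lister` is injectable so the logic can be exercised without a rootkit.
    """
    token = uuid.uuid4().hex
    canary = f"{prefix}canary-{token}.tmp"
    control = f"control-{token}.tmp"
    created = []
    try:
        for name in (canary, control):
            path = os.path.join(directory, name)
            # Mode "x" fails if the name already exists, so no file is reused.
            with open(path, "x") as fh:
                fh.write(token)
            created.append(path)
        listed = set(lister(directory))
    finally:
        for path in created:
            try:
                os.remove(path)
            except OSError:
                pass  # best-effort cleanup; the verdict does not depend on it
    if control not in listed:
        # The listing missed an ordinary file too, so it proves nothing.
        return "inconclusive"
    return "clean" if canary in listed else "cloaked"


def simulated_cloaking_lister(directory):
    """Constructed stand-in for a filtered directory enumeration (test aid)."""
    return [n for n in os.listdir(directory) if not n.startswith(CLOAK_PREFIX)]


def demo():
    """Run the probe once with the real listing and once with the simulation."""
    with tempfile.TemporaryDirectory() as d:
        return probe_cloak(d), probe_cloak(d, lister=simulated_cloaking_lister)


if __name__ == "__main__":
    print(demo())
```

The control file is what separates "the prefix is being hidden" from "the listing is unreliable for some other reason", which a single-file check cannot tell apart.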
  16. Who's gonna make sure they play nice? by boltaron_bill · · Score: 2, Insightful

    I am just wondering what will happen when, let's say, Geffen creates their own copy protection and it works a lot like Sony's, only if you have Sony's installed it kills your computer? Like any of the big record companies are going to show each other how their copy protection works to keep this from happening. This is bound to be an issue in the future if they go on and allow these companies to create this software and install it without your consent.

    --
    Don't hate me because i'm windows....
  17. This is the Future of Trusted Computing by darkonc · · Score: 4, Insightful
    Trusted computing means that other companies (e.g. Sony) can trust your computer to do what they want it to do -- whether you're happy with that idea or not.

    Sony just jumped the gun. They weren't willing to wait until Microsoft put a formal system for this kind of bullshit to take place. The only difference between this and 'trusted' computing is that there's no formalized mechanism in place .... yet.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.