Blizzard's Warden Thwarted by Sony's DRM Rootkit

shotfeel writes "First, news of Warden -a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."

Just goes to show..

[Heem]

Just goes to show that there is indeed a good use for everything.

Re:Just goes to show..

[Jonny_eh]

How is people cheating in an online game a good thing?

Re:Just goes to show..

[B'Trey]

Good or bad depends on your point of view, of course. Wouldn't it be trivial to modify existing worms or viruses to take advantage of the exact same concept, hiding themselves from virus scanners?

Re:Just goes to show..

[rob_squared]

Because it helps the cheater WIN! Silly!

Wait a minute...

Re:Just goes to show..

[networkBoy]

Because now Blizzard (hopefully) will sue Sony for some DMCA violation on breaking their game security device :-)
[/wishful thinking]
-nB

Re:Just goes to show..

[Jonny_eh]

On what grounds? "Their rootkit broke our rootkit!"

Ugly, ugly.

Re:Just goes to show..

[networkBoy]

I do believe that "circumvention of a protection device" may actually apply. . .
-nB

Re:Just goes to show..

A better question is, why don't Antivirus Software remove the Sony Virus(TM) in the first place?

Re:Just goes to show..

[Proaxiom]

Wouldn't it be trivial to modify existing worms or viruses to take advantage of the exact same concept, hiding themselves from virus scanners?

Sort of. Good ones already employ techniques to try to hide themselves. The difficult part is getting into the kernel, as the Sony DRM software does when you install it.

Virus writers might at this point decide to start using file and process names that start with $sys$, in which case anybody who has installed the Sony DRM app (in particular, WoW cheaters) will be especially vulnerable. I doubt that's a large enough population for the technique to be considered useful, though.

Mostly this is useful for hiding things from prying eyes on your own machine. It is remarkably effective. To prevent malicious apps from taking advantage of it, you might hack the Sony DRM software so it uses, say, $-q8f790vpae-$ as the 'hiding' tag instead of $sys$.

Just watch what you're doing, because as Mark Russinovich points out in the original article, it's not hard to nuke your box by accident in messing with the Sony/First4Internet drivers.

Re:Just goes to show..

[Stripe7]

I just love that post by the guy who wants ISO's of the CD so they can use the rootkit. Now SONY will now have their entire product pirated not for the content they are trying to protect but for the content protection system they chose to employ! ROFL

Re:Just goes to show..

[einhverfr]

Just goes to show that there is indeed a good use for everything.

Makes you wonder if you could use Sony's rootkit as a way to hide DRM breaking software. It seems to me that this rootkit might actually be more useful to everyone than it might have previously thought.

Thank you Sony :-)

Unfortunately, I don't run Windows... :-P

Re:Just goes to show..

[Jonny_eh]

A protection device? What is that? Are you referring to the DMCA? Because that is just copyright protection, which the warden doesn't protect.

Nintendo tried to sue the makers of the NES game genie 'game enhancer', but lost. Although, the NES wasn't a multiplayer console, so who knows?

Re:Just goes to show..

[gstoddart]

Because now Blizzard (hopefully) will sue Sony for some DMCA violation on breaking their game security device :-)

Doh! Thats' just too difficult to process in my poor brain.

Would this mean that two wrongs, do in fact, make a right? My other enemy is my enemies enemy? The Axis of evil becomes the Triumvarate of unplanned good?

Norman ... Coordinate.

Re:Just goes to show..

[diagonalfish]

Yes, but then all you have to do is rootkit the virus scanner! Then you can watch (or rather, not watch) the giant shadow war going on behind the scenes as various unseen programs try to thwart each other! It's all in good fun.

Re:Just goes to show..

[punkrokk]

Yea but can't you just look for the $sys$drm file etc.. and if that's found, then you have to remove the rootkit before logging onto WOW?

Re:Just goes to show..

IANAL...

It doesn't for two reasons.

First, Warden is not a copyright protection system. It essentially is a EULA protection system. For example, if I use a third party utility to run a speed hack, I can be banned from the game for violating the EULA. I can't be hit up for thousands of dollars for copyright infringement.

Second, as it is installed it in no way would assist in cheating in WoW. A third party can take advantage of what it does do. In other words Sony is not shipping this DRM software with the primary intent to enable cheating in WoW.

In fact, Warden has a greater chance of violating the DMCA since it could access memory that contains copyrighted material after the DRM system has decrypted the work. Luckily the primary design purpose of Warden is also not copyright infringement.

Of course some lawyer may figure out some way to twist all of this around, so who knows.

Re:Just goes to show..

[IAmTheDave]

$sys$ass_banger_asian_big_tits.asf

hmm...

Re:Just goes to show..

[Tim+C]

No. The Sony rootkit isn't deployed in order to thwart The Warden, just like the knives in my kitchen weren't created and sold to kill humans with.

If I create something to beat The Warden, that uses Sony's rootkit to hide, then *I* am the one liable, not Sony, just like Kitchen Devil aren't liable for any psychotic killing sprees I may go on with their products.

Unfortunately.

Re:Just goes to show..

[igny]

Indeed, I am going to the store for the Sony CD to hide my collection of p0rn. Now, how will I explain what happened to 90% of the harddrive space?...

Re:Just goes to show..

[Jonny_eh]

Hopefully a better answer: "Some root kits modify the running kernel (through loadable modules on Linux and many other forms of UNIX, and possibly through VxDs, virtual external drivers, on MS Windows platforms). The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers." From Wikipedia

Re:Just goes to show..

[netcrusher88]

I doubt that's a large enough population [Sony DRM installed] for the technique to be considered useful, though.

Are you sure? Remember, anyone who wants to listen to one of Sony's recent CDs on their computer (unless they have used workarounds) has this rootkit. Be careful in assuming how many people know these workarounds - there are a lot of end users out there, and would you like to be slashdotted by a bunch of zombie end-users because they have a worm that virus scanners can't detect?

Re:Just goes to show..

[w3weasel]

Just as McDonalds hamburgers aren't made for the purpose of causing childrent to be obese, and McDonalds coffee is not sold for the causing 3rd degree burns... but look how the courts went on that one.

Re:Just goes to show..

[spdt]

anybody who has installed the Sony DRM app (in particular, WoW cheaters)

Of course, the 31337 WoW cheaters write their own DRM software... Um, I mean, "rootkits"

It's funny how quickly words can become synonyms of another.

Re:Just goes to show..

[NickFortune]

...in particular, WoW cheaters...

Umm, no... they'll be equally vulnerable as anyone else foolish or unfortunate to be infected with this particular piece of malware.

Honestly, why take a perfectly good and telling point and then weaken it with some unsupportable moralising sneer?

Unless of course you have inside information not mentioned in TFA, in which case, do please share.

Re:Just goes to show..

[darkonc]

why don't Antivirus Software remove the Sony Virus(TM) in the first place?

I can think of two reasons:

1. They didn't know about it.
   The nature of rootkits is that they're hidden. This may be the first time that someone bothered to look
2. They didn't consider it a virus.
   Even if they did know about it, Sony may have 'convinced' a company that found the code that their software wasn't really a virus. Remember the upset about some commercial anti-virus makers deciding not to recognize some spyware as viral because it was from 'friendly' companies.

Re:Just goes to show..

[Red+Alastor]

Whishful thinking indeed. Blizzard might even win considering how current law is worded but if they did so, they'd bring the law to a complete logicial absurdity that even the judge would understand and it might get the law changed which means that Blizzard would not be as free in the future to spy on you.

Re:Just goes to show..

[darkonc]

I think that a better question is:
Now that this hack is known, will anti-virus software makers be flagging this software as 'hostile'? Right now there are tens of thousands (if not millions) of machines out there that have software secretly installed that can help hackers to hide their own code and, generally, make life hell for users. It's also code that, if removed in a straightforward manner, can make important part sof the system unusable.

I'm wondering if Sony is liable to be charged under sine if the 'spyware' statutes that have been recently passed in various states.

Re:Just goes to show..

[Dionysus]

Remember, anyone who wants to listen to one of Sony's recent CDs on their computer (unless they have used workarounds) has this rootkit

According to this BBC report, it only affected Windows users. Everybody else (Mac, Linux, *BSD users) could listen to the CD without problems.

Re:Just goes to show..

[Red+Alastor]

Which brings us to the solution : LiveCDs

We already have tools to remove Linux rootkits, is there any for Windows ? And if there is none, why not ?

Re:Just goes to show..

[Wellspring]

Good or bad depends on your point of view, of course.

Hilarious irony, however, appears to be a universal constant.

Re:Just goes to show..

[clymere]

I recall F-secure mentioning on their blog that their product detects the rootkit, but does not remove it. This is because they have decided that its too dangerous to do so, and are referring users to Sony for instructions on removal...which apparently work.

They've apparently been working closely with Sony and the company who wrote the rootkit to resolve some of these issues, and Sony released some kind of software update tool that removes the rootkit pretty cleanly

Re:Just goes to show..

[Naikrovek]

Although, the NES wasn't a multiplayer console

Two controller ports means that the NES was indeed multiplayer.

Re:Just goes to show..

[F_Scentura]

The court did award a settlement, as policy was to set their coffee far about safe levels, and had ignored previous court rulings that required that McDonalds have a safer product.

Re:Just goes to show..

[Buran]

Uninstalling undesired software isn't illegal. Software that snoops on what you run isn't a "protection device". It's merely unethical software that interferes with the operation of your computer in a way that removes the user from control. I'll sure as hell remove anything that does THAT with extreme prejudice. Sue me for it? Well, I rejected the terms of the license and removed the software, so what are you going to sue me for? Breach of contract? I terminated any obligations to you when I stopped using your app.

Re:Just goes to show..

[KitesWorld]

Because technically, they aren't root kits on a windows machine. They're programs intercepting and redirecting OS system calls, so in that respect they are, but so many other programs and utilities do the same thing with the windwos environment that the number of false-positives would render any such software as damaging as a genuine nuisance like this one. At least, that's my understanding of it. Meh.

Re:Just goes to show..

[mpe]

Makes you wonder if you could use Sony's rootkit as a way to hide DRM breaking software. It seems to me that this rootkit might actually be more useful to everyone than it might have previously thought.

Another possibility would be to use the method the Sony DRM uses to "patch" the CDROM driver to create a method of defeating the "copy protection". After all these discs have to be able to play in regular CD players so they must have the standard audio data on them...

Re:Just goes to show..

[Buran]

Why should I trust the assholes who put their illegal hacking software on my computer in the first place to remove it? They broke my trust when they snuck their crap on in the first place without disclosure or permission.

Also that removal tool won't work without that pile of shit called IE.

Re:Just goes to show..

[prof.morbius]

McDonalds coffee is not sold for the causing 3rd degree burns... but look how the courts went on that one.

From what I can remember, the woman won that suit because McD's had published guidelines about how hot the coffee could be, that McD's knew theirs was running hotter, and just didn't do anything about it. So they actually were negligent in allowing her to be burned.

Re:Just goes to show..

[lgw]

Liability and copyright are unrelated. McDonalds sold coffe with complete indifference to causing 3rd degree burns, and they paid for lack of concern for safety. Eventually a virus will piggyback on Sony's rootkit, and Sony will be smacked around for lack of concern for the side effects of their actions. And it still won't have anything to do with copyright.

Re:Just goes to show..

[kdekorte]

Point #2 is something that really ticks me off. Spyware is a virus in my opinion, but since A/V companies don't consider it a virus you have to buy another product to remove the spyware. Good for them, but a total rip off of the consumer who has to buy and update two products where one should do it all.

Re:Just goes to show..

[darkonc]

Right -- You have to call them up, identify yourself, wait on line and beg for permission to have your computer work the way it's supposed to.

I really do hope that someone takes on suing these creeps.

Re:Just goes to show..

[HAMgeek]

A POX on rootkits, and those who write them. Rootkits, wether they're used by some script-kiddie to try and hack my computer or some corporation to try and monitor what I do, are unethical by thier very nature.

Re:Just goes to show..

[damiam]

Blizzard's software is not a rootkit, so no.

Re:Just goes to show..

[Anti_Climax]

I was totally with you until you got to .asf :D

Re:Just goes to show..

[tradiuz]

So what you're saying is, its like someone being insane. They dont know they're crazy, but everyone else knows, and the only cure is drugs or shock therapy!

Re:Just goes to show..

[aaronl]

Yes, MS has a PE (preinstalled environment), and there is also the free Bart's PE. They create a bootable Windows LiveCD, basically. I've used BartPE, and it works great.

Re:Just goes to show..

[networkBoy]

That has got to be the dumbest troll I've ever seen on /. Even the GNAA trolls are better.
-nB

Re:Just goes to show..

[Red+Alastor]

I meant a Windows rootkit detector / remover on LiveCD. It doesn't really matters on what OS the live CD runs.

Re:Just goes to show..

[toomanyhandles]

Just as McDonalds hamburgers aren't made for the purpose of causing childrent to be obese, and McDonalds coffee is not sold for the causing 3rd degree burns... but look how the courts went on that one.

Actually McD deserved to lose on that one. They were intentionally flaunting/ignoring health department warnings and citations because they had their coffee makers turned up too high, and the liquid was not "safe". Food service code says you can't serve hot liquids at a temp. which causes 3rd degree burns in less than ?20? 30? seconds- time to wipe it off etc. They were serving their stuff at a temp that caused 3rd degree burns in 3 seconds (IIRC). Yes, litigious society, nuisance lawsuits, etc, but this was big evil corp ignoring safety rules that were in place for a reason. HTH.

Re:Just goes to show..

[ikkonoishi]

In fact, Warden has a greater chance of violating the DMCA since it could access memory that contains copyrighted material after the DRM system has decrypted the work. Luckily the primary design purpose of Warden is also not copyright infringement.

Yet. Turnabout however is fair play.

I can see it now.

Blizzard:Those DRM bastards want to make it easier to cheat on our games. Lets include a P2P music sharing client into our next release!
Player:Hey... WTF? Did that monster just drop a Metalica CD?

Re:Just goes to show..

[Red+Alastor]

What about doing it with a rootkit database like we do for viruses ?

Re:Just goes to show..

[Thuktun]

Just as McDonalds hamburgers aren't made for the purpose of causing childrent to be obese, and McDonalds coffee is not sold for the causing 3rd degree burns... but look how the courts went on that one.

Hmm.

(a) Food that can make you fat if you eat it irresponsibly over a long time.
(b) Food that can do immediate, lasting physical damage requiring expensive surgeries if it happens to spill on you.

One of these seems more severe than the other.

Re:Just goes to show..

[bhsx]

I submitted a story that got rejected regarding this type of "rootkit." Somehow (my girlfriend's daughter uses this system in a reletively locked-down mode) I got something installed on my system that slipped past the Spybot S&D, MS AntiSpyware, AVG antivirus, and ewido.
It was a total b*tch just to find. The thing would build its directory/itself on shutdown (it seemed) and load then delete any trace of itself at startup, even in Safe Mode. It hid itself from Windows Task Manager and every other scan a could run. I ran some Sysinternals apps such as RootkitRevealer and Autoruns, and showed nothing over and above anything I could account for. Suspecting it was a rootkit anyway, I found some good apps such as Process Guard, and F-Secure's Blacklight(stand-alone executable, pretty nice), and a CLI app called RkDetector. Once I had ran PG I could see what was happenning to my poor little PC. Explorer launches a program called ddrssapi.exe from System32, then would go onto to launch mchshisn.exe every 3 seconds or so. At one point Process Guard counted mchshisn.exe loading over 350 times before grinding to a crashing halt!
Googling ddrssapi.exe or mchshisn.exe yields no hits (or at least didn't, now it'll probably link to this thread), so I renamed the former (because I knew where it was). I was hoping that was the app that created the directory at startup so I rebooted to see if things calmed down.
Process Guard makes no mention of ddrssapi, but is still continuously launching mchshisn, and I notice that it says it's launching from Program Files/Weslorer... Takes about 4 minutes to bring the box down to it's knees, but that gave me enough time to realize that I could do nothing to find this mysterious directory (Weslorer).
I boot into Knoppix 4.0 and low and behold there is PF/Weslorer. Unfortunately for me, Knoppix didn't want to play nice with NTFS, so I couldn't delete the dir. Then I remembered that I had build the Windows Ultimate Boot Disk based on BartPE a few weeks ago. Booted into it and removed the Weslorer (which also shows no google hits) directory and ran a Spybot S&D scan for good measure. I rebooted into my XP install and all was well. No more popups (which caused the autopsy in the first place), no more stray process launching hundreds of times. Just a new systray icon for Process Guard. That things going onto every removable media I have.
I know I still don't really know how it got in and what process it was using to launch itself initially, and that bothers me; but I do not have any symtoms and will have to live with the thought that I got pwned.

Re:Just goes to show..

[Esion+Modnar]

"Their rootkit broke our rootkit!"

Aw, jeez, people. It's just one goddamned thing after another.

Re:Just goes to show..

[HiThere]

I read that if you follow their instructions, you then aren't able to recognize your CD drive. True? False? Depends on hardware? (I'm not about to install MSWind and buy a Sony "CD" so I can find out.)

Re:Just goes to show..

[udoschuermann]

Maybe Sony's rootkit was meant to target The Warden: Sony (EverQuest) vs. Blizzard (World of Warcraft)? Conspiracy theories are so much fun!

Re:Just goes to show..

[hahiss]

I think that, with a name like `kitchen devil', they are liable for your psychotic killing sprees.

Re:Just goes to show..

[tiptone]

And if I make P2P software I'm not liable for what users do with it....oh wait.

Re:Just goes to show..

[eofpi]

Those with long enough memories to remember the Game Genie may remember that Galoob got out of the game enhancer business long before the DMCA was passed.

However, the continued existence of the makers of the Game Shark would seem to indicate that such devices are either not in violation of the DMCA or the game makers, quite reasonably, don't consider the devices a threat to their sales.

Re:Just goes to show..

[EllynGeek]

Actually McDonald's coffee was designed to cause severe burns. OK, that wasn't the coffee's real purpose, but they had received many complaints (over 700) about it being dangerously hot, and refused to turn the temperature down. http://www.atla.org/pressroom/FACTS/frivolous/Mcdo naldsCoffeecase.aspx

No beverage should be served so hot that it scalds on contact, and especially not fast-food beverages, which are typically served to people on the go.

You are correct about the obesity part. :)

Re:Just goes to show..

[Papineau]

That is why you should install 2 Windows installations side-by-side when you install it in the first place. One is your "normal", work and games related one, the other one is for snooping on the first one if you need to do something it won't let you by itself (like replacing some registry files, etc.).

Works like a charm when you want to restore a system backup too, and there's no need to play with CaptiveNTFS or such.

It worked quite well in NT4 with the NT bootloader (boot.ini), so you can probably do the same with XP's bootloader without resorting to a 3rd party boot loader (like grub :)). Don't forget to have different desktop backgrounds (like a red one for the administrative install), so you don't end up doing stuff you don't want to in the wrong environment.

Re:Just goes to show..

[Haeleth]

Of course, the 31337 WoW cheaters write their own DRM software...

Good lord, are there that many of them? I think a crackdown is long overdue.

Re:Just goes to show..

[XSforMe]

my girlfriend's daughter uses this system in a reletively locked-down mode
This is scary. How locked is her account, part of users, advanced users or are you using a custom profile?

Re:Just goes to show..

[Walkiry]

>The Axis of evil becomes the Triumvarate of unplanned good?

Actually this is a bit like if two warchest-patent companies tried to sue each other and brought out the big guns. M.A.D., and everyone else wins! So it could actually be a good thing and be effective while both remain your enemies ;-)

Re:Just goes to show..

[aaronl]

BartPE plus RootkitRevealer, AdAware, Spybot, AVG, etc. You can customize the preinstalled environment, and most of that software will work off network shares, etc. I don't know of anything yet developed under Linux for doing spyware scans, unfortunately.

Re:Just goes to show..

[VStrider]

Sony released some kind of software update tool that removes the rootkit pretty cleanly.

Sony removes it pretty cleanly? Are you sure? You might be interested in reading this.

Re:Just goes to show..

[jrockway]

Report to the OS that that 90% is actually free (but cause writes to fail when someone writes to that space).

Re:Just goes to show..

[saviorsloth]

McDonald's coffee isn't necessarily sold to cause 3rd degree burns, but when it is company policy to sell coffee at 180-190 degrees Farenheit, as it was at the time of the lawsuit i assume you're referring to, a temperature that can easily cause 3rd degree burns, it can be criminally negligent (or something to that effect, IANAL), especially when it had been brought to their attention numerous times before
http://www.centerjd.org/free/mythbusters-free/MB_m cdonalds.htm

Re:Just goes to show..

[geekoid]

BUt if you put the knife in a room where you know children will be, you WILL be liable for the ensuing damage.

My poorly illistrated point is:
If you provide the means that allow someone to do harm, you are responsible.

Re:Just goes to show..

[tolkienfan]

Actually the DMCA circumvision clauses cover other "protection and control" mechanisms, in addition to copyright protection.

Re:Just goes to show..

[Skater]

I have two comments on your message and the parent:

1. For the parent message: Is it just me, or should an OS prevent that type of behavior? I've never seen something like that happen under Linux - is that because it can't or because it can and I just haven't encountered it?

2. For your message: I love when people claim Linux is harder than Windows. "Oh, just maintain TWO Windows installations!" :)

Re:Just goes to show..

[Papineau]

I love when people claim Linux is harder than Windows. "Oh, just maintain TWO Windows installations!" :)

It was actually my father who did this with NT4. I have no idea if it's still easy/possible to do with XP, as I use RH8 as my primary desktop (plus other computers with everything from RH7.3 to FC4), and the last Windows version I personally installed was 3.11 (not the For Workgroup version) on a P90, about 8 years ago.

But the point is still valid (about the 2 Windows installations). That way, you have all the rights you want on the "not booted" version, and all the power of running native software to examine/modify it, plus enough storage for all you want (which booting from a Windows CD doesn't always offer you, although I could be mistaken on that as I never used one).

Re:Just goes to show..

[catprog]

So long as you don't promote it for illeagle uses

Re:Just goes to show..

[mlrtime]

Just goes to show that there is indeed a good use for everything.

Yea, explain how that works for my hemroids :(

Re:Just goes to show..

[bhsx]

It would definately be possible in Linux, with the wrong security permissions, or by surfing as root. That being said, I certainly don't know of any current distributions that run as root by default. Windows basically does this when you set it up with no login, or you end-up running a piece of software that requires admin access because it was coded poorly. That last bit hasn't crept its way into *nix apps as of yet, and hopefully the design makes it more desirable to keep the current paradigm.
Of course I remember a time when most services ran as root before the "nobody" (or is it noone?)user was introduced in the late 90s.

Re:Just goes to show..

[sunwukong]

Technically, how many licenses does this require? It seems that there may be legal and/or cost barriers to this approach ...

Re:Just goes to show..

[darc]

RKR will not work on BartPE because it reads the registry and system using the WindowsAPI in the running system and checks against low level reads. This is not possible on a LiveCD, because RKR does NOT do sig based hashing or anything.

Re:Just goes to show..

[Spacejock]

Well, it's running on the same hardware and there's only a single user so logic says you're okay. But my money is on the idea being morally bankrupt, a violation of the EULA and the sort of thing only a perverted software pirate would do.

Re:Just goes to show..

[fredklein]

Not this crap again.

From www.stellaawards.com :

The plaintiffs were apparently able to document 700 cases of burns from McDonald's coffee over 10 years, or 70 burns per year. But that doesn't take into account how many cups are sold without incident. A McDonald's consultant pointed out the 700 cases in 10 years represents just 1 injury per 24 million cups sold! For every injury, no matter how severe, 23,999,999 people managed to drink their coffee without any injury whatever.
...
Coffee is supposed to be served in the range of 185 degrees! The National Coffee Association recommends coffee be brewed at "between 195-205 degrees Fahrenheit for optimal extraction" and drunk "immediately". If not drunk immediately, it should be "maintained at 180-185 degrees Fahrenheit".
...
...she did, after all, spill the coffee into her lap all by herself. The car was stopped, so she presumably was not bumped to cause the spill. Indeed she chose to hold the coffee cup between her knees instead of any number of safer locations as she opened it.

It was NOT McDonalds fault. It was the stupid b!+(4's fault for being careless. She should not have gotten a dime!!

Re:Just goes to show..

This is the Internet. You can say "bitch" here.

Re:Just goes to show..

[xerxesdaphat]

OK. Well what about all the P2P networks that are getting shut down because they may be used to committ IP violations, despite not being expressly created for such a reason?

Re:Just goes to show..

[aaronl]

Huh, yeah, will you look at that, I hadn't realized it (obviously ;-). You'd have to know where to look manually, for now. Or convince the spyware/virus scanner developers to add signatures for something they can't normally detect.

Re:Just goes to show..

[ObsessiveMathsFreak]

That is why you should install 2 Windows installations side-by-side when you install it in the first place.

Great. That'll be another $200 for every PC I own, on top of the administrative headache of maintaining two seperate systems.

I think Knoppix is the superior option here. Or you could just use DOS boot disks or whatever.

Re:Just goes to show..

[Jaseoldboss]

First4Internet, a company in Oxfordshire UK. supplied the Rootkit and DRM.

Don't sit there bottling it up! tell them what you think about their wonderful software. Hurry up though, there is a good chance that the order book isn't as full as it they would like :-)

Re:Just goes to show..

[Hillie]

Haven't you been following the MPAA/RIAA crazyness?

They've thrown people in jail who had no intention of violating copyright, simply because what they did "could" be used to circumvent copyright by a third party. ..but then again those people they threw in jail weren't a huge corporation like Sony either.

Re:Just goes to show..

[cagle_.25]

I wish there were a +10 Funny. You deserve it. Best laugh on Slashdot in a year. (*bows in respect*)

Re:Just goes to show..

[Skater]

Processes can be hidden from root? (My message wasn't clear about what should be impossible, so I'm now asking for clarification.)

Sony owns Everquest

[halivar]

Coincidence, or conspiracy? Hrmm...

Re:Sony owns Everquest

[sgant]

I thought the same thing. I wouldn't be surprised if it was...but honestly I think this is just a "happy" coincidence for Sony. Not only are they screwing over a customer but now a major competitor in the MMORPG world.

But again, it's probably just a coincidence

Re:Sony owns Everquest

[harrkev]

But Sony has some MMORPGs too. Any word on using this for the Star Wars RPG?

Re:Sony owns Everquest

[LostCluster]

I doubt this is going to be the last story of this rootkit being used to hide something from process seekers. Online poker gaming sites rely on being able to look at a user's running processes in order to detect bots.

Hmmmm, are you scratching your beard?

[Neil+Blender]

You anti-DRM, pro-cheating and stealing hippies must be really conflicted on this one.

Re:Hmmmm, are you scratching your beard?

[Datamonstar]

Not nessecarily. Right and wrong hasen't changed any.

Re:Hmmmm, are you scratching your beard?

[TelJanin]

Your post makes no sense. How is being anti-DRM being pro-cheating? And how does not wanting to surrender my computer to a third party make me a stealing hippy?

Oh, that's right. You were just blowing it all out your ass.

Re:Hmmmm, are you scratching your beard?

[real_smiff]

yes, i hate Sony for their anti-genuine-consumer (anti the majority) stance, and the cheaters for their anti-genuine-player (anti the majority) stance. it looks like my view is, would you believe it, in the majority. Both groups (Sony and cheaters exploiting this) are in the wrong. Not so hard to follow is it. Now stop trolling please (aimed at grandparent? not parent)

Re:Hmmmm, are you scratching your beard?

[WeeLad]

Not nessecarily. Right and wrong hasen't changed any.

...but now two wrongs can make a right. I think someone said it's like multiplying negative numbers or something. If you do it right, you'll get a positive.

-(Sony Rootkit) X -(The Warden) = -(Cheating) ... hmmm, I think I must've messed up the math.

Re:Hmmmm, are you scratching your beard?

[bughunter]

Your algebraic math isn't working because you're extending the wrong operator from the set operation of "two wrongs don't make a right."

This condition is represented by the Or operator, +, not the And operator:

Wrong1 + Wrong2 = Wrong3,

Where Wrong3 is the set encompassing both Wrong1 and Wrong2. (Do it using Venn diagrams and you will see.)

Thus, extending the metaphor to algebraic operations,

-1 + -1 = -2

Re:Hmmmm, are you scratching your beard?

[Alistar]

No, I am pretty sure it would be AND.

Because it is not one OR two, it both one AND two.

So it would be -1 AND -1 = 1; thus 2 wrongs do make a right.

Re:Hmmmm, are you scratching your beard?

[rworne]

Now I'm confused. Is that supposed to be a logical AND or a bitwise AND?

-1 && -1 = 1
-1 & -1 = -1

Re:Hmmmm, are you scratching your beard?

[Grand+High+Wonko]

Two wrongs making a right? Welcome to my world.

Re:Hmmmm, are you scratching your beard?

[ObsessiveMathsFreak]

-(Sony Rootkit) X -(The Warden) = -(Cheating) ... hmmm, I think I must've messed up the math.
This will only work if the Sony Rootkit and The Warden both contain imaginary parts and The Warden is the complex conjugate of the Sony Rootkit, and vice versa. In this case, the imaginary part of cheating will disappear.

O.o

[Spy+der+Mann]

An error has occured

Sorry, the database is currently unavailable, please try your request again shortly

Wow, this Sony rootkit works MUCH BETTER than I expected! :D

Now can we have a lawsuit?

[rovingeyes]

Please somebody...anybody!

Re:Now can we have a lawsuit?

[Mr2cents]

I'm waiting for the trial accusing some dude of illegally copying the DRM-software. I've already bought the popcorn.

Re:Now can we have a lawsuit?

[identity0]

Why, just recently, I was able to use the Sony DRM to cheat at Warcraft, kill players at will, take their loot, and sell it on eBay for thousands of dollars! I am outraged! I shall file suit against Sony Online Entertainment for their flagrant disregard for other people's property and allowing me to steal shit on Warcraft!

Won't someone please think of the children?!?!

and wait until Blizzard hears about my suit against them for failing to violate my computer throughly enough to stop me from cheating, and being defeated by the Sony DRM!

We have our rights! Our right to be violated!

Re:Now can we have a lawsuit?

[orkysoft]

I read that safe mode won't protect you from the terrible secret of the Sony rootkit...

Do you have optical drives in your PC?

Slashdotted already.

[thepotoo]

Christ, anyone got a link/full text?

Re:Slashdotted already.

[Dugsmyname]

http://mirrordot.com/ has a cached link here

Wow

[interiot]

Somebody is going to owe a LOT of people new monitors once they're all drenched in coke.

Re:Wow

[exi1ed0ne]

Coke? Try Mountain Dew and hot pocket chunks.

Yup... definitely works

[kneecarrot]

I have definitely thwarted Warden. I just created a 13th level unicorn, ate all the remaining rhubarb in the forest, and killed the White Wizard with an AK-47. NICE!

Re:Yup... definitely works

[Shadow+Wrought]

Remember kids, AK-47s don't kill White Wizards, Unicorns do.

Never thought I'd get a chance to say that again!

Re:Yup... definitely works

[sgant]

You've obviously never played World of Warcraft.

There are no AK-47s in the game you noob! Just Colt M16A's...and the rhubarb isn't in the forest. LOL, right right, the rhubarb is in the forest....it's in the fricken meadows.

And everyone knows a level 13 unicorn can't take on a White Wizard...you need a group for that!

Sheesh...

Re:Yup... definitely works

[IdleTime]

For us living in the real world... Is the White Wizard Karl Rove or Scooter Libby? Ohhhh... my head hurts!

Re:Yup... definitely works

[Flying+Over+Trout]

Neither. The White Wizard is Robert Byrd of course.

Re:Yup... definitely works

[rodentia]

You need to move beyond your reality-based thinking.

Re:Yup... definitely works

Never thought I'd get a chance to say that again!

Again?!

Re:Yup... definitely works

[Shadow+Wrought]

AC-47's are even more deadly. Think Puff the Magic Dragon when he's pissed;-)

Re:Yup... definitely works

[william.gunn]

...least I got chicken...

This post has no content but

[Verteiron]

Am I the only one who finds this amusing? I mean... wow. Whatever monkey at Sony that approved this scheme must be soiling their armor by now.

And that the first (known) exploit of this thing should be a game cheat. The world is a strange place; Sony has made it just a bit stranger.

Re:This post has no content but

[Datamonstar]

I'm sure that it's money motivated. It's almost a certain bet that it was an organized effort by some WoW gold peddling outfit that hacked the DRM into their WoW hack so quickly. Also a near-certain bet that they're stepping up their production efforts to milk this thing while they can. Greed really isn't as strange as you may think.

Re:This post has no content but

[Red+Flayer]

FTA: A way to remove the 'cloaking device' without breaking the DRM (or your device driver): URLhttp://cp.sonybmg.com/xcp/english/updates.html>

Sony: We Make Your DRM a Little Less Evil (tm)

Obviously, this was just a way for Sony to try to bring WoW to its knees; after all, that's a lot of potential EQ2 subscribers who might have changed over had Sony been able to cripple the WoW economy.

/tinfoil plate armor, shield, and helm securely equipped

Re:This post has no content but

[AdamWeeden]

What would have been even more amusing is if had been used against a Sony MMORPG like Everquest 2.

Re:This post has no content but

[Minwee]

As opposed to being used against the single largest competitor to Sony's MMORPGs, World of Warcraft? I think it's even more fun this way. "Whoops, sorry we broke your game guys. Have you tried Everquest? Our elves now have handlebars just like yours!"

Re:This post has no content but

[Godin21]

Am I the only one who finds this amusing? I mean... wow. Whatever monkey at Sony that approved this scheme must be soiling their armor by now.

Probably not. Don't forget that World of Warcraft is the largest US MMORPG competitor to Everquest and Everquest 2. One of the major anoyances in EQ was the mudflation caused by scripters and plat sellers.

Sony wouldn't shed a tear at all if they "accidentally" caused Blizzard grief.

YRO?

[LostCluster]

Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

This is just a classic hack. Nothing impacting free speech or even property rights. Yes, it belongs on /., but in a different section...

Re:YRO?

[Experiment+626]

Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

The "rights" issue is with peoples' right to listen to music they've bought without the CD compromising their system and infecting it with rootkits. This article is signifigant more as a new development in that story, than as a "a victory for the rights of online cheaters everywhere!" thing.

To underscore the point, consider that yesterday on GlobeAndMail.com, we have:

The company dismissed the prospect of hackers exploiting its rootkits for their own purposes as an "academic" concern.

I guess it isn't so academic anymore.

Re:YRO?

[mrgreen4242]

Are we suddenly interested in the rights of game cheaters? Whose rights are being impacted here?

Seems like people are more interested in the rights of non-cheating WoW players? People who play WoW SHOULD know that their systems are monitored, and if they don't like it they can quit. Presumably, they are ok with the trade off of "my system is monitored, but so is everyone else's, so at least I can play the game knowing that it is an even field". Sony has given people a way to defeat that, and in doing so taken away all the advantages of having the Warden system, but done nothing to the disadvantages it presents (the fact that it is mildly invasive of your privacy).

Let's bash Sony

[LordSnooty]

OK, so I understand that Sony did a bad thing with the rootkit. But I don't immediately understand the link to Blizzard. Surely there are other "rootkits" around (think Hacker Defender) which can hide files? Why has this suddenly become a problem with the release of the Sony rootkit? Is it a case of "yes, this is definitely bad... now quick, find some way of demonstrating how bad it is!"

Do other cheat protection systems use similar methods to look for files? If so, why are they not affected? Why am I only hearing about Warcraft?

Re:Let's bash Sony

[kertong]

I'm not sure how the Warden "looks for files", but I believe, rather, it pulls the titles/names of the currently running windows and processes them into a hash before sending it out to the blizzard servers.

Now correct me if I'm wrong - but this has isn't (or shouldn't be) reversible, right?

Re:Let's bash Sony

[Helios1182]

Because WoW and the rootkit have been in the news lately. It is easier to pick up on a continuing story than it is to take time digging for new details.

Re:Let's bash Sony

[xSquaredAdmin]

Actually, the way that Warden works (from the analysis I've seen), is that it grabs the window titles, hashes them, and compares them to the hashes of known cheats that it pulls from Blizzard's server. All that it sends to Blizzard is a simple yes/no for whether the player is using hacks.

Re:Let's bash Sony

[$RANDOMLUSER]

Then wouldn't a simple command-line based cheat defeat that?

Re:Let's bash Sony

[xSquaredAdmin]

I just dug up the description of what it actually does. Turns out it also does a brief memory scan of the processes in memory to look for hacks as well. So even if they do that, as soon as Blizzard gets their hands on it, they could just add it's signature to the definition.

I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes - the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' - its written like shellcode in that it's position independant. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):

The warden dumps all the DLL's using a ToolHelp API call. It reads information from every DLL loaded in the 'world of warcraft' executable process space. No big deal.

The warden then uses the GetWindowTextA function to read the window text in the titlebar of every window. These are windows that are not in the WoW process, but any program running on your computer. Now a Big Deal.

I watched the warden sniff down the email addresses of people I was communicating with on MSN, the URL of several websites that I had open at the time, and the names of all my running programs, including those that were minimized or in the toolbar. These strings can easily contain social security numbers or credit card numbers, for example, if I have Microsoft Excel or Quickbooks open w/ my personal finances at the time.

Once these strings are obtained, they are passed through a hashing function and compared against a list of 'banning hashes' - if you match something in their list, I suspect you will get banned. For example, if you have a window titled 'WoW!Inmate' - regardless of what that window really does, it could result in a ban. If you can't believe it, make a dummy window that does nothing at all and name it this, then start WoW. It certainly will result in warden reporting you as a cheater. I really believe that reading these window titles violates privacy, considering window titles contain alot of personal data. But, we already know Blizzard Entertainment is fierce from a legal perspective. Look at what they have done to people who tried to make BNetD, freecraft, or third party WoW servers.

Next, warden opens every process running on your computer. When each program is opened, warden then calls ReadProcessMemory and reads a series of addresses - usually in the 0x0040xxxx or 0x0041xxxx range - this is the range that most executable programs on windows will place their code. Warden reads about 10-20 bytes for each test, and again hashes this and compares against a list of banning hashes. These tests are clearly designed to detect known 3rd party programs, such as wowglider and friends. Every process is read from in this way. I watched warden open my email program, and even my PGP key manager. Again, I feel this is a fairly severe violation of privacy, but what can you do? It would be very easy to devise a test where the warden clearly reads confidential or personal information without regard.

This behavior places the warden client squarely in the category of spyware. What is interesting about this is that it might be the first use of spyware to verify compliance with a EULA. I cannot imagine that such practices will be legal in the future, but right now in terms of law, this is the wild wild west. You can't blame Blizz for trying, as well as any other company, but this practice will have to stop if we have any hope of privacy. Agree w/ botting or game cheaters or not, this is a much larger issue called 'privacy' and Blizz has no right to be opening my excel or PGP programs, for whatever reason.

Re:Let's bash Sony

[bleckywelcky]

This is newsworthy because someone can legitimately use the Sony CD and have the rootkit installed, and then play WoW. So blizzard can't just look for signs of the rootkit and ban that account - people will be pissed for a non-legit ban. At the same time, people can do the same thing AND initiate a cheat on WoW and claim to be pissed for the same "non-legit" ban.

Re:Let's bash Sony

[HavokDevNull]

The reason the "link to Blizzard" is because the guys over at www.wowsharp.net thought to use the rootkit first, and it is so easy to use that anyone who can rename a file can use it. And WOW is very popular in the first place (4 million users now), so this impacts a bunch of people.

Another cheat program http://www.wowglider.com/ is also getting around WOW's Warden technology by running WOW in a normal user profile in xp, removing access to said user in the wowglider folder, then running wowglider as an admin account. But more than likely you could just install Sony's rootkit, rename your wowglider folder and do the above step for double protection against Warden detecting wowglider.

My point being Sony and First4Internet are saying that the rootkit does not compromise a system's security, when in fact it can and does. And the Cheaters are proving it now, next will be the virus writers.

Re:Let's bash Sony

[$RANDOMLUSER]

Holy shit!!
That's just evil.
Your post should be modded +10 informative so that everyone reads it.

Re:Let's bash Sony

[Red+Flayer]

"because the guys over at www.wowsharp.net thought to use the rootkit first"

Hardly. They're just the first to publicize... this has been floating around in some forums for a little while.

There's less of an advantage to cheating if everyone can do it. So those exploiting this have been keeping their mouths shut...

Re:Let's bash Sony

[HTH+NE1]

How accessible are other rootkits to the average WoW cheater? I haven't done any searches, but surely nothing compares to being able to walk in to a record store and buy pluton^H^H^H^H^H^H a rootkit.

And it is always the latest of the breed that would be the most desireable, especially when it could be found on many systems innocently. The rootkit comes with it's own human shield of innocents.

And Blizzard would violate the DMCA if they removed Sony's DRM software that restricts access to Sony's so-protected copyrighted works.

Sony has opened a Pandora's Box distributing and installing the rootkit. Blizzard spies on what programs you run. The question is not whether two wrongs make a right but rather whether two wrongs make an actionable case, and on whom.

I'm sure there are other ways to exploit this rootkit: hiding porn stashes from a nosy spouse would be another one. The Blizzard WoW cheating just happens to relate to recent news stories and rises to the top.

Re:Let's bash Sony

[Raxxon]

I'm on the same page you are. This isn't Sony's "fault". I considered the same tactic with HackerDefender as a "work around" (not that I cheat, but more of a "I thought of this in 2 seconds, how long will it take the idiots who cheat to figure it out?") to get your leet sploits and bots working again.

Interesting twist. Now we're going to have "Music Piracy" by the "Chinese Gold Farmers" so they can make more "Phat Lewt" to sell for hard currency.

Re:Let's bash Sony

[shmlco]

"These strings can easily contain social security numbers or credit card numbers."

Of course, even the newest PHP developer knows better than to pass SSNs and CCNs around as URL variables. And if you're dumb enough to name a file with your social security number [window titles], you're probably beyond help anyway.

Re:Let's bash Sony

[HavokDevNull]

Wrong! How can you say Sony and First4Internet are no way responsible???

Taken from the original article from Mark's blog over at Sysinternals And here is the URL again in case you want to read the whole thing again. http://www.sysinternals.com/blog/2005/10/sony-root kits-and-digital-rights.html

I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

If that does not compromise security what does?

Re:Let's bash Sony

[Buran]

Easy. Use a hex editor to change the offending executable so that it can no longer function. No software has the right to examine ANY other application the user is running. Apps need to keep their noses firmly up their own asses.

Re:Let's bash Sony

[Sheepdot]

Actually it's newsworthy for more than just that.

If Warden attempts to scan the "$sys$DRMServer.exe" to do an MD5 hash of it and determine if it is a legit Sony executable or one removed/modified by a cheater, they are circumventing the DMCA. Of course, the user has to agree to the installation of the rootkit, which as far as I know, is installed without user permission anyway.

This REALLY gets involved when you consider that Sony has 4+ MMORPG games (Star Wars Galaxies, Planetside, EverQuest, EverQuest 2) that are of varying levels of competition to World of Warcraft.

I originally mentioned this news on the last Sony DRM rootkit post here.

Re:Let's bash Sony

[ydrol]

I'm sure there are other ways to exploit this rootkit: hiding porn stashes from a nosy spouse would be another one.

Always train said spouse that vigorously watching porn is a rite of passage, and they are free to share in the experience.

Re:Let's bash Sony

[Tim+C]

If you're going to take that stance, you might as well blame the compiler writers for making it possible to compile code to machine executable, or Kernigan and Ritchie for C, or the guys who developed transistors, or Maxwell for his equations...

Sony's rootkit makes this easier. Now, instead of having to develop both the cheat and a way or protecting it from the Warden, one has only to develop the cheat. No, Sony haven't caused cheating, but they've certainly made it easier. More seriously, they've made it easier for malware and viruses to go undetected too. No, this isn't the first or only rootkit available, but it's the first that's been available for the cost of a music CD, the purchase of which is going to look utterly innocent.

Re:Let's bash Sony

[fatcatman]

I'm sure there are other ways to exploit this rootkit: hiding porn stashes from a nosy spouse would be another one.

I see this theme a lot around here. My question would be: If you have to hide your porn from your spouse, and if your spouse is so distrustful of you that you have to take extraordinary measures to hide your porn... Perhaps you married the wrong person?

Re:Let's bash Sony

[Dachannien]

Ah, yes, the infamous analysis written by Greg Hoglund, where he makes the outlandish claim that "OMGZ Blizz is scaning my computar for my pr0ns!!!1"

Right there in the description of his analysis, he talks about how it hashes all the strings it comes across, compares those hashes to a list of known cheat hashes, and only notifies Blizzard whether there's a match. It doesn't phone home with your personal info.

But he inserts his FUD into his story, because he and others were making money off of their WoW cheat software, and when they got caught by Warden and banned, they realized they were risking litigation from both Blizzard and their own customers by continuing to develop the software and charge for it, so they went open-source. He and others want Blizzard to be humiliated into turning off Warden so they can start selling their cheat software again.

It's not spyware.

Re:Let's bash Sony

[p7]

Does getting rid of the so called Sony Rootkit close this hole? The answer of course is no it doesn't. Anyone with sufficient programming skills (And from the description of the code at Sysinternals, it wasn't that impressive) can implement the same functionality in their code.

Sure, it may be harder to clean your system up if you can't see the file, but at that point you have already been compromised and a virus could be patching several function calls to hide itself. The concept isn't new even, a while back I remember reading a story about the Anti-Rootkit program that Microsoft came up with to spot rootkits that commandeer devices, so they can hide their presence.

If anything this should be a wake up call telling us that we may need to implement additional scans preferably outside the OS to detect malicious code.

I don't like what Sony and First4Internet did, but the hole they used has always been there.

Re:Let's bash Sony

[p7]

You're right. Next time I get any email with a copy of a Sony CD attached I will be really careful about any links I go to.

All kidding aside, I don't consider being able to hide a process or file from the Warden to be a security risk. Sure it sucks for WoW, but it doesn't make my system any less secure.

From a virus aspect, if your computer is secure you have no worries. If for some reason you install or a system vulnerability allows software to be installed, you or the OS are the weak link. By the time you are worrying about hidden files, you, your antivirus/spyware software and OS have allowed malicious code to be run on your machine.

Re:Let's bash Sony

[Pinback]

So create a slashdot story with 'WoW!Inmate' in the title, and any WoW player who reads it will get banned? Sounds like an easy sploit.

Re:Let's bash Sony

[bleckywelcky]

Calling Planetside an MMORPG is being very nice. It's a glorified persistent FPS. I played it right around the time it came out for a couple weeks (for free), looked at the monthly price, then laughed and uninstalled the game. I think many others have done the same.

Re:Let's bash Sony

[PlusFiveTroll]

Perhaps I married TWO people, and dont want one to know about the other one!

In this would you never know why you'll want to hide something, but its nice to have the ability.

Re:Let's bash Sony

[big+ben+bullet]

too bad I don't have any mod points left...

ah well, you get a +5 insightful from me ;-)

Re:Let's bash Sony

[Sheepdot]

Yeah, I quit for similar reasons: I already owned Tribes 2, and it had no monthly fee.

Granted, PS was different from Tribes 2 in more than one way, but the *feel* of the game made it similar enough that I couldn't justify $15/month of $12.95 or whatever it was at the time.

I still liked and like it, but I can't justify a monthly fee for massively multiplayer Tribes 2. I've heard it better labeled a MMOFPS, but I used MMORPG because it fit.

On a related note, SWG looks like it is going to be a MMOFPS here soon. I don't know how they can do this with the horrible lag, but, oh well.

Re:Let's bash Sony

[HavokDevNull]

I hate to say it, well no I take that back ...I love to say it. " I TOLD YOU SO " =)

Sorry could not resist...

Cheers,

Sue Sony

Sue sony under the DMCA

$sys$Warcraft and Sony Suxorz$sys$

[sweetnjguy29]

Hmmm...it didn't work.

Re:$sys$Warcraft and Sony Suxorz$sys$

[dkone]

Yes it did, I didn't see it. You must not have bought the CD! Lozer

I for one...

[wastedbrains]

I for one would like to sue sony for hating their costumers and making WOW turn into another game that shows you cant play for fun on battlenet unless you password protect your games and only play with friends you know and trust. Why is it that I cant watch movies on my projector cause my computer blues out the screen thinking I am trying to play to some illegal device? DRM IS NEVER GOOD FOR CONSUMERS!!!

Re:I for one...

[wastedbrains]

sorta, but the warden is only running while your online playing WOW. In that case i think it is a little different where as most DRM is stuck around perminately. But that is a good point... So perhaps the warden is one of the first examples of DRM being used to protect costumers instead of copyrights holders. Definately a valid point though... I was mostly just ranting cause I am pissed at how sony is treating costumers, and how other DRM has not allowed me to do perfectly legal things like view movies on my projector from my computer (which i can't due through the video out to projector), but I have since learned that I can do if I directly hook my monitor cord to my projector, but this doesnt allow me to use both my monitor and projects at the same time like I have wanted.

Two wrongs...

[bl4nk]

So two wrongs do make a right... right? For the cheaters at least... but that's wrong... so two wrongs come together to combat one wrong, and you're left with two wrongs instead of two.. wrongs... Can't we all just get along?

Hell, you knew it was coming.

[Tuxedo+Jack]

If the process is hidden, the Warden can't pick up on it, right?

So hypothetically, ANY rootkit could be used to hide processes - HackerDefender and the others out there would do the job nicely.

Of course, the other edge of the sword is that you don't know just what _else_ is hiding... unless you wrote and compiled the rootkit yourself using your home-brewed compiler.

Re:Hell, you knew it was coming.

[LostCluster]

And, if we're going by Security Now's definition of a "rootkit", Norton SystemWorks is a rootkit because its Undelete component hides files from the operating system that are really still there, SystemWorks just fools all applications into thinking they're not there.

Any program that uses the operating system hooks to find out what is going on risks being fooled. The only way around it is to do what RootkitRevealer does, ignore what the OS is saying and go byte-level reading the disk to see what you get, then if you like compare it with what the OS is reporting to see if there's any differences.

Re:Hell, you knew it was coming.

[someone1234]

Yes, but there are a few problems: 1. other rootkits are not documented so well. 2. other rootkits are not coming with a nice installer 3. other rootkits you may not own legally (is this legal?) 4. other rootkits are not so easily usable, here you just rename a folder to $sys$* Now with this hype every script kiddie will buy a DRM enhanced Sony CD and spice up their own viruses with minimal work.

Re:Hell, you knew it was coming.

[The+MAZZTer]

I think the definition of a rootkit includes the fact that it's presence was not explicitly made known to the user, or the user was not asked whether it should be installed. Norton SystemWorks' Undelete functionality is probably going to be a feature the user will want and use.

did /. just dupe ME?!

[Donniedarkness]

http://slashdot.org/comments.pl?sid=167099&cid=139 32086. Heh...Slashdot duped me, I think.

Re:did /. just dupe ME?!

did /. just dupe ME?!

Depends.. Do you live in Soviet Russia?

Re:did /. just dupe ME?!

[grolschie]

In South Korea, /. only dupes old people

Imagine a beowulf cluster of said old duped South Korean people!

Came up fine for me.

World of Warcraft hackers using Sony BMG rootkit
Published: 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Re:Came up fine for me.

[nofx_3]

It is likely then, that the Warden will simply detect the Sony BMG software and ban all users who have played such copy protected CD's on their machines.

Re:Came up fine for me.

[BillyZ]

That would be the equivilent of arresting you for owning a kitchen knife because someone else used a kitchen nife to murder someone.

as a legit WoW player I'm all for keeping people from hacking and cheating, but blizzard can't hold anyone responsible for the presence of the sony rootkit. they CAN, however, use it as a flag to "monitor" especialy if all of a sudden, there's a lot more accounts showing up with the rootkit processes running.

Re:Came up fine for me.

[God'sDuck]

That would be the equivilent of arresting you for owning a kitchen knife because someone else used a kitchen nife to murder someone.

i'd compare it more closely to barring someone from entering a middle school carrying a kitchen knife. have all the knives you want...just not here.

Re:Came up fine for me.

[HTH+NE1]

detecting it would be a bit troublesome...

Not really. The presence of the rootkit has a measureable effect. They just have to have Warden create a file with a name starting with $sys$ and then test to see if it is still there. If it has disappeared, it has detected the presence of the rootkit.

Re:Came up fine for me.

[a1ok]

Wouldn't that only work if the Sony rootkit was still hiding files using $sys$, and hadn't been hacked to use some other prefix as mentioned in some earlier post?

Re:Came up fine for me.

[yeremein]

Not really. The presence of the rootkit has a measureable effect. They just have to have Warden create a file with a name starting with $sys$ and then test to see if it is still there. If it has disappeared, it has detected the presence of the rootkit.

Yeah, but that doesn't mean the user is cheating. It just means the user bought a Sony/BMG CD.

Re:Came up fine for me.

[iainl]

The presence of ISO-mounting programs like Alcohol 120% don't mean users are pirating either, but that doesn't seem to stop these protection mechanisms from throwing a hissy fit.

Anyway, it doesn't just mean a user bought a Sony/BMG CD, but that they were dumb enough to leave autorun on when they stuck it in the machine, too. Oops.

Re:Came up fine for me.

[HTH+NE1]

That is troublesome. That says you aren't allowed to keep any secrets from Blizzard if they could possibly be related to cheating. It's the old "the innocent have nothing to hide" saw.

I've thought about it more and, technically, removing the Sony rootkit doesn't circumvent a copyright protection device, it just circumvents a detection prevention device for a copyright protection device. They could get hassled over the DMCA, but it wouldn't stick. IANAL.

But what if the rootkit it detects was a government rootkit hiding monitoring software on a terrorism suspect's computer who just happens to also play Blizzard's game? Alerting the user or uninstalling the kit could be a breach of national security. I'd doubt a clause in the EULA banning terrorists from playing the game would satisfy investiagors.

Blizzard is going to have to find a flaw in the kit to penetrate its cloak, but they may have to resort to rootkit tactics themselves to get underneath it.

Warden fix

[n0dalus]

Blizzard just have to write their own code for reading the filesytem/registry and to notice the differences between the raw data and the results from the windows API calls, and Warden can start to check for rootkits.

Re:Warden fix

[ZachPruckowski]

Yeah, but then all they could do without actually changing any settings is determine that you do have a rootkit. And they couldn't ban you for it, because you might be hacked, and it isn't your fault. If they tried to disable it to see what it is hiding, then they are hacking. Although, perversely, they are helping you, it's actually hacking.

AAAHHHH!! Danger! Danger! Daily Irony Limits Exceeded!!

Re:Warden fix

[steve_l]

The problem is, the whole point of a rootkit is kernel-mode code that subverts OS API calls and lies about the results. Even booting to safe mode wont find the sony rootkit (Very naughty that, as it really screws up recovery).

The current best way to find a rootkit is to boot from a CD and scan for them, or just compare disk and registry enumerations made on the 0wned box with the listings that the CD (could be linux) makes. If there is any difference, you have just found a new rootkit.

Maybe the next version of PC games will be bootable CDs with their own linux distros. Of course, then the GPL will require them to release their OS image to make it more hackable.

Re:Warden fix

[n0dalus]

The problem is, the whole point of a rootkit is kernel-mode code that subverts OS API calls and lies about the results.
Actually, most rootkits only hijack the OS API calls that deal with reading files and folders, they don't stop you from reading the raw data on the actual filesystem itself. So if you are reading the data directly from the hard drive, and there is something there that the Windows API isn't reporting, it's a possible rootkit.

Re:Warden fix

[croddy]

should it even matter if it's your fault? if you have a rootkit installed, you are a risk to the in-game economy. and... honestly... if you have a rootkit installed, you're a risk to any network you're on.

the idea that having a kernel rootkit on your system is somehow "okay" either because it's made by Sony, or because you didn't know it was there, or because you're not using it for evil... that's a dangerous security precedent.

blizzard -- like any network administrator worth his salt -- needs to establish a zero-tolerance policy for detectable rootkits. there is NO place in our internet for systems that are compromised at a kernel level, regardless of who's responsible or what their intentions are.

Re:Warden fix

[ZachPruckowski]

I'm saying rootkits = good, I'm saying there is gonna be some majorly piss-off people who get banned because, unbeknownst to them, their computers are zombies. And I meant actual zombies, not just Sony rootkitted. I wouldn't want a rootkit on my network, but I wouldn't want to be Blizzard booting a thousand innocent people.

Not bad,

[Vengeance]

But it would be better if Warden was a product of Sony Online Entertainment, and it was used to protect Star Wars Galaxies. THAT would have made my day.

Re:Not bad,

[Otonotachibana]

Why would they have to protect a game that no one plays?

I pray for the day

[sammy+baby]

I now live in hope for the day that a bunch of the corporations pushing for invasive DRM like Blizzard's Warden and Sony's whatever-it's-called sue each other under the DMCA for circumventing each others technologies, instead of suing us for trying to crawl out from under them.

Re:I pray for the day

[interiot]

Well, once Microsoft's NGSCB ccomes along, games like Warcraft will have two choices:

1. live outside the trusted comping base, and be vulnerable to anybody who manages to crack the NGSCB and run their code in a place that can't be examined by Warcraft, or:
2. convince Microsoft to let WoW cheat-detectors run inside the NGSCB so they can detect everything

First4Internet vs. Warden seems like it's the only possible crazy example of this, but if NGSCB is vulnerable to either crackers or corporate influence, this will only be the beginning.

Re:I pray for the day

[umbrellasd]

Alas, big companies have power and so they try to respect each other and resolve things peacefully (or at least maintain the appearance of this, which usually amounts to the same thing). "You give us $20M and we'll give you $20M worth of advertising through portal XYZ, and then we agree to forget about icky situation ABC." Witness Sun/Microsoft recently. So for big companies in conflict, what you really have is a business opportunity. Whereas when a big company goes after an individual, the company has a tremendous power advantage (if for no other reason than the individual is usually terrified and does not know how to fight back) and the best resolution for them is to suck as much money out of you as you can afford. Hence the reason that the only way to fight back is usually to somehow leverage the media to attract a big enough supporter on your side that it is suddenly in the big company's interest to go into "cooperative and constructive" mode. The evil companies only do what is right when they are forced. For them, "right" is "something that improves my bottom line and that people cannot prevent me from doing".

Comment removed

[account_deleted]

Comment removed based on user account deletion

Time for the whore-off

[Duncan3]

In this corner, the spammers, with thier root for zombies to spam you with...

In this corner, the DRM people, making sure you don't listen to any music you paid for.

And in this corner, the 1337 gamer d00ds, making sure you have to buy it on ebay instead of getting it yourself.

And there is the bell... wait, they don't appear to be fighting... why are they taking off their clothes... what is the Sony guy doing to the spammer... they appear to be... oh my, that's just not right... this fight is called on account of an orgy breaking out...

Meanwhile...

Enjoy the nice cozy comfort of your OSX and Linux boxes :)

I wonder how complete the irony is?

[idontgno]

I don't play Sony's EQ2, but aren't there cheater progs for that? And doesn't EQ2 have memory- and registry-based cheater scans? Wouldn't the tasties irony in the situation be a Sony software product defeating cheat-detection in a Sony game?

Yes, the software industry is the best way of fulfill the Recommended Daily Allowance for irony.

Re:What's the term?

[$RANDOMLUSER]

Democracy. No, wait, that other thing.

Lawsuit anyone?

[Chayak]

I can already see Blizzard taking Sony to court because their rootkit allows people to cheat. Yes it may seem stupid but if you ever look at some court cases a lot of them are very stupid indeed. There's no question that the US legal system is broken and provides just the means to pull off a stunt like this.

Re:Lawsuit anyone?

[RingDev]

Why shouldn't Blizzard be able to sue? If they can show that any player quit because of hackers who managed to cheat because of Sony's DRM they have a pretty good case. Heck, they could even sue for the labor it will take to crack their root kit so they can catch hackers. And they could tack on the cost of a marketing campaign to regain the trust that was lost by the players because of the cheaters. Sony screwed up and someone needs to take them to task. And Blizzard can present a very factual business oriented profit and cost effecting arguement.

-Rick

Re:Lawsuit anyone?

[stlhawkeye]

I can already see Blizzard taking Sony to court because their rootkit allows people to cheat. Yes it may seem stupid but if you ever look at some court cases a lot of them are very stupid indeed. There's no question that the US legal system is broken and provides just the means to pull off a stunt like this.

The legal system is not broken on this level. The courts correctly interpret the laws 99% of the time, and there's an appeals court for when they don't. The problem is that our legislative body passes laws that contradict other laws and it's left up to the courts to figure out which law is going to trump the other in any given situation. It's even more complicated for Fair Use cases because, according to SCOTUS, there can be few or no hard-and-fast rules, and applications of the Fair Use doctrine must be established on a case-by-case basis. This could end up being one of them.

In the long run, the courts get it right most of the time, with rare but much-publicized exceptions that are also later corrected most of the time.

The courts established our Fair Use rights, and then Congress gave us the DMCA. It's a matter of time before a case that involves rich people or corporations causes these two to butt heads, and this could be the lead-up to it. However, do not start thinking that this case has any application to us as far as circumventing the DMCA. Sony will get treated differently than you or I would in court against Blizzard for a DMCA violation in bypassing The Warden.

Sony to Blizzard:

[millennial]

Ha ha!

Re:Cheating?

[KingVance]

civil disobedience is still disobedience

Yeah but...

[Ieshan]

this directly relates to a story that was originally posted under the YRO heading. it makes sense to keep posting information about that story there, because people who read yro.slashdot.org might want to know the latest in the Sony DRM rootkit saga.

Game Cheaters are human beings too!

[xtermin8]

...well, maybe they're not human in the gameworld. ;) WoW uses a rather invasive technique for scanning Gameplayers whether they cheat or not. Sony's DRM scheme also inteferes with the ability for people to make backups of they're own property. In fact, the only interesting thing about this story is these two issues have collided in an unexpected way at a moment in time.

Re:Game Cheaters are human beings too!

[Kredal]

He used "they're" correctly... "Game cheaters are human too, but maybe they are not in the gameworld". See? It's right. Maybe you should learn the difference before you go around correcting other people... especially as an AC.

Re:What's the term?

[Ant2]

Burns Syndrome

(Simpsons reference)

In related news

[$RANDOMLUSER]

Sony's DRM rootkit can be thwarted by not doing business with those evil bastards.

I can't stop laughing

[elrous0]

A piece of evil DRM destroys a piece of evil Spyware. Oh man, that's TOO rich!!!! Talk about poetic justice!

-Eric

Re:I can't stop laughing

[Fishead]

What would be real justice is if WoW packaged a utility in their next update that completely neuters the Sony DRM. I would have to re-install WoW.

Other, similar tactics

[Yoyoson]

Did you know that if you are playing X-Com: UFO Defense while running SETI@home, it speeds up the chances of finding an actual UFO by 0.0005%!?!? ZOMGLOLFTW

Re:Other, similar tactics

[Yoyoson]

Yeah, you're right, the joke sucks, Coward.

Only slightly OT

[Nom+du+Keyboard]

It should be only slightly OT to ask:

1: Why are people celebrating victory because Sony announced they will remove the cloak, they're still leaving all the rest of the crap on your system - including the memory and cpu wasting scan that runs continually, even when you're not playing their DRM infested CD's.

2: Now that the cloak is removed, what was that registry key that keeps track of how many CD's you've burned under their DRM system?

3: Don't you think you're celebrating a bit early since Warden 2.0 should be able to use the same tricks as RootKitRevealer to diagnose your system? And how long will this take to appear?

4: If you detecting and removing this software from your computer violates the DMCA, then the DMCA is so cleary wrong that it should be repealed this afternoon.

5: Profit! Or in other words, who is profiting from this now? I don't see Sony going broke yet.

Re:Only slightly OT

[mpe]

1: Why are people celebrating victory because Sony announced they will remove the cloak, they're still leaving all the rest of the crap on your system - including the memory and cpu wasting scan that runs continually, even when you're not playing their DRM infested CD's.

It probably isn't necessary for their system to install anything anyway. Even removing the hiding the stuff they insert could have other consequences. e.g. what happens if different versions of this software attempt to install on the same machine?

Re:Only slightly OT

[jrockway]

Ever hear of "the sun" or "solar power"?

GLOWING BRIGHTWOOD STAVES FOR ALL

[erik+umenhofer]

booo!
glowing brightwood staves for none!
boooo!
glowing brightwood staves for some, miniature American flags for the others!
YAY!

Applies to other anti-cheat systems?

[DoddyUK]

"Sorry, the database is currently unavailable, please try your request again shortly"

Wow. /.'d within 15 minutes? Now THAT is something.

But yeah, this was pretty much inevitable considering that these are two of the biggest stories of the week. Watcher scans for currently active progams and contents of programs, while the Rootkit hides the said problem. Doesn't take much to figure the link.

I'm wondering now if the same can be applied to other Anti-Cheat systems (VAC and so on). If so, then I believe that Sony may have opened a pandora's box for potential cheaters.

Next fun hack?

[Chordonblue]

Try and get Sony's DRM to interfere with DVD protection. RIAA Vs. MPAA... FIGHT!

Re:Next fun hack?

[harrkev]

What about using Sony's rootkit to hide Alcohol 120%. Does this work?

Re:Next fun hack?

[OverlordQ]

Damn, good idea, get it so Securom wont detect my pira . . . err, legit backup dvd.

Re:Next fun hack?

[nb+caffeine]

Doesnt sony own both record companies AND movie companies? would one division have to sue the other?

Re:Next fun hack?

[Sepper]

Doesnt sony own both record companies AND movie companies? would one division have to sue the other?

To paraphrase Warcraft II:

-Burrp!
-He did it!
-No he did it!

Re:Next fun hack?

[Perky_Goth]

what for? use sf4hide.exe

Re:Next fun hack?

[murfman5000]

This reminds me of something a professor once taught me:

1. Someone creates a problem
2. Someone else finds a way to make the problem affect the creator (tie the problem to the creator)
3. The problem resolves itself
4. PROFIT!!!!

(sorry, made that last one up)

Re:Next fun hack?

Confirmed as YES.

I have now used that wonderful rootkit to hide alcohol, deamon tools *AND* my antivirus program.

Think about it for a minute - I am hiding MY AV program.

Now, any malware that purposely hunts out to shutdown av programs before they propogate will not function. :)

The only thing that has NOT been succesfully hidden in my few tests so far is anything from Zonelabs. (ZoneAlarm, Integrity, etc)

It's like Godzilla versus Mothra!

[Dark+Paladin]

Or, King Kong versus Godzilla - two gigantic forces of destruction battling it out!

I'm going to pop some corn and watch the sparks fly.

Sony products

[msbsod]

Is there a list of all SONY CD's and DVD's online? I really do not want to buy SONY products anymore, but it is a bit difficult to find out which CD's and DVD's are made or distributed by SONY. Any URL?

One theory.

[KitesWorld]

One theory is that this is included on a mass-production CD. Most people are non-technical and wouldn't know what is on their system (until it crashes at any rate), which means that Blizzard couldn't try to ban people for having this particular rootkit on their system, which makes it insanely difficult to retain the integrety of their environment.

Worse still are the other potential applications of this. It wouldn't suprise me if malware vendors are already using this to try to hide their newest crapware, and when the inevitable Virii start moving in, there is going to be a seeeeerious problem.

Profit line

[Nom+du+Keyboard]

1: Install WoW.
2: Install Sony Music CD.
3: Install Cheat Hacks.
4: Win at WoW.
5: Profit!
6: Discover that Sony RookKit drops frame rate to unacceptable levels.
7: Buy new AMD64 gaming system.
8: Discover that game gold no good in the real world.
9: Profit^-1.

Re:Profit line

you can sell Game Gold on eBay. There is an entire industry based on workers in lower income base countries playing these games, and selling the online currency online. In the US, selling this currency might make $40/day, but in other countries, $40/day is a good days' work.

Re:Profit line

[CrazyJim1]

40$ a day is a good alternative to a job at Walmart or Mcdonalds.

What really is scary...

[Skiron]

..for all windows users, ~and I am a bit surprised no blog or tech site picked this up~, is what the hell is it with windows and the way a piece of code can 'hook' into a kernel call and redirect it - and it's all HIDDEN - I mean, what the hell is a sysadmin supposed to do now?

What the hell else is there, running *unknown*.

MS, through their obsession with hidden controls, little or no documentation, a nubilious registry system (what DO all those entries do?) and total disregard to people that buy it, it's a sure eyeopener for all concerned - and windows users should be.

Thanks to Mark Russinovich for this - and if HE struggles to find/remove this type of delibrate (by MS) obscuration to an operating system, what hope does all the mortal 'Harry homeowners' have?

Re:What really is scary...

[sqlrob]

It's not unique to Windows, you can do exactly the same thing in *nix (hence the need for ckrootkit)

Re:What really is scary...

[Skiron]

By running a CD and clicking [OK]? I think not - *nix rootkits need a bit more work - plus *nix rootkits actually change system binaries (ps, free, top etc. etc.) an good ones alter history logs etc. With windows, no need, the OS hides it all for you if you know MS internals.

Re:What really is scary...

[sqlrob]

And you can do *exactly* the same thing with a loadable kernel module. That's basically what the Sony rootkit is. If you know the internals and get root, you can make almost any OS vulnerable.

Now, it is easier to install on Windows, but that's because most people run as root equivalent. A default "make install" could very easily install a rootkit, installing with modprobe then. How hard is that? That's not much more work on the part of the cracker.

Re:What really is scary...

[Guysmiley777]

Ummm, rootkits are OLD news. Scary, yes. New, no. Hell, Leo Laporte brought a guest on the Screen Savers (waaay back when it was TSS and he was on it) to demo a rootkit live. And he basically said the same thing you did. "What the heck are we going to do now?".

What you can do is have a tool that records what the OS tells you about your file system, then boot using something other than your OS and see if your OS is 'lying' to you, in layman's terms.

Re:This Rootkit Not Affecting Mac

[sqlrob]

So, if the disk could root intel Macs, it should have no problem doing so on Intel Linux then, right?

Serendipity

[Billosaur]

Like the proverbial irresistable force meeting the immoveable object.

Blizzard make spyware-thats-not-really-spyware, just to make sure no one's cheating (or perchance playing some other game).

Along comes Sony, trying desparately to keep people from listening to free music whilst ensuring that they can't listen to the music they paid for when they want and how they want.

And so these titans collide, as one's software can be used to bollix up the other's. Will there be lawsuits? Of course! And in the end, both companies will merge, combine their forces, and attack Google. This is so reminiscent of 1930s Germany. Please, let us annex the Sudetenland... we won't cause any trouble...

This whole rootkit business leads one to wonder

[Nom+du+Keyboard]

This whole rootkit business leads one to wonder what happens if you play the Sony CD in an instance of a Virtual Machine (ala VMware). Does it only root the virtual machine? Can you burn endless CD's, 3 at a time? Since Sonly has clearly granted you a licence to burn the number of CD's permitted by the DRM, can you now put them out of business selling yours on the street? Inquiring minds blah blah blah...

And speaking of WoW, you mean there is no game hack that changes it's name each instance so that The Warden will never have it in its signature file?

Re:This whole rootkit business leads one to wonder

[karnal]

Actually, from what I've seen on the Our Lady Peace CD is that you "DECLINE" their EULA and the OS spits out the disc.

Wow, that's hard to get around.

Once you turn off "Autorun", it's just another quick step with EAC to do a rip and convert to any format you want... I had thought of using my laptop to actually install their DRM to see what kind of crappy quality they had the tracks at, but I'm glad I didn't do that after reading yesterday's article.

Anyways, I'm sure the "other" OS I run isn't affected by this attempt to put shit on my computer that I really don't need....

Re:This whole rootkit business leads one to wonder

[DeeKayWon]

Actually, from what I've seen on the Our Lady Peace CD is that you "DECLINE" their EULA and the OS spits out the disc.

Wow, that's hard to get around.

If you do that, the anti-ripping garbage gets installed anyway. The reasoning is that one could rip the CD while the "Do You Accept?" dialog is on-screen, then click No once that's done.

Re:Let's bash Sony - do you want fries with that?

[Nom+du+Keyboard]

OK, so I understand that Sony did a bad thing with the rootkit. But I don't immediately understand the link to Blizzard. Surely there are other "rootkits" around (think Hacker Defender)

Well, for one thing the Sony CD is a lot cheaper than HD-Gold - and you get music along with it.

Sweet, sweet irony

[volpone]

Really, the irony is so richly satisfying.

My only question is, where's the Monty Python foot that belongs next to this article?

Can You See Me?

[$sys$SomeWOWHacker]

f*ck. Back to the drawing board. :(

Sony : Tylenol or FPU

[dmh20002]

Sony should take a page from the Johnson and Johnson book. When the Tylenol poisonings happened, J&J took aggressive action to limit the damage and help the people concerned. They pulled the product off the shelves at a huge financial hit. They turned around a potential PR nightmare by doing the right thing (and the tragedy wasn't even their fault)

Instead, Sony is using the Intel Floating Point strategy of obfuscation, excuses, hard line statements etc.

From BBC News:

"A spokesman for Sony BMG said the licence agreement was explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.

Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG which gives consumers advice about how to remove the software.

Getting the software removed involves filling in a form on the Sony website, visiting a unique URL and agreeing to have another program downloaded on to a user's PC that then does the uninstallation. "

Re:Sony : Tylenol or FPU

[HavokDevNull]

You forgot to mention that you have to use IE in order to do the uninstall because it uses ActiveX ;)

Re:Sony : Tylenol or FPU

[skribble]

Sony should take a page from the Johnson and Johnson book. When the Tylenol poisonings happened, J&J took aggressive action to limit the damage and help the people concerned.

lol... Yea, the only problem is that J&J is a traditional American "Family" business (Where in fact the "family" still owns quite a bit of the company and runs it as well) culturally the name and the quality it represents means more then a short term loss. Culturally Japanese companies would never do this, they never admit they are wrong... ever, it would be a huge embarrassment and massive dishonor and more importantly a sign of weakness which other japanese companies would jump all over and it's more important to them to be big strong and correct then whatever fallout this "little misunderstanding" may cause.

Re:Sony : Tylenol or FPU

[arakon]

Shouldn't be a problem since you have to have "Windows" to get the rootkit installed anyway. So unless you've done some serious hacking... you have Internet Explorer, even if it is not your default browser. Remember that little anti-trust suit?

Mentioning the "Evil" Empire's ActiveX abomination doesn't always get you positive Karma on slashdot. And seeing how this problem only plagues windows machines, I find it oddly appropriate/ironic that a windows IE only webpage fixes it.

Re:Sony : Tylenol or FPU

[HavokDevNull]

I have had Excellent Karma on slashdot for years now and don't really care about it, but I oddly find it frightenly/ironic that a windows IE only webpage fixes it, considering you have to turn on ActiveX by default now.

Re:Sony : Tylenol or FPU

[HavokDevNull]

And what are your thoughts on "Evil Empire's" ActiveX now? http://blogs.washingtonpost.com/securityfix/2005/1 1/sony_uninstall_.html

Re:Sony : Tylenol or FPU

[arakon]

Never said I had a good opinion of it in the first place. The comment was more along the lines of, blind leading the blind, etc.

Only time i ever even boot windows is to play games. I sure as hell don't browse the web with it. That would be like having sex with a million 2-dollar whores with no protection. You're bound to catch something.

Re:Sony : Tylenol or FPU

[HavokDevNull]

"Only time i ever even boot windows is to play games. I sure as hell don't browse the web with it. That would be like having sex with a million 2-dollar whores with no protection. You're bound to catch something."

LOL Amen

You can't top the best

[Moo+Moo+Cow+of+Death]

I don't play WoW anymore OR use Sony's rootkit.

I'm just crazy like that.

poker sites

[Main+Gauche]

"Online poker gaming sites rely on being able to look at a user's running processes in order to detect bots."

Not necessarily bots specifically; but more importantly, poker sites do monitor processes to prevent some kinds of cheating. Check out #7 in Party's terms and conditions. Common wisdom is that Party does screen scrapes at least, but I do not know what else they do, or how they act on it. In particular I do not know that they use the same methods as relate to the Sony issue.

Two Great Tastes!

[blueZhift]

This reminds me of the old Reeses commercials...

Sony: Hey! Your spyware's in my rootkit!

Blizzard: Your rootkit's in my spyware!

User (taking a bite): Mmmm, now that's good computing! So liberating...

Announcer Don Pardo: Two great tastes that go together.

This is silly

[Locke2005]

Much as I detest the Sony DRM, this is not a valid criticism of it. Anybody wanting to implement cheats will just use the same method as the Sony DRM directly to hide the cheats, not rely on the Sony DRM having been installed first! This is a flaw in Warden that is independent of the fact that the Sony DRM is a bad thing. It also points out the flaw in the anti-cheat arms race -- since you don't own your customer's machines, any anti-cheating technology you deploy can be quickly circumvented by determined individuals.

Re:This is silly

[MagicMerlin]

wrong. the issue here is that for a 'underground hacker' rootkit, if bllzzard finds a way to detect the rootkit, they can safely ban that account. Fear of banning is a pretty good deterrent for hackers. On the other hand, bliz can't very well ban you for running sony's drm now, can they?

Merlin

Re:This is silly

[LocalH]

Why not? If Sony's DRM is being used to aid in the use of unauthorized hacks, then why couldn't they ban you? It's their network, and they have the legal right to ban you if they just plain don't like you, much less for something like this that can effectively ruin the game.

Re:This is silly

[westneat]

The difference between Sony DRM and a regular rootkit is no one wants to run a spam bot, but a lot of people actually want to listen to Sony music.

Re:This is silly

[DanTheLewis]

If Sony's DRM is being used to aid in the use of unauthorized hacks, then why couldn't they ban you?

Sigh. Of course they can ban you, but the question is whether or not they should. Your solution to Blizzard's solution to their user verification problem is "presumption of guilt" for Blizzard's users. The reason they wrote Warden in the first place, the point of all that process hashing and window-bar-title reading was to find cheaters quietly without interfering with legitimate paying customers. Now that Warden is broken, they're going to start banning people that have run Sony CDs in their drives? Please. That would cause even more false positives than before, drawing so many more legitimate customers into the net (and costing Blizzard valuable subscriptions).

They have the legal right to ban you if they just plain don't like you, much less for something like this that can effectively ruin the game.

Something like what? Playing System of a Down CDs? Backing up your Switchfoot album? There's no easy way now to separate the innocent from the guilty. Blizzard is screwed.

That's the beauty of it.

[$sys$SomeWOWHacker]

It's too damned hard for a non-technical person to remove on their own, and it's going to re-install itself everytime they try to listen to their music. As a result, It's going to seriously peeve people off if they try that.

Then there's the small matter of re-writing the Warden so it can actually SEE the $sys$DRM files in the first place - not quite so trivial.

Re:That's the beauty of it.

[skribble]

As a result, It's going to seriously peeve people off if they try that.

The question is who are the people going to be peeved at? In this case Blizzard could (rightfully so IMO) blame this on Sony. That is if what you are saying was valid... more likely the "non-technical" person wouldn't be going out of there way this much to cheat on WoW without knowing the risks (and if they are then I would hope they did get peeved... don't really want them playing WoW anyway)

Re:That's the beauty of it.

[mpe]

Then there's the small matter of re-writing the Warden so it can actually SEE the $sys$DRM files in the first place - not quite so trivial.

But probably quite trivial to change what the "magic" hidden prefix is.

Re:That's the beauty of it.

[Knetzar]

Blizzard could, and I hope they do, re-write warden to detect the rootkit, and then if it's installed let the user know that sony installed a virus on their machine and that it needs to be removed to play WoW.

Re:That's the beauty of it.

[jrockway]

And what the cheaters could do is modify their rootkit to detect the detection of their rootkit, and act accordingly. You can't stop the user from running code on his machine... he can execute what he wants, when he want, and for any reason he wants. That's how computers work.

Re:That's the beauty of it.

[Knetzar]

Yeah, but Sony Online Entertainment is a competetor of Blizzard, it would be a PR issue.

Re:That's the beauty of it.

[KDR_11k]

The Warden would need to check for any files the API hides like rootkit scanners do then warn the user that he's infected. That would trick the DRMrootkit and any other "hide my processes" tricks a dedicated cheater could use.

Mixed moral messages

[triskaidekaphile]

So two wrongs really DO make a right!

Re:Oblig. Simpsons

[malsdavis]

Thats hilarious, almost wet myself!

Any info on what episode it came from? and more importantly is there a sound clip of it on the web?

Re:This isn't as good as it seems

[flyonthewall]

The Warden looks at window titles and such. The rootkit just hides filenames and registry keys. I'm not quite sure how this would be effective. Afterall, you can easily hide a cheat by not telling WoW about it!

List fo windows titles and such which it gets from the process list. Now, if said process are hidden for it...

This demonstrates ....

[gstoddart]

This demonstates how it will never work in the long-run for every manufacturer to be installing stuff on your PC to make sure you play by their rules.

Before long, if you get 10 or 15 different toolkits which all try to change your system behaviour to ensure no cheating/copying/peeking is taking place, then absolutely NOTHING will keep working.

An arms race of installed crap to keep you honest will just leave everyone with busted machines.

Cheers

Re:This demonstrates ....

[mpe]

Before long, if you get 10 or 15 different toolkits which all try to change your system behaviour to ensure no cheating/copying/peeking is taking place, then absolutely NOTHING will keep working.

Or someone will come out with an "anti-junkware" program which will attempt to keep all these in their own virtual environment :)

Hey Sony

[British]

Hey sony..

c:\My Wallet>Ren Disposableincome.$$$ $sys$Disposableincome.$$$

(ie I ain't buying your CDs with that kind of attitude)

Wanted: Bootable Rootkit Detectors

[davidwr]

We already have bootable CDs for anti-virus, they can easily be modified to do static rootkit detection.

A bit harder but doable is booting a CD that loads a hypervisor which in turn loads the real OS in a virtual environment. The hard parts here are that the virtual environment will have to be seen as identical to the original environment or device drivers and such won't work right, AND that a smart rootkit might detect a slowdown or otherwise realize it's not in the same environment it was when it was installed, at which point it can go to sleep to avoid detection. I'm not claiming this is EASY far from it and the performance hit would be very high if every line of code was examined as it was running, but it is doable in principle.

The real answer is OSes that alert the user before loading any ring-zero code that isn't digitally signed by the OS vendor.

link please

[AnonymousBystander]

so, anyone willing to share a bit of their rootkit?
I want the rootkit but having to buy a protected CD just for the rootkit is too much =(

by the way, wouldn't it be legal to redistribute the rootkit by itself?
Since I don't think it is in the EULA ...

Why should I bother with McAfee?

[lorcha]

I don't need no stinking McAfee... I can just let the various malware programs duke it out amongst themselves.

Also a learning experience.

[Ungrounded+Lightning]

Also: Any new rootkit-writer wannabe can buy a sample rootkit object for the price of a CD, to disassemble and study, while leaving no traces whatsoever (beyond a cash music purchase like a few million other peoples'). Meanwhile the black hat old hands are already all over it, checking for any improvements they can port to their own stuff.

The guy who discovered it and cracked it had a few things to say about some minor flaws. But it's a professionally developed and pretty well-debugged and robust rootkit nontheless. (Note that was "in the wild" for several months before said security expert happened to notice the traces - while working on a tool designed to detect and identify exactly such software.)

Once they crack it they can take his criticisms as bug reports - of things to fix when they do their own version.

OK, black hats: Time to say "7|-|4nx u 50|\|33"

Misunderstood a point.

[KitesWorld]

Sorry, the gimmick AC was mine. Keeping hold of it for the inevitable followup to this thread. Anyway. " more likely the "non-technical" person wouldn't be going out of there way this much to cheat on WoW without knowing the risks " - Missed what I was saying. What I meant was that normal, Non-tech users (IE, 95%+ of PC users) wouldn't realise what the kit was or what it was doing. The WOW cheats could then masquerade as innocent non-tech users and there would be no easy way to seperate the two - So do you start banning the regular users, or let the hackers get away with it? Either way, you are going to end driving your own customers away. This is a lose-lose for Blizzard, and the cheats know it. Worse still, this same argument can be applied to ANY videogame with active cheat detection/prevention that uses standard windows calls to the filesystem.

Rootkits can 0wn the drive too you know

[davidwr]

I don't know if it's been done or not but rootkits can 0wn the drive and have it lie to you, much like the firmware already lies to you when there's a bad block it's remapped.

Funny, really....

[kwieland+in+stl]

Lets see, the sony article was just yesterday, and since we all know that the warden takes three-four days before closing an account.

Ha Ha Ha Ha! Sunday will be a bad day for a lot of people! Perhaps Cmdr TACO does have a sense of humor.

Ignore Other post - formatting.

[KitesWorld]

Sorry, the gimmick AC was mine. Keeping hold of it for the inevitable followup to this thread. And I ballsed up with the defaults. *shakes fist*

Anyway.

" more likely the "non-technical" person wouldn't be going out of there way this much to cheat on WoW without knowing the risks "
  - Missed what I was saying. What I meant was that normal, Non-tech users (IE, 95%+ of PC users) wouldn't realise what the kit was or what it was doing. The WOW cheats could then masquerade as innocent non-tech users and there would be no easy way to seperate the two - So do you start banning the regular users, or let the hackers get away with it?

Either way, you are going to end driving your own customers away.

  This is a lose-lose for Blizzard, and the cheats know it. Worse still, this same argument can be applied to ANY videogame with active cheat detection/prevention that uses standard windows calls to the filesystem, so the implications are pretty bad.

I think I'll use this to pirate Sony Software

[popo]

Thanks Sony. I've been looking for a way to steal SoundForge, ACID and a bunch of other Sony software toys. Now I'll just rip a bunch of ISO's, use Alcohol 120% to create virtual CD drives, and now... {drumroll please} I'll hide the A120% runtime by renaming the executable $sys$*

Now how's that for Irony? Sony's DRM trojan...used to defeat Sony's other CD copy protection...

Party on!

Sony Wins

[NullProg]

http://www.googlefight.com/index.php?lang=en_GB&wo rd1=Sony&word2=Blizzard

Enjoy.

At least in Linux you can disable it

[davidwr]

In Linux you can disable the ability to load kernel modules at compile time. I'm not sure but I think there's experimental code to allow you to load kernel modules UNTIL a certain call is made then never again after that. For all I know that code might even be in the kernel.

Can we use this to cheat on Everquest 2?

[__aazuyo6398]

Not that I play that game, but I'd REALLY laugh if people started cheating at EQ2 with sony's own crap rootkit!

Who's gonna make sure they play nice?

[boltaron_bill]

I am just wondering what will happen when let say geffen creates their own copy protection and it works a lot like sony's only if you have sony's installed it kills your computer? Like any of the big record companies are going to show each other how their copy protection works to keep this from happening. This is bound to be an issue in the future if they go on an allow these companies to create this software and install it without your consent.

I NAME THEE...

[macshune]

mootkit.

noun: software program that interferes with another software program's attempt to interfere with the actions of a given user.
symnonyms: see windows, et al

All it would take...

[TheZorch]

There is a way to stamp out DRM technology like Warden and Sony's DRM. All it would take is a high profile court case, of course the judge would have to make the ruling that DRM software and how it works is the same as illegal wiretaping and criminal invasion of privacy. DRM would be illegal at that point and the companies would be forced to come up with a way to remove the software. Or... You we should all write our Congressmen and ask that they support a bill that makes intrusive software (trojans, worms, DRM, etc.) illegal. Corporations should NEVER EVER be given the kind of power DRM gives them now. It shifts the balance of power away from the consumer where it is supposed to be in a Democratic Society. DRM should be classified in the same category as viruses. This is just wishful thinking. I'm considering a letter to the American Civil Liberties Union about this. All it takes is one man to change the world. :-)

Re:This Rootkit Not Affecting Mac

[706GL]

It was a joke...
And everyone keeps saying how Intel chips will open up Macs to a bunch of new software and better Windows emulators.

WTS [Dwarven Hand Cannon] x 15 PST

[CharAznable]

Yeah, I just bought a Sony CD!

"rootkit"? on XP? lol.

[Wakko+Warner]

Can we stop conflating a worm that runs on Windows with a "rootkit"?

Re:"rootkit"? on XP? lol.

[AndroidCat]

It's certainly more of a rootkit than it is a worm.

Re:"rootkit"? on XP? lol.

[a24061]

But "administratorkit" is harder to say!

This is the Future of Trusted Computing

[darkonc]

Trusted computing means that other companies (e.g. Sony) can trust your computer to do what they want it to do -- whether you're happy with that idea or not.

Sony just jumped the gun. They weren't willing to wait until Microsoft put a formal system for this kind of bullshit to take place. The only difference between this and 'trusted' computing is that there's no formalized mechanism in place .... yet.

Or how about...

[Mashdar]

... running WoW with Wine? Wouldn't the Warden be checking the processes run by Wine, and not find macros etc running in your standard linux environment?

Then you wouldn't have to sell your soul to Sony.

Good, Bad... I'm the one with the GUN

[Mustang+Matt]

Citation: Army of Darkness

Two wrongs...

[RoffleTheWaffle]

Don't usually make a right. This is just too funny to be wrong, though. Invasive anti-cheat software + Invasive and secretive copy-protection software = OMGH4X This is going to be good. Good as in hilarious. I just know it.

What goes around comes around

[narfbot]

Second, as it is installed it in no way would assist in cheating in WoW. A third party can take advantage of what it does do. In other words Sony is not shipping this DRM software with the primary intent to enable cheating in WoW.

While we are talking about blizzard, lets go back to similar incident in blizzard's past. Bnetd, as written, did not support the Warcraft III beta. The authors of bnetd did not want to support the beta and the intent of bnetd was not to support pirating. Some third party (warforge) took the bnetd source, extended for the Warcraft III beta, and it enabled playing of the pirate copy of the beta that was going around. By your logic, the third party that enabled Sony's rootkit to be used to hide the cheats should be sued. By blizzard's logic, bnetd was sued, not the warforge people. Blizzard sued the people who created the original tool that had no bad intentions. If blizzard sticks to their priniciples, they will sue Sony.

But I don't believe blizzard has any morals in regard to their decision to sue bnetd, therefore, they won't sue Sony. And the cheating and pirating continues...

NES Multitap

[hackwrench]

Plus the NES had multitap! http://www.google.com/search?q=nes+multitap

The real problem

[SoSueMe]

Ahhh... no therin lies the real problem.
A call to arms of the polititions to protect us from the corporations.
This is wrong for two reasons:

1. The polititions are beholden to the corporations after large amounts of funding and "lobbying" by the industry associations.
2. You should be protesting with your freakin' wallet and not relying on your congress-critter to "protect you. You have a choice as to whether you "grow a set" or not.

Re:Rootkit = new buzzword?

[jrockway]

Excuse me? It is indeed a fucking rootkit. A rootkit is a program that hooks OS calls so that their behavior is "wrong" in some way. In this case, it hides files. That is, objects physically on the filesystem are no longer visible, thanks to this rootkit's intervention. That's a classic example of a rootkit. (Actually the classic example is hiding processes, and ... this rootkit does that.)

Even better

[geekoid]

Imagine being in a country where the average income is 250 dollars a month.
Now you can make 500 dollars a week sitting at a computer. Now your 'rich'.

And Here is Where Blizzard/Sony Are Equally #$%#&a

[patio11]

So even if they do that, as soon as Blizzard gets their hands on it, they could just add it's signature to the definition.

Yep, and then they condemn their customer support to the fifth circle of CS hell, because Warden is going to immediately start banning thousands of innocent users who have done nothing wrong except run a Sony DRM-protected CD in their computer at some point, ever, and now the included rootkit makes WoW think they are trying to pull a fast one. That generates one account banning, and the world's worst CS situtation -- your temporary worker can't even *understand* the issue that is behind the company policy so he can only follow it to the letter, and if Warden says you're guilty then you're guilty. Remember, WoW has over *one million* US subscribers. The intersection between those one million subscribers and high-selling music is really, really bloody large.

cedega

[Maglos]

I dont know for sure, but id say warden aint got shit on my linux box, if i wanted two right a hack for wow, im sure i could.

Prior Art

[AndroidCat]

Of the news right here

Here's the patch

[grolschie]

but to you trust it?
http://updates.xcp-aurora.com/

Cool

[Flambergius]

Oh, how does this strenghten my believe in the human kind.

Which might be somewhat disturbing in itself ...

I meant 0wn the drives on a live system

[davidwr]

Faking out a non-live system is practically impossible, for the very reasons you cited.

Some live-system rootkit detectors work by comparing the OSes memory structures with what they should be based on a direct read of the disk at the time. I think this works for most or all known rootkits but it may not in the future.