Slashdot Mirror

← Back to Stories (view on slashdot.org)

BioShock Installs a Rootkit

Posted by kdawson on from the drm-even-in-the-demo dept.

An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"

8 of 529 comments (clear)

  1. Not QUITE a rootkit by Robotech_Master · · Score: 5, Informative

    If you RTFA, or specifically its comments, you find that it's not technically a rootkit that it installs, it's just a registry directory that contains a * and so a rootkit detector tags it. It's just a very hard to remove registry directory, and not necessarily an actual rootkit qua rootkit.

    --
    Editor Emeritus and Senior Writer, TeleRead.org
  2. Re:Yet another game by sodul · · Score: 5, Informative

    So does that mean I'll have to get the cracked version from BittTorrent in order to NOT infect my machine ?

    It is very sad that the underground world is nicer than the official one. It's Demolition Man all over again.

  3. It's not a rootkit... by g051051 · · Score: 5, Informative

    The article author seemed to base his conclusion on the fact that the SecureROM software installs a registry key that can't be deleted by normal means. This pops up on the Microsoft Rootkit Revealer (since that's a technique used by rootkits as well.) That's like saying that because rootkits use Windows APIs, any program that uses a Windows API is a rootkit.

    As for why it's in the demo, modern copy protection is embedded throughout games. It's too difficult to remove the protection just for a demo that contains so much of the full game engine.

  4. Not a rootkit by Torodung · · Score: 5, Informative

    The reason for the !CAUTION! key is to keep an ignorant user from wiping out his key tokens in the SecuROM subkey. That's why there's an "!" at the beginning; it sorts first in the subkey. So if a user stupidly tries to delete the entire SecuROM key (not realizing that it's his DRM) while his game is installed, or even after he's uninstalled, the first attempted deleted subkey will be the !CAUTION! key and Windows will abort.

    Thus it is a poor way to keep stupid users from trashing their DRM, not a rootkit.

    The reason it shows up in "Rootkit Revealer" is because true rootkits use the embedded null tactic to keep users from deleting keys registering malware dll's, startup settings, etc. That way, the user has no way to deregister the malware or stop its launch.

    However, the Rootkit Revealer does not simply point out rootkits. It's not that simple. RR points out suspicious methods and/or hidden files, and requires the user to analyze whether those methods and files indicate an actual piece of malware.

    Clearly, a key that simply warns you not to delete other keys is not malware.

    It is annoying, however, and the only way to get rid of a key with embedded nulls is with DelRegNull. I didn't like that one bit.

    My key was added with the install of Neverwinter Nights 2, however, which also uses SecuROM. This key has been around for a while, folks. Someone is crying "rootkit," when really all it is is a sloppy hack to keep users from eliminating their SecuROM keys.

    What's really annoying about this method is that the malformed key is not removed when you uninstall the software that requires it. SecuROM also drops a few malformed files in the directory %userprofile%\Application Data\SecuROM\UserData. They won't delete either, because they are key files which the folks at Sony have deemed MUST NEVER be deleted. Great. The only way I could manage to clean out those was by mounting the partition with NTFS-3g and issuing an rm *.*. Otherwise, another hack keeps Windows from moving the key files, probably because if you could copy them, you could run a game on any machine with the keys.

    This is definitely more arrogance, and completely annoying, but certainly not a rootkit. I would love to hear what the suits at Sony have to say about their crapware. I expect nothing less than a true SecuROM removal kit, since it doesn't get removed on uninstall.

    --
    Toro

  5. Re:Yet another game by stg · · Score: 5, Informative

    AFAIK, the Steam version really comes with Securom. I bought and pre-loaded it as a pre-release, and after the regular Steam decryption (and also regular re-downloading of content - EVERY single game I pre-loaded through Steam always had to download more stuff on release!), it needs to activate. The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.

    BTW, the graphics are very impressive and the atmosphere too, but from the first few levels it seemed good but not all that revolutionary as I kept hearing it was...

    As others mention and the FA clearly says, it's not a rootkit, just a regular service. This is a case where I wouldn't mind someone being sued for libel - they really deserve it.

  6. Re:Shame on /. for linking to this by c0d3g33k · · Score: 5, Informative

    I've been following this matter on the web since the Bioshock release and monitoring Slashdot's Firehose as the story submissions popped in. This particular story submission was one of the worst of the bunch. There are genuine issues with Bioshock's DRM decision to use Securom which will unfortunately be dismissed due to the poor choice of article. Whether or not this is a rootkit, the fact that the game won't run unless a user completely disables or uninstalls legitimate utilities such as antivirus programs or process monitors is enough to make a security conscious user worry.

    References:

    http://consumerist.com/consumer/punishing--the-one s-that-don.t-steal/bioshock-comes-with-nasty-drm-t hat-sets-off-anti+virus-software-ruins-everyones-d ay-292841.php
    http://forum.sysinternals.com/forum_posts.asp?TID= 11000

  7. Re:But why do they need to install spyware/rootkit by Anonymous Coward · · Score: 5, Informative

    Turns out, there is no Rootkit after all. Trash the article, update, whatever, but this is FUD and I smell lawsuit.

  8. Re:Demos and protection by CryoPenguin · · Score: 5, Informative

    I haven't ever tried to crack copy protection by inserting code from a demo, but I have cracked copy protection without it, and from that experience I don't think having an unprotected demo would help.

    Once you get to the point where you can modify the exe, the hard part of the crack is over. Whatever the protection checks, whether it's some data on the CD or a registry key or some more complex signature of your machine, it's just a branch instruction somewhere and can be NOPed out. Finding the branch is easy too, since you can just run the game with and without whatever it checks for, and see where the execution paths diverge.
    The (marginally) effective part of a copy protection scheme like SecuROM is use of encryption, compression, and self-modifying code, which make it hard to examine or modify the exe. If you have an unprotected demo exe and a protected retail exe, you can't even compare them until after breaking the protection.

    Sure there's the extreme case where the demo and the final version are exactly the same code and differ only in data files, then dropping the whole demo exe into the retail installation would crack it. But as the sibling posters explained, that's rare.