BioShock Installs a Rootkit
An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"
The author even admits that he's just trying to get search engine traffic in the comments. It uses SecureROM, which regardless of your feelings on it, is mis-detected by Microsoft's Rootkit detection program. He even says in the main article it's not malware.
If you RTFA, or specifically its comments, you find that it's not technically a rootkit that it installs, it's just a registry directory that contains a * and so a rootkit detector tags it. It's just a very hard to remove registry directory, and not necessarily an actual rootkit qua rootkit.
Editor Emeritus and Senior Writer, TeleRead.org
So does that mean I'll have to get the cracked version from BitTorrent in order to NOT infect my machine?
It is very sad that the underground world is nicer than the official one. It's Demolition Man all over again.
The article author seemed to base his conclusion on the fact that the SecureROM software installs a registry key that can't be deleted by normal means. This pops up on the Microsoft Rootkit Revealer (since that's a technique used by rootkits as well.) That's like saying that because rootkits use Windows APIs, any program that uses a Windows API is a rootkit.
As for why it's in the demo, modern copy protection is embedded throughout games. It's too difficult to remove the protection just for a demo that contains so much of the full game engine.
Okay, I was getting myself good and riled up over this piece of news. I was even ready to return the game first thing tomorrow despite it being a lot of fun. Then I did the unthinkable - I RTFA.
Seems this is a big load of nothing. SecureROM installs a service to let those running without admin privileges run the SecureROM stuff. This is kinda bittersweet - yes, SecureROM is bad etc but running as a restricted user is good. This is assuming you trust SecureROM's website which says (from TFA):
SecuROM(TM) will install a Windows(TM) service module called "User Access Service" (UAService) on your system. This is a standard interface commonly used by several other applications as well. It is no spyware or rootkit at all. This module has been developed to enable users without Windows(TM) administrator rights the ability to access all SecuROM(TM) features. Please be assured that this service is installed only for security and convenience purposes. Since it is a standard Windows(TM) service, you can stop and delete this service, like any other Windows(TM) service. If deleted, the access for non-administrator users to SecuROM(TM) protected applications will be affected.

As opposed to TFA, which makes it sound like something sinister. However, I don't trust GamingBOB due to his own admission:

Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google.

I would add my own emphasis, but I don't think it needs it. Someone finds out a service is installed along with a game and demo and calls it a rootkit to gain traffic / links / ad revenue. Slashdot should not link to crap like this. It would be newsworthy if it were true: I think many people here - myself included - would return the game if it had a true rootkit installed along with it. But this...? I don't see the issue here.
If all you have is a grenade, pretty soon every problem looks like a foxhole -- MightyYar
The reason for the !CAUTION! key is to keep an ignorant user from wiping out his key tokens in the SecuROM subkey. That's why there's an "!" at the beginning; it sorts first in the subkey. So if a user stupidly tries to delete the entire SecuROM key (not realizing that it's his DRM) while his game is installed, or even after he's uninstalled, the first subkey it attempts to delete will be the !CAUTION! key and Windows will abort.
Thus it is a poor way to keep stupid users from trashing their DRM, not a rootkit.
The reason it shows up in "Rootkit Revealer" is because true rootkits use the embedded null tactic to keep users from deleting keys registering malware dll's, startup settings, etc. That way, the user has no way to deregister the malware or stop its launch.
However, the Rootkit Revealer does not simply point out rootkits. It's not that simple. RR points out suspicious methods and/or hidden files, and requires the user to analyze whether those methods and files indicate an actual piece of malware.
Clearly, a key that simply warns you not to delete other keys is not malware.
It is annoying, however, and the only way to get rid of a key with embedded nulls is with DelRegNull. I didn't like that one bit.
My key was added with the install of Neverwinter Nights 2, however, which also uses SecuROM. This key has been around for a while, folks. Someone is crying "rootkit," when really all it is is a sloppy hack to keep users from eliminating their SecuROM keys.
What's really annoying about this method is that the malformed key is not removed when you uninstall the software that requires it. SecuROM also drops a few malformed files in the directory %userprofile%\Application Data\SecuROM\UserData. They won't delete either, because they are key files which the folks at Sony have deemed MUST NEVER be deleted. Great. The only way I could manage to clean out those was by mounting the partition with NTFS-3g and issuing an rm *.*. Otherwise, another hack keeps Windows from moving the key files, probably because if you could copy them, you could run a game on any machine with the keys.
This is definitely more arrogance, and completely annoying, but certainly not a rootkit. I would love to hear what the suits at Sony have to say about their crapware. I expect nothing less than a true SecuROM removal kit, since it doesn't get removed on uninstall.
--
Toro
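The embedded-NUL trick and the way a cross-view tool like RootkitRevealer surfaces it, as an added example (not code from this thread, from SecuROM or from RootkitRevealer): the Win32 registry API works on NUL-terminated strings, so a subkey created through the native API with a U+0000 inside its name is reported by RegEnumKeyExW cut off at the NUL, and RegOpenKeyExW / RegDeleteKeyW on that shortened name address a different, non-existent key. Cross-view detection lists the hive through the native API and through the Win32 API and reports where the two disagree. The module below reproduces that comparison on an in-memory listing so it runs anywhere; the key names are constructed and hypothetical, and on a real Windows box the native listing would come from NtEnumerateKey.

```python
"""Cross-view check for registry subkey names containing embedded NULs.

Added example, not code from the thread, SecuROM or RootkitRevealer. The
listing is constructed in memory; on Windows the 'native' side would be
obtained with NtEnumerateKey (counted UNICODE_STRING names) and the 'api'
side with RegEnumKeyExW (NUL-terminated names).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Finding:
    native_name: str   # name as the native API reports it (may contain "\x00")
    win32_name: str    # what a NUL-terminated caller sees ("" if not listed at all)
    reason: str


def win32_view(native_names: Iterable[str]) -> List[str]:
    """Simulate RegEnumKeyExW: every name is cut at its first NUL."""
    return [n.split("\x00", 1)[0] for n in native_names]


def cross_view_diff(native_names: Iterable[str], api_names: Iterable[str]) -> List[Finding]:
    """Report subkeys the native view knows that Win32 callers cannot address.

    Two cases are distinguished:
      * embedded NUL: the key is listed, but under a truncated name that
        does not open or delete it through the Win32 API;
      * missing: the key is absent from the Win32 listing altogether, which
        is what a hooked or filtered enumeration (a real rootkit) produces.
    """
    api_set = set(api_names)
    findings = []
    for name in native_names:
        if "\x00" in name:
            shown = name.split("\x00", 1)[0]
            findings.append(Finding(
                name, shown if shown in api_set else "",
                "embedded NUL: Win32 callers see %r, which does not open or delete this key" % shown))
        elif name not in api_set:
            findings.append(Finding(name, "", "present in native view, missing from Win32 enumeration"))
    return findings


def scan(native_names: Iterable[str], api_names: Optional[Iterable[str]] = None) -> List[Finding]:
    """Run the comparison; default to a faithful (unhooked) Win32 listing."""
    native = list(native_names)
    api = list(api_names) if api_names is not None else win32_view(native)
    return cross_view_diff(native, api)


# Constructed listing of a hypothetical HKLM\SOFTWARE\<vendor> subtree; the
# names are illustrative, not a dump of a real hive. "!" is 0x21 and sorts
# before every letter and digit, which is why a warning key named that way
# comes first when a tool walks subkeys in sorted order.
NATIVE_SAMPLE = ["!CAUTION!\x00", "License", "Users"]

if __name__ == "__main__":
    # Unhooked API: only the NUL-named key is flagged.
    for f in scan(NATIVE_SAMPLE):
        print("%r -> %r: %s" % (f.native_name, f.win32_name, f.reason))
    # Hooked API that also hides "Users": the second, genuinely hidden key is flagged too.
    hooked = [n for n in win32_view(NATIVE_SAMPLE) if n != "Users"]
    for f in scan(NATIVE_SAMPLE, hooked):
        print("%r -> %r: %s" % (f.native_name, f.win32_name, f.reason))
```

The point the post makes is visible in the two runs: a NUL-named key shows up in both views (under a name you cannot act on), whereas a hooked enumeration makes a key vanish from the Win32 view entirely. A tool that only reports "discrepancy found" leaves it to the analyst to tell those cases apart.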
AFAIK, the Steam version really comes with Securom. I bought and pre-loaded it as a pre-release, and after the regular Steam decryption (and also regular re-downloading of content - EVERY single game I pre-loaded through Steam always had to download more stuff on release!), it needs to activate. The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.
BTW, the graphics are very impressive and the atmosphere too, but from the first few levels it seemed good but not all that revolutionary as I kept hearing it was...
As others mention and the FA clearly says, it's not a rootkit, just a regular service. This is a case where I wouldn't mind someone being sued for libel - they really deserve it.
The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.
:)
Somewhat off-topic, but if this isn't a sign of the times I don't know what is. You shelled out $50-60 of hard-earned money to buy a game immediately after it's released and what's your reward? You sit and wait for hours while the moron publisher's servers get overloaded with "activation" requests. And here in this comment, instead of showing irritation or annoyance, you just accept this as normal (not saying you weren't pissed then of course
Funny, I remember when you would buy a game and could take it home and play it right away. Of course technology has progressed since then - now companies can alienate honest customers while adding a few hours to the time it takes to crack the copy protection. Steam is one of the worst things to happen to computer gaming in a long time.
If that's not progress, I don't know what is.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
Good for certain uses anyway. I've participated in Iowa State University's Cyber Defense competitions as a red team hacker, and I've found they really help to take out the defending teams. Every team is required to run a regular Windows desktop that any user can access (the teams often play the part of universities or other facilities trying to secure a public lab), and it's fun to just walk up like a normal user, put in a "normal" music CD or game (courtesy of Sony), and then BOOM, rootkited. From there on, of course, things get easier... it's hard to remove malicious files when the OS won't let you know they are there :D.
Beware of bugs in the above code; I have only proved it correct, not tried it.
I wouldn't be okay with it, except for the detail that 30 seconds after my first attempt on activation I ran it again and it went through fine.
I was really ready to get angry (I had pre-loaded days before and it had the gall to make me wait another 2 hours since download speeds were awful - but that isn't activation related, AFAIK), but it's hard to make much of an issue of a 30 seconds delay.
Also, I live in Brazil. Sometimes games would take months, sometimes years and on occasion, they would never be available here in a legal form. Buying from the USA is of course possible, but even then it would be something like US$20+80% customs taxes. And sometimes it would be translated (poorly) - argh! Prices are about the same as the US, sometimes a bit higher, sometimes a bit lower.
So I consider being able to download major releases (instead of just indie games) and play at the same time as anyone else major progress.
Steam could improve their download client a lot, though. I get 460K/s routinely on Getright with multiple connections, but sub-100K/s is the norm on Steam.
Hey, consumer.
You'll buy what we fucking TELL you to buy. If it crashes your system, then your system requires more RAM.
It's situation fucking normal for a game.
If you don't like it, then millions of idiots will just buy it and install it on their parents' computer anyway. After all, kids are the only ones who play games.
(Not previewing after 5 on a Friday.)
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
Turns out, there is no Rootkit after all. Trash the article, update, whatever, but this is FUD and I smell lawsuit.
That settles it, I will never buy this game again.
I used to buy a fair few more music CDs until the funny games they started playing to stop me playing my entirely-legitimately-purchased CDs on my PC. It was a gradual thing- I just started getting sick of half of my purchased music CDs not working when I got them home to listen to whilst I worked. Over time I just stopped buying them so often.
I used to buy a fair few more PC games. After some of the nastier games the bigger vendors started playing, I stopped buying larger commercial games and moved on to games made by smaller indies (okay, there were some other reasons too, but that's a discussion for another day). They are far less likely to install crap on your system or make you jump through hoops post-purchase.
Until recently. I purchased a game from a larger indie and then found out I had to "activate" it (after they got my money, of course). They "promise" it'll all be okay, they've got money aside in case they go out of business (which they'll never touch, of course, promise promise). But it's okay because "Windows does it too". I'd name-and-shame them but they did make an effort to make it right when I kicked up. And honestly, I don't want this fight. So let's just say it was a good indie game.
So I'll be buying less and less games over time, I guess.
So where are we now? Here I am, along with other paying customers, doing the right thing- and I get shafted as a result. I can get a better copy with less restrictions by going to the local warez-are-us. That copy won't stop working ten years later when the developer shuts down. It won't phone home and refuse to run. It won't refuse to run without a net connection sending God-knows-what to their activation server.
As a software developer I can completely understand the reason to protect your software from being casually distributed, but dammit- CD driver replacements, rootkits, web trojans, privilege elevation servers, surprise "activation". Why are you subjecting your legitimate customers to this nonsense, when the people ripping you off are just going to get it from someone who has already stripped this stuff out? Don't you realise the logical conclusion of making your product considerably worse than the warez version? Of making every software install a risk of hosing the system?
Games aren't just for kids. The fact games are a multi billion dollar industry shows this clearly.
No one can make me part with my money if I don't want to. Get a clue. Whoosh!
"Nobody knows the age of the human race, but everybody agrees that it is old enough to know better." - Unknown
I haven't ever tried to crack copy protection by inserting code from a demo, but I have cracked copy protection without it, and from that experience I don't think having an unprotected demo would help.
Once you get to the point where you can modify the exe, the hard part of the crack is over. Whatever the protection checks, whether it's some data on the CD or a registry key or some more complex signature of your machine, it's just a branch instruction somewhere and can be NOPed out. Finding the branch is easy too, since you can just run the game with and without whatever it checks for, and see where the execution paths diverge.
The (marginally) effective part of a copy protection scheme like SecuROM is use of encryption, compression, and self-modifying code, which make it hard to examine or modify the exe. If you have an unprotected demo exe and a protected retail exe, you can't even compare them until after breaking the protection.
Sure there's the extreme case where the demo and the final version are exactly the same code and differ only in data files, then dropping the whole demo exe into the retail installation would crack it. But as the sibling posters explained, that's rare.
(Remember, we are not your personal army.)
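The method the post describes, as an added example (not code from this thread and not derived from any real game or protector): record one run where the check passes and one where it fails, find the instruction after which the two traces diverge, and patch that conditional branch. The stub below is a hand-assembled x86-32 fragment and both traces are constructed by hand; in practice they would come from a debugger or an instrumentation tool. Everything here, the base address, the stub and the trace addresses, is hypothetical.

```python
"""Toy version of trace-diff cracking: locate the deciding branch, then
patch it so the 'pass' path is always taken.

Added example; the 'binary' and the traces are constructed. Base address,
stub bytes and trace contents are illustrative only.
"""
from typing import Optional, Sequence

BASE = 0x401000

# Hand-assembled x86-32 stub (the call target is a placeholder):
#   BASE+0  e8 00 00 00 00   call  check        ; eax = 1 if the check passes
#   BASE+5  85 c0            test  eax, eax
#   BASE+7  74 05            je    BASE+0e      ; eax == 0 -> jump to fail path
#   BASE+9  b8 01 00 00 00   mov   eax, 1       ; "run the game" (placeholder)
#   BASE+e  c3               ret                ; fail path lands here directly
CODE = bytes.fromhex("e800000000" "85c0" "7405" "b801000000" "c3")

# Constructed instruction traces (addresses executed, in order).
TRACE_PASS = [BASE + 0x0, BASE + 0x5, BASE + 0x7, BASE + 0x9, BASE + 0xE]
TRACE_FAIL = [BASE + 0x0, BASE + 0x5, BASE + 0x7, BASE + 0xE]


def find_deciding_branch(pass_trace: Sequence[int], fail_trace: Sequence[int]) -> Optional[int]:
    """Return the address of the last instruction both runs executed before
    they diverge; that instruction is the branch that reads the check result."""
    for i, (a, b) in enumerate(zip(pass_trace, fail_trace)):
        if a != b:
            return pass_trace[i - 1] if i > 0 else None
    return None  # traces never diverge: the check is not a simple branch


def patch_jcc(code: bytes, off: int, force: str) -> bytes:
    """Rewrite the conditional jump at `off` so it always falls through
    (force="fallthrough", NOP it out) or always jumps (force="jump").
    Handles Jcc rel8 (70-7F xx) and Jcc rel32 (0F 80-8F xx xx xx xx)."""
    if force not in ("fallthrough", "jump"):
        raise ValueError("force must be 'fallthrough' or 'jump'")
    buf = bytearray(code)
    op = buf[off]
    if 0x70 <= op <= 0x7F:                       # Jcc rel8, 2 bytes
        repl = b"\x90\x90" if force == "fallthrough" else b"\xeb" + bytes([buf[off + 1]])
        buf[off:off + 2] = repl
    elif op == 0x0F and 0x80 <= buf[off + 1] <= 0x8F:   # Jcc rel32, 6 bytes
        repl = b"\x90" * 6 if force == "fallthrough" else b"\x90\xe9" + bytes(buf[off + 2:off + 6])
        buf[off:off + 6] = repl
    else:
        raise ValueError("no conditional jump at offset 0x%x (opcode 0x%02x)" % (off, op))
    return bytes(buf)


def crack(code: bytes, base: int, pass_trace: Sequence[int], fail_trace: Sequence[int]) -> bytes:
    """Diff the traces, decide which way the passing run went at the branch,
    and force that direction unconditionally."""
    branch = find_deciding_branch(pass_trace, fail_trace)
    if branch is None:
        raise ValueError("could not locate a deciding branch")
    off = branch - base
    next_pass = pass_trace[pass_trace.index(branch) + 1]
    insn_len = 2 if 0x70 <= code[off] <= 0x7F else 6
    force = "fallthrough" if next_pass == branch + insn_len else "jump"
    return patch_jcc(code, off, force)


if __name__ == "__main__":
    patched = crack(CODE, BASE, TRACE_PASS, TRACE_FAIL)
    print("branch at 0x%x" % find_deciding_branch(TRACE_PASS, TRACE_FAIL))
    print("before:", CODE.hex(" "))
    print("after: ", patched.hex(" "))
```

Whether the branch gets NOPed or turned into an unconditional jump depends only on which side of it the passing run took, which is why the traces are needed and the check's actual logic (CD data, registry key, machine signature) never is. The unprotected-demo point in the post stands: none of this needs a second executable to compare against, and the step it skips entirely is getting the retail executable into a state where bytes can be read and written at all.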
/. wields quite a bit of power in terms of internet outcry. That's why we see so many troll articles; interested parties know that submitting their spin to /. will give their viewpoint a wide audience. That's why it's important that we, as a community, take the time to investigate claims and discuss them based on fact (yeah yeah, I know). If we behaved more responsibly as a community, rather than jumping on every rabid bandwagon that comes our way, I think we would see a marked decrease in the amount of crap press releases being posted as "news for nerds". If people with an ax to grind needed to be sure that posting to /. wouldn't expose their lies, instead of just taking for granted the blog will be a group masturbation fest over FUD that affirms our deepest fears, they would think twice (maybe) before posting the more paranoid delusions that we see here.
I think you make an important point that is seldom stressed:
It really is our internet; we have no one to blame for what it is other than ourselves.
...sometimes, in order to hurt someone very badly, you have to tell that person terrible lies. - PA
There's a song....
Fdisk, Format, Re-Install, Do-Dah
I am the unwilling control for my Origin.
The frustrating thing is, this rootkit worry isn't the biggest problem (it's a bit of a stretch). It's that when the game shipped, you only got 2 activations. Yes, you could only install it twice. Ever. Using another user account or install of windows requires another activation. Wipe windows, and try to install a third time? Activation denied. They then proceeded to flat out lie and say uninstalling the game from windows before formatting would give you an activation 'credit' back. It didn't, and according to SecuROM never could.
The outrage over this on the 2K forums made them raise the limit to 5 installs on a given copy of windows, and up to 5 installs on different machines. Ever. Problem solved, right? I mean, who ever installs software they buy more than 5 times, right? Must be pirates. They want to carry on playing in a couple of years, they can go buy a new copy.
Oh, and they'll release a utility at some point in the future that when run, will supposedly uninstall the game and 'deregister' your install with the online securom database, thus giving you the privilege of reinstalling your own game on your own computer one more time. Just hope windows doesn't go belly up before you get to unregister. And I can't wait for the day all games do this, and I have to run round manually deregistering all of them prior to a reinstall with different tools. Then calling support when it doesn't work and won't let me reinstall.
Remember kids, it's all fun and games until someone commits wholesale galactic genocide.
I agree that programmers should be paid for making software, just like musicians should be paid for making music.
But only for making the software/music, not for the copies. So if an artist/programmer spends 100 hours making a song or programming an application, he/she should get paid for the 100 hours they spent, according to their hourly rate. Why do people think it's fair to get paid for work they actually haven't done?
If you have a plumber install a toilet in your house, you don't have to pay a license fee for every person who wants to take a shit on it, you just pay him for the amount of time he's spent installing it. I don't see how music or software is any different.
First of all, your link to the forums goes to a thread about achievement points on the Xbox version of the game. This thread is much more relevant; it's about the rootkit.
Second of all, I, like many other people, was looking forward to Bioshock's release. I, like I hope many other people will do, refuse to buy it now.
Whether people think of this as FUD or not, the simple fact of the matter is that:
2K Games has a FAQ about SecuROM that is, at best, contradictory in several places. They say:
However, Sysinternals' RootkitRevealer software begs to differ. Who am I going to trust, a game company that is practicing Defective by Design tactics, or Mark Russinovich, a software engineer who's proven time and again that he is the guru of this stuff, the guy who discovered the infamous Sony rootkit, the guy who knew Windows better than even the Windows people knew Windows, so well that Microsoft bought his company and hired him? I'll gladly cast my lot with Mark any day, even if he does work for Microsoft now.
2K Games also says in its FAQ:
They then go on to say:
Um... If SecuROM doesn't fingerprint my hardware, what is the "machine ID" that a hash is taken of and sent to their servers? And how the hell is it possible that changing several pieces of hardware might result in a required reactivation? The simple answer is, of course, that SecuROM does fingerprint your hardware, and 2K Games lied to our faces in the hopes that computer users who aren't as savvy as us won't get bogged down with the technical details and just read the part where they say that it doesn't fingerprint the hardware.
This is totally inexcusable, and I won't have anything to do with this company. Will the game be cool? Maybe, but nothing is cool enough to install this crap on my computer for. As far as I'm concerned, 2K Games has destroyed its credibility, and they can go to hell for it.
Not exactly, you're buying a LICENSE to play their game. SecuROM is NOT required to play their game, therefore it is NOT a requirement of the license. As such, it has no place in the game.
Worse, SecuROM actually PREVENTS you from using your computer in other commonly used, non-infringing ways. So by buying the game, you're actually buying the crippling of your system along with it.
You need to read again what SecuROM does. Where you have it installed is irrelevant. It actually alters your operating system in a manner that allows non-privileged applications to run as an administrative user. That means that at the very least, it can affect your entire Windows installation. And before you go with your "I've used Linux..." rationale, you should realize that it can also affect your Linux installation.
Here's how it could work. I write a piece of software that uses the elevated privileges that SecuROM grants to normal users without your knowledge or consent that goes in and wipes all non-recognized partitions on your hard drive. Voila, your system has been compromised because playing a stupid game whose publishers willingly opened up a security hole on your system. That's what I mean when I keep saying that even if 2K Games didn't have evil intentions, what they're unleashing on people can most certainly be used for evil purposes.
The thought that you are paying them for the privilege of having a rootkit installed on your computer and that you're okay with it is quite disconcerting to me, but by all means, if the service of having your system compromised is worth $50 to you, go ahead. (There are lots of people who would willingly compromise your system for free, incidentally.) Personally, I find it disgusting that anyone can't see the bigger picture and would support a company that engages in these practices, but it's your computer and your money.