Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management...

Discussion in 'privacy general' started by nick s, Oct 31, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    An interesting read, courtesy of Mark Russinovich's Sysinternals' Blog (31-Oct-2005): Sony, Rootkits and Digital Rights Management Gone Too Far.

    Quoting in part:

    "The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files."

    Nick
     
  2. dog

    dog Guest

    Wow ... Nice :eek: :rolleyes:

    There'll be some backlash over this ... they've gone waaaayyyyyy too far. :mad:
     
  3. MikeyBikey

    MikeyBikey Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    10
    What is really sinister is the lack of any mention in the EULA of what you're installing. This is illegal surely? Whatever, I'm sure that no one who reads Mark's blog will be buying Sony products anytime soon.
     
  4. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    And imagine the backlash once malware distributors start using the Sony DRM rootkit to hide their stuff. Quoting from the blog:

    "I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view."

    Nick
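
A cross-view check for the "$sys$" name rule quoted in the post above, as an added example that is not part of the original thread or of Mark Russinovich's blog. It compares a listing taken through the normal Windows API with one taken from a view the driver cannot filter, and reports what is missing. Both listings are assumed to have been collected already; the sample data and all names other than `$sys$notepad.exe` are constructed.

```python
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # prefix named in the blog excerpt quoted above


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "registry" or "process"
    name: str    # entry as it appears in the unfiltered view
    reason: str  # "prefix" = explained by the $sys$ rule, "unexplained" = not


def cross_view(kind, api_view, raw_view):
    """Return entries present in raw_view but missing from api_view.

    Windows names are case-insensitive, so the views are compared case-folded.
    Matching the prefix case-insensitively is an assumption made here so that
    the check errs toward reporting.
    """
    visible = {name.casefold() for name in api_view}
    findings = []
    for name in raw_view:
        if name.casefold() in visible:
            continue
        # Entries under a hidden directory or key are missing from
        # enumeration too, so test every component, not just the leaf.
        parts = name.casefold().split("\\")
        cloaked = any(p.startswith(CLOAK_PREFIX) for p in parts)
        findings.append(Finding(kind, name, "prefix" if cloaked else "unexplained"))
    return findings


# Constructed sample listings (not captured from a real system).
API = {
    "file": ["C:\\Windows\\notepad.exe"],
    "registry": ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk"],
    "process": ["explorer.exe"],
}
RAW = {
    "file": API["file"] + ["C:\\Windows\\$sys$notepad.exe",
                           "C:\\Temp\\$SYS$demo\\component.dll",
                           "C:\\Temp\\other.bin"],
    "registry": API["registry"] + ["HKLM\\SYSTEM\\CurrentControlSet\\Services\\$sys$demo"],
    "process": API["process"] + ["$sys$notepad.exe"],
}


def scan(api=API, raw=RAW):
    """Report only: the quoted blog warns that deleting cloaked files can cripple the PC."""
    return [f for kind in raw for f in cross_view(kind, api.get(kind, []), raw[kind])]
```

An "unexplained" finding is hidden from the API view without matching the prefix, so something other than this name rule is filtering it.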
     
  5. Tom772

    Tom772 Guest

    Hi,

    Thanks for the story nick. I can't believe what I have just read about Sony Corp, the whole issue of Digital Rights Management is just going way too far, I understand they want to protect the products etc, but going beyond encrypting their content and installing what is basically a nasty Rootkit is crazy. Imagine a regular home user finding this, like myself they wouldn't stand a chance just at what it took Mark Russinovich at Sysinternals to trace and remove this mess from his system.

    Thanks

    T
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
  7. dog

    dog Guest

    Yah, I agree Nick ... I had that in my mind. :mad:
     
  8. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
  9. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    Much naughtiness from Sony.
    There should be laws against this kind of behaviour.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In many countries there are...

    UK residents should consider reporting this to the Non-Emergency Crime and Hate Crime / Incident Reporting webpage. While I would strongly suggest that people use their own wording, the following is intended as a guide:

    "Sony Corporation are selling CDs with copy protection (see http://www.hmv.co.uk/hmvweb/displayProductDetails.do?ctx=280;-1;-1;-1&sku=385456 for an example). They however implement this by installing a rootkit on users' PCs (see http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html) which is in violation of S3 of the Computer Misuse Act 1990. No mention is made of this or authorisation sought and, due to the way the rootkit works, attempted removal (using a rootkit detector/remover) may disable CD-ROM drives. In addition, it compromises computer security since any other malware could use it to hide themselves and prevent removal by anti-virus software. I have not purchased these CDs or been affected but do wish to report this due to the effect it has on Sony customers."
     
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
  12. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia
    Unfortunately, that's not punishment enough. This needs to become mainstream news in the popular press before Sony would notice the PR blip.

    As others have pointed out, even a barely adequate worm writer would now have much greater chance of success by simply naming the files he drops appropriately. Let Sony's code hide it for him (or her).

    I'd be real, real interested to see if we see anything like that pop up.

    If anyone actually has this code, I would be most interested to receive a copy (for good, not for evil!)

    Mike
     
  13. mrhero

    mrhero Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    297
    Location:
    Ankara , Turkey
  14. dog

    dog Guest

    Well ... I've decided to take some action in regard to this finding. I'm currently crafting an email with a link and also excerpts from Mark's blog; as well as background sources re: rootkit technology, as well as the test sample of the (DFKTS) Threat Simulator, as well as linking the real possibility of malware exploiting this so-called DRM enforcement. Hopefully both the local media and political powers will pick up this story and give it proper exposure. :ninja:
     
  15. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Send it to every major paper you can! :D

    I seriously hope this does make mainstream news. This could very well be the blow that causes some re-assessment of the whole issue. How far can they go to make sure we comply with their rules? Well, basically infecting your machine is way too far in my view, and makes it obviously time to draw some lines. I kind of hope that people send Sony the bill for getting their computer formatted. Leaving people that vulnerable to infection of that sort is not at all acceptable, and big business needs to know that.

    I wonder how many business machines were infected...
     
    Last edited: Nov 1, 2005
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

    Yes - and I seriously suggest everyone do three things:

    (1) Use this link: http://www.sonymusic.com/about/feedback.cgi to voice your displeasure to Sony directly


    (2) Spread the word of this to any websites you frequent that have not yet posted this article (or point them to here)

    and

    (3) Immediately and irrevocably boycott - ALL - Sony products until this situation is resolved.

    It's the only possible chance we have of getting this corrected. Pete
     
  17. HD rider UK

    HD rider UK Registered Member

    Joined:
    Feb 16, 2005
    Posts:
    121
    Location:
    Gloucestershire, UK
    Oh that's just peachy :mad:

    Thanks Sony, what you have managed to do here is provide rootkit functionality to every malware vendor on the planet. All they have to do is name their files so as to take advantage of your rootkit's protection - they don't need the code, you have already installed it for them.

    HD Rider UK
     
  18. Tom772

    Tom772 Guest

    If you see the Copy Control logo on the package, it is NOT a CD.

    If you see the DualDisc logo on the package, it is NOT a CD.

    If you see the Compact Disc Digital Audio logo on the package, it IS a CD
     
  19. Tom772

    Tom772 Guest

    LONDON--Technology buffs have cracked music publishing giant Sony Music's elaborate disc copy-protection technology with a decidedly low-tech method: scribbling around the rim of a disk with a felt-tip marker.

    http://news.zdnet.com/2100-1009_22-917908.html
     
  20. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland

    I'm not sure if this applies to their latest 'protection' system.

    When you think about it, it's a bit ironic that their 'protection' system could leave users' PCs very unprotected. :doubt:
     
  21. Tom772

    Tom772 Guest

    This is what Sony says about it:

    ''I have heard that the protection software is really malware/spyware. Could this be true?

    Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system.

    Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

    If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the component''

    To remove this, you have to install some Active X rubbish.

    Regards T
     
  22. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia

    Well, I suppose that is "technically" true. Is there a corresponding entry on there for:

    "I have heard your protection software is so badly written, it leaves huge security holes on my PC for any malware writer to take advantage of. Could this be true?"
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    As a quick check of the article date shows, this refers to a different scheme that was attempted 2 years ago and has little, if anything, to do with the one being discussed here.

    This one can be avoided by disabling AutoRun (or holding down the Shift key while inserting the CD) but the point here is that if it is not, it is almost impossible to remove.

    Given Sony's response so far, I wonder if their customer service is now going to offer a rootkit removal service.
     
  24. Tom772

    Tom772 Guest

    I didn't really give it a proper read, wishful thinking on my part!!

    Regards T
     
  25. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Questions of rootkit nature aside, and they are legitimate questions, the simple fact the protection mechanism appears to be readily exploitable by malware writers elevates the whole matter to a completely new level. It demonstrates sloppy design, sloppier execution, and a complete failure to fully appreciate the broader implications of the methods being employed. If Sony has any PR savvy at all, they will cut ties to the creator of this software as soon as possible.

    Blue
     