Mark's Sysinternals Blog: Sony, Rootkits and Digital Rights Management...

Discussion in 'privacy general' started by nick s, Oct 31, 2005.

Thread Status:
Not open for further replies.
  1. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,658
    Location:
    Sydney, Australia
    I'm sure they have taken steps internally to punish the people responsible for the bad publicity.

    Whether or not they actually appreciate the severity of what they have done remains to be seen. If the FAQ entry provided above (not my sarcastic one) is an example of their response, there's not much evidence of either understanding or remorse on their part.

    The more I think about this, I'm actually more annoyed by the FAQ entry than anything else. "No, it's not spyware or malware... but a security problem exists with the code and we recommend you remove it using this tool." would have been a far more appropriate response.

    People have a hard enough problem with their PC security without Sony implying that this huge security problem is safe.

    Again, if someone has this code - please let me have it. I'd love to add it to the OA dangerous app list.
     
  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    I am sure that the PR department in Sony would instantly balk on reading as technical a thread as this one, or Mark R.'s synopsis and analysis of the problem. The problem is that these large corporations do not seem to direct technical staff to technical problems very accurately. In order to best know how to delegate a technically challenging feat, one must have some technical knowledge in the first place. But most managers who do the delegating always seem to delegate to the wrong people (within or outside their organisation). The job never gets done properly, and then, for example, the space shuttle crashes.

    Perhaps we ought to give Sony a better idea of how to accomplish DRM. But they'd never dream of consulting external security specialists, even though those are the very people who could do a really good job for them.
     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Can people file a lawsuit against Sony in a court of law for using unscrupulous methods for installing rootkits? I think this incident about Sony installing rootkits will spark off a major.... sigh, no words to describe it.
    And who knows whether the rootkit may have gathered people's personal information and sent it to an unknown source. :eek:
     
  4. tlu

    tlu Guest

    I agree that this is a scandal, and I hope that a lawsuit will be filed against Sony.

    Another aspect is how this mess could have happened on Mark's computer. I'm not familiar with the Sony CD, and so I don't know if some software had to be installed. If yes, a program like ProcessGuard should have prevented the installation of this rootkit. If not (i.e. the rootkit was installed simply by the autorun function), the only explanation (besides the lack of PG) is that Mark must have been logged in as administrator. Which would prove again that it's very risky not to surf and work under a user account with restricted rights.
     
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Yes, he should have used a user account with restricted rights so that the rootkit will not have enough system privileges to install itself.
     
  6. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I remember with my last setup I got a new CD (Sony), placed it in my CD drive to listen to (not copy) the music, and soon took it out as a message appeared on my desktop: 'Your system files are not updated, click to update now....' or words to that effect. I did not click and never again did I try to listen to music CDs via my computer system. (maybe 1 1/2 years ago)

    I have new hard drives etc now but this was my one and only experience with Sony.
    Thankfully I did not listen to a friend who just last week told me they weren't allowed to do this now and there was no reason not to listen to my CDs :(
    I use my CD player and will continue to after reading this - looks like they are employing a very nasty install now :'(

    Edit: just checked the CD in question and it was not a Sony one it was BMG :oops:
     
    Last edited: Nov 3, 2005
  7. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I know the Internet. Word gets around. Once people learn the truth about Sony's faux pas with rootkit DRM, watch Sony's CD sales plummet into the basement or further.

    If you need to remove this from your PC, get a Security Expert who really knows what they are doing or you will have a broken platform. The only other way to remove it (without the expert) is to fully erase the HD, do a complete reformat and new install. Ouch. :rolleyes:
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,078
    Location:
    Texas
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I would assume PG's anti-execution protection would prevent the autorun. I decided to test mine (Anti-Executable).

    I'm looking for a copy of the Sony CD to test.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    And the great and wonderful thing is that this isn't the kind of software that you get updates for... so everyone that's listened to those CDs on their computer will remain vulnerable until their next format. Super fantastic! :rolleyes:


    LOL, looking for a copy of the copy protected CDs? :D :D
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes, because it's not clear that Autorun had anything to do with the installation of the copy protection software, and I'm curious to find out for sure. In his article he states,

    "The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:"

    He double-clicked; it did not auto-run, unless I misunderstand.

    If the user permits the software to be installed, then the rootkit stuff installs along with everything else w/o your knowledge, and there is nothing you can do about it. If PG or some other program flags a driver-install, you are likely to permit it thinking it's part of the player software.

    Your only recourse is if you are running in some type of virtual environment, or have a reliable restore or image program in place.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    In this case, an attempt by a CD-player to install a driver named $sys$DRMServer should provide a useful warning...
     
  13. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I wouldn't allow an audio CD to install a driver; there wouldn't be any need... you should already have all the multimedia drivers you need.

    Just a joke, Rmus.. you said you were looking for a copy of a CD that can't be copied ;)
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I understand what you mean, but in this case a driver, the Aries.sys device driver, was installed as part of the software installation. Had you selected to install the software and then denied that driver, the installation would have aborted.
     
  15. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  16. StevieO

    StevieO Guest

    Hi,

    A very interesting and unexpected turn of events. Who would have thought that an otherwise good company, which has been making many excellent products since the sixties, would be the start of Rootkit fever!

    As has been mentioned, turning off CD Autorun is always a sensible idea anyway, and is a MUST to attempt the following.

    There is a workaround solution to this which should work if you have NOT run the CD yet, inconvenient, but if you want those sounds without the " Extras " then try this.

    Launch your CD Burner software and select ONLY the cda files on the CD, and burn them to a new disk. Failing that convert the cda tracks to high quality WAV files and then burn those as a new CD.


    StevieO
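The Autorun switch-off that StevieO calls a MUST above, as an added example that is not from this thread or any poster: it sets the machine-wide Explorer policy value NoDriveTypeAutoRun (a real Windows policy, 0xFF = every drive type, bit 0x20 = CD-ROM drives) and reads it back to confirm. It assumes an elevated PowerShell session; the function names are my own.

```powershell
# Added example (not from the thread): disable AutoRun machine-wide via the
# Explorer policy value NoDriveTypeAutoRun, then verify the CD-ROM bit is set.
# Assumes an elevated (administrator) PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns the current NoDriveTypeAutoRun bit mask, or $null if the value is unset.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Test-CdAutoRunDisabled {
    # $true only when the CD-ROM bit (0x20, drive type DRIVE_CDROM) is set in the mask.
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask) { return $false }
    return (($mask -band 0x20) -ne 0)
}

function Disable-AutoRun {
    # Sets the mask to 0xFF (all drive types), creating the policy key if it is missing.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
}

# Show the weak (unset or partial) state, apply the fix, and confirm the result.
$before = Get-AutoRunPolicy
if ($null -eq $before) { Write-Host 'Before: NoDriveTypeAutoRun is unset (AutoRun allowed)' }
else { Write-Host ('Before: NoDriveTypeAutoRun = 0x{0:X2}' -f $before) }
Disable-AutoRun
Write-Host ('After : CD AutoRun disabled = {0}' -f (Test-CdAutoRunDisabled))
```

A per-user copy of the same value lives under HKCU; the HKLM policy above applies to every account on the machine.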
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,251
    Location:
    The land of no identity :D
    I was about to buy a Sony optical drive a few days ago, but after reading this and some other news about Sony cutting many jobs (=possible reduction in quality), I chose not to buy Sony and took a Samsung instead. And I'm happy I did that.
     
  18. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
  19. MikeyBikey

    MikeyBikey Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    10
  20. ~~~~

    ~~~~ Guest

    Well, now that you have read about it, yeah. But before then? Seriously, I don't believe people think looking at the name of a driver can let them decide whether to allow it or not. What's so suspicious about the name? That it has $sys$? That part of it says DRM? Or that it has the word "server"?

    Most of it comes down to trust issues, most people trust big companies, no matter what the driver is named, they would accept it.

    I bet even most people here (who are more paranoid than the usual) would allow unless he had some hatred of DRM but that's another issue. So perhaps they would deny it, see an error, then try the installation again and allow it.
     
  21. Tom772

    Tom772 Guest

    Music
    fanboyslayer writes "Switchfoot's new album Nothing Is Sound shipped from Sony with copy protection software on the CD, much to the dismay of thousands of iPod-wielding fans. The band posted a response on their official forum apologizing for the protection and detailing ways to circumvent the protection and rip their songs to PC. Switchfoot linked to open-source program CDex's download page with instructions on disabling the autorunning protection and ripping the files to MP3. Many of Switchfoot's fans have been upset by the copy protection measures, and it's nice to know the artists seem to care about the issue."

    Not a fan, but a while ago on their forum they explained that you could bypass the protection and use a program like CDex!! Tom

    http://www.cnn.com/2005/TECH/ptech/1...eut/index.html -see this link; I'm pretty sure this works as Sony has removed the link on how to do this from the Switchfoot forum,

    T
     
  22. jwcca

    jwcca Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    772
    Location:
    Toronto
    It seems that CDex has been removed from all the Sourceforge US download mirror sites. The most recent version, 1.51 (September 9, 2003), is available on non-US sites. For how long? Good question.
    CDex was mentioned in the article as a means to protect yourself from the Sony 'rootkit'.
     
  23. dog

    dog Guest

    Sourceforge Mirrors for CDex, for those needing a link. As mentioned above, the file is removed from the US mirrors but available at the others. Should those disappear too, you can also grab it here -> http://cd-to-mp3.audiolaunch.com/cd-ripper/
     
  24. Graphic Equaliser

    Graphic Equaliser Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    421
    Location:
    London England UK
    Most people here would not allow an audio CD to install software on their PCs. It does appear that Sony's DRM install prompts the user to allow it to happen. If so, then most people here would choose not to allow software to be installed simply to play a ruddy audio CD, for Christ's sake!

    I get through a fair load of demos, CDs and other paraphernalia, with my budding kids, but if I'm asked to install something on my PC, and I let it happen, MJ Registry Watcher records every move that is made, so I can undo everything, if needs be, afterwards.

    http://www.jacobsm.com/mjsoft.htm#rgwtchr
    https://www.wilderssecurity.com/showthread.php?t=54666
     
  25. iceni

    iceni Guest
