NOD32 + Latest Starforce "Driver"

Discussion in 'other software & services' started by TBR, Mar 21, 2006.

Thread Status:
Not open for further replies.
  1. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    Are we protected against this?

    This is a rootkit of the foulest terms and i know i would at least expect a warning about this so that any games or demos i get with this can be taken back or deleted?

    In many ways the latest version is worse than the Sony one.

    According to cdfreaks.com the anti-piracy system that Starforce is using installs a driver that runs at the highest level of access on the system. Meaning that this driver has access to basically all same things the operating system itself enjoys (hardware/drivers/processes). Further more this driver runs all the time, regardless of whether or not you are playing a game that used Starforce's DRM. If that wasn't enough to scare you, if the Starforce driver thinks it has detected suspicious activity relating to disc copying the driver will instantly reboot your computer without any notification.

    A step too far.
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It would be prudent to note that the original cdfreaks item pints to Futuremark as the source, while Futuremark notes that the claim is due to material posted on it's discussion boards and is not the result of their work. Based on this, it is possible that this is simply a self-referential rumor.

    How about bringing some firm facts to the table to start off?

    Blue
     
  3. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    Thanks for your "concern".

    This has been posted on the front pages of Neowin, Warp2search, Engadget, The Inquirer, Osnn.net etc..

    I really didnt think i needed to check any further.

    Your point about linking to the originator of the story is noted however.
     
  4. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Now, such a claim really is a step too far. There has been a lot of rabid scaremongering of the worse kind, based on little or no evidence, misinformation, excessive self-interest and collective hysteria. That Starforce uses a driver in no way justifies the 'rootkit' label. If it did, there would be masses of other legitimate software out there that you would also have to classify similarly.

    If you sift through all the hysterical nonsense that has been written elsewhere, what you are left with is (a) less-than-ideal disclosure by the game publishers about their use of copy protection/DRM, and (b) a small number of people who have experienced speed problems with their DVD/CD drives.

    There are no parallels with the Sony fiasco, despite a growing number of self-serving individuals who would have you believe otherwise.

    There is nothing to be gained - by you, or anyone else - by your attempts to spread the hysteria here.
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I have no idea whether any of these claims have merit or not, but it is always important to understand where information originates.

    I do feel that many folks are so philosophically opposed to this type of measure that rather than using reason and voting with their wallets, they will grab on to any and all glimmers of a problem, whether related to any protection scheme or not, and channel untold energy into increasingly chaotic rhetoric that creates much commotion among whatever choir one belongs to and little else.

    In the end, this is an area where the market will ultimately work it's way with cold efficiency. If it is in the best financial interests of the vendors to use other approaches, they will. If they see a financial benefit to using StarForce or competing measures, they will go that route. The place a user influencing that dynamic is on the demand side. It really is as simple as that.

    Blue
     
  6. Joliet Jake

    Joliet Jake Registered Member

    Joined:
    Mar 1, 2005
    Posts:
    911
    Location:
    Scotland
    You can reveal Starforce on your system, something you couldn't do with Sony's First4internet DRM 'rootkit'

    As an aside, would I be right in thinking that Starforce is an American 'invention'
     
  7. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    It is Russian, I believe.

    Also, StarForce - the company - has sadly chosen to defend themselves publicly in a very unprofessional way, stooping at times to the same low tactics as used by the mob out to get them. This does seem to have fuelled the controversy somewhat, IMO.
     
  8. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    It is Russian and recently they posted torrent links on their own forums to Galactic Civilizations II who's makers decided to use no copy protection on its disks as an example that the game would be ripped anyway.

    You all missing the point here anyway - this company are now way past the point of being a "trusted" source of software and as such - irrespective of wether the very strong rumors above are held up to be true, i would at least hope i would get some sort of warning if i picked up a game or a demo with StarForce on it.

    And IMO this IS on a par with Sony especiailly if it does reboot your PC.
     
  9. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    No, it is you who is missing the point. Who no longer 'trusts' StarForce? Game players who wouldn't buy games anyway, preferring instead to find the easiest way to make illegal copies? Who would then really care?

    The point is really that you - like others - act to spread rumour and hearsay, without being in possession of any material facts whatsoever...

    ... which you demonstrate quite clearly again. Obviously, when you write things like "especiailly if it does" all you are doing is to repeat unsubstantiatesd claims of others. Even then, to place it on a par with Sony is to completely misunderstand what a rootkit is, and to completely misunderstand why the Sony issue was of such importance.
     
  10. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    TBR,

    Leaving aside the other issues, basically what you are saying is that NOD32 , and by extension any other AV, should flag this specific and valid commercial protection scheme when used in commercial products. That is about as likely to happen as an AV flagging generically subpar software, in other words, it won't. If you have problems with a StarForce driver, they do provide removal tools already.

    Regardless of one's position on this topic, it is clear that you have not thought through the commercial implications of your suggestion.

    Blue
     
  11. TBR

    TBR Registered Member

    Joined:
    Dec 8, 2005
    Posts:
    59
    Ok,
    You've made your point, i still think your wrong though but we will have to agree to differ on that one.

    How anything that installs itself on your PC without your knowledge and interferes with the operation of that PC cannot be seen as malicious is beyond me.

    I have a feeling that within this year this position will change just like it did with Sony.

    And SPM to insinuate that the only people who complain about this are the people pirating games is, well, daft. People pirating the games wouldnt have to worry about Starforce in the first place, as it would have been cracked on their version.

    The only people affected by this are the people who legitimately buy games or download demos with the Starforce software in it.
     
  12. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    I hate when games install all sorts of junk on my PC. Plus they don't remove it when you uninstall them! Protection my ass, legit users have more problems with SF3 than those who get second hand stuff. Thats sad to punish those who pay and reward those who use copies...
     
  13. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    How do they know it reboots the computer on purpose, as opposed to a having a programming bug that causes the reboot?

    If you want to stop Starforce from running, just disable or uninstall the driver. In the Device Manager, go to View --> Show Hidden Devices. A new section entitled "Non-Plug and Play Drivers" will now appear. Look for Starforce in this list and do as you wish. ;)

    I am certainly no fan of having stuff get installed on my computer without my knowledge or permission, especially without an obvious way to remove it (either automatically or through Add/Remove Programs). However, "maliciousness" requires intent; "incompetence" does not.
     
  14. midfingr

    midfingr Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    12
    Hi all.
    I've been following the Starforce debate for some time now.
    Today, I found some rather interesting news about Starforce and it's software.
    The owner of r-force.org has posted an article describing how a SF root admin asked for help on fixing their software. If you're interested, please see this link to view the story.
     
  15. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Would be nice if R-force would have posted the WHOLE pm chain, not ONE pm. :thumbd:

    This is like doing a two hour interview, then publishing just one out of context quote :D It proves nothing...
     
    Last edited: Mar 26, 2006
  16. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Actually, if you read that single message, it reads like a standard support response to me where the origins of the problem are not clear. It is no different than any software vendor asking for technical input from the impacted individual since compatibility issues are always dependent on the local hardware and configuration.

    Finally, since this thread is unrelated to NOD32 support, or NOD32 at all for that matter, I have moved it to the most appropriate venue at this site, which is the general Software and Services forum.

    Blue
     
  17. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Starforce has shown a willingness to address the issue, but the problem is that in order to fix any software issue you have to be able to reproduce it. So far nobody has been able to reproduce the issue, even with the $10,000 reward (plus a trip to Russia) that Star-Force has offered for anyone that can.

    That all falls perfectly in line with the PM posted by R-Force. If he's claiming to have further insight, then of course they are going to want to communicate with him and work with him to try to find out what's going on. The same kind of request would be given to any beta tester that has an issue that they aren't able to reproduce- cut out the middle man and communicate directly with the developer so the issue can be resolved. This happens quite a bit with beta testing.

    Regardless of your opinion of the software, even if you believe that it does cause serious problems, it's legitimate software that does not try to hide itself, and you can easily obtain their removal tool. There's enough hysteria around about rootkits without going and labeling every piece of software that uses a driver a rootkit just because you don't like it. It doesn't help anyone, it only serves to further confuse the real issues. And there's only so many times that people can cry wolf before people stop paying attention, which is not what we need.
     
    Last edited: Mar 27, 2006
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Here Here Notok. I totally agree. Besides Star-Force is only providing what it's customers the game companies want, and I doubt the game companies would need the star-force protection if it weren't for the people who'd rather steal the product then pay for it.

    Sad part as in many area's the honest folks have to suffer the consequences.

    I get tired of the tirades myself, because dealing with the people on the Safe'n'Sec side of the house I find them upstanding, fair, and more then willing to help their customers.

    Pete
     
  19. midfingr

    midfingr Registered Member

    Joined:
    Jul 6, 2005
    Posts:
    12
    Blue.
    What do the previous two posts have to do with this topic? You were quick enough to shoot down my post and move it. Besides, they are both uniformed one sided comments.
     
  20. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    They are completely on topic.
    I was less commenting on your post than the link you referred to. Basically, not enough information was presented to support the contention of Mr. William Taggart II AdDip.Prof.Con.Phys. As for the move, this thread is not related in any way directly to NOD32 or NOD32 support. My options were to close the thread outright or move it to an appropriate venue, I chose the latter action. Any of the posts following yours would have caused an equivalent action. If you wish to complain of my moderation, feel free to take it up with the site admins via PM.
    No less than your own comments. I'm sure you have strong opinions in this case, it is one side of the argument.

    As I have said repeatedly, if you wish to remove this form of protection from gaming software, there is one efficient way to do it, vote with your wallet. It may take some time, but it is very effective.

    Blue
     
  21. 13thHouR

    13thHouR Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    13
    Lets add some facts to this thread.

    Starforce does represent serious security risks. It's a simple fact based upon reproduced data.

    Setting aside the hardware and other software related problems.

    There is the very specific issue of running a Virtual IDE protection driver in Ring 0 that grants Ring 3 user level access, as a forum frequented by system Security Specialists I should not actually have to go into details here as to why that is such a problem, in fact it would be rather irresponsible of me to do so in public without any fixes out there to resolve these problems.

    What I can say is that very old buffer overflow techniques are all that is required to kill sections of the SF driver and leave that area of the IDE subsystem wide open to attack by any 3rd party malicious application.

    This is why the like of F-Secure are now cashing in on the problem with Blacklight and Windows Defender lists ' to paraphrase' list SF as an undesirable application.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,059
    Gee, I didn't know there was an application named Star Force. I know of a company Star Force that produces several products, one of which I use called Safe'n'Sec. It installs a "driver" so I have a Star-Force driver on my system and it isn't a security risk.

    Yes I am stretching the point, but if you are calling for accuracy and facts, you should be specific so all readers know what you are talking about.

    I would also note that Safe'n'Sec is sold directly to the public and Star Force listens closely to what we want. I suspect on their copy protection product they also are listening to their customer, which isn't the public. The real beef if there is a problem is with the folks who sold the product using what they requested Star Force to build for them.
     
  23. sage386

    sage386 Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    11
    Location:
    null pointer
    13thhour is know as a big SF "fan":
    He has "discovered" that SF resides in Master Boot Record, in partition tables and also SF spreads over network.

    He even managed to find SF on his iMac

    full story here:
    http://www.star-force.com/forum/index.php?showtopic=796
    and his own interpretation
    http://r-force.org/modules.php?name=News&file=article&sid=44&mode=&order=0&thold=0

    http://www.star-force.com/protection/protection.phtml?c=91&id=319

    Nevertheless, the hole he was referring to was fixed years ago, its definetelly does not qualify as buffer overflow attack nor has anything to do with ide subsystem. Well, you got the point. Mumbling exactly!
     
    Last edited: Mar 28, 2006
  24. 13thHouR

    13thHouR Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    13
    You are kidding aren't you? :)

    That has to the biggest load of BS I have ever seen. btw as rule of thumb its not a good idea to quote SF (They have nasty reputation of making it up as they go along, as you know), its definately not a good idea to quote contructive use of an original publication which has been merged, edited of any specifics and presented as part of a bad PR stunt. (Which you know as you where the one that did it)

    Ring 0 exploits where almost plugged years ago by Microsoft, however Security Technologies (Who you work for) decided to ignore standard protocols. They run a virtual driver on top of an already unstable IDE subsystem. They block hardware streams and try to replace them (Badly implemented I may add) with their own virtual streams.

    None of the Publishers that, Use Ring 0 (That SF so like to quote), attempt to block the IDE subsystem. In most instances those 3rd party apps use Ring 0 apps, to try and block the very exploits thats SF use because they are a vulnerability to the system. ( I am not surprised SF likes to bad mouth them at every turn)

    Those virtual streams are wide open for exploits, now assuming that you do have the level of understanding in this matter that you profess to have, then you will be aware why at this stage I will not disclose how and where such exploits can be used.

    I am not asking anybody to support Boycotting SF, I am not saying go out and scaremonger. What I am saying it is highly irresponsible to take the ramblings of PR team and a Troll to be factual evidence of no security issues.

    Especially when they have been proven time and time again to be liars.

    Let you quote you something now.

    The issue on StarForce is obviously sponsored by our competitors or organized crime groups that run CD/DVD piracy operations”. (Dennis Zhidkov in reply to CGW)

    According to this I am being paid by your competitors or I am basically a crime lord.

    That comment is from the exact PR team which you are part of. So just maybe you need to look a bit more closely at where you source your information from. Especially when your post that you reference on the SF forums is actually in Violation of Copyright.

    btw Sage386 any future comments from you will be ignored if you cannot have normal conversation without resorting to PR BS, as I am not going to be drawn into one of your petty flame wars and I am quite sure the Owners of these forums will not tolerate your type of responses either.
     
    Last edited: Mar 28, 2006
  25. 13thHouR

    13thHouR Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    13
    Actually if you want to be that specific they are Security Technologies, and they produce Safe'n'Sec and Starforce.

    I will not even give my opinion on Safer'n'Sec (if end users want to use security software from one of the most prolific Piracy teams of the 80's and early 90's that is their choice, personally I would trust them as far as I can throw them, buts that is a personal opinion) however Starforce is a virtual IDE protection driver that is supposed to prevent games disks being copied in those Vital first few weeks of sales.

    Again this is not an issue I am concerned with, although there is considerable evidence that it does not even meet that target.

    Part of the package which publishers where sold concerning Starforce Protection was that of technical support for the end users.

    The reality is.... rather than reposting that yet again I suggest you go and read this article http://r-force.org/modules.php?name=News&file=article&sid=46&mode=&order=0&thold=0

    I know for a fact these issues exist and where possible I have been creating work arounds for the end users. Which actually is Security Technologies job. However they blamed the publishers, drive manufacturers and everybody else they could think of, rather actually dealing with the issues.

    When further issues arise that they don't like, they still continue to quote my workarounds but then they resort to Copyright violation and libelous comments to try and discredit me.

    Which is rather comical given that we are barely 2.5 weeks down from a situation where their own moderators posted bittorrent links to software produced by Stardock. Stardock refused to use Starforce for its games and insists on releasing its software without invasive DRM's.
     
    Last edited: Mar 28, 2006
Loading...
Thread Status:
Not open for further replies.