View Full Version : Sony rootkits and DRM (sysinternals)


Silver
November 3rd, 2005, 09:09
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Interesting.

Kayaker
November 4th, 2005, 13:40
I've been following this since it came out on Mark's Blog the other day, definitely an interesting story. Steve Gibson from GRC has a 15-20 minute mildly entertaining audio broadcast that is a good summary of the whole ugly affair as well.

The audio broadcasts are at
http://www.grc.com/securitynow.htm

If you don't mind the highest quality 12Mb mp3, here's a direct link to the Sony rootkit story
http://media.grc.com/sn/SN-012.mp3

goggles99
November 4th, 2005, 15:27
does anyone have the installer for this, and can upload it here???
I'd like to poke around with it a little. (disassembling and such)

Thanks

0xf001
November 4th, 2005, 16:00
hehe,

i was also shocked by this news. this i find rather funny what the world of warcraft hackers do haha

http://www.securityfocus.com/brief/34

cheers, 0xf001

LLXX
November 4th, 2005, 22:03
Very interesting. I've seen this news item a few times before. But the "protection" itself is trivial, the rootkit is what's really concerning.

Those of us that set to Off the AutoPlay option on our CD-Rom drives will be completely unaffected, as well as those of us who use Win9x, as the rootkit only functions under WinNT systems. The CD is composed of standard Audio tracks as well as a partition holding the rootkit binaries, and if the rootkit does not get installed, the CD can simply be thought of as a standard Audio CD with some malware on it, and can be copied very easily. So much for "copy protection".

I'd like to see the following phrase on Sony's site:
Sony is now giving away a free undetected rootkit with the purchase of any copy-protected CD!

Silver
November 5th, 2005, 09:02
Quote:
Steve Gibson from GRC has a 15-20 minute mildly entertaining audio broadcast that is a good summary of the whole ugly affair as well.


Steve Gibson.. *choke* The Howard Stern of security

If Sony do this to their CD's, makes you wonder what's preinstalled on their laptops. I'll have a poke around on my vaio when I get a chance...

naides
November 5th, 2005, 09:49
I cannot help but smirk and chuckle. This is going to deliver a blow to SONY sales
Right below the bottom line where it hurts
Trying to save a few pennies in lost revenues from music piracy (if indeed this stunt would save any) they stand to lose millions by scaring legitimate customers!!
Ha, that will teach them sneaky, stingy, bastards

Kayaker
November 10th, 2005, 11:52
You *almost* feel sorry for Sony


Sony digital boss - rootkit ignorance is bliss

The President of Sony BMG's global digital business division Thomas Hesse has weighed into the storm over the 'rootkit'-style copy restriction software introduced on some recent audio CDs.

Sony's software installs itself by stealth, conceals itself, then intercepts low level Windows systems calls. Removing it causes the CD drive to be rendered inoperable. The only cure is to reformat the disk and reinstall Windows.

What responsibility did Hesse feel for the havoc his CDs had caused?

"Most people, I think, don't even know what a rootkit is, so why should they care about it?" he huffed.

http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/


First Trojan using Sony DRM spotted

Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs.

Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.

http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/


Sony hit by lawsuits over root kit

Sony BMG is facing a class action suit from Californian consumers who claim the music giant's rootkit DRM technology damaged their computers and breaks three separate Californian laws.

A second case has been started in New York on behalf of anyone who's bought one of the CDs.

Sony is also facing possible action from the Electronic Frontier Foundation in Italy - the lobby group has filed papers with the Italian authorities alleging Sony is guilty of "illicit acts".

http://www.theregister.co.uk/2005/11/10/sony_sued_for_rootkit/
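
[Added example, not part of Kayaker's post or the quoted articles.] Because the cloak described above hides any name starting with "$sys$", one defensive check is a cross-view comparison: list the same directory once through the running system and once from a trusted offline view, then report what only the offline view shows. The function names and sample listings below are constructed for illustration; only the "$sys$" prefix and "$sys$drv.exe" come from the article text.

```python
"""Cross-view check for names hidden by a "$sys$"-prefix cloak (added example)."""

CLOAK_PREFIX = "$sys$"  # prefix quoted in the Register article above


def normalize(name):
    # Windows file names are case-insensitive; compare on a folded form.
    return name.strip().casefold()


def cross_view_diff(live_listing, offline_listing):
    """Return findings for entries seen offline but absent from the live view.

    live_listing    -- names returned by the running system's directory API
    offline_listing -- names for the same directory read from a trusted
                       offline view (assumption: e.g. disk mounted in another OS)
    """
    live = {normalize(n) for n in live_listing if n.strip()}
    findings, seen = [], set()
    for name in offline_listing:
        key = normalize(name)
        if not key or key in live or key in seen:
            continue
        seen.add(key)
        findings.append({"name": name.strip(),
                         "cloak_prefix": key.startswith(CLOAK_PREFIX)})
    # Prefix matches first: those are the names the cloak would hide.
    findings.sort(key=lambda f: (not f["cloak_prefix"], f["name"].casefold()))
    return findings


def visible_prefix_names(live_listing):
    """Prefixed names that ARE visible live (cloak absent or already removed)."""
    return [n.strip() for n in live_listing
            if normalize(n).startswith(CLOAK_PREFIX)]


# Constructed sample listings for one directory (not real captures).
LIVE = ["kernel32.dll", "notepad.exe", "drivers"]
OFFLINE = ["kernel32.dll", "notepad.exe", "drivers",
           "$sys$drv.exe", "$SYS$example.dat", "pagefile.tmp"]

if __name__ == "__main__":
    for f in cross_view_diff(LIVE, OFFLINE):
        tag = "HIDDEN, cloak prefix" if f["cloak_prefix"] else "missing live"
        print(f"{tag:22} {f['name']}")
```

Entries missing from the live view without the prefix (such as the constructed "pagefile.tmp") are listed separately, since files created or deleted between the two snapshots also show up as differences.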

doug
November 10th, 2005, 14:36
good.
I hope they make an example out of sony's irresponsible behaviour, to teach all those other copy protections that wreck a perfectly fine Windows installation by installing drivers that hook file / IO / scsi / ide drivers, the SST, the IDT, and so on.

CluelessNoob
November 11th, 2005, 09:41
Quote:
[Originally Posted by doug]a perfectly fine Windows installation


Sorry, you lost me there...


0xf001
November 14th, 2005, 10:26
*ggggggggg* indeed it affects probably only windows users - and there the "not so experienced" crowd (which should be the mass) - or simply anybody who just wants to play a f*ckin CD on the PC without thinking about all possible security issues that could arise.
i mean this stupid OS makes it possible to implement this shit lol. default run applications from CD *ggggg* sorry - i can't help myself LOOOOL
(please try to ignore the little offense about windows, but what will come next? )

it's the whole principle that is f*cked up with these DRM approaches anyway.
i wait for the day they give up these more and more stupid approaches to restrict copying - they start at the wrong end in my opinion. argh money money money - lool

cheers, 0xf001

naides
November 14th, 2005, 12:08
Quote:
[Originally Posted by 0xf001]
it's the whole principle that is f*cked up with these DRM approaches anyway.
cheers, 0xf001


This reminds me of the Trusted Computing stunt of copyright protection that LLXX was mentioning in another post: These geniuses came up with a CPU that has a private key. The user obtains a Decode key from the software vendor and the CPU decodes the software code in an unreachable, protected RAM and runs the program from there.
In other words we would buy a highly restrictive computer, and the software vendors become omnipotent, they can run whatever fucking spyware they please in that obscure, untouchable protected RAM, with no hope for the users to find out what is going on in their machines.

YEAH RIGHT, that is the computer I want to buy. dream on. . .

0xf001
November 14th, 2005, 12:24
uuh that reminds me of the CPUID instruction on some intels

0xf001

Polaris
November 14th, 2005, 13:20
This SONY affair has gone too far... They'll regret their attempt to fool users as soon as their sales drop more than they are dropping now. They drove away the only people who were actually buying their stuff... Pirate users downloading from emule are completely safe!

Btw, we'll hear more about that...

JMI
November 14th, 2005, 18:26
SONY has already agreed to drop their protection system. Presumably they will choose another that doesn't endanger the user's system.

Regards,

Aimless
November 15th, 2005, 00:33
I am scared for Mark. Hope they don't hire assassins (read triads and tongs) to wipe him off.

Mark, now may be a good time to go on that WITNESS PROTECTION PROGRAM...



Have Phun

CluelessNoob
November 15th, 2005, 00:51
Quote:
[Originally Posted by JMI]SONY has already agreed to drop their protection system. Presumably they will choose another that doesn't endanger the user's system.

Regards,


Ummm, no they haven't.

They have agreed to temporarily stop shipping discs with the rootkit virus. Presumably they will restart shipments with a "new and improved" version that is less hostile to the user's PC.

On a different but Sony related note...

If you do not agree to a EULA that forbids reversing, but the software is installed anyway (and in fact before the EULA is even displayed) are you bound by the terms in any way?

Sony's "other" DRM technique from Sunncomm does just that...

hxxp://www.freedom-to-tinker.com/?p=925

JMI
November 15th, 2005, 20:40
Actually, SONY offered a "Patch" that was supposed to allow them to remove the rootkit provisions they had installed. Unfortunately, that seems to have opened an entirely "new" can of worms and complaints.

Sony Copy Protection Patch Can Crash Windows

http://news.yahoo.com/s/cmp/20051108/tc_cmp/173500370

That is from November 7th and the National news today was broadcasting that SONY's "patch" was opening the computer to attack by others who wanted to take control of affected machines. Not very bright or good news for SONY.

Regards,

Woodmann
November 15th, 2005, 22:38
Howdy,

I have also read that the Sony patch program involves 3 emails and you still have to reveal personal information to get access to the patch.

The RIAA has to take a hit for this bullshit, is not Sony a part of that group ??

Woodmann

LLXX
November 16th, 2005, 01:16
I'd prefer to remove the rootkit manually, who knows what other crap Sony's "removal" patch (~3MB?) installs. Just boot to a console prompt, delete a few files, change some registry keys, and the machine is rootkit-free again. I also do the same with my software - I never trust the "Uninstaller" that comes with them.

As well, it seems Micro$oft is going to add detection/removal for this rootkit in their antispyware... even M$ doesn't like rootkits:

http://www.eweek.com/article2/0,1759,1886122,00.asp?kc=EWRSS03129TX1K0000614

SiGiNT
November 16th, 2005, 16:51
OMG!

I need to run out and buy a bunch of Sony CD's immediately, otherwise I might not get in on the class action suit ( $$$$$$$).

Sony recalls copy-protected music CDs - http://www.msnbc.msn.com/id/10069563/

Yeah! I'm still waiting for my money (certificates), from M$ for that one..

SiGiNT

Silver
November 21st, 2005, 09:20
Adds no value, but funny nonetheless...

http://www.bash.org/?577451

Polaris
November 21st, 2005, 15:04
HAHAHAHHAHA

0xf001
November 26th, 2005, 12:18
I don't just wanna increase my post count, but ....
Silver: baaaaaaahahahahahahahaaaa GREAT idea!

regards, 0xf001

SiGiNT
January 4th, 2006, 18:10
Damn!!!

I never followed thru on buying those CD's - geesh I could have 3 for every one now!

http://www.newsfactor.com/story.xhtml?story_id=40603

SiGiNT