BleepingComputer.com: Some Sony CD's Install Root Kits


Some Sony CD's Install Root Kits: New DRM method "goes too far"

#1 DarkRaika

  • Member
  • Group: Members
  • Posts: 58
  • Joined: 01-November 05
  • Location: Not Alpha Centauri

Posted 02 November 2005 - 04:21 PM

Sony Music CDs surreptitiously install DRM Trojan horses on PCs

http://www.f-secure.com/weblog/archives/archive-112005.html - Details
http://blogs.zdnet.com/BTL/?p=2092 - Fix


If you don't have the BlackLight rootkit program, I advise you to get it. It's a very good program that will assist in picking up malware that the usual programs you use to scan your PC for spyware/adware/malware will not. These rootkit trojans are designed to infect and place themselves on your system so they can't be detected; however, BlackLight will pick them up.

Very curious that Sony would purposely implement a Trojan in the CDs. Anyhow, have a read.
31337 is a prime number .... 1337 is not .... go figure!

#2 KoanYorel

  • Bleepin' Conundrum
  • Group: Staff Emeritus
  • Posts: 19,461
  • Joined: 26-April 04
  • Gender: Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA

Posted 02 November 2005 - 04:37 PM

This note from F-Secure about the BlackLight Beta program.

Quote

Note: The F-Secure BlackLight Beta only works on 32-bit Windows 2000, Windows XP and Windows 2003 Server.
The current F-Secure BlackLight beta does not work on Windows NT, 95, 98, ME, or 64-bit Windows.

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 Papakid

  • Guru at being a Newbie
  • Group: Malware Response Team
  • Posts: 6,019
  • Joined: 08-April 04
  • Gender: Male

Posted 02 November 2005 - 09:44 PM

I've edited the topic title. This is not a true trojan but a rootkit. And I don't know that every Sony CD uses this technology. And finally, I didn't see any details on how to "fix" the rootkit other than running BlackLight. That is a tool best left to advanced users. If you don't know what you are doing, you can truly screw up a system. As Mark Russinovich of Sysinternals, who originally broke this story, states, and is quoted in the ZDNet article by David Berlind:

Quote

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.


Also:
http://www.f-secure.com/weblog/archives/ar...5.html#00000691

Quote

If you find this rootkit on your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test-driven this and they will provide you with tools to do this. However, they will install additional ActiveX components on your system while they are doing this, so be advised.


I strongly suggest everyone read Mark's article/blog entry about this:
http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

Let's not cause a panic. And anyone who doesn't understand what Mark is talking about should in no way try to fix this root kit.

Rootkits are not an infection or a trojan in and of themselves. They are often used by trojans to conceal their presence. That's all. Sony is using this as a means of concealing the presence of copyright-protection software/files and to prevent its removal by the somewhat technically savvy. It is a piece of crap installed surreptitiously, and everyone has a right to be mad at Sony's draconian tactics, but the files the rootkit hides are not controlled by some remote hacker or used to steal sensitive information or display unwanted ads/popups.

I agree for the most part with Russinovich's level-headed conclusion:

Quote

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.


I'm not sure if I believe in the media industry’s "right" to use copy protection mechanisms, but a boycott of Sony products is not a bad idea in my book. :thumbsup:

BTW, Koan, rootkits only work on 32-bit NT-based (2000, XP, 2003) systems with NTFS formatting, i.e., files are not hidden (or not hidden in the same way; not sure about this) on Win9x, 64-bit systems, or NT-based systems with FAT32 formatting. So there is no need for detection software such as F-Secure's BlackLight and Sysinternals' RootkitRevealer.

RootkitRevealer is a detection tool only. BlackLight deals with the rootkit by renaming it. It should also be pointed out that BlackLight is a time-limited beta that will no longer be available for free download after the first of the year. Read the disclaimer on the site; another reason for newbies to be careful with it, as betas are still in the testing stage and could still be unstable.
And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#4 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 03 November 2005 - 07:06 AM

Sony Responds with option to remove
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 boopme

  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 03 November 2005 - 07:15 PM

Looks like Sony only offers to remove the cloaking driver. There's still no uninstall for the DRM. :thumbsup:
How do I get help? Who is helping me?
Staying Updated Calendar of Updates.
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....

#6 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 07 November 2005 - 08:09 AM

Sony's antipiracy may end up on antivirus hit lists

#7 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 08 November 2005 - 09:32 AM

Sony sued over rootkits

#8 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 10 November 2005 - 11:25 AM

Sony's Patch Brings Up "Blue Screen Of Death"

#9 John_McKenna

  • World Class Hairy Chest
  • Group: Members
  • Posts: 497
  • Joined: 05-January 05
  • Location: Liverpool

Posted 10 November 2005 - 11:53 AM

And the virus writers start exploiting it.

Three cheers for Sony. :thumbsup:
Want to fight back? Click HERE and learn how to remove spyware.

If I've helped you, please consider donating to the Multiple Sclerosis Society (UK)

#10 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 10 November 2005 - 12:36 PM

Yes they have and it just made the news.

Quote

Trojan Horse Hides Using Sony Rootkit
By Nate Mook, BetaNews
November 10, 2005, 11:36 AM

What security experts have warned about Sony's DRM has come to pass, with a new trojan horse attempting to hide itself using techniques enabled by the company's anti-piracy software. Dubbed "Troj/Stinx-E" by Sophos, the application copies itself to a file called: $sys$drv.exe, which is hidden by Sony's copy protection.

betanews.com
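The BetaNews item above shows why the cloaking is worse than the DRM itself: the driver hides anything whose name begins with "$sys$", so a trojan only has to pick such a name to inherit the cover. The following is an added example, not code from this thread, from Sysinternals or from F-Secure, that shows the cross-view technique RootkitRevealer and BlackLight rely on in principle: take the directory listing the (hooked) Win32 API returns, take a second listing obtained by bypassing it (raw volume read), and diff the two. The listings here are constructed sample data; "$sys$drv.exe" is the trojan file name quoted from Sophos, while the other "$sys$" names are hypothetical placeholders, not real XCP file names. The triage step is there because, as the F-Secure note earlier in the thread warns, the DRM's own cloaked driver must not be deleted blindly.

```python
# Added example (not code from the thread, Sysinternals or F-Secure):
# cross-view detection of objects cloaked by a "$sys$" prefix rule.
# All names except $sys$drv.exe (from the BetaNews quote) are constructed.
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# The Sony/XCP cloaking driver hides files, directories, registry keys and
# processes whose names begin with this prefix (Windows names are
# case-insensitive, so the check below is too).
XCP_CLOAK_PREFIX = "$sys$"


@dataclass(frozen=True)
class Discrepancy:
    name: str      # object present in the low-level view but not the API view
    reason: str    # why we think it is hidden


def is_cloaked_by_prefix(name: str) -> bool:
    """True if the $sys$ rule would hide this name from Win32 enumeration."""
    return name.lower().startswith(XCP_CLOAK_PREFIX)


def hooked_api_view(raw_view: Iterable[str]) -> List[str]:
    """Simulate what the hooked FindFirstFile/FindNextFile path returns:
    the true directory contents minus anything matching the cloaking rule.
    On an infected box this is what Explorer, dir and most scanners see."""
    return [n for n in raw_view if not is_cloaked_by_prefix(n)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[Discrepancy]:
    """Diff a high-level (API) view against a low-level (raw volume) view.

    Anything the raw view has that the API view lacks is hidden from user
    mode. A name that fits the $sys$ rule is attributed to the cloaking
    driver; anything else is being hidden by some other mechanism and
    deserves a closer look rather than a rename or delete."""
    visible: Set[str] = {n.lower() for n in api_view}
    found: List[Discrepancy] = []
    for name in sorted(set(raw_view), key=str.lower):
        if name.lower() in visible:
            continue
        if is_cloaked_by_prefix(name):
            found.append(Discrepancy(name, "hidden by $sys$ cloaking rule"))
        else:
            found.append(Discrepancy(name, "hidden by unknown mechanism"))
    return found


def triage(discrepancies: Iterable[Discrepancy],
           drm_components: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Separate the DRM's own cloaked files from hitch-hikers.

    The copy protection's own files include a CD-drive filter driver and
    must not be deleted blindly; anything else riding under the same prefix
    is exactly what Troj/Stinx-E did."""
    known = {c.lower() for c in drm_components}
    own: List[str] = []
    hitchhikers: List[str] = []
    for d in discrepancies:
        (own if d.name.lower() in known else hitchhikers).append(d.name)
    return own, hitchhikers


# Constructed sample data: a raw NTFS listing of a hypothetical System32 on
# an infected machine. "$sys$drv.exe" is the trojan's file name reported by
# Sophos; the other $sys$ names are placeholders, not real XCP file names.
RAW_LISTING = [
    "kernel32.dll",
    "ntoskrnl.exe",
    "$sys$example_drm.exe",      # stand-in for a DRM component (hypothetical)
    "$sys$example_filter.sys",   # stand-in for the CD filter driver (hypothetical)
    "$sys$drv.exe",              # Troj/Stinx-E, hiding under the same prefix
]
HYPOTHETICAL_DRM_FILES = ["$sys$example_drm.exe", "$sys$example_filter.sys"]


def demo():
    """Run the three steps over the sample data and return the results."""
    api = hooked_api_view(RAW_LISTING)
    hidden = cross_view_diff(api, RAW_LISTING)
    own, hitchhikers = triage(hidden, HYPOTHETICAL_DRM_FILES)
    return api, hidden, own, hitchhikers


if __name__ == "__main__":
    api, hidden, own, hitchhikers = demo()
    print("API view     :", api)
    print("cloaked      :", [d.name for d in hidden])
    print("DRM's own    :", own)
    print("hitch-hikers :", hitchhikers)
```

The point of the diff is that it does not trust the hooked API at all: a name the rootkit hides from FindFirstFile is still on disk, and reading the volume directly (as RootkitRevealer does) reveals it. The same comparison applies to registry keys and processes, which the driver hides under the same rule. Note that the triage list of "own" components is an assumption supplied by the analyst; on a real machine that list would come from the vendor's removal instructions, not from guessing.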

#11 tg1911

  • Lord Spam Magnet
  • Group: Site Admin
  • Posts: 18,573
  • Joined: 06-May 04
  • Gender: Male
  • Location: SW Louisiana

Posted 10 November 2005 - 06:47 PM

Doesn't this, technically, make Sony responsible for the computers that became infected because of the installation of their rootkit? :thumbsup:
Hmmm, a class-action suit, maybe?
MOBO: GIGABYTE GA-MA790X-UD4P, CPU: Phenom II X4 955 Deneb BE, HS/F: CoolerMaster V8, RAM: 2 x 1G Kingston HyperX DDR2 800, GPU: eVGA GeForce 9800 GTX+, PSU: Antec TruePower Modular 750W, Soundcard: Asus Xonar D1, Case: CoolerMaster COSMOS 1000, Storage: Internal - 2 x Seagate 250GB SATA, 2 x WD 1TB SATA; External - Seagate 500GB USB, WD 640GB eSATA, 3 x WD 1TB eSATA


#12 ddeerrff

  • Retired
  • Group: Malware Response Team
  • Posts: 2,541
  • Joined: 13-September 04
  • Gender: Male
  • Location: Wisconsin, US

Posted 10 November 2005 - 09:32 PM

I don't have the links, but suits have been filed in at least California, New York, and Italy.
Derfram
~~~~~~

#13 John_McKenna

  • World Class Hairy Chest
  • Group: Members
  • Posts: 497
  • Joined: 05-January 05
  • Location: Liverpool

Posted 11 November 2005 - 05:21 AM

Yep, and these folks haven't even been infected yet.

http://news.bbc.co.uk/2/hi/technology/4424254.stm

#14 ddeerrff

  • Retired
  • Group: Malware Response Team
  • Posts: 2,541
  • Joined: 13-September 04
  • Gender: Male
  • Location: Wisconsin, US

Posted 11 November 2005 - 10:33 AM


#15 boopme

  • To Insanity and Beyond
  • Group: Global Moderator
  • Posts: 48,761
  • Joined: 10-September 04
  • Gender: Male
  • Location: NJ USA

Posted 11 November 2005 - 04:59 PM

Made the New York Times

http://www.nytimes.com/2005/11/09/technolo...OGUE-EMAIL.html
