Some Sony CD's Install Root Kits


40 replies to this topic

#1 DarkRaika

Posted 02 November 2005 - 04:21 PM

Sony Music CDs surreptitiously install DRM Trojan horses on PCs

http://www.f-secure.com/weblog/archives/archive-112005.html - Details
http://blogs.zdnet.com/BTL/?p=2092 - Fix


If you don't have the BlackLight Rootkit program, I advise you get it. It's a very good program that will assist in picking up malware that the usual programs you use to scan your PC for Spyware/Adware/Malware will not. These rootkit trojans are designed to infect and place themselves on your system so they can't be detected; however, BlackLight will pick them up.

Very curious that Sony would purposely implement a Trojan in the CDs; anyhow, have a read.


#2 KoanYorel


Posted 02 November 2005 - 04:37 PM

This is a note from F-Secure about the BlackLight Beta program.

Note: The F-Secure BlackLight Beta only works on 32-bit Windows 2000, Windows XP and Windows 2003 Server.
The current F-Secure BlackLight beta does not work on Windows NT, 95, 98, ME, or 64-bit Windows.



#3 Papakid


Posted 02 November 2005 - 09:44 PM

I've edited the topic title. This is not a true trojan but a root-kit. And I don't know that every Sony CD uses this technology. And finally, I didn't see any details on how to "fix" the rootkit other than running BlackLight. That is a tool best left to advanced users. If you don't know what you are doing, you can truly screw up a system. As Mark Russinovich of Sysinternals, who originally broke this story states, and is quoted in the ZDNet article by David Berlind:

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.


Also:
http://www.f-secure.com/weblog/archives/ar...5.html#00000691

If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this. However, they will install additional ActiveX components to your system while they are doing this, so be advised.


I strongly suggest everyone read Mark's article/blog entry about this:
http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

Let's not cause a panic. And anyone who doesn't understand what Mark is talking about should in no way try to fix this root kit.

Root kits are not an infection or a trojan in and of themselves. They are often used by trojans to conceal their presence. That's all. Sony is using this as a means of concealing the presence of copyright protection software/files and to prevent its removal by the somewhat technically savvy. It is a piece of crap installed surreptitiously and everyone has a right to be mad at Sony's draconian tactics, but the files the rootkit hides are not controlled by some remote hacker or used to steal sensitive information or display unwanted ads/popups.

I agree for the most part with Russinovich's level-headed conclusion:

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.


I'm not sure if I believe in the media industry’s "right" to use copy protection mechanisms, but a boycott of Sony products is not a bad idea in my book. :thumbsup:

BTW, Koan, root kits only work on 32-bit NT-based (2000, XP, 2003) systems with NTFS formatting. I.e., files are not hidden (or not hidden in the same way, not sure about this) on Win9X, 64-bit systems, or NT-based systems with Fat32 formatting. So there is no need for detection software such as F-Secure's BlackLight and sysinternals' RootkitRevealer.

RootkitRevealer is a detection tool only. BlackLight deals with the root kit by renaming it. It should also be pointed out that BlackLight is a time limited Beta that will no longer be available for free download after the first of the year. Read the disclaimer on the site--another reason for newbies to be careful with it as betas are still in the testing stage and could still be unstable.



#4 quietman7


Posted 03 November 2005 - 07:06 AM

Sony Responds with option to remove

#5 boopme


Posted 03 November 2005 - 07:15 PM

Looks like SONY only offers to remove the cloaking driver. There's still no uninstall for the DRMs :thumbsup:

#6 quietman7


Posted 07 November 2005 - 08:09 AM

Sony's antipiracy may end up on antivirus hit lists

#7 quietman7


Posted 08 November 2005 - 09:32 AM

Sony sued over rootkits

#8 quietman7


Posted 10 November 2005 - 11:25 AM

Sony's Patch Brings Up "Blue Screen Of Death"

#9 John_McKenna


Posted 10 November 2005 - 11:53 AM

And the virus writers start exploiting it.

Three cheers for Sony. :thumbsup:

#10 quietman7


Posted 10 November 2005 - 12:36 PM

Yes they have and it just made the news.

Trojan Horse Hides Using Sony Rootkit
By Nate Mook, BetaNews
November 10, 2005, 11:36 AM

What security experts have warned about Sony's DRM has come to pass, with a new trojan horse attempting to hide itself using techniques enabled by the company's anti-piracy software. Dubbed "Troj/Stinx-E" by Sophos, the application copies itself to a file called: $sys$drv.exe, which is hidden by Sony's copy protection.

betanews.com

#11 tg1911


Posted 10 November 2005 - 06:47 PM

Doesn't this, technically, make Sony responsible for the computers that became infected because of the installation of their root kit? :thumbsup:
Hmmm, a class action suit, maybe?

#12 ddeerrff


Posted 10 November 2005 - 09:32 PM

I don't have the links, but suits have been filed in at least California, New York, and Italy.

#13 John_McKenna


Posted 11 November 2005 - 05:21 AM

Yep and these folk haven't even been infected yet.

http://news.bbc.co.uk/2/hi/technology/4424254.stm

#14 ddeerrff


Posted 11 November 2005 - 10:33 AM

http://www.sophos.com/support/disinfection/rkprf.html

#15 boopme


Posted 11 November 2005 - 04:59 PM

Made the New York Times

http://www.nytimes.com/2005/11/09/technolo...OGUE-EMAIL.html