Old 01-11-05, 05:21 AM   #1
TankGirl
Madame Comrade
Join Date: May 2000
Location: Area 25
Posts: 5,587
Sony uses blackhat style rootkit in its DRM

Source: Mark Russinovich's blog at Sysinternals

Mark Russinovich, a software specialist from Sysinternals.com, got some really nasty software installed on his PC after playing a Sony music CD in it. The software captured root-level control of his computer with methods used by malicious hackers for controlling their armies of compromised 'zombie computers'. It took some serious detective work and professional skills from him to get rid of this sneakily installed malware that would have compromised both the security and the efficiency of his PC in unpredictable ways.

Quote:
"Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden."

...

"At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad."

...

"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far."
Anti-virus software vendor F-Secure warns about the security risks related to Sony's rootkit:

Quote:
When you insert such a CD into a Windows-based PC, the record will display a license agreement and then install song player software and a rootkit on the system. Even if you uninstall the player, the rootkit stays in the system. The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed.
They have a free tool available for the detection of rootkits here. To remove Sony's rootkit, they recommend you contact Sony to request a removal tool:

Quote:
If you find this rootkit on your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test-driven this and they will provide you with tools to do this.
- tg