P2P-Zone  

Old 01-11-05, 05:21 AM   #1
TankGirl
Madame Comrade
 
Join Date: May 2000
Location: Area 25
Posts: 5,587
Sony uses blackhat style rootkit in its DRM

Source: Mark Russinovich's blog at Sysinternals

Mark Russinovich, a software specialist from Sysinternals.com, got some real nasty software installed into his PC after playing a Sony music CD in it. The software captured the root level control of his computer with methods used by malicious hackers for controlling their armies of compromised 'zombie computers'. It took some serious detective work and professional skills from him to get rid of this sneakily installed malware that would have compromised both the security and the efficiency of his PC in unpredictable ways.

Quote:
"Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden."

...

"At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad."

...

"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far."

Anti-virus software vendor F-Secure warns about the security risks related to Sony's rootkit:

Quote:
When you insert such a CD to a Windows-based PC, the record will display a license agreement and then install a song player software and a rootkit to the system. Even if you uninstall the player, the rootkit stays in the system. The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has got updated antivirus software installed.

They have a free tool available for the detection of rootkits here. To remove Sony's rootkit, they recommend that you contact Sony to request a removal tool:

Quote:
If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this.

- tg
Old 01-11-05, 06:12 AM   #2
theknife
my name is Ranking Fullstop
 
Join Date: Dec 2001
Location: Promontorium Tremendum
Posts: 4,391

...as if i needed another reason not to buy cd's...
Old 01-11-05, 07:10 AM   #3
multi
Thanks for being with arse
 
Join Date: Jan 2002
Location: The other side of the world
Posts: 10,343

won't be running any sony cds in xp myself ever again..

i wonder if a windows user with only user privileges would be affected in the same way when they put one of these cd's in

i have set up a few xp installs like this now and it seems to be the safest way to have windows
using the run as... to run administrator level stuff, make system changes etc..
maybe just a side effect of running linux...



they are making the ripped and shared versions of the songs sound much more appealing..this sort of spyware crap is reason to get people angry
so some will upload the songs..that maybe never shared anything ever before
just because they will find this shit and get pissed off..
__________________

i beat the internet
- the end boss is hard
Old 01-11-05, 12:05 PM   #4
Mazer
Earthbound misfit
 
Join Date: May 2001
Location: Moses Lake, Washington
Posts: 2,563

I used that F-Secure tool and it found 82 hidden files, 80 of them in a folder Windows says doesn't exist (I guess that's the whole point). The thing is that I don't know which files I should worry about, if any. Does anyone have an idea to find out which files to remove?
Old 02-11-05, 07:54 PM   #5
TankGirl
Madame Comrade
 
Join Date: May 2000
Location: Area 25
Posts: 5,587

The story has already found its way to Washington Post and seems to be making ever bigger waves:

Quote:
Study of Sony Anti-Piracy Software Triggers Uproar

File-Hiding Technique Alarms Security Researchers; Developer Offers Patch

Irate music fans who posted to dozens of online blogs vowing to never again buy Sony CDs as long as the company keeps using a suddenly beleaguered anti-piracy software program may find that their outbursts have been partially rewarded today.

On the heels of the Internet uproar over security concerns with its copyright-protection measures, the company that developed the software for recording-industry giant Sony BMG Music Entertainment says it is providing computer users with a "patch file" that will mitigate some of the features that alarmed security researchers when they were discovered earlier this week -- especially the program's built-in ability to hide files on the user's system.

Privacy and security experts charged that the technology built into many of Sony's music CDs since March is unnecessarily invasive and exposes users to threats from hackers and virus writers.

"Here you have one of the biggest name-brand corporations on the planet getting into what many people in other circumstances would consider hacking," said Richard Smith, a security and privacy consultant based in Boston. "That's just not acceptable."

A software patch needed to cure your PC from its one-time exposure to a Sony music cd? Gee... we consumers need this sort of 'products' like a hole in our head.
Old 02-11-05, 10:27 PM   #6
JackSpratts
 
Join Date: May 2001
Location: New England
Posts: 10,017

just when the endless discussions with copyright nuts begin to exhaust the reasons for not buying content, sony’s arrogant executives lash out with the most persuasive argument yet: loading a store-bought cd running this program is so sinister sony simply must expect reasonable people to swap their songs instead of buying them.

i will happily oblige. i trust you will too.

- js.
Old 03-11-05, 04:50 AM   #7
TankGirl
Madame Comrade
 
Join Date: May 2000
Location: Area 25
Posts: 5,587

PCWorld takes a similar stand on it:

Quote:
The bigger question people have got to ask is, does Sony not respect the integrity of the computers of its customers? This cavalier act of sneaking software onto PCs not only violates our own Prime Directive -- it's our PC, dammit -- but threatens the entire music industry.

After all, if you suspect that a commercial CD will install software secretly, which you won't be able to remove and which, itself, may increase the already-great security problems of your Windows PC, would you continue to buy CDs?

I'll tell you right now, I won't. I'd much rather buy an unrestricted copy of a song electronically, using iTunes, or Rhapsody, or one of the other music services that offer this feature, than take a chance that some music disc will stick some hidden files in my Windows folder, which I can't see or remove.

Sony has dealt itself a serious blow, and the best thing it -- and the rest of the music publishers -- can do right now is condemn this practice, apologize to the customers that were affected, provide a method to get this junk off affected PCs, and make declarations that they will never, ever do this again.

I don't think they will. And if they don't, I simply won't buy CDs anymore. Period. From any publisher. And I recommend that you don't, either. As a fan of music who respects the need for artists to make a living, and a security-savvy PC user, I'm incensed that Sony -- any company -- would think it's OK to do this. It's not. But the only way (I can see) to send that message effectively to Sony BMG executives is to vote against CDs with my wallet.

Sony was crucial in creating the CD format more than 25 years ago. In this age where every purchasing choice we make affects the level of control we have over our PCs, they seem to be committed to killing it.

Here is an update from F-Secure regarding the situation. Sony is now distributing the promised software update (available from here). The update removes a rootkit driver and makes the previously cloaked files visible but unfortunately still does not help the consumer to uninstall the product in any automatic way. Therefore F-Secure has to conclude:

Quote:
Automatic uninstallation of the software is still not possible without additional tools, and removing it manually is difficult. If you want to remove the software from your computer, we still recommend that you contact Sony BMG using their web form and ask for permission to uninstall it.

"Dear Sony, can you please give me permission to remove your DRM from my PC?" Great added value to what the vanilla CDs used to be, eh?

- a Van Zant album from Amazon: $ 14.99
- spending 2 hours of your time trying to figure out how to get the music into your iPod: $ 100.00
- spending 3 hours of your time trying to figure out the new security risks of music CDs: $ 150.00
- having your CD drive rendered useless while trying to get rid of Sony's rootkit: priceless
All times are GMT -6. The time now is 09:25 AM.

