More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere having an impact, at least for the moment. But, there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller. At the core of this story, however, is the issue of what disclosure should be required of software End User License Agreements (EULAs) and how the requirements can be made Federal law.

The Uninstaller
Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available. The uninstall question on Sony’s FAQ page directs you to another page that asks you to fill out a form requesting for uninstall directions to be emailed to you:

There’s no way to access the uninstaller without providing this information, and clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address can be added to various Sony marketing lists.

A few minutes after submitting the form I received an email assigning me a case ID and directing me to another page on Sony’s site where I would have to submit an uninstall request a second time:

I’ve filled out the second form and am waiting for the follow-up email.

The Patch
You can the get to the patch supplied in the above email from the same Sony support site under Software Updates:

The download text claims that the rootkit does not pose any “potential security vulnerabilities,” however it’s obvious that any software that cloaks files, directories and Registry keys beginning with a certain string of characters is a clear security risk. An innovating exploit of the rootkit utilizes it to compromise the World of Warcraft anti-cheat system.

The download of what should be a small patch is around 3.5 MB because it includes updated drivers and executables for the DRM software that the patch also installs (again, no mention of this is made in the download description). Interestingly, after installing the patch a new entry showed up in the Windows Add and Remove Programs utility, but it’s only because I checked immediately after I ran the patch that I knew it was related to Sony:

Nowhere up to now have I seen the Sony Player or DRM software referred to as “MediaJam”. I looked in the Program Files directory and the only file in the new MediaJam subdirectory was Unicows.dll, a Microsoft DLL:

Assuming that uninstalling MediaJam would uninstall the DRM software, I attempted to do so but was greeted with this dialog:

It looks like their rush to get the patch out precluded any kind of testing.

The actual decloaking, which is the only value the patch advertises, simply performs the equivalent of the following Windows command:

net stop “network control manager”

“Network Control Manager” is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. After the patch had completed I dumped the system call table in LiveKd and noted that the redirected entries had returned to their standard values and that the driver had unloaded from memory:

However, Sony’s uncloaking patch puts users systems at risk of a blue-screen crash and the associated chance of data loss. The risk is small, but I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running:

It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described.

If the developers had heeded this warning the decloaker would have required the system to reboot so that the Aries driver could remain active through the shutdown, but then not load on the next reboot.

I urge Sony to make a real uninstaller readily available for download and to make both the de-cloaking and uninstaller unload the driver safely. In the meantime users can perform a safe decloaking by opening the Run dialog from the Start menu, entering “sc delete $sys$aries”, and then rebooting. This sequence deletes the driver from the Windows Registry so that even though its image is still present on disk, the I/O system will not load it during subsequent boots.

EULAs and Disclosure: Sony’s Player Phones Home
There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.

I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the users comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:

In response the Sony web site reports the last time a particular file was updated:

I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.

The media has done a great job of publicizing this story, which has implications that extend beyond DRM to software EULAs and disclosure, and I hope that the awareness they’re creating will result in Congressional action. Both the software industry and consumers need laws that will clearly draw lines around acceptable behaviors.

The story continues with Sony's Rootkit: First 4 Internet Responds.

Originally by Mark Russinovich on 11/4/2005 12:04:00 PM
Migrated from original Sysinternals.com/Blog

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code."

Isn't it possible to allocate some non-pagable memory, write a couple of assembly instructions to it that checks a state variable and jumps to the detour or to the original function?

The service dispatch table would point to this assembly code instead of pointing directly to the detour function. Then the driver could be unloaded without any risk.

11/4/2005 1:19:00 PM by Eternal Idol

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Another excellent and informative article. These latest confirmations on 'phone home' activity and system stability yet again bring criminal liability into play in the UK under the Sale of Goods and Services Act, as yet again, they are clearly misleading the consumer about the product.

Thanks.

11/4/2005 1:58:00 PM by Alexander Hanff

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

@ Mark - you write: "I’ve filled out the second form and am waiting for the follow-up email"

Another place wrote this:
"In a test of the form late Wednesday, an e-mail confirming receipt was quickly returned by Sony BMG customer service, but it included no instructions on how to remove the software. The message promised another reply "shortly."
Link: http://www.foxnews.com/story/0,2933,174452,00.html

I am waiting for ANYONE to get this so-called follow up email from Sony to find out if what they send is successful or not in completely removing this DRM garbage.

PLEASE keep up posted..and thank you so much for your hard work on all this!

11/4/2005 1:58:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hi Mark,

As usual, another excellent post.

Nick.

11/4/2005 2:09:00 PM by Nick Whittome

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark,
Thank you very much for finding and publishing this information. I am greatly disturbed by the mindset of people behind this.
If I purposely hid software on another person/s PC that reported information back to me(or my company) would I not be subject to Federal laws against hacking?

You say there needs to be stricter laws explaining EULA's, but I think the law is pretty clear on fraud, hacking, and gaining access under a false pretense.

I think the Sony Exec who authorized this should see jail time.

-AG

11/4/2005 3:00:00 PM by Adam Gates

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Did anyone click on the link MARK provided and actually LISTEN to the audio??

In this Audio, you will hear a comment from Thomas Hessa (not sure of spelling), PRESIDENT of Sony BMG's Global Digital Business. In this Audio and he says "Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

FREAKING UNBELIEVEABLE!

Click on the LISTEN button on this link here to HEAR it yourself!
http://www.npr.org/templates/story/story.php?storyId=4989260

11/4/2005 3:06:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

You go to a website.

You click thru some intro page that solemnly swears you to benevolent visitorness, i.e., you're not going to damage, deface, or illicitly access what you shouldn't oughtta.

Upon connecting, you have just installed - quite without your knowlege or explicit consent, which is what the bogus clickthrough was all about - a rootkit that monitors you for hacking activity, what you DL from the site, what commands you SEND the site, etc. and so on. And while it's there, hey, might as well pack up some marketing info and forward it to the website's databases. And their friends and partners. And parent co.

Am i to understand there's absolutely nothing technical stopping this from occurring right now? If buying a CD wins you this prize...

What SONY and Blizzard and all these other fascist shortsighted narrowminded idiots don't consider, of course, is that THEIR app is not the only one you run! Conflicts and version control on above-board apps is a hard enough task; when a small army of secret, self-interested programs begin to wage war on one another... intentionally or accidentally, makes no difference.

I don't know how to express what i'm seeing, but visualize the above: every app, every website you visit, every time any device you own makes contact with someone else's network, brushes up their 'intellectual property,' it will, in the name of DRM and the DCMA, with the RIAA and MPAA cheering it on, pick up any number of unknown riders, all looking after the interests of its corporate master.

Perfectly benign, of course. Nothing to get all lefty hysterical about, I'm sure. If you aren't a criminal you've nothing to fear, citizen.

'course i'd feel safer about it all if the world didn't keep growing to resemble every outlandish old SciFi short story i ever read.

11/4/2005 3:15:00 PM by spacefiddle

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Never explain by malice what can be explained by incompetence

I don't believe that Sony management has a clue what really went on the CD and what the issue really is. I think this is actually worse than some of the conspiracy theories I've seen on the subject. Some top management guy told a lower echelon drone to "do something about copy protection, I've heard about this DRM thingy". Drone instructs sub-drone, who instructs sub-sub-drone, who ends up asking a number of companies how much it would cost to make this. The sub-sub-drone ends up making a choice by looking at technical capability of companies involved... not. The bid goes to the lowest bidder, whose account manager thought it would look good on his yearly bonus if he bagged Sony as a client. They then pick their first available programmer who starts putting something together. After too much time and money is spent, the software is rushed into production.

In my view this is not so much a DRM conspiracy issue, as much as it is the usual tale of miscommunication and incompetence in large corporations. The difference is that the cock-up is so visible and has such a wide impact.

Instead of passing it off as an easy "executive decision", it might be good if Sony management actually took a serious interest in the complex issues of digital rights. Who knows, we might even get intelligent discussion and decisions on the issue...

11/4/2005 3:55:00 PM by Serge Beaumont

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark,

Is there anyway some testing can be done for the following?

1. What happens when you UPDATE this mess, and make it NOT hidden, and you do a "System Restore" when it was hidden, or you restore a backup like Ghost for an example?

2. If you completly remove it and then do a "System Restore" whe it was hidden or do restore a backup like Ghost for an example?

In any of these cases, is your system screwed up, and could you end up having a Hidden and Non-Hidden version?

11/4/2005 4:20:00 PM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

It seems that a California based Law firm GREEN WELLING LLP has taken up this issue , good for them.

" We would be interested in speaking to all U.S. residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. "

There Website is here http://www.classcounsel.com/
Look under Cosumer Protection.

You can contact us at gw@classcounsel.com.
# posted by Green Welling : 3:35 PM, November 04, 2005

11/4/2005 4:26:00 PM by Nathen

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

@ Green .. how cool that California law is interested in this! Thank you for this info. I plan to let my friends know about this that live in Cali.

However, this is something that EVERY USA STATE should be interested in as well (as well as around the WORLD) And Mark, I certainly do hope that a "Congressional action" takes place!

I am glad to see the mainstream media pick up on this (finally).. such as Washington Post, Associated Press, BBC, Foxnews, MSNBC to name a few.. however I am VERY disappointed that CNN reports absolutely nothing on this! I sent a nasty gram regarding that but I doubt they care! It sure makes me wonder who is "partnered" in with Sony!

11/4/2005 5:25:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Didn't CNN (Time Warner) and Sony/BMG (Bertelsmann Media Group) maried (or are on the way to do so?) That would explain it.

11/4/2005 6:14:00 PM by Venceremos

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark, thanks for bringing all of this out. Sony says no one reported any problems until your blog came out with it- that's no doubt because the people having computer problems as a result of this had no idea it was due to their legally purchased CD.

I bet many formats have been carried out only to be damaged again with this CD because they had no idea that it could be Sony's disc.

Johnny gets a call from his mother again about BSoDs. It even fails in safemode. He assumes that it's spyware again and formats, reinstalls her PC. Immediately after he leaves- she starts playing her favourite music again...

I think the reg and inq are writing their new articles as we speak.
hmmm- let's see "Sony rootkit/spyware combo phones home"

Sony needs to recall these discs and Amazon needs to take them off their website. Here's a copy of a user review:

Vivian [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]
~ Vivian Green

NOT GOOD FOR 64bit USERS, October 9, 2005
Reviewer: tvideo (NJ, USA) - See all my reviews
Since, I don't care about stealing any music, the "Copy Protected" warning didn't bother me in the least. I am a Hardcore gamer I have a high end 64bit PC running Windows XP Pro. The CD claims it is compatible with Windows XP, it does NOT specify which versions so I assumed I was OK.

I installed this CD and I was forced to accept some agreement and then it installed some lousy music player. Everything seemed fine until next time I rebooted my PC both my DVD and CD drives had literally disappeared! That's right this so-called copy protection destroyed access to my drives!!! The copy protection REALLY works great they just disable all your CD/DVD drives so you can't use them with ANY discs anymore - UNBELIEVABLE!!!

http://www.amazon.com/gp/product/customer-reviews/B0007Y4TV0/ref=cm_cr_dp_2_1/103-1243566-0680626?%5Fencoding=UTF8&s=music

11/4/2005 6:22:00 PM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

One think I have not seen mentioned is what happens if a user had a file or directory with the $sys$ prefix -before- the rootkit is first unstalled.

I suspect that XCP does not scan for that before installing.

From the users view the file would simply disapear, probably would not be noticed for a while.
If that is not trashing someones system I dont know what is.

Unlikely but not impossible since some programs create arbitray file names at times...

All your files are belong to us.

11/4/2005 6:23:00 PM by moe-dog

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"however I am VERY disappointed that CNN reports absolutely nothing on this!"

I know it's not this simple but CNN is part of Time-Warner, who HAPPENS to be a RIAA and MPAA member. That's probably why.

11/4/2005 6:27:00 PM by amdrokz

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Another point is how can anyone possibly claim that this garbage that happens to be b0rking Windows boxes across the US protects their music when it can be defeated with the SHIFT key?

Maybe the new DRM compliant keyboards don't have SHIFT keys..

11/4/2005 6:36:00 PM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

In responding to the specific comments in this blog we set out the following comments which I hope clears things up.

1) Blog: "The Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."

Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

2) Blog: "The download of what should be a small patch is around 3.5 MB because it includes updated filters for the DRM software that the patch also installs (again, no mention of this is made in the download description)."

Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

3) Blog: He states that the patch installs something called MediaJam which he was not expecting and could not uninstall.

Answer: Service Pack 2 does not install the MediaJam player on the user's hard drive. The only MediaJam related file installed on the user's drive is a standard Windows file (unicows.dll) used to support multiple languages. When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list -- even though no MediaJam player is installed. Attempting to 'uninstall' this program results in a dialog box which confirms that this program had never been installed in the first place.

4) Blog: He claims that the patch itself could cause a blue-screen, although he says the risk is small.

Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

5) Blog: As part of the uninstall process he notes that "clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address will be added to various Sony marketing lists."

Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

11/4/2005 6:39:00 PM by xcp support

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This post has been removed by the author.

11/4/2005 6:54:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hmmm.. Obviously it sounds like SOMEONE at First4Internet got our nasty grams!

11/4/2005 6:58:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

xcp support.

Care to comment on:

What would happen if a system restore was done that had the hidden version after it was removed?

What would happen if a system restore was done that had the hidden version after it was updated to non-hidden?

Was ANY testing done to check?

11/4/2005 7:01:00 PM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

What xcp support said is VERY informative.

To summarize it, customers need to trust them regarding whatever was installed, whatever they provide for uninstall and whatever information's been sending back to their server.

11/4/2005 7:05:00 PM by amdrokz

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"In responding to the specific comments in this blog we set out the following comments which I hope clears things up.

Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities."

There is no such thing as one way communication on the internet, all packets sent must receive an acknowledgement, if they don't it is not a communication. The network packet sniffer has determined that and ID is sent to 2 different Sony websites, the logs of these website will also include the IP of the computer that sent the this ID. Why should anyone trust that these logs will not be correlated and used for dubious purposes.

"Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point."

Due to the subterfuge already shown by your company and also the comment in the press from Sony stating they have now found new ways to hide DRM software, why should anyone believe a single word you say?

"Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more."

And as he has explained, this can cause a blue screen crash. Microsoft has also been reported as having told consumers with crash issues that your software is responsible. Again, why should we believe a single word you say.?

Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

No an email address is not required, you can release the uninstall utility on the Sony or your own website, there is no need for you collect anymore details on these consumers whatsoever.

Now XCP Support, my turn. I spoke to your CEO on the telephone, I gave him 7 very specific questions via an email which he stated on the telephone he would answer in 24 hours. He failed to answer any of the questions.

I have reported you to the law enforcements agencies in the UK including Scotland Yard, Trading Standards and High tech Crime Unit. I believe you are guilty of violating the Sale of Goods and Services Act and the Computer Misuse Act (as do others). You have failed to disclose information about your product, this is a criminal offense in the UK under the Sales of Goods and Services Act (ammended), furthermore because you have broken the legislation required to be met for the contract of sale to be legal, the EULA means absolutely nothing, it is void. Thus the result of this is you are also highly likely to be in breach of the Computer Misuse Act.

I also doubt very much that the changes to EULAs and FAQs over the past 3 days will do you any favours in the eyes of a jury.

I asked your CEO what about people without internet access or people who know nothing about the massive security risks your software causes. How do they "upgrade" to SP2? So far you have failed to answer this question at any junction.

Finally, I will say You and Sony are BOTH liars (sue me if you dare). F4I are liars because they have claimed that the original software posed no security threat whatsoever. However, you and everyone else who is aware of this issue, know that by simply prefixing the name of malicious 3rd party software with the $sys$ will cloak it under the same rootkit your software installed. this is a serious issue as regards potential identity theft and internet fraud. By stating that the original software posed no security risk you have once again breached the Sale of Goods and Services Act by misrepresenting your product to your consumers.

Sony is a liar because they have been reported in the press as stating that there are absolutely NO copyprotected CDs in the UK from the Sony/BMG label, it took me less than 30 seconds to find 3 in my own collection of CDs and Sony also stated on their website in the FAQs that ALL music cds provided by Sony contain content/copy protection.

You sir, and your company, will be held accountable in court. Not a civil litigation (although I expect there will be a few of those too) but a criminal prosecution at which point you will be judged by a Jury of your peers and in light of the evidence, I highly doubt you will be found not guilty.

11/4/2005 7:07:00 PM by Alexander Hanff

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Is this a joke?

1) So the communication is only one way? So... when you said there was zero communication you admit that you were lied. Now we're supposed to believe you? joke, right?

2) In order to uninstall the DRM you have to upgrade it? You'll have to explain that one in more detail I'm afraid...

3) Did you just say that your uninstall program purposely does not uninstall anything? Did you really just say that?

4) Did you just accuse Dr. Russinovich of pure conjecture? It seems to me that either this procedure is safe or it is not. If you're 'lucky' and it doesn't crash does not mean that it's a safe procedure.

5) It's required to send you the information as you say and now you want us to 'just trust' that you aren't going to do anything? What in the past has shown us that you are worthy of trust? Anything? I just don't see it...

11/4/2005 7:21:00 PM by ThisAJoke

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I am extremely dismayed with the Los Angeles Time, New York Times, and PC Magazine. Each of these magazines avoids any article that exposes unethical business practices such as that done by SONY. Below is the Associated Press article that appeared in the Los Angeles Times. You will be pleased to note how Sony has "offered" to assist its customers.
-----------------------------------
IN BRIEF/MEDIA
Sony Offers Patch for Its Anti-Piracy Software
From Associated Press

After a chorus of criticism, Sony Corp.'s music division said it was distributing a free software patch to reveal hidden files that automatically installed onto hard drives when some of its music CDs were played on personal computers.

The offending technology was designed to thwart music piracy.

Sony BMG Music Entertainment and its partner, Britain-based First 4 Internet, said they decided to offer the patch as a precaution, not because of any security vulnerability, which some critics had alleged

11/4/2005 7:49:00 PM by srynas

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Without doubt, xcp support does not understand race conditions as he answers Item 4 in his response.

See Here:

http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html#113115114916278358

When the System Service Table was modified to jump to the address of the "Sony DRM Root Kit" for these systems calls:

NtCreateFile
NtEnumerateKey
NtOpenKey
NtQueryDirectoryFile
NtQuerySystemInformation

As the driver is being stopped, other aplications may have the modified addresses and attempt to JUMP to them yet that driver is gone.

So, this is not a joke, and depending on what is going on at the time this driver is stopped it is very possible and NOT conjecture that this can happen.

11/4/2005 8:18:00 PM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities."

TCP and HTTP traffic, the 'language' used on the web, has a lot of header information. It's like CallerID on steriods. As reported: your ip, time you connected, CD id is sent. Sony can collect this information if they choose. Since it's Sony running these servers not yourself how would you know what they keep?

"When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list"

Why would 'installing' a DLL create a folder and add/remove entry for itself? Wouldn't just copying the file in the correct location (like the program's folder) work fine? I don't have XCP installed on my system so I wasn't able to look at this particular file but the existing unicows.dll I already have has no mention of MediaJam within it (via Strings) so even if I was to register the dll it wouldn't create those items.
--
"F4I is using standard Windows commands (net stop) to stop their driver. Nothing more."

The patch tells windows to tell your driver to unload. Cause and Effect. Yes the patch doesn't directly cause the crash but it indirectly tells your driver to do something possibly risky. And what is "their driver"? It's F4I's driver, not windows or anyone else's.
--
"An email address is required in order to send the consumer the uninstall utility"

Why?
--
----
--
"In order to uninstall the DRM you have to upgrade it?"

I was confused on this for a bit also. They haven't released an uninstaller yet. They just updated the software to not hide. It's easy to miss that.
--
----
--
P.S. Mark: MediaJam instead of 'Media Jump'.

"I looked in the Program Files directory and the only file in the new Media Jump subdirectory was Unicows.dll, a Microsoft DLL:"

11/4/2005 8:22:00 PM by halfdone

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

On a NPR.org news item

Thomas Hesse president of Sony BMG's Global Digital Business division state the following two quotes:-
“Most people I think don't even know what a root kit is so why should they care about it” and
“No information ever gets gathered about the user’s behaviour, no information ever gets communicated back to the user. This is purely about restricting the ability to burn MP3 files in an unprotected manner”

11/4/2005 8:58:00 PM by Stephen

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I just checked my XP-Home SP2 machine and there is No MediaJam software in the add/remove programs list. It wasn't installed during M$'s SP2 updates.

11/5/2005 12:29:00 AM by Menehune

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Regarding risk of crash, this is not just theoretical. Imagine two drivers which hook the same service, and then perform: load 1, load 2, unload 1, unload 2. The final step will BSOD the system because "load 2" saves service table entry that points to first driver, while "unload 2" restores it even though driver 1 has been unloaded already. Mark, you can confirm this right? Care to try to hex edit the driver to change the device name and try out what happens with two copies of this beast?

Also, go check Contents\GO.EXE in the cd and search for string "LAME". This is possible LGPL violation, since LAME mp3 library has been statically linked against the executable. You can see that version.c has been compiled in since it generates those version strings, and I found tables.c as well. Didn't locate any code though, apparently removed by optimizing compiler due to being unreferenced, but I couldn't test for all LAME code as I don't have proper tools available (such as sabre-security bindiff)

11/5/2005 12:56:00 AM by Matti Nikki

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This post has been removed by the author.

11/5/2005 4:18:00 AM by Matti Nikki

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I have just tested the bluescreening upon unloading, although using a more obvious problem than the race condition. I didn't even have to change the driver as it was a lot simpler than I thought, it doesn't create a device, it just hooks stuff. So, just make a copy of the driver and load it by any means you choose to (such as using w2k_load.exe), after that use the "net stop" command provided in the article above and unload the second driver. This will result in an immediate bluscreen, demonstrating that two copies of this very same, unmodified rootkit indeed can and will crash the system upon unloading. Rootkits are only safe to unload in LIFO order, attempting to do it in FIFO order will cause a crash.

Mark can probably provide better description after he reproduces these results. In summary, two rootkits of this very nature would be too much for a system and that's now been tested.

11/5/2005 4:40:00 AM by Matti Nikki

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

To remove safely the rootkit, you just have to unpatch the SDT without removing the rootkit himself from memory (what you can do later, when enough time has passed so that any thread which might execute it will have finished).

11/5/2005 5:12:00 AM by jj

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

One of the BBC's Tech reporters has posted a damming record of Sony's activites, my personal favorite line is:

"What Sony has done is stupid, but I am willing to accept that they did not really understand what they were getting into."

http://news.bbc.co.uk/1/hi/technology/4406178.stm

11/5/2005 6:34:00 AM by Akyan

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"I have just tested the bluescreening upon unloading, although using a more obvious problem than the race condition. I didn't even have to change the driver as it was a lot simpler than I thought, it doesn't create a device, it just hooks stuff. So, just make a copy of the driver and load it by any means you choose to (such as using w2k_load.exe), after that use the "net stop" command provided in the article above and unload the second driver. This will result in an immediate bluscreen, demonstrating that two copies of this very same, unmodified rootkit indeed can and will crash the system upon unloading. Rootkits are only safe to unload in LIFO order, attempting to do it in FIFO order will cause a crash."

This is absolutely another risk of the unload, but requires that two system-call hook drivers are loaded and redirecting the same functions.

11/5/2005 8:17:00 AM by Mark Russinovich

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Here's Sony's instruction on how to remove the copy protection provided in the context of how to get this run with an iPod:

If you have a PC place the CD into your computer and allow the Sony BMG audio player on the CD to automatically start. If the player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.

TIP: If your CD does not contain either the LaunchCD.exe or
Autorun.exe files, it may not be compatible with this iPod
solution. Please reply to this letter for more information.

Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, you can click the Copy Songs button on the top menu.

Follow the instructions to copy the secure Windows Media Files (WMA) to your PC. Make a note of where you are copying the songs to, you will need to get to these secure Windows Media Files in the next steps.

Once the WMA files are on your PC you can open and listen to the songs with Windows Media Player 9.0 or higher (or another fully compatible player that can playback secure WMA files, such as MusicMatch, RealPlayer, and Winamp). You can then burn the songs to a standard Audio CD. Please note that in order to burn the files, you will need to upgrade to, or already have, Windows Media Player 9 or 10.

11/5/2005 8:39:00 AM by Boycott Sony

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark, since F4I has proven clueless to do this safely I distrust whatever uninstaller they might produce. In addition what you noted, the following:

http://66.249.93.104/search?q=cache:hDmbqX5yahgJ:www.osronline.com/showThread.cfm

is further proof of their cluelessness.

Could you provide a safe uninstaller for the good of the community?

11/5/2005 8:56:00 AM by Boycott Sony

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

To avoid the multiple unloading problem the Rootkit should always store the original function, the one that the Windows Kernel sets at start up and not the current function.

11/5/2005 9:23:00 AM by Eternal Idol

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I personally do not want anything on my computer that I don’t know about. Anything that drops anything on my computer that I don’t know about increases my liability given that the average survival time for a PC on the internet is 20 minutes. If someone successfully breached one of my computers, and used aries.sys to block the calls, I won’t know about it, and it no longer becomes my computer, but I am liable for those things on the computer. That is what worries me, what is now on those computers that has been hidden by the handy little tool provided. Personally I don’t want to burn for Sony’s cloaking mechanism, and what happens when the happy little forensics people come along and take a look at a computer at work and finds a root kit. Will they think Sony DRM? No, they will think compromise, they will think evil, and someone goes down the tubes for playing a Sony CD on their work computer. That is the core issue, the cost of liability to other people, companies, and the legal system. That is the concept that I think most people are missing, there is a human cost to all this, the forensics bubba’s won’t know, nor will they care, they will report findings. There is a lot more to this than meets the eye, and it would behoove everyone to have this off their systems.

11/5/2005 9:49:00 AM by JASG

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Thomas Hesse president of Sony BMG's Global Digital Business division:

“Most people I think don't even know what a root kit is so why should they care about it”

So you're saying what people don't know about can't come back to bite you in the arse? Hasn't our good friend Mark taught you otherwise over the past week?

When are you going to revise the labels on your slimey CDs?

---------------------------
WARNING: This software stands a good chance of hosing the following operating systems including but most certainly not limited to:

Windows XP Media Center Edition
Windows XP 64bit edition
Windows Vista beta

Other random BSoDs and sudden unexpected features are also possible with our enhanced CD software. Please look for the latest service pack for our wonderful software. Service Pack 2 is available at the time of this writing but we're currently working on so many more new features!

Please ensure autoplay is enabled and absolutely do not use the SHIFT key or you may be liable for the circumvention of a copyprotection mechanism under the DMCA (We paid a lot of money to license this protection and the SHIFT key is such a cheap shot.)

We like to reward our honest customers. Thank you for choosing Sony and we hope you enjoy your enchanced CD audio experience.
---------------------------

Don't forget to check out Steve Gibson's special Security Now podcast covering this mess- (the "Shields Up guy".)

http://www.grc.com/securitynow.htm

11/5/2005 10:13:00 AM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sony really just does not have a clue. Rootkit technology actually is not intrusive if you believe them.

From Sony's official FAQ:

6. I have heard that the protection software is really malware/spyware. Could this be true?

Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

http://cp.sonybmg.com/xcp/english/faq.html

11/5/2005 10:21:00 AM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

How much more "intrusive to your computer system" can you get than hacking/hooking into the kernel.

I guess it's not intrusive when you compare it to firmware and BIOS updates to your hardware. Is that what they're working on right now?

11/5/2005 10:34:00 AM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Oh no! Now look what's happened to the innocent that PURCHASED the RETAIL CD's!

http://img45.imageshack.us/img45/8397/evilsesamestreetc2yz.jpg

Good people turned evil..Shame on YOU Sony! LMAO

11/5/2005 11:12:00 AM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

It is another security threat that consumers have to download so called SP2 from "updates.xcp-aurora.com" ,
because they don't know what "xcp-aurora.com" is. How can you trust xcp-aurora.com ?

SP2 download should be placed in sonybmg domain.

Spammers can send you an email with disguised header infomation, which claims you should download SP2 from some unfamiliar URL. What you can download from the URL might be a malware.
Furthermore, the uninstall request form (from which you have to send emai address) is not https-protected.

11/5/2005 12:55:00 PM by Kogawa Masaki

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This post has been removed by the author.

11/5/2005 1:25:00 PM by JohnDoeStudent

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Posted by Matti Nikki:
If you want a more concrete proof, try to rename your favourite ripping software as $sys$whatever.exe and then run it again. You'll notice that the DRM system can no longer detect it, and thus you'll get good copy of the track you try to rip instead of one filled with noise.

Thats just hilarious. I think everyone should simply not worry about removing the rootkit, as this is too difficult, and then just do at Matti says, and use the rootkit to make your favorite ripping tool immune to the DRM. On second thought, is their software breaking the DMCA? It provides a method to bypass copyright protection that they install? Hmm...

11/5/2005 3:52:00 PM by Brad Green

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I think the fun starts at that point, you insert another copyprotected CD Disk of that kind.

After 3 or 4 such disks you need a bigger CPU because of all the "inactive if not in use" (sure) and a couple of new CD Rom drives....

Tolomir

11/5/2005 4:56:00 PM by Tolomir

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sony's offer to let you download a patch to their "rootkit" really is totally unacceptable. Those CDs are still out there and still virulent.

Years or decades from now (I've got lots of CDs over 10 years old) your grandchild is going to pop one of these carriers of the "Sony Flu" into their new computer running a still-to-come version of Windows and what do you think is going to happen?

Well, Mikko Hypponen of F-Secure found out when he popped it into a machine running Windows Vista that the Sony CD "breaks the operating system spectacularly." Who's going to know how to fix it in 2020? Already most of the "weblinks" on my so-called "Enhanced CDs" (provided by these same recording studios) get "404 Not Found" errors only a year or two after release.

Keeping these still-infectious CDs around on your shelf is like keeping a live hand-grenade as a WW2 souvenir. Just hope your kids don't play with it.

The only acceptable solution would be for Sony to recall every one of these virulent CDs out there and take them out of circulation.

11/5/2005 5:19:00 PM by Jasper Jones

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

We Need a NEW Law that says:

("Any Software or Hardware, that attempts and/or succeeds to hide itself, its files, or parts thereof, from ANY operating system function, process or program, which would otherwise be capable to find it, shall be deemed malicious, be default").

11/5/2005 5:29:00 PM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

With the AntiVirus vendors soon to decide what definition to call Sony's DRM Rootkit as Spyware or Malware.
Will Sony's own Anti-Virus vendor start sending them security updates to stop their own software from operating???
Will this finally make them admit wrongdoings or will they insist the Anti-Virus & Security vendors have got it wrong?

11/5/2005 6:16:00 PM by Stephen

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

OK quick poll

Q. Do you think that They (1st4Internet & Sony) Know how to remove this crud*

* the understanding is they can do it on a box in a lab but can't build a generic Un-install utility.

1) yes, Of course they know how
2) No, the idiots blew it big time.
3) I dont care I'm using it to cheat while playing WOW.

11/5/2005 6:18:00 PM by Sharpy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

How can a company claim they had no idea this would cause problems when they knew it would HIDE anything system wide that started with $sys$?

Why could they not have used a table or list inside or outside their program to ONLY cloak their directories, files and registry keys?

Their GREED to protect their own product became their single goal.

It is impossible for me to believe that before this mess if you interviewed the average programmer("making sure you did not tell them it was an International Company installing this") and asked them what COULD be the ramifications of implementing something that could hide anything system wide that starts with $sys$ on a typical PC owners system and would they consider just the installation of such said software, "malicious", the vast majority would say yes, and that the ramifications would only be limited to OTHERS creativity to use this.

So for someone ("Programmers") who have the smarts to create a Root Kit that can hide things attempting to try to convince others that they do NOT know all the uses of "IF THEN ELSE" to hide only their software components, and somehow were forced ("By Operating System Constraints") to implement their Hiding technique System Wide, well they have at least committed "Programming Malpractice" and maybe even earned the titles of "Malicious Programmers".

I think in court, this is as clear as a Doctor walking out of Open Heart Surgery, when all that's left was to close the persons chest, the Dr. knew that's not RIGHT, and these programmers knew this was not right as well.

If an when I go into SURGERY, I don't care what papers I sign, if I am going in for Heart Surgery, I am NOT giving permission to remove a LIMB!

EULA agreements need to be limited in SCOPE, we should NOT think that with the right wording, you lose all legal rights, and that your computer can go into surgery for an Ear Operation, and come out of surgery with a "NOSE JOB!" and nothing can be done about it.

Actually, if ANY case made it to the Supreme Court on EULA this one is the one that should.

Does ANYONE actually think that these methods of "System Wide" were anything but PLANNED?

It seems to me that there may have been thought of implementing NEW features and this is why system wide use was used.

It would be very very interesting to get hold of internal EMAILS and MEMOS to see if any discussions where made about possible liability and choices in making this cloaking system wide.

A good law firm could just request such information to show intent, claiming that they need this information to proceed with their case.

Here is another question:

What if by reviewing the original version, it can be determined that OTHER software could have been installed, on the fly, with no EULA displayed?

Would that construe "Malicious Intent"?

Should Forensic review on the original version stop?

I mean not really trying to be political but....

The CIA agent has been OUTED....do we want to know for what purpose? or do we assume it was all an ACCIDENT?

11/5/2005 6:26:00 PM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

In cruising the internet a couple of obvious points materialized. One, Pandora's box is open. What happens when other vendors take up the rootkit approach to make their product the one and only product to work on your computer? The operating system will be so highly modified, the system will crash without hope of recovery.

Second, over the years I've noticed that certain periodicals: NYTimes, LATimes, and PCMagazine seldom appear to report on bad business practices by computer/music/media companies. They are "full" of articles on the wrongs of piracy but when a media company is caught in the act(Sony rootkit), there is a deafening silence. Where are the truth seeking investigative reporters? These periodicals are reporting a one sided selfserving point of view from industry press releases, not giving us the truth. Kudos on the Washington Post and PC World for reporting this story.

11/5/2005 7:18:00 PM by srynas

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I'm exceptionally worried about Sony BMG's dangerous tactics - but at the same time I'm exceptionally relieved to know that I have someone as knowledgeable as Mark and the SysInternals team to point out these things! Major kudos for your tireless investigative work, you should get a reward for discovering all of this. :D

No-one is above the law, and it's about time the recording industry realises this and realises that they're also culpable for their actions, be they misinformed or not. I hope they get brought down at least a few notches by the repercussions from this fiasco. It's interesting to read Courtney Love's article on the music industry from almost six years ago - nothing much has changed at all in the music industry's attitudes towards piracy, methods of selling their goods, digital rights... All that's changed is that artists are getting smarter and cutting the labels out.

Time for SonyBMG to wake up from their 1980s-style make-money-at-all-costs attitude, I think.

My thoughts on F41's XCP_support comments... These comments are coming from the same company whose programmer (a Ceri Coburn) once requested help in modifying a component supplied as part of a software Developer's Kit to make it load new drivers into Windows' CDAudio interface to make this rootkit work as it does.

A programmer who's asking for help on an open source programmers' mailing list to code a VERY tricky piece of low-level system driver (one which has very little margin for error)... And SonyBMG is willing to mass-market this potentially lethal bit of code? We've all seen the damage it can do to some installations of Windows. This isn't protecting digital rights, this is corporate arrogance on the highest level.

I've copied CDs before, but I've always BOUGHT a CD or a DVD if I've felt that the artist deserves recompense (as with many other people, there's music that I'll listen to maybe a couple of times but never have any intent of buying, be there a download available or not) - but these kind of actions have given me the impression that it's nothing less than an all-out war on anyone and everyone. This is beginning to sound to me like one of the American Government's 'pre-emptive strikes' (and look at the damage they've done) - there should be laws against over-reaching EULAs and increased onus on corporate responsibility.

I hope that these events will kickstart these changes, set the ball rolling and give the common consumer the ability to make the US Government and Congress review all the last-minute, subtle changes to laws passed through the years with an aim to curbing the far-extending reach that the RIAA, music industry and certain individuals seem to have over US Law (Orin Hatch seems to be a name which springs to mind immediately).

This almost makes me want to copy my CDs and share them with friends on a matter of principle, hell, if Sony can do what they like to my PC, I can do what I like to music that I've purchased... But oh no, wait, the music industry managed to get the idea of music as "works-for-rent" codified into the US constitution (and therefore it's now pretty much part of the DMCA, which seems like it can be applied worldwide - how did that happen?), so really, I don't actually own the music at all, I'm just renting it.

Hmm.

On the flipside to all of this, it's both nice to see the little man fight back and get somewhere for a change - and great to see that indie media, bloggers and individuals within a particular sphere of interest can effect massive public media interest (and rightly so) when the time requires it - this has also lent further well-deserved credibility to already-respectable figures, and I again applaud Mark for his efforts. Don't stop now, you caught them with their pants down :D

11/5/2005 10:51:00 PM by Christopher

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

In all the furore over Sony BMG, I think that the First4Internet company should be the one that really takes the heat. They are the company that is purporting to be experts and wrote this dren. When will they be held accountable?

11/6/2005 6:02:00 AM by michael

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I just did a quick lookup on google for F4i, and found another of it's customers at
Preventon
They state, in part (highlights mine):
"
Preventon’s subscription-based platform enables ISPs to increase revenues, loyalty and market share by delivering a ‘highly-sticky’ security service designed for non-expert mass-market users. It has a low Total Cost of Ownership, requiring minimal capital investment and having negligible ongoing support costs. And as a true DRM subscription-based solution, PSID reduces churn by raising the barrier to consumers switching ISP accounts. If the subscription is ended, the software simply ceases to work.

PSID can be easily re-branded, making Preventon completely transparent to end-users, allowing ISPs to retain full ownership and control over their subscribers. It can be deployed quickly and easily, allowing revenues to be recognised in weeks.

Preventon’s ISP customers, which include Tier-1 European service providers such as Wanadoo and Planet Internet, have a combined subscriber-base of over 40 million. "
Interesting, indeed.

On the original subject, it appears F4i may be in violation of a number of UK rules, regulations and laws. They sell a rootkit for commercial purposes, use misleading names for the 'services' they install and hide their installation. That may very well fall under the Computer Misuse Act.

Pete

11/6/2005 8:55:00 AM by PeteS

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This post has been removed by the author.

11/6/2005 9:17:00 AM by Noah

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

It's an unbelievable story and a big downfall for Sony and it's credibility in safety and customer satisfaction. We keep track of your developments on this site in our Dutch Magazine Morpurgo.nl.

11/6/2005 9:21:00 AM by Morpurgo.nl

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

As an IT Manager, I have just set a new policy banning Sony/BMG music CD's from being played on company computers. I see this as a corporate security issue. Here is the content of the email:

I know some of you listen to music CD's on your computer, however, due to Sony/BMG's attempt to protect their copyrights they have instead created a major security risk on your computer. If you install the copyright protection software found on some of the newer copy protected CD's made by Sony/BMG the software is actually a "root kit" which is very much like the technique being used by virus writers to hide and cloak their viruses from the computer system and virus software.

The net result is that Sony has created a pretty major problem and I am sure you will start hearing about it in the news - the class action group should be looking into this. Some news channels are not breaking the news as they have financial ties to Sony/BMG ( ie CNN ). I think over the coming days you will start to hear about it as it seems pretty serious to me. The software has many flaws and in fact from what I have read on the net so far it has been determined that the method it uses to protect the files can in fact be used against itself to allow you to actually copy the music in full 100% digital quality.

Effective immediately - no one is to insert a Sony/BMG branded CD into their computers at work especially if it is known to indicate anywhere on the CD that it has copy protection technology.

I suggest you be careful on any home machines as well until Sony comes up with an uninstall routine ( they have a patch available but apparently it has issues too )

1. If you insert a Sony/BMG recording and it pop's up a license agreement - DO NOT ACCEPT the agreement and DO NOT INSTALL the software. Stick to listening to it on your normal CD player and not on your computer.

2. If you recall seeing a license agreement when inserting a music CD on your work computer please contact me. I want to test to see if it is the Sony rootkit. If so there is no way to remove it and your computer will have to be re-installed. ( until someone or Sony comes up with a way to remove it properly )

11/6/2005 9:22:00 AM by Scott

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This is why I do not ever buy music CDs! Atleast if I download the MP3s and burn my own CD, I know what's on the CD and don't have to mess with crap like this! Good job Sony:

1.) Load gun
2.) Aim at foot
3.) Pull trigger
4.) Complain about pain and blood loss.

11/6/2005 9:52:00 AM by Geminus

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sign the petition here.

11/6/2005 10:17:00 AM by Gnomalarta

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

for the casual user who hasn't a clue about how to 'fix' their computer, does anyone know if there is a list of the offending cd's ??

11/6/2005 10:42:00 AM by Mary Lou

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The computer industry crys about all the costs of malicious code, viruses and spyware, and does very little about all the poorly written, iresponsible software vendors.

This though is ideed criminal, though Sony likely never imagined it as such, if they do not get off there iresponsible duffs NOW AND I MEAN RIGHT NOW, they are criminally responsible for this crap!

And I do mean more than lamo apollogies, it is well past time for the man TO STAND UP AND BE A REAL MAN, instead of stinking lying coward!

11/6/2005 11:29:00 AM by Barry

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mary Lou, Here is a Google Search list for CD's with this sowftware on them:

http://www.google.com/search?q=sony+site:amazon.com+intitle:%22%5BCONTENT/COPY-PROTECTED+CD%5D%22&num=100

11/6/2005 11:30:00 AM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

OOPS! It appears I was wrong about being able to hide the ripping software with $sys$ prefix! However, during my first test it DID work, so something's going on. Looks like I'll have to disassemble the damn thing to be sure.

11/6/2005 11:36:00 AM by Matti Nikki

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Here's a list of Sony BMG record label sites, I don't expect that it to be complete :) I'm sorry that it's just a cut and paste job.

From http://www.sonymusic.com/labels/index.html and http://www.sonybmg.com/ :

http://www.arista.com/
http://www.bluebirdjazz.com/index.jsp
http://www.bmgclassics.com/
http://www.bmgheritage.com/
http://www.bnarecords.com/
http://www.columbiarecords.com/
http://www.epicrecords.com/
http://www.j-records.com/
http://www.laface.com/
http://www.legacyrecordings.com/
http://rcarecords.com/
http://www.rcavictor.com/index.jsp
http://www.sonyclassical.com/
http://www.sonynashville.com/
http://www.sonywonder.com/
http://www.soso-def.com/
http://www.verityrecords.com/
http://www.windham.com/index.jsp

11/6/2005 12:00:00 PM by Gnomalarta

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Bravo, Mark, but will you by another audio cd again ? Even if it will be not Sony labeled (god knows what the protection could be there) ?

11/6/2005 12:04:00 PM by mv011

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

by
*buy of course

11/6/2005 12:05:00 PM by mv011

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

To: Matti Nikki

I hope you're testing in a vm. As Mark said - safe mode will not help you.

---

Can anyone verify that the s/w uses componments of LAME?
The open source community might be more than a little upset if it does. LAME is LGPL software.

--

Does anyone know if Service Pack 2 of XCP removes the filter driver?

--

Can anyone take and host a digital pic of aries.sys causing bluescreens?

I wonder what XCP will say in response to an unbootable PC.

--

Yet more PCs have been disabled as a result of malware. I wonder if this was the early work of F4I:

Brown Sugar [Copy Protected CD] [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]
Various Artists

Copy protection VERY problematic, May 27, 2003
Reviewer: Joanne "Reader" (NY USA) - See all my reviews

I knew I wouldn't be able to copy selected songs to my PDA for my own private use when I purchased this CD so I have no complaints about that aspect of the copy-protection. I didn't expect to have a hard time playing it on a computer, however. The 'player' that's supposed to launch when you insert the CD into your drive is adequate *when* it plays. It took awhile to get the player and CD to do their thing the first time but it did eventually play. I had to restart my computer in order to use my standard player for other CDs and no CD is worth that much trouble. When I tried a second time the CD just plain wasn't recognized so I tried it on another computer and that CD drive completely disappeared from 'My Computer', the CD never loaded and now I'm wondering what kind of re-configuring I have to do there. And, guess what - it also proves occasionally problematic on my new CD player which supports mp3s. I'm not a computer newbie and it's not a matter of my not understanding. This is way beyond a minor inconvenience.

The copy protection has so soured me on this soundtrack I kinda loathe it and shy away from attempting to play it. From what I've heard, it's pretty good, maybe worth a 3.

source url:
http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/103-1243566-0680626?v=glance&s=music

11/6/2005 12:12:00 PM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

BUYERS BEWARE of ALL Sony CD's from old releases to the recent releases!!

@ Mary Lou & ZOverloard...

Check this out- on this particular CD called "Live In Tokyo" by G3 LABEL: SONY, released Audio CD (October 25, 2005)
The CD information does NOT have the "[CONTENT /COPY-PROTECTED CD]" blip on Amazon's web site!

http://www.amazon.com/exec/obidos/tg/detail/-/B000B5QWM4/ref=pd_rhf_p_1/103-7296677-5315821?v=glance&s=music&no=*

There is even a review there dated as far back as OCT. 27th - long before this all came out with this recent news.

And on Mark's previous blog someone wrote this problem regarding this same CD:
"Has anyone had the problem of this type of CD breaking their iTunes? After I went through the process with the new G3 Live in Tokyo album my iTunes will not acknowledge any new cd that I put in, if i put in a cd i have already ripped it sees it fine and I can play it. I even installed the supposed fix by Sony and it is still having the same problem. Has anyone else experienced this?
posted by Sam R : 10:35 PM, November 03, 2005"

11/6/2005 12:25:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

One item to note, there seem to be two flavors of DRM used by Sony/BMG. Ihave followed these threads after getting hit by the DRM on David Gray's "Life in Slow Motion". This is a MediaMAX copy protection that did not present a EULA when I first played the CD. In fact, it just played in iTunes right off. It may be that having iTunes running first, playing other discs, and then inserting the offending disc put up a dialog behind the iTunes window and I didn't see it. Next day, however, I inserted the CD prior to opening iTunes and saw a dialog go by "Updating DLLs" with a thermometer bar as it wrote a bunch of files to my HD. Upon playing in iTunes, of course it's now garbled and MediaMAX throws up a dialog stating that the "Digital Rights database failed to initialize. Contact technical support." Of course there is no TS link provided anywhere. Off to search for what is [not] happening and I find this page: http://www.cs.princeton.edu/~jhalderm/cd3/ which references a file: sbcphid.sys in %systemroot%\system32\drivers\

I locate the file and renamed it, rebooted and the CD plays. Then off to learn more and eradicate this junk without falling for the "use our new uninstaller" scam. This ceoms under the heading: "Fool me once, shame on you. Fool me twice, shame on me."

Part of getting rid of the crap was doing a system restore, as the registry keys were protected. Have not found aries.sys on this system. Only sbcphid.sys and related keys, so I am unsure if it is all REALLY gone but I am continuing to research.

11/6/2005 12:52:00 PM by B.E.Johnson

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

@ Geek27 That "Brown Sugar" CD found on the Amazon link with that review you posted just bugged me as the record LABEL is MCA and this CD was released in Sept. 2002 – the reviewer wrote that in MAY 2003 (link: http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/103-1243566-0680626?v=glance&s=music )

As I dug a bit deeper, I found this bit: "In 1995, Seagram Company Ltd. acquired 80% of MCA INC. and the following year the new owners dropped the MCA name; the company became Universal Studios, Inc. and it's music division, MCA Music Entertainment Group, was renamed Universal Music Group." (link: http://en.wikipedia.org/wiki/MCA_Records )

And in connecting the dots, First4Internet was founded in 1999 , and their clients include not only Sony but First4Internet's other clients - include Universal Music Group , Warner Music Group and EMI - using the technology. (link: http://www.whatsthedownload.com/music_news/archive58/index.aspx )

So I guess not only should we be concerned with SONY Labels and all it’s other record labels as posted by Gnomalarta earlier here,
but ANY company and their record labels of various names that has ANY involvement with First4Internet!

11/6/2005 2:51:00 PM by CindyRilla

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Another victim of DRM:

http://www.amazon.com/exec/obidos/tg/detail/-/B00006JKCG/qid=1131294192/sr=1-1/ref=sr_1_1/1 03-1243566-0680626?v=glance&s=music
Brown Sugar [Copy Protected CD] [CONTENT/COPY-PROTECTED CD] [CONTENT/COPY-PROTECTED CD]

The CD broke My Computer!!, October 23, 2002
Reviewer: A music fan

I'm guessing it's the "Copy Protected CD" part but when I put the CD into my computer at work (where is the only place I ever listen to CDs) the CD locked up the computer and I had to take the computer in for repair to fix it. I couldn't even start the computer! But since the so called CD had a warning on it, it was my fault the computer broke :( I will now NEVER buy a CD that is copy protected unless it could guarantee that it will act as a real CD and not break my computer. I hope other people don't make the same mistake as I did...

(that's too bad because from the reviews it sounds like a good cd :(

11/6/2005 4:03:00 PM by geek27

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Anyone tested what happens if a computer infected with Sony's rootkit visits a malicious website and downloads $sys$myvirus.exe or some such...

Will the virus scanners be able to deal with it?

11/6/2005 5:32:00 PM by melgish

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

SONY: THE LARGEST ROOTKIT DISTRIBUTOR

11/6/2005 8:52:00 PM by nmaf

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

First off - I didn't get hit by this, my taste in music is sufficiently outre that none of the main stream labels carry anything I like.

However - Sony and F4I may have done us a huge favour by doing what they did, in the way they did it. Computers and their operating systems are a hobby of mine, and I've been playing with them since I got a Timex Sinclair for Christmas one year. It doesn't seem to matter what system I've had, or what operating system, some idiot always tries something stupid, which can muck up the system, and is dangerous if not fatal to a non-technical user.

Well, Sony and F4I have definately done something stupid which can be dangerous if not fatal to a non-technical user. And of course they will decline all responsibility for the probelms created.

Now what they did MAY have been legal in North America. However it may not be much longer. I can see a smart politician latching onto this issue like an octopus, and pushing through a law making this sort of thing illegal.

Which in my personal opinion it should be. In most cases the EULA is there to protect the vendor against their own culpability, not to protect the customer.

11/6/2005 9:40:00 PM by Urban Terrorist

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Dear master,

my name is Katina.
I have a birthday today.
Here in small Bulgaria it's November 7-th.
I want to say THANK YOU :] You are GREAT
I was reading an article on a local site and it led me to the Sony case.
Your detailed investigation written so reader-friendly, full of information and links appeared to be a wonderfull present for my 22-nd birthday. You revealed a whole Universe to me and made me happy to know there are many people like you, though I know not the same as everyone is Unuque :] I myself am a Linux user but I am sure that case concerns me as many bulgarians run Windows workstations. Many of them had never heard about ROOTKITS and their misuse.
Thank you once again, master :]

Best regards
K.

11/6/2005 10:51:00 PM by Gatta Negra

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Just Wondered if others thought these same thoughts?

I am sure as some have already stated, that this Sony Mess, is not considered a "Big Deal" but are we forgetting the possible Fallout from this?

It could go 2 ways:

No Legal Action Or Change Of Laws Because Of This:

1. Others can and will use similar techniques and claim they were protecting their software and not just for Media related software, but for everything!

2. Many folks in these forums, who already are kind enough to volunteer their time to help others will be swamped with very complicated removal instructions.

3. When more than one of these type protection mechanisms is installed on a system, it will be a house of cards to determine, which one to un-install first. There will be NO right way, it will be based on the order the malware was installed, as well as how many of these you are infected with.

4. More systems than ever before will become infected with malware because the mechanism used is now provided by companies providing commercial software which have much more access to the general public and in many different forms than the current malware producers, including hackers.

5. Most people might not even be able to pre-scan the software prior to being installed because it may be compressed or encrypted in such a way that you cannot see what it will look like until fully installed. This would mean you would need to take the chance to install it, and check later.

6. Exploits of holes in these protection methods will allow non-seasoned hackers to take advantage of such said holes with no liability as well. Since in some cases what they did might not have been possible without the commercial companies software.

Legal Action Or Change Of Laws Because Of This:

1. Finally, some sanity comes to the rights of ownership of computer systems, and the ability of International Companies to Join the malware industry will be at least hindered, if not stopped.

Very Dangerous Precedent Exists NOW!

It matters very little if this was oversight, malice or accidental.

We are setting a very dangerous precedent for other companies, and/or individuals who create software.

This actually could be the most important precedent set since the personal computer was created if we are going to allow ANY entity to continue to do this in the future.

We will have almost removed the purpose of EULA and in fact created the "Act Of Downloading" ANYTHING removes the liability of the creator(s) of the software downloaded itself.

I hope people don't think I am going over-board here, because I think after all is said and done, there are many companies that are waiting in the wings to see how this is resolved, and that this moment based on how it all goes down, could be the turning-point of what rights the computer owner has, once they have accepted ANY download.

There are many more possible BAD things that could come out of this, I just tried to think of some major ones.

Comments, Please?

11/7/2005 12:07:00 AM by ZOverLord

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

One major fallout I see from this STUPID move by Sony would happen if some court determines that Sony's software is legitimate DRM. Then any company that makes software that fixes the problems caused by this rootkit exploit could be in violation of DRM laws and face serious consequences. For example, Microsoft could not legally create a patch that prevents this type of behavoir as a security update.

11/7/2005 2:16:00 AM by Tuckers

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I *never* install any software that comes with *any* CD, DVD, or other media. If it's required to use the product on my PC, I just won't do it. (Not to mention that I refuse to by DRM-protected music.)

Anyone who does install the supplied software is asking to be messed with, spied upon, and otherwise inconvenienced as the installed software will invariably misbehave. The 'secret' to keeping a Windows system functioning smoothly is to resist installing everything that is thrown at you.

This Sony junk is just the latest skirmish in an ongoing war. Act accordingly.

11/7/2005 2:41:00 AM by Inactivist

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hi
why i never manage to delete
Program Files\xerox\nwwia
directory ?

can it be another rootkit?

11/7/2005 4:47:00 AM by obo

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Quick note

Sony has a Rather large share in Napster the online music supplier.

Could a napster user run marks RKR.

11/7/2005 5:00:00 AM by Sharpy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

So far as I can tell, this falls under the UK "Computer Misuse Act, 1990".

If it does, then as soon the the rookit is executed on a PC in UK this would make Sony guilty of a criminal offence.

11/7/2005 5:02:00 AM by bugmenot

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This kind of shit makes me so angry. I'm no kind of 'computer genius' and I only discovered this today, (ironically through a lyric search from one of my favourite sony artists!) but this really makes me feel helpless. It was a really big achievement when I fixed iTunes latest update. how on earth is anyone not computer gifted supposed to fix this??

11/7/2005 5:34:00 AM by Jessica

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sony is now Criminal

We now have: Hidden software, rootkits and call-home activity, difficult removal, and possible system damage (not to mention security implications). This all comes without proper user notification. Sony is now officially installing Spyware by just about any legal or coloquial definition I can think of.

Class action suit anyone?

Criminal Prosecution?

11/7/2005 5:54:00 AM by Stephdn Samuel

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This is the security alert I just posted to my Political Party's mailing list. This will catch the attentions of many high profile politicians, technical professionals and consumers.

***************
Those who have read my previous email will know that over the past week it has become known that SonyBMG (the big music record label) has been discovered to have been shipping their new music cd's with embedded software (known as DRM) to prevent the copying of their music. This in itself goes against fair use laws here in the UK, but a matter of much higher importance is the method in which this software was written and installed as well as the huge security implications for computers have that been used to play these CDs.

On October 31st, Mark Russinovic from SysInternals & Winternals (technical websites), reported the issue in his blog on http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

It was discovered that the software installs itself on the users computer when they first install the player that comes with the CD to prevent unauthorised copying of the music. The problem is, the End User License Agreement (EULA) makes no mention of the nature of this software. It does not inform the consumer that the software will make alterations to windows at the core level, intercepting internal system calls and rerouting them through its own device driver. Neither does it inform the consumer that this software will be hidden, not just from the consumer but also from the operating system itself. Furthermore, the software was so poorly written that any 3rd party who wants to write a virus, trojan, spyware or malware (all malicious computer programs) would simply need to make the name of their files start with the prefix $sys$ in order to also be hidden on any machine that has the Sony software installed. By doing this, all the malicious software would also be cloaked under the Sony software making antivirus applications unable to find or remove it, hiding it from system administrators and owners of computers and making it impossible to remove requiring the system to be reinstalled.

Again, due to how badly written the Sony DRM software is, it cannot be uninstalled without causing problems that may cause the computer to stop working (requiring a reinstallation of all the software).

Sony and First 4 Internet (the UK company that wrote the software) have released a patch to force the software to show itself (uncloak it) however, this causes further problems that may render your computer useless see the following link:

http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

Other problems with the patch are that it is only available online, so people who do not have internet access are still open to security threats from virus infected compact disks or other media. Furthermore, most people who have bought music cds with this software embedded are unlikely to know about the issue as many of them will not be readers of technology articles on the internet, so whereas the patch is available, many systems will remain compromised.

A full recall of all SonyBMG music CDs currently on sale in the UK is required to prevent potentially millions of people being left wide open to attacks of identity theft and internet fraud. As long as SonyBMG cds remain on the shelves, they are posing a high risk.

Both Sony and First 4 Internet have repeatedly changed the End User License Agreement and the Frequantly Asked Questions sections of their websites over the past week in order to try and cover themselves. They have also made several public announcements that the software is not a security risk, which is untrue as it can be abused by 3rd party malicious software as outlined above. Both companies are attempting to hide behind a EULA that they know 99% of consumers will just click through without reading, but even so, the EULA makes no mention of this particular software nore it faults. This is a violation of the Sale of Goods and Services Act (ammended) by failing to provide the consumer with an accurate representation of the product or any faults with the product, so in essence, due to the fact that the EULA breaks the law, it is in fact Null and Void, leaving the vendors (Sony and First 4 Internet) criminally liable under the Computer Misuse Act.

Furthermore, neither Sony nor First 4 Internet have been able to provide a program to uninstall this software and the patch they do provide simply uncloaks the software and UPDATES the DRM software, this patch can also cause the computer crash. The software also makes connections to Sony servers in the US and sends information such as the CD that is being played, the Internet Protocol address (the address used to locate someone on the internet) of the consumer, the time the cd was being played, the date, the operating system of the computer and much more. This privacy violation is also not mentioned in the EULA.

My advice to ALL people who are responsible for any computer, would be to check if this "rootkit" is installed on the systems you are responsible for. This can be done by right clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test

If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician. I would NOT advise anyone to install the Patch offered by Sony due to the fact that it could cause your computer to crash.

Furthermore, all system/network administrators responsible for the network inside any organisation should put new policy into play that prevents anyone from listening to music cds on their computer due to the fact that should they have this software embedded it would render the network wide open to malicious security threats and could possibly place the company in violation of the Data Protection Act.

It is everyone's responsibility to inform their friends, families and colleagues about this issue. In an age when computer/internet fraud and identity theft are at a high, everyone needs to know about risks such as this in order to protect themselves and their families from such security issues. However, this goes beyond just personal security, if this software is compromised by 3rd party malicious software on a company network, passwords used for access to company systems and databases could be recorded, leaving your company intellectual property assets and other such data, at risk.

I have worked in IT for 14 years and currently work as a consultant for a very large software developer that specialises in enterprise solutions for some of the biggest companies in the world. I would not report this issue to this audience if I did not think it was a significant threat to society as a whole. This software is reported to be on 20 different titles from Sony amounting to millions of CDs on the shelves. Furthermore, First 4 Internet has publically boasted that this software has been sold to other recording industry members for use on their CDs, which laves the potential for 10s of millions of disks on the shelves with this security threat.

It is my belief that in light of the seriousness of this issue, ALL music CDs currently on the shelves of UK retailers which contain DRM software (copy protection software) should be recalled until such time as a full investigation has been carried out of ALL titles to ensure they do not contain software that compromises the security of our population. Once a CD has been shown not to be a risk, it should then be permitted to be sold. Furthermore, all CDs that come with copy protection software embedded in the future should be cleared by security specialists prior to release.

Finally, we need to take a serious look at the use of End License User Agreements as contracts. It is a well known fact that most of these contracts are never read and are agreed to blindly, and whereas I understand that is a problem which needs addressing with the consumers, it should not give the right for corporations to abuse this situation to install software which most users would never agree to if they were aware of the potential effects.

For anymore information, please contact me on my private email address.

Alexander Hanff
*************

11/7/2005 6:08:00 AM by Alexander Hanff

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Ugh.

I'm going to write something up about this, as I know that several staff members at the school that I both go to and work for use their personal laptops for music.

Also, I'm going to write an article for the school paper, which will reach about 100 students, their parents, and the administrators of the school districts that my school services (about 40 districts).

11/7/2005 6:17:00 AM by bhtooefr

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark, I want your babies. Thanks for lookin' out.

11/7/2005 8:20:00 AM by Moof

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

If you have one of these CD's take it back and complain to the shop where you bought it. Kick up a fusss about how it broke your PC, make your complaint loud loud loud and show up the shop at a busy time.

Persuade shops that selling this stuff causes agro and maybe they will start to refuse to stock DRM infected CD's, point out that these CD's are not proper Audio CD's (as Philips Electronics has said) and claim that they deceived you into buying something that is NOT a "proper" CD by putting it in with normal audio CD's.

For once wal*mart may come in handy, if enough people kick up a stink to wal*mart they might bring their might purchasing power and influence to bear on companies like SONY and refuse to stock DRM CD's

I can dream can't I, who knows, it might work.

11/7/2005 9:14:00 AM by fluffytears

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Also...

Take a look at what I did:

Sony is evil!

(Click the "Sony" link to read about it. The "evil" one points to Sony's site.)

11/7/2005 9:51:00 AM by bhtooefr

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark - nice work! If you enjoyed that, how about doing something similar for StarForce? It's a PC copy-protection technology used by UbiSoft and other game producers. Starforce installs itself as a Windows driver and can interfere with normal disc operations. It's not a rootkit, but the intention and the bad side-effects are similar.

11/7/2005 9:53:00 AM by Jeff

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark -

You said "....but is not mentioned in the EULA, is ***refuted*** by Sony, and is not configurable in any way..."

I think you meant it is ***denied*** by Sony.

Cheers
Martin A

11/7/2005 10:27:00 AM by Martin A

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Just mentioning, but the fact that they uses $sys$ as a prefix, opposed to say $sony$ or some other prefix kinda hints at the 'malicious intent' to me.

I mean, simply put, they're trying to misdirect users about what files on their computer do. Even if a layperson *found* them magically, they'd be likely to assume they belonged. I know I've often had to convince someone that just because WIN, SYS, or something similar was in a filename, it was safe to remove it because the malware author just named it that to scare you.

11/7/2005 10:30:00 AM by Paul_The_Nerd

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Methinks the masses (that's us, folks!) miss the entire point. Sony's DRM is just symptomatic of a shift in business. The shift is driven primarily by the USA, as national policy. Here's what I perceive.

The USA is no longer able to manufacture much of anything at a reasonable cost. Manufacturing labor costs in the USA are just too high, especially when compared to third world countries and even countries that have pulled themselves up from the bottom levels (Mexico comes to mind).

So, where is the revenue for business in the USA gonna come from? Intellectual Property (IP). Just have a look at what's happening in the area of patent and copyright law: Copyrights are now extended effectively to perpetuity; software is not patentable in the USA, along with the concept of "business practices"; the USA is pushing the EC to adopt US style copyright and patent law.

The trend is unmistakeable. The USA is out of the manufacturing business and is now into the IP business. This means that the law of the land will become whatever it has to become to protect the IP of its owners. IP law will exempt any business from civil suit, no matter how much damage it does, if it is acting to protect its IP. So, give up on the idea of getting the law on "your" side. That avenue is already rigged.

What is the solution? I have no idea. It is the wave of the future.

I have never bought a CD or DVD. My music collection was complete with the last vinyl I bought oh so many years ago. Yes, I've ripped it all and listen to it on my computer and my stereo. I do not share music and don't partake of others' shared music.

11/7/2005 11:06:00 AM by Loren Bluebear

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Has anyone that filled out the uninstall request forms heard back from Sony yet? If so, how did they instruct you to uninstall it and is it safe? I'm still waiting for them to get back to me.

11/7/2005 11:07:00 AM by Hendrix95

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Way to go Mark. You've done us all a great service, and there's no way they can argue with any of your technical findings. Hats off to you!

11/7/2005 11:35:00 AM by sahir

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Lest we forget, those in UK tend to have dialup (if they're online at all). So, not only do you have to know to go to a third party website to download something that could crap your machine up even more for you, you also have to pay for an extra 8mins of phone call just to download it.

11/7/2005 1:10:00 PM by Mr Bester

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Thanks for taking the time to share your findings with the rest of the world. I definitely appreciate it!

11/7/2005 2:04:00 PM by calebb

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

F4I wrote a lousy piece of software, and should take the brunt of this.

Sony is just trying to protect it's copyrighted works, but should have done it's Due Diligence and discovered that they should have used someone else's DRM software. Though, in the US, DRM may be considered illegal by itself, as it restricts Fair Use as allowed under copyright law.

Microsoft should be the biggest target here, though. Why would they still sell an operating system that allows another piece of software to install itself and take over core functions without some kind of warning? Don't get me wrong, I like Windows more than Linux (yes, I've used both) but I don't like that Windows is so vulnerable. At least you can't update a Linux kernel without realizing it. Hmph!

11/7/2005 2:11:00 PM by Blog Reader

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark

First great job. I got here by reading the Inquirer, and I am learning lots, Thanks.

I have a question or task actually.

A friend borrow me (I returned the cd already)one of those CD with protection "A tribute to Luther Vandross" I noticed right away the legend and logo for copy protected CD.

I tried to played anyway and "something" got installed, I believed the windows media player got updated, although I am not sure, It could had been installed by the LAN Manager and I did not noticed.

I must say I DID NOT accepted the EULA, I did not installed anything on purpose. I DID NOT click the NOT ACCEPT either because that causes the CD tray to open.

I Tried to use some common CD players (i.e. Winamp) it did not work, the songs were playing in segments jumping to another song every 60-90 seconds.

Since the CD it is actually compatible with Red Book specs. (it plays good in the standalone players I have) They are installing something to stop the CD from playing in a computer, regardless if the user accepts the EULA or not.

Which it is another broken law right there.

Mark: If you have the time, Could you tell us what are they installing (before you accept the EULA) and leaving behind in your PC even though you did not accepted the EULA.

Thanks

11/7/2005 3:10:00 PM by notavailable

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

When I connect my laptop to the internet through my mobile phone, it costs me about $8 per megabyte. In my view, any app that connects to the internet without my permission is simply stealing from me.

11/7/2005 3:18:00 PM by Confused Vorlon

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

If Sony can do what it wants to my computer, can I do what I want to their computers?

11/7/2005 8:55:00 PM by SonyKiller

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Mark, Great job! You've done us all a huge favor.

I think what we're all missing here is the Artists side of things. We the fans of music simply want to listen to great music. The Artists simply want to create great music that is listened to and appreciated by their fans. Fans and Artists all want the same thing. We should all be on the same side here.

We're not. Right now, the studios are holding up the musicians as "shields" in this fight. They keep citing the poor starving musicians and how they need to buy shoes for their kids all that kind of shit.

What we fans need to do is totally boycott DRM cds. And then tell the Artists what we have done and why. We need to explain to them that we really want to legally purchase their cd but we can't morally support the DRM issues that the Labels have forced upon us all. We need to explain our ourseleves to the Artists and ask for their support. We need to assure the Artists that our problem is not with them but with the Labels and DRM foisted upon us.

11/7/2005 9:46:00 PM by twmcneil

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"Microsoft should be the biggest target here, though. Why would they still sell an operating system that allows another piece of software to install itself and take over core functions without some kind of warning? Don't get me wrong, I like Windows more than Linux (yes, I've used both) but I don't like that Windows is so vulnerable. At least you can't update a Linux kernel without realizing it. Hmph!"

You're wrong here and in fact Linux has had more critical security patches then Windows in the past 18 months; go google it.

The problem isn't necessarily with Windows allowing you to run code on your system that can modify the kernel. The problem is with YOU running as an Admin and getting cheated by a company you thought you could respect. It's the same thing as getting riped off by your babysitter. There has to be trust somewhere.

If you were really a security concious person you wouldn't be running as an admin. You should run under a reduced privledged account to play your music. Driver installation fails if you don't have the privledges to install new software under Windows mind you. You just don't use the option.

Instead of blaming MS try learning how to use your computer and learn its features. This whole thing could have been avoided by the security concious. Maybe people will start configuring their systems better.

11/7/2005 9:50:00 PM by LithVXD

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This post has been removed by the author.

11/7/2005 9:52:00 PM by LithVXD

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

TWO CLASS ACTION LAWSUITS HAVE BEEN FILED AGAINST SONY BMG MUSIC ENTERTAINMENT

The first, filed in state court in California, alleges:

1. Violations of the Consumer Legal Remedies Act (Cal Civil Code Section 1750 et seq.);
2. Violations of the Consumer Protection against Computer Spyware Act (Business and Professions Code Section 22947-22947.6); and
3. Violations of the California Unfair Competition law (Business and Professions Code section 17200 et seq.)

The second, filed in the Southern District of New York, alleges:

1. Computer fraud under 18 USC 1030;
2. Deceptive Business Practices under New York Law (Sections 349/350 of the GBL); and
3. Common law fraud.

For information on how to join in these Class Action lawsuits:
Consumerlaw1@earthlink.net

11/7/2005 10:34:00 PM by Consumerlaw1

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

LithVXD : "You're wrong here and in fact Linux has had more critical security patches then Windows in the past 18 months; go google it."

Which just shows that the Linux community tries to fix the security flaws, whilst another OS manufacturer ... Agreed, if they tried to fix them, they would solve all unemployment issues worldwide.

You better all switch to Linux, that would keep Sony out of your systems. But I wonder if I would be able to listen to those CD's.

11/8/2005 1:14:00 AM by ghp

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I just found out that Computer Associates (CA) classifies Sonys Rootkit as Spyware :

http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76345

11/8/2005 2:05:00 AM by Feynor

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Reading about the XCP.Sony.Rootkit on the CA site, they state in the "Reasons For Retention" segment:
"Silently modifies other programs' information or website content as displayed."

What is THAT all about ?
Is this a new aspect of the rootkit this blog haven't been told about or figured out yet ?

11/8/2005 2:33:00 AM by Feynor

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I don't buy CDs. When I can order 100 DVDs (4GB) for around £20 but still am expected to pay £5-15 for new albums which only use 650MB CDs I'm not going to make a fool of myself by throwing away money. Notice that price for 100DVDs also includes distribution. Then there's the fact that sony doesn't use compression, not even lossless. Isn't it amusing how much of an effort Sony will go to to make sure people can't rip them off, but how reluctant it is to deliver value for money. Secondly, why should we be forced to pay for fancy boxes and inlays. I'd be perfectly happy if they came on the disk (jpg/txt). In fact, I'd be happy if they came with no inlays/extraneous art what-so-ever.

Just a quick guide:
Sometimes FAT32 can actually be more secure than NTFS. It has better linux support for maintainance.

Always disable autorun.

Never install proprietry software when popular alternatives are provided free. Don't install those free popup blockers and browsers from your ISP disk. Mozilla is free and so is MS Internet Explorer provided you have a copy of windows.

You shouldn't need any additional applications for media disks as players are again freely available. XMMS, Winamp, etc.

If you see a CD that has copy protection, simply don't buy it, download it on emule. That'll really annoy Sony.

11/8/2005 4:57:00 AM by Orakio

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Well, after reading all this stuff, I am just so glad that I don't use Windows.

I believe in the Four Freedoms; that is the freedom to Enjoy, Study, Share and Improve. I believe I have a right to inspect, and maybe alter, the source code {that is, the human-readable form of a computer programme such as a competent programmer can make use of} of every piece of software that runs on any computer I own, and to help my neighbour {which, if I expect my neighbour to help me, is more of an obligation than a right} by sharing any improvements I make with others. I believe that these freedoms are as fundamental and sacred as any other of my human rights.

That is why I will not use Windows: firstly, it does not come with the source code and secondly, Microsoft would not allow me to share any changes I made with the world at large.

It may come as a surprise to some of you that there is software out there that does allow you to look inside it and that does allow you to share it. And in fact, there is more than enough of it to run a fully-functional computer system. The only awkward bits are where, because of software and hardware manufacturers' attempts at secrecy, sometimes things have to be figured out by experiment. So, oftentimes, brand-new hardware might not have a driver from Day One; but there are many people out there working to get it working!

Open Source is not a new idea: it's actually quite old-fashioned. Back in the days when you had to be an expert to use a computer, everyone helped one another out. And it was normal to supply source code because it had to be altered slightly to work with different makes and models of computer.

Whether you are completely new to GNU/Linux, or you have heard about it but thought it was too complicated, you should check out this site: http://blogs.technet.com/ControlPanel/Blogs/www.ubuntulinux.org - this is a version that has been specifically designed to be easy to install and use, and is backed by an enthusiastic community of users always willing to lend a hand.

One other thing. If you do decide to trash a legally-acquired Microsoft Windows installation and go with Linux full-time, I strongly recommend that you write to Microsoft, stating your Windows serial number, and tell them what you did and why you did it. If nothing else, it will keep them from counting you amongst the Windows userbase.

11/8/2005 5:24:00 AM by ajs

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Actually, I would not count on Sony not doing anything with the phone home requests. This company appears to be mad about DRM and copy protection. I would not put it beyond them to store the IP addresses accessing these URLs and automatically scanning for p2p shared files. That would allow them to detect or stop spreading the music at the source.

11/8/2005 6:10:00 AM by pb

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hi,
I've seen so many articles, that I'm just going to ask a few questions that I am sure have been asked before so bear with me. The patch according to the article does not appear to work and given the presence of rootkit the patch is suspect anyway so:

a) How do you detect the rootkit. I don't think I have any CD other than Foo Fighters In Your Honor that I bought and while it has copy protection, I am unsure it's the same one. Is it? How do I find out? I'm pretty sure it's a Suncomm based system.

b)I downloaded the "Patch" although given the article, what's the point in running it if it doesn't work?

c)If I run the delete command in the article, what are the other steps necessary to get rid of the software. I buy my CD's, and while I can understand content protection that is reasonable, this particular solution is not.

Thanks for any advice. I probably don't have the rootkit yet, and if so, I count myself lucky. I wonder if the Bruce Springsteen 30th Anniversary Born to Run box set is going to have the rootkit. I like Bruce's music and will buy the CD, but the rootkit is something I do not want.

Thanks,
hselburn

11/8/2005 6:16:00 AM by hselburn

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Feynor: Technically, the CD drivers and the Windows kernel are programs

This most definitely modifies the output of those silently (the whole $sys$ business).

11/8/2005 6:31:00 AM by bhtooefr

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Too complicated the procedures to remove those unwanted and unsolicited programs. I have a much simpler solution: reformat the HD and never again buy something from Sony.

11/8/2005 6:57:00 AM by Paulo

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Being a customer of a government agency and seeing the amoount of people listen to CDs on their PC. How long will it be before the Justic Department comes to the realiztion that government systems have been compromised?

Install software without a licening agreement is against the law and isn't that what Sony is trying to prevent but doing it themselves.

11/8/2005 8:22:00 AM by Tbear

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

bhtooefr: Thanks.
I guess my mind just stalled on the "or website content as displayed." part :-)

11/8/2005 8:28:00 AM by Feynor

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Well it's really simple.

I haven't bought a CD in over two years, mostly because of the bad behavior of record labels. You listen to them whine about how they're going to go bankrupt because everyone steals their music. Well last time I check Justin Timberlake wasn't hurting for cash and his label is certainly getting a good cut.

In short, I don't want someone dictating to me what I can do with a CD a bought. Frnakly it assumes that you will do something illegal when they act like this. So I refuse.

Won't buy them, haven't bought them in over two years.

If each and every one of you would do the same for even a month, you'd have their attention.

In fact this would be a good time to start such a movement.

Purchase NO CD's between now and the end of the year. It should hurt even more during the Holdiay Season.

11/8/2005 9:32:00 AM by TangoTracker

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I think we all owe Mark a huge thank you!

Who knows how long this would have gone unnoticed if not for him?
So on behalf of the community, we appreciate what you're doing and with the combined weight of all the (now angry) Sony (would-be) customers, maybe we can show them a thing or two about fair buisiness practises.
Sony, up yours.
Thanks, Mark. We owe you one.

11/8/2005 10:20:00 AM by Harvey

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Thanks is owed to the guy who published the technique to circumvent Sony's own protection by using its OWN software.

As of now, i have set up a box dedicated to ripping CD's with this particular nasty software on.

If Sony think its OK to potentially cripple my system ( i do in fact have 4 CD's in my collection with this shit on ) then, I think its perfectly ok to rip, copy and distrubute the music just so some other poor sucker doesnt fall for thier crap.

Is that ok Sony? or do you think, that since im not a large corporation then i dont have the right to break existing laws?

I will be interested to see how all this plays out. Thanks Mark. I wouldnt even have known i had this particular rootkit on my system if it wasnt for your curiosity.

11/8/2005 11:26:00 AM by Blaizwolf

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The problem with the idea that you should never run in admin mode unless you know what you are installing is that at least the XP home edition that shipped with my HP laptop (and which is reinstalled when you do a full restore) initially comes up with one user configured (Owner) and that one, by necessity, with full Administrator privileges.

What that means is that the vast majority of XP (and probably most Windows NT based systems) users never are even aware that they are running on a system where you can (and should) configure multiple users. Rather, they just boot and go. With only one user configured, you don't even get the logon menu - you just go straight to an open session.

Let me repeat this. 98% of the new Windows users are probably unaware of how they could circumvent this. They just boot and go. MSFT has gone out of its way to hide a lot of this complicated stuff from the computer illiterate public in order to sell operating system software to other than the computer super-literate.

11/8/2005 1:07:00 PM by Bruce Hayden

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

In case people are wondering, this is more widespread than just Sony BMG and only compact discs. According to the XCP website press release here:

http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art3

"Sterile burning content protection technology pioneered by First 4 Internet (F4i) has been utilised by Texas based Upstairs Records on its latest album by Lil Rob, "Twelve Eighteen".

Fontana Distribution, part of Universal Music Group and distributors for Upstairs Records Inc., are encouraging the independent records labels they distribute to use content protection on their CDs. "Twelve Eighteen", featuring the hit song "Summer Nights", carries the same content protection currently being used by Sony BMG."

According to another press release here they are already pressing DVD's with XCP2 and all of Sony's CD's will have XCP by the end of 2005. Meaning that most of the CD's the will ship for the holidays will have the copy protection on them:

http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art2

"Sony BMG's copy-protected CDs incorporate First 4 Internet's XCP2 (extended copy protection) technology. The company is the first major label to offer XCP2-protected CDs to consumers, although Sony BMG already ships some CDs using MediaMax copy protection from SunnComm. The new effort uses different technology, but with the same end result for consumers: a limited ability to copy. By the end of this year, Sony BMG says, most of its CDs sold in the United States will incorporate one of these technologies.

XCP2 may affect more than just CDs: The company is currently working on versions for DVDs and online music files, Gilliat-Smith says. Sony BMG will ship the DVD technology to U.S. movie studios for use in prerelease copies of movies by late 2005, he hopes, and will introduce a version for commercial DVDs later. He declines to say which movie studios have expressed interest in using the technology."

From a Disc Duplication conference memo:

'First4Internet have been working with the main 5 record companies developing the XCP protection, which wraps and protects the CD Audio content, while not playing around with standards and still conforming to red book standards."

The British software development company, First 4 Internet, introduced for the first time a new copy protection software called 'XCP' ("Extended Copy Protection") at Midem in Cannes, that works on pressed CDs ("XCP2 Press Protect"), as well as for CDRs ("XCP1 Burn Protect"). The former has already been tested by Bertelsmann, RCA, and Universal.

11/8/2005 1:18:00 PM by Greyfeld

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Thanks for the excellent article.

It's unfortunate that the coveting of the almighty dollar has gotten to this. I'm returning this Neil Diamond CD and have called Sony to see if there is away to have this spyware/malware uninstalled.

11/8/2005 4:09:00 PM by Ziggy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

mark. were you able to sucesfully remove the DRM and rootkit & anything else that sony, installed, with out messing up windows and returning windows to the state that it was at before putting the cd in the drive? and if so how? I have 5 computers in my house networked and going 24/7 the rootkit is on 2 of them. I mostly just want sony's damage to my computers reversed! A guide would help. I think that it is crap that sony did this and refuses to allow a user to remove it. they decietfully installed it and are refusing to provide a way or instruct users on a safe way to remove it! This is clearly criminal in my oppinion and should be punished severly! also, is there anychance that this rootkit DRM could be network aware?

11/8/2005 6:11:00 PM by falseprophet79

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

did not mean to post twice. oops, sorry

11/8/2005 6:13:00 PM by falseprophet79

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

So, my understanding of this is pretty mid-level at best, but I wonder if booting a Windows machine with a Knoppix boot CD would allow one to see and remove the DRM.

If you think this would work, what files should I look for? Registry entries?

Also, no one's mentioned this yet, but I'm about 99% sure that this program is responsible for some big problems I've been having with my DVD player. Apparently, I "installed" this rootkit about a year ago, and then upgraded my optical drive from CD to DVD. Once getting the DVD drive in, the system locks up any time it tries to autorun from a CD or DVD. Additionally, the system occasionally locks up when reading from the DVD drive while Windows is starting up.

It's possible these things aren't related to the SONY garbage, but I can't find any other cause.

-faust

11/9/2005 12:37:00 AM by faust

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I use a *nix box for all ripping and encoding of audio CDs - NetBSD with cdparanoia and one of either lame, ogg or flac to do the encoding. The couple of "problem" discs I had, Shakira's "Laundry Service" and Celine Dion's "A New Day Has Come" were successfully ripped with the aid of a black CD-R marker pen on the outer edge of the disc. Indeed I had to copy both these CDs to CD-R to make a clean copy to rip in the car... on Sony's MEX-1HD unit! So a clear case of a Sony "CD" not working in a Sony CD player.

What Sony Music are doing here is disgusting, and an off-the-record source from inside Sony's consumer electronics division doesn't like it either. The problem is, we have a company that makes CD players, devices like the Network Walkman, the MEX-1HD in-car hard disk based head unit etc, the latter two require a "ripping" operation. Then on the other hand, Sony Music puts all these "DRM" systems on their releases, which prevent you from using Sony releases in, amongst other things, Sony equipment.

Can see a slight problem here, methinks!

11/9/2005 2:56:00 AM by Squirrel

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

HI Mark:

Thanks so much for all your work on this. What an eye-opener! I just went to the patch link you reference and noticed that you can now dl the patch without having to provide any information. Also it is referenced as a 2a patch which is smaller in size. Interesting. Obviously someone is kinda, sorta listening.

Grant MacDonald

11/9/2005 8:59:00 AM by grantmac

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I wonder why so many ask how to remove it.
mark has written how its done.
and people DON'T just delete the files useing your bootdiscs.
this will render your operating system unusable!
the rootkit is very poor written.
even I could do it better.
1)use your favourite tool to delete the driver's system service.
2)launch regedit with SYSTEM rights to delete the CD-ROM filter driver from registry.
3)reboot
4)delete the now visible folder $sys$
5)take your protected CDs and have some fun smashing them against someone at sony
6)never ever by something from this company again(protected software of any kind)

this makes one thing very clear for me:
I go into jail for downloading 3 movies and what happens to a company thats threads other peoples property as THEIRS?
nothing!
this is my computer, who the *uck do you think you are to do what YOU want with it?
a I forgots "It's a SONY"

11/9/2005 9:51:00 AM by stefan stephan

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I got hit with the whole DRM thing on Switchfoot's "Nothing is Sound" CD. (One of the reasons I started blogging in the first place!) A few weeks later, I found myself re-formatting my hard drive. Related? Who knows--but I'd been working on that install of XP Pro for over a year without any problems. After the re-format, I certainly haven't put that CD back into my PC.

If Sony keeps treating consumers without any respect, they're going to lose a lot of them...

-Andy
http://andypull.blogspot.com

11/9/2005 1:11:00 PM by Andy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Is there a similar "feature" as the Sony DRM on thier DVD's?

I ask, because I recently had numerous problems after I attempted to play a rental DVD from Blockbuster. The DVD was "Kung Fu Hustle", published by Sony.

When I inserted the DVD, a flash screen poped up, and when I tried to play the DVD it would not play (I have flash blocked, and I run NIS/NAV, Spybot S&D and Spywareblaster) I have tried running similar tests as I have read about here, but I am only a high-end hobbyist and may have missed something.

I was glad I had a disk image to reinstall, as after trying to play the Sony DVD, the computer started acting very wacky, the DVD drive would not allow me to do things I could usually do, and my DSL connection slowed to a 56k crawl.

11/9/2005 5:37:00 PM by Richard Schimelfenig

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

They are keeping all the information that is sent to them - albiet possibly inderectly.

ANY company/corporation that employs a sales team, even if the "sales" team is the CEO him/herself, and that does not use stats are simply not doing their job. Are they gathering information on you personally? Possibly not, but all this activity to a web site is producing a lot of logs, which will be backed up and parsed at a given time for statistics - possibly deleted, but then again they may keep these log files permanently for secuirty reasons if the website is hacked and they need the log files to presecute and find the hacker. If you happen to be in the top 10 people in the world that hit this website (aka - listening to their music), your IP address will apear in the pretty webtrends charts - and also you have to realize that even from an admin point of view, if 1 IP address stands out far more than the rest (say you just abosloutley love the music and play it ALL the time) - from being a security admin in the past, I certainly would have dones some research on who is behind this IP to see if they are trying to do something fishy with my website...

Can you fathom any executive/business person that would NOT want to know how much their product is being used - and where?

What I'm getting at here is that this "phoning home" when you play their music, and WHICH music is being played is being quiried - IS GOLD to marketing and sales execs, anyone who says different simply isnt thinking things through. If they are taking and selling your email address to spammers who can afford their mailing list ,that you apprently have to give to get rid of their rootkit, does anyone really believe that they WOULD NOT be creating stats on all this info they are receiving?

11/10/2005 8:59:00 AM by Penguinbrat

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Here is a known problem from the Sony FAQ..

-----
Player takes up a large percentage of CPU cycles

On slower machines, especially ones running Windows 98 and Windows ME, the player may consume a high amount of CPU cycles even if it is not playing back audio. If you experience audio playback problems try quitting out of other open applications
-----

WHY does it need to take up a high amount of cycles if you're not using it? What else is it doing?

11/10/2005 11:34:00 AM by Dustin Chambers

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Does anyone know for certain that if you install one of the Sony DRM CDs' software on your computer will it stop you from also copying *any* CD or just the one it came with? Will I still be able to copy an older CD (from say year 1998) or does it block it all CDs?

11/10/2005 1:03:00 PM by Sendai

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

All this stuff about someone installing software on someone elses computer reminds me of graffiti. Graffiti is widely recognized as illegal, because writing on the walls destroys or at least reduces the value of other peoples property. Here someone without any consent writes directly in another ones computer, potentially reducing the value therof, because the computer resources are affectes. Clearly this ought to be deemed just as illegal, and sanctioned correspondingly.

11/10/2005 1:58:00 PM by Groenlandshval

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I bought the Neil Diamond & Santana recent CDs. I ran the folder test & don't seem to have the rootkit software. What I did have was MediaMax. I trustingly accepted the EULA. Not as bad as the rootkit stuff, but it still blocked my abilty to play ANY music CD, Sony or not. After most of a day I finally got rid of it. I have posted the procedure at the following site. http://club.cdfreaks.com/showthread.php?t=154811&highlight=mediamax

This is really outrageous. Hopefully, getting this information out will help head this dangerous development off at the pass.

11/10/2005 3:31:00 PM by Frogger

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

here we go folks.. the first bot using "sony's rootkit"

[url]http://www.foxnews.com/story/0,2933,175188,00.html[/url]

AMSTERDAM — A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E Trojan virus to British e-mail addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down the firewall and gives hackers access to a PC.

The malware hides by using software that is also hidden — software which is installed on Windows-based PCs when consumers play Sony BMG's copy-protected music CDs.
~~~~~

and
[url]http://news.zdnet.com/2100-1009_22-5944643.html[/url]

snip..

Luckily for CD buyers, the would-be Trojan horse spotted Thursday, which aims to give the attacker complete remote control over an infected computer, doesn't work well. But more such attacks probably are on the way, experts said.

"This is a poorly written bot, but it is a sign of things to come," said Mikko Hypponen, chief research officer for security company F-Secure. "We expect to see more viruses and bots using the same technique."
~~~

btw, Mark.. I do want to thank you and your partner for all the fine peices of software you guys have produced.. not to mention the "dectective" work you did on this..

11/10/2005 3:48:00 PM by sumnut2

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I'm a geek lawyer in Minnesota, and I'm interested in talking with anyone in Minnesota who has had probems (either on a personal computer or in a work setting) after a Sony music disk (if it's not Red Book, it's not a CD) installed its DRM files on their computer. Contact info: cksandberg@locklaw.com.

11/10/2005 4:51:00 PM by CKSandberg

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

If you weren't windows LAMERS you'd not have this problem. :P

11/10/2005 7:37:00 PM by conspiracycentral.net

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Finally Happy to see someone besides the RIAA making headlines in that type of an industry. Except, this headline is not a positive one for the recording industry. Payback's a Bitch.

11/10/2005 8:11:00 PM by Danny

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Thank you Mark for putting this information out to the public. This really does make the future seem like it's going to be pretty grim. At the very least we are facing a huge fight between consumer and corporation. With Microsoft, TCPA, patents and now Sony and a this decision, it seems we are all in for it. What scares me the most is not the actual malware they are trying to secretly install this time around, it's the mentality behind it and what Sony and others plan to do in the near future. Corporations seem to be getting increasingly desperate and more and more willing to turn to questionable tactics whenever they face a challenge.

11/10/2005 11:03:00 PM by vargusvictor

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

My letter to SonyBMG
--------------------------------
This may not be the best point of contact about this issue. If not, please advise me.

I have recently found that my work laptop has been infected by a rootkit (computer malware) which Sony are apparently bundling with audio CDs to snoop on computers and enforce intellectual property rights. Can you point me to an uninstaller ? The laptop no longer functions correctly.

Also, since this software is almost certainly in contravention of the UK Computer Missuse Act (And I have raised this issue with the Home Office, scotland yard computer crimes division, and my local member of parliment) could you provide me with uninstallers for all versions of this software, both those delivered by audio disk and those delivered by DVD? Actually I insist you do.

As a result of this incident my workplace now has banned the use of any Sony/BMG audio CDs onsite - since they now consider them an IT risk. It may well spread to an outright ban on audio CDs from any label.

Currently, anyone found onsite with an infected audio CD will be summarily dismissed under the security provisions in their contract, whether it has been used on a computer or not.

I really do hope that the class action suits against you (despite your probable US government protection) open your eyes to growing public opinion... just as it has recently opened mine to the validity of fileshare MP3s as an alternative to wicked, deceptive and plain illegal corporate practices.

I certainly shall not be purchasing any more Sony products (And that includes the Vaio I was considering buying my daughter for UNI) or those of its music/video partners. From discussing this matter online I now know many others feel the same. I shall continue to be vocal about this issue until Sony publicly apologise for their actions and start showing that their customers (and the music) matters more than squeezing every last cent by any means neccessary.

I'm not a very political person, neither have I ever been interested in filesharing networks - however, I now see fileshare as an alternative, and am joining a group lobbying government for reform against restrictive and intrusive DRM.

Please provide me with...

- Uninstallers for *ALL* computer based DRM software distributed on Sony audio/video media.
- A complaint contact for this issue
- A contact for your press and legal office

Many thanks for the music you have given me over the years. I look forward to a day when we can do business again.

Regards,
-Monica

11/11/2005 4:13:00 AM by Monica

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Alexander, I have just sent revised versions of your letter to My Prime Minister Mr John Howard, Our Governor General Mr Michael Jeffery, the minister for communications, Mrs Helen Coonan and the opposition leader, Mr Beazley. Revised letter below.

Over the past week it has become known that SonyBMG (the big music record label) has been discovered to have been shipping their new music cd's with embedded software (known as DRM) to prevent the copying of their music. This in itself goes against fair use laws here in Australia, but a matter of much higher importance is the method in which this software was written and installed as well as the huge security implications for computers have that been used to play these CDs.

On October 31st, Mark Russinovic from SysInternals & Winternals (technical websites), reported the issue in his blog on http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

It was discovered that the software installs itself on the users computer when they first install the player that comes with the CD to prevent unauthorised copying of the music. The problem is, the End User License Agreement (EULA) makes no mention of the nature of this software. It does not inform the consumer that the software will make alterations to windows at the core level, intercepting internal system calls and rerouting them through its own device driver. Neither does it inform the consumer that this software will be hidden, not just from the consumer but also from the operating system itself. Furthermore, the software was so poorly written that any 3rd party who wants to write a virus, trojan, spyware or malware (all malicious computer programs) would simply need to make the name of their files start with the prefix $sys$ in order to also be hidden on any machine that has the Sony software installed. By doing this, all the malicious software would also be cloaked under the Sony software making antivirus applications unable to find or remove it, hiding it from system administrators and owners of computers and making it impossible to remove requiring the system to be reinstalled.

Again, due to how badly written the Sony DRM software is, it cannot be uninstalled without causing problems that may cause the computer to stop working (requiring a reinstallation of all the software).

Sony and First 4 Internet (the UK company that wrote the software) have released a patch to force the software to show itself (uncloak it) however, this causes further problems that may render your computer useless see the following link:

http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

Other problems with the patch are that it is only available online, so people who do not have internet access are still open to security threats from virus infected compact disks or other media. Furthermore, most people who have bought music cds with this software embedded are unlikely to know about the issue as many of them will not be readers of technology articles on the internet, so whereas the patch is available, many systems will remain compromised.

A full recall of all SonyBMG music CDs currently on sale in Australia is required to prevent potentially millions of people being left wide open to attacks of identity theft and internet fraud. As long as SonyBMG cds remain on the shelves, they are posing a high risk.

Both Sony and First 4 Internet have repeatedly changed the End User License Agreement and the Frequently Asked Questions sections of their websites over the past week in order to try and cover themselves. They have also made several public announcements that the software is not a security risk, which is untrue as it can be abused by 3rd party malicious software as outlined above. Both companies are attempting to hide behind a EULA that they know 99% of consumers will just click through without reading, but even so, the EULA makes no mention of this particular software nore it faults. This is a violation of the Sale of Goods and Services Act (ammended) by failing to provide the consumer with an accurate representation of the product or any faults with the product, so in essence, due to the fact that the EULA breaks the law, it is in fact Null and Void, leaving the vendors (Sony and First 4 Internet) criminally liable under the Computer Misuse Act.

Furthermore, neither Sony nor First 4 Internet have been able to provide a program to uninstall this software and the patch they do provide simply uncloaks the software and UPDATES the DRM software, this patch can also cause the computer crash. The software also makes connections to Sony servers in the US and sends information such as the CD that is being played, the Internet Protocol address (the address used to locate someone on the internet) of the consumer, the time the cd was being played, the date, the operating system of the computer and much more. This privacy violation is also not mentioned in the EULA.

My advice to ALL people who are responsible for any computer, would be to check if this "rootkit" is installed on the systems you are responsible for. This can be done by right clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test

If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician. I would NOT advise anyone to install the Patch offered by Sony due to the fact that it could cause your computer to crash.

Furthermore, all system/network administrators responsible for the network inside any organisation should put new policy into play that prevents anyone from listening to music cds on their computer due to the fact that should they have this software embedded it would render the network wide open to malicious security threats and could possibly place the company in violation of the Data Protection Act.

It is everyone's responsibility to inform their friends, families and colleagues about this issue. In an age when computer/internet fraud and identity theft are at a high, everyone needs to know about risks such as this in order to protect themselves and their families from such security issues. However, this goes beyond just personal security, if this software is compromised by 3rd party malicious software on a company network, passwords used for access to company systems and databases could be recorded, leaving your company intellectual property assets and other such data, at risk.

I would not report this issue to this audience if I did not think it was a significant threat to society as a whole. This software is reported to be on 20 different titles from Sony amounting to millions of CDs on the shelves. Furthermore, First 4 Internet has publically boasted that this software has been sold to other recording industry members for use on their CDs, which laves the potential for 10s of millions of disks on the shelves with this security threat.

It is my belief that in light of the seriousness of this issue, ALL music CDs currently on the shelves of Australian retailers which contain DRM software (copy protection software) should be recalled until such time as a full investigation has been carried out of ALL titles to ensure they do not contain software that compromises the security of our population. Once a CD has been shown not to be a risk, it should then be permitted to be sold. Furthermore, all CDs that come with copy protection software embedded in the future should be cleared by security specialists prior to release.

Finally, we need to take a serious look at the use of End License User Agreements as contracts. It is a well known fact that most of these contracts are never read and are agreed to blindly, and whereas I understand that is a problem which needs addressing with the consumers, it should not give the right for corporations to abuse this situation to install software which most users would never agree to if they were aware of the potential effects.

For anymore information, please contact me on my private email address.

11/11/2005 7:59:00 AM by Bushranger

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I would suggest that ALL people in the US who read this, take the opportunity to visit:

http://www.ala.org/al_onlineTemplate.cfm?Section=alonline&template=/ContentManagement/ContentDisplay.cfm&ContentID=108214

This month, the public are able to post comments which will be considered in the review of DMCA next month. Everyone should take the opportunity to post protest about DRM techniques being used. Judging by the amount of noise this Sony rootkit issue has raised, I expect if enough people post to the comments section below:

http://www.copyright.gov/1201/comment_forms/index.html

They will be forced to listen and act on consumer concerns.

11/11/2005 10:24:00 AM by Alexander Hanff

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

There's a new article on CNN: http://www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut/index.html

Apparantly a new virus has been discovered that uses Sony's DRM , which was one of the big fears about this software.

11/11/2005 12:42:00 PM by Hendrix95

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Good report linked to this story on TWiT podcast this week

11/11/2005 1:12:00 PM by tringster

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Some questions I have not seen asked:

(I wish I could answer them myself but I do not have access to a trashable PC :-(

1. What happens if you accept Sony's DRM for, say, Neil Diamond, patch it, then load, say, Celine Dion's CD? Does Celine's DRM install itself alongside Neil's, so now you have two resource hogs? Does it undo the patch?

2. Does the lack of a generic installer indicate that there are different versions of the DRM on different CD's, different batches of the same CD, even? One can imagine that different versions of the DRM would require different uninstalls, hence (some of) the intrusive questions.

3. What is to stop a hacker from copying the DRM so cheaply and conveniently purchased from Sony into malware they trick users into downloading? Everyone would be vulnerable to this attack because it would deliver & install the rootkit itself, instead of hoping you installed it from a Sony CD.

4. Press reports suggest that only a few people are affected. Leaving
aside the question of the number of Neil and Celine fans out there,
does this not underestimate the damage potential? Surely, one
compromised PC inside a corporate firewall at a major company could do
a lot of damage if it were used, say, to launch denial of service
attacks within the firewall? (Let's not forget, not all IT departments
revoke admin rights from their users.)

Some observations:

1. Neil's, Celine's and the Van Zant brother's music are all available on iTunes. Good news for users who play CD's on PC's and iPods and want the artist to get paid. But this availability makes it nonsensical for Sony to stop iPod users from accessing the CD version.

2. First4Internet claim on their website that XCP works (if that is the right word) on Mac's as well as PC's. that no doubt explains why someone reported finding Mac-compatible files on the CD, but not why Sony apparently decided to exempt Mac owners from restrictions.

3. I have trusted the Sony brand for over thirty years and it saddens me to lose trust in the company, not so much for the initial mistake of unleashing this nonsense on people like me who have always paid artists for their music, but for their head-in-the-sand reaction to consumer reaction. I have had to reluctantly join the throng of people boycotting Sony products until, hopefully, they become trustworthy once more.

Thanks for your work and clear reporting.

11/11/2005 1:38:00 PM by tricknight

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

http://news.ninemsn.com.au/article.aspx?id=71751

READ THIS!

Sony is ceasing production of copy protected cds!

11/11/2005 6:25:00 PM by Jessica

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

READ THIS!

Sony is ceasing production of copy protected cds!

Uh huh.

"Temporarily."

Sony has already demonstrated that we just can't trust them. Why should we believe they have actually learned a lesson from this?

They're only going to stop putting out CDs with the XCP trojan until they can figure out a way to hide it even from tools like Mark's.

I, for one, will not be buying any Sony products ever again.

11/11/2005 7:55:00 PM by Seraphiel

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I tend to agree with the comments about EULAs. Sometimes they contain language that doesn't seem to apply to the software in question, and other times it's difficult to figure out what it's trying to say. And the rest of the time, they're so long that you fall asleep while reading them. Anyone remember Borland's "No Nonsense" agreements?

Would it be feasible to have a generic EULA, in a manner similar to Creative Commons? This gives you both a one-or-two sentence description of what is allowed, and also has a fine-print version which says exactly the same thing. All the publisher would have to do is select the exact variant that they want to use, list exactly what is provided, how it changes the system (if at all), and what connections it requires to the outside world and why (i.e., program vvv uses HTTP protocol to send www to www.xxx.com/yyy in order to zzz). The short version can easily be printed on the box/case (or shown on a website without ten miles of scrolling window), so that you know what you're agreeing to before you fork out money. Use of a restricted number of readable short-form agreements could make it more enforceable.

11/11/2005 8:26:00 PM by KilleenWizard

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Symantec has of Nov 10, 2005 developed a tool to remove it:\

So go here an download it:
http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

Type: Other

Name: XCP

Publisher: First 4 Internet Ltd.

Systems Affected: Windows 2000, Windows NT, Windows Server 2003, Windows XP

Risk Impact: Medium

11/12/2005 12:22:00 AM by crushelites

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

An interesting thought: could some enterprising hacker rip the conveniently-published rootkit out of a Sony CD and then use it in subsequent attacks on PC's that never loaded a Sony CD? Perhaps to hide a keylogger, for instance?

And if that WERE possible, would Sony be liable for any damage that "piggy-back" haqcker might cause??

11/12/2005 8:35:00 AM by Craig E Ransom

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

There has definitely been a change to Sony's "update".
On Nov 5, I downloaded Update031105.zip which was 3645406 bytes in size.
Today they have Update071105.zip which is 1396754 bytes in size.
The new file is only 38% of the size of the old one.
I wonder what they took out.

11/12/2005 2:04:00 PM by Flashing Cursor

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

In reply to "Flashing Cursor".....

The reason the update is
now smaller is that SONY
had put a reinstall over
the top of the UNINSTALL
of the root kit......

That's right while it did
the root kit removal it
added another version of
DRM software over the top
of the uninstall....

Go figure....

Typlcal SONY cluelessness.

11/13/2005 12:23:00 AM by RaAsGod

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The corrct Symantec address for the removal tool is at
http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

I found it revealing that Symantec's advice is to install the new DRM. Since the risk is that it is installed at all, why would they recommend that?

I am still waiting for someone with better skills than I to examine what the Sony DVD's are doing. After I tried (it never did play) to play "Kung Fu Hustle" now I have lost DLA on both of my DVD/CD drives. I also lost Administrative privaleges witin some software.

11/13/2005 7:04:00 AM by Richard Schimelfenig

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Shoot. Now I see why the first attempt to post the uninstall link failed. You will have to copy/past these lines.

http://securityresponse.symantec.com/avcenter/venc/
data/securityrisk.aries.html

11/13/2005 7:05:00 AM by Richard Schimelfenig

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Rumor has it that the music industry
won the right from the courts to
break into our computers?

From Sony's actions, it would seen
true?

B0dvar

11/13/2005 5:05:00 PM by b0dvar

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Yadda Yadda Ya...

Everyone is so obsessed with XCP2 and the damage that it is doing to their home and work pc's, because you paid for it!

What about XCP1 protected discs that are distributed on pre-releases?

Or did you not realise that XCP1 even exists? at the moment being sent around the world to music critics, journo's even radio stations!!!

11/13/2005 8:26:00 PM by Dan

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I've been following Sony's blight for many years. My first encounter was with a mini-disc player and it's accompanying software. The software caused frequent system crashes as well as uninstall problems. Uninstalling caused lost drive recognition, as does the new XPC rootkit uninstall routine. I have posted info on this topic on my website (http://www.3cintelligentsecuritysolutions.com/79852.html), in hopes that people will wise up and start doing something about this obvious security intrusion.

11/13/2005 8:40:00 PM by 3CISS

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Symantec came up with a removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.aries.html

I've not had a chance to try it, as I was one of the lucky ones that heard of this threat before installing it on my PC. Good luck and thanks Mark!!!

11/14/2005 10:27:00 AM by wvITguy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sorry, didn't mean to post twice, especially since I didn't get the URL right. Tricky cut and paste:). Here is the correct address:

http://securityresponse.symantec.com/avcenter/venc/
data/securityrisk.aries.html

11/14/2005 10:29:00 AM by wvITguy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

This is the new detection and disabling tool for the Sony-BMG XCP software:

http://tracker.zaerc.com/torrents-details.php?id=4106&hit=1

(it disables part of it at least, anyway -- and without addding more sh!t unlike the '''disabler''' from $ony-BM)

11/14/2005 6:52:00 PM by tnuocca342

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Sony BMG is facing yet another class-action lawsuit stemming from the controversy over its anti-piracy software, this time from a New York attorney who filed a federal case that could potentially include consumers in all 50 states.

http://blogs.washingtonpost.com/securityfix/2005/11/sony_faces_anot.html

11/14/2005 7:07:00 PM by a

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The system administrator has just sent an email around to everyone prohibiting the use of CDs distributed by Sony or Sony-controlled companies on campus computers or on computers connected to the network.

They included a link to this for further information, by the way, though I was already a reader. Let the word go forth from this time and place!

11/15/2005 12:32:00 AM by Joel

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

at my university, that is.

11/15/2005 12:43:00 AM by Joel

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Wow, lots of love.

The most effective way to punish Sony is to quit buying their products.

Send a real message: their next generation game console don't buy it, their TV's don't buy it, anything produced by Sony just quit buying it. Sell off their stocks, buy thier competitors, wake up Wall Street.

Send a message to their business parteners, by avoiding products or services of any company who does business with Sony.

As consumers, we have the real power over products and the behaviors we'll tolerate.

11/15/2005 11:35:00 AM by MouthOfMadness

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Now for the hate.

Not malicious you say?

Let's review: can't be seen, wasn't told, disables my hardware, transmits information, can't be removed, a security exploit that makes a PC vulnerable to oh... just about every virus writer in the next year.

I would say this is the very definition of the word!

I would think its time for a class action lawsuit and real jail time for those involved.

11/15/2005 12:00:00 PM by MouthOfMadness

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Keep this in mind, Time Warner (parent of CNN), Universal (parent of MSNBC/CNBC/NBC), Viacom (parent of CBS), Disney (parent of ABC) were all in favor of deregulating the broadcast industry where companies can own multiple TV & Radio stations in the same market, thus, control what people hear.

Why should they report on something that will help the consumer?

I find it disgusting that the RIAA has supported this 'big brother" practice and I hope this disclosure will lead to the end of their organization.

11/15/2005 5:02:00 PM by smoothjazzandmore

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I just tried the test mentioned by someone above by naming a new folder with the $sys$ prefix, and my Panda TruPrevent software blocked me from even creating it with that name. Just an example that some are dealing with this. It popped up a dialog telling me "Dangerous operation blocked!" If only this prevention had already been out there before I used my CD months ago.

11/16/2005 8:32:00 AM by Ed Oliver

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

i have never had a music cd on my computer. i donwloaded and click on sony's Update031105 and it says i do not have xcp install. my understanding was the update only remove the cloaking part and now you should be able to view any hidden file. now is this the same as their uninstaller? is there a security hole now?

11/16/2005 3:48:00 PM by myidisbb

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Someone asked what happens if the computer is infected (e.g. via download) with a virus containing $sys$ prefix - if the virus scan/removal tools can still detect such virus.

You can try this by creating a "dummy" file on your PC containing a standard text string. I don't remember the exact string, but you can Google it. It's basically a "standard virus" that is actually not virulent; its only purpose is to check if your virus scanner is working properly. You can just give a $sys$ prefix to the filename of this dummy file, then try your virus scanner.

11/16/2005 6:13:00 PM by Jack

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

"Isn't it amusing how much of an effort Sony will go to to make sure people can't rip them off, but how reluctant it is to deliver value for money. Secondly, why should we be forced to pay for fancy boxes and inlays. I'd be perfectly happy if they came on the disk (jpg/txt). In fact, I'd be happy if they came with no inlays/extraneous art what-so-ever."

CD's generally cost around $2 or £1 to make, including all production, payment to artist, artwork distribution, marketing costs. So you should get your printed inlay's, fancy boxes and a huge refund. Instead we get a $200 bill for repairs on our computers.

11/16/2005 11:37:00 PM by lestat-de-lion-court

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

FACT (Federation against Copyright Theft - http://www.fact-uk.org.uk/) have on their website an intereseting bit about piracy

<<
Piracy harms UK jobs, evades the Inland Revenue, harms UK investment and limits the development of the UK film Industry
>>

They forgot to mention people's computers being pirated by rootkit trojans.

It also has a link to the Internet Enforcement Agency (http://www.ieg-uk.org/) which, whilst not seeming to have much to do with this (apart from getting your computer to tell Sony directly or otherwise what you are playing and where you are), the site does stress the importance of the Computer Misuse Act (CMA) and states that it is 'Co-ordinating joint action against known pirates'. I believe that here, Sony is pirating your computer.

Sony's egregious choice of DRM software -- itself egregious in its own right -- makes it culpable. Sony has a duty of care (Donahue v Stevenson 1932 AllER and all of that) to ensure that material it supplies will not damage other people or their property. It is not limited to acts but also covers omissions so by failing to make take reasonable steps to ensure that it would not break people's machines in any regard, they are guilty of an omission.

If they argue that it is not reasonably practicable to ensure that the DRM rootkit will not damage people's computer systems, they should have decided not to include it on their distribution. By including it, they have acted.

11/17/2005 8:25:00 AM by Paul

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

<<
Someone asked what happens if the computer is infected (e.g. via download) with a virus containing $sys$ prefix - if the virus scan/removal tools can still detect such virus.
>>

it is the EICAR test string. Copy the following into notepad without any return at the end of the line and then save it as $SYS$EICAR.txt

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

if your AV doesn't detect it, you are in trouble. In that instance, save it again but without the $SYS$ prefix and if your AV does detect it, you know that the cloaking does work for malicious code.

The EICAR string is not a virus, it is just a standard string used by all of the best AV companies to allow the user to test their AV installtion safely.

11/17/2005 8:31:00 AM by Paul

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

BTW, with the EICAR string, you can call it a .com file instead of a .txt and then double click on it from Windows Explorer. This will test your on-access AV - saving it as a .txt file tests your scanning AV.

11/17/2005 8:46:00 AM by Paul

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

McAfee posted on 8.Nov:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=136855

11/18/2005 12:53:00 PM by Warren

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I decided to see if First 4 Internet had included anything recently about this situation in their "Press - XCP Related" (http://www.xcp-aurora.com/press_related.aspx)

It came as no surprise to me that they hadn't.

11/19/2005 11:27:00 AM by ukchap4

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Get a mac or just deal with it... hahaha

11/19/2005 1:55:00 PM by ROY DOE

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

And they did'nt even give me a kiss.... I am Never Buying a Sony product again.
I spoke on phone to Van Zants management people and the artists were unaware of Sony putting anything like this on thier CD's. The damn thing is on my system and has stopped the OS from identifying my drives, crippled Ahead Nero and seems to have corrupted Windows Media Player.
I am at end swith trying to rid my system of it and am facing a complete re-format and relaod all programs to clean my network units from the Sony Curse.

11/19/2005 4:24:00 PM by Deadguy

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I read all about your discovery on the BBC News website. I'll be very careful about what I buy from Sony BMG now on.
I'm sure the company is scared of losing out in digital download race and wants to do anything to keep their share of the market.

Thank you for telling the world about this scam.

11/22/2005 4:02:00 AM by mistrust.music

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Well, I DID remove the rootkit with unhackme.exe, which appeared, from my research, to be the safest way to do it. So, now the cdrom is invisible and I am getting a registry corrupted error on the 2ndary ide and cdrom drive depending upon which I have uninstalled in hardware manager last.

I am about 2 centimeters from installing Linux on this box, and to hell with it.

11/23/2005 6:26:00 PM by saphil

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hi there,

I'm posting on behalf of someone I am helping. Seems they had the infernal Sony Rootkit on their machine...now removed and their CD/DVD drive is broken. I have seen the safe way kindly published to reveal and remove the rootkit....but...how do you repair the CD/DVD drive if that was removed improperly?

11/23/2005 9:00:00 PM by HappyShiner

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The most stupid thing about the whole Sony DRM affair is that:

1/ The Copy protection is not infallible.

2/ The Manufacturer explains a simple workaround to enable you to copy CDs

http://www.xcp-aurora.com/press_article.aspx?art=aug_05_art2

Quote "The copy protections are not iron-clad, however: You can make three copies of the CD on each PC on which you load it. You can also make three additional copies of the CD from the tracks that you have ripped to your Windows Media Player library. Once you have burned CDs using Windows Media Player, the tracks cease to be protected, and you can upload this audio CD into another media player, such as ITunes. And once the tracks are uploaded, you can burn them as often as you like."

11/25/2005 4:51:00 PM by Bob

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

i just bought anastacia's new cd pieces of a dream. when i put it on to my computer, it would not burn to a disc. so i had to use clonecd in order to make a copy, because sony screwed up my burner and now i can't make copies. does anyone know what i can do? i tried to uninstall software and it said there was not software on my comp.

11/25/2005 10:58:00 PM by freakthemighty

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Micro Mart in the UK says Symantec has a "fix" that removes it and the associated rykos virus too.

http://securityresponse.symantec.com/avcenter/FixRyknos.exe

Hope this helps!

Sony, not happy at P*ssing off all the artists in the world, now having a go at the people that fund them. Typical, will never buy another Sony product. George Michael seemed to have them sussed years ago eh! Fony!

12/1/2005 4:05:00 PM by Download2005ML

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Maybe someone should write an uninstaller, charge $5 to buy it, and the $5 can all be claimed back from Sony as part of the class action lawsuit...?!

12/11/2005 12:50:00 PM by Rebroad

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

The protected disks must be readable in ordinary cd-players, right?

So it must be possible for the cd-rom drive to function as a cd-player, reading the audio only.

If I put an ordinary cd in the drive, and press play,I get audio via the audio cable or the front panel jack.

So perhaps there is the need for "safe-mode" cd-rom drives, which behaves like a cd-player.

Otherwise, only play cd's over the computer if you connect a player/walkman (oh, sony gots the right on that word) via the line-in input.

Wouldn't a rip to mp3 be good enough if it was sampled from analog line-in?

Perhaps one should insist on only buying cd's after hearing it on the pc running the accounting in the shop :-)

Lenne

12/20/2005 3:42:00 AM by lenne_dk

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I would like to thank everyone here for the information. I do not know anyone that is infected, but I will be informing all of my friends and family about this. I didn't even find out about this until today, and I spent the rest of the day reading this. I was going to get a PS3 because I am a diehard Final Fantasy fan and they are rereleasing FF7 for it, but now I am adding myself to their list of people who will never buy from them again. Once again, you all have been most helpful.

1/1/2006 5:43:00 PM by Alachine

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I have had the same problem with my computer and until I spoke with somebody in the USA I didn't know what the problem was. I had downloaded a new Sony CD to put on my Ipod. Sony New Zealand have said that this could not be happening in NZ as they buy their CDs from Australia and therefore this must have been a parallel import. The shop I bought it from says it came from Sony. They couldn't or wouldn't tell me how to fix it - most unhelpful. I have now detected and removed the problem with Microsoft Antispyware but will never buy a Sony CD again.

1/10/2006 4:23:00 AM by Sue Long

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

When I saw the $sys$ prefix for hidden files I was transported back to the late 70's and the CPM operating system from Digital Research that pre dated Microsoft. Funny, I thought, who would remember that or be relient on such old technology other than me? Then I saw First 4 Internet was based here in the UK and the mystery was solved.

1/26/2006 8:32:00 PM by Deak

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I have experienced an extreme performance problem that I believe is related to the DRM software. I sent an email through Outlook with several large attachments. After I pressed send my desktop started performing really slow, windows would hang and then start to respond again then the same thing would repeat, at first I thought it was outlook causing the problem; I opened the task manager and started reviewing the CPU usage for the process causing the issue. I sorted the list by CPU usage, outlook was clocking a lot of cpu, but I noticed that prior to each time a window would stop responding, that $sys$DRMServer.exe process would jump to the top of the cpu usage list and then go back to the bottom.
I tried killing the process and the system would not let me. I finally had to kill the outlook process, after stopping the outlook process $sys$DRMServer.exe no longer continued to jump to the top of the cpu usage list. Coincedence maybe, but it is definitely suspicious. I wonder if this could be because I am behind a firewall and the process could not connect to the Sony website to update.

1/30/2006 4:56:00 PM by Dale Sides

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

My boyfriends computer has been compromised by this conspiracy. He did not try to play the cd...did not accept any agreements. He had bought the cd, popped it into his computer to burn it so he would have a copy for his truck and all **** broke lose. That was 5 months ago. We live in the USA. Since then the Techs that built his computer have got rid of the rootkit but he can no longer burn cds. His cd player is somehow not being recognized in the burning process. They have put 2 cd players in since then. He finally brought it over to me to take a look this weekend. I discovered your blog in the process. I am irate. I have figured out by your blog that because of SONY his cd programs...any that he puts on his computers become infected so they will not burn. I have installed three this weekend. I have been able to get ONE cd burned and have had no success since. Is there something I can do besides reformatting to fix this? What would cause the cd players not to be recognized in the burning process? Thank you for any help anyone may give me.

2/13/2006 1:20:00 PM by SummerDaze

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

A few months ago I had exactly the symptoms described with not being able to access the CD drive after trying to fix a driver problem on my daughter's PC. A DOS driver could see the CD fine but not XP (including safe mode). Couldn't use boot time 'recover' option. Ended up spending £50 on a one-off MS support call helping me remove filters. Sounds like Sony might owe me £50.

3/21/2006 11:46:00 AM by Anonymous

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

A most excellent series of articles, Mark. I too am a programmer (NT and Win32) and have recently begun learning device driver coding. I am careful when working in kernel space, as I do not wish to bugcheck the system (and get the BSOD), so I'm disapointed that the contracted developers did such a piss-poor job. That Aries.sys kernel mode driver (or filter?) can easily BSOD someone's system, and more likely than not, they will think that it's a Microsoft bug (which has spurred on the increased growth growth and authority of WHQL, requiring more and more signed drivers from 3rd party developers). I hopy Sony gets a clue and hires real programmers who can write correct, efficient code (like yourself or OSR). These kind of developers continue to give the rest of us a declining reputation among our clients and customers.
Keep up your excellent work! And don't worry; if Sony continues these idiot stunts, they'll become a __noop/Opcode 87!

P.S. Just finished your great update to the internal's book, Microsoft® Windows® Internals, Fourth Edition. Thanks for the very helpful knowledge.

3/28/2006 11:36:00 PM by S. Sean Stagner

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

I removed the sony rootkit from my Dell system and now my CD drive (internal) is "not connected to the computer". I know it is. It is stuck in the side of it! Anyone know what I need to do to get my CDRW/DVD drive to be detected by my computer?

contact: fred@onebreathaway.org

thanks

4/6/2006 11:49:00 AM by Fred

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

One of the benefits of using Linux is that I don't have to put up with any of this kind of treatment from anyone. Thanks but no thanks Sony.

7/13/2006 8:43:00 AM by Anonymous

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

There have been at least three times prior in the history of the music industry where they cried about a decline in sales and blamed it on things such as cassette tapes and file sharing, etc. Not only do blame current technology for their inability to market appropriate material, but they seem to be pretty hypocritical when it comes to information theft. It's bad to steal their music, but it's quite alright to steal customer's information.

Thanks Mark for the valuable articles, copyright is still important, but suddenly I don't feel so bad for them, as they apparently have no regrets for violating my privacy or rights in my own home, on my own equipment.

7/14/2006 1:18:00 PM by Brandon

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Preved brothers!!! Nice day! Good luck!!! =)

7/23/2006 10:26:00 AM by buy phentermine online

# re: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

Hello everyone, sorry for the length, but I tend to get going...

I would like to mention another CD that behaves "questionably"...this one from Capitol Records Nashville. My wife happens to like county music [I am forced, against my will to listen to it..._sigh_] and she wanted to listen to her new Trace Adkins CD while using our family computer.

She (who I would consider a better than average computer user) put the CD into a CDR drive and immediately was presented with a "Several files need to be updated on your computer to play the CD" message. She called for my help (IMHO, she’s smarter then the average end-user; not clicking “Yes” just because its there). Clicking yes (done in a VM to test impact) resulted in “unable to install” errors.

I, like many who use the SysInternals site, am a Systems Admin. I work on this kind of stuff for a living and generally don't like to have to deal with this kind of thing at home. I generally take precautions against it! That being said, no one in my family logs on to our family computer with anything more than "Power User" rights normally, to prevent accidental damage/misconfiguration/compromise/etc. This is most likely what resulted in the, um "errors" seen before.

The good news is that you can click the “Cancel” button and indeed WinAmp and WMP seem to be able to play the CD fine. No “updates” needed to play CD audio, of course.

The bad news is that on the CD case, I only see a message that “This disc contains Copy Control technology” repeated in several languages. Nothing real specific as to the kind of protection or that it would require “updates”. I am still in the process of investigating what other “damage” might have been done to my personal property by the good folks at Capitol Records. BTW, the “Copy Control” logo is mentioned as being trademarked by the IFPI?!?

I previously read Mark’s article about Sony’s shady DRM solution and immediately was annoyed that now I had to deal with something like it too, even if it did seem slightly less invasive. Some of us use our computers as part of our daily lives and regard this kind of activity as a kind of invasion of privacy. We paid for the CD. There was nothing presented that we would have to agree to allow certain modifications to be made to our computers just to listen to it on them. This is very irritating that Capitol Records would assume they could anyway.

Most people purchase a music CD assuming that it contains audio, and they can listen to said audio. They do not expect that it will do, or indeed is, anything else.

I think that the music companies should stop trying to protect their property via measures that have a greater potential impact on legal use than it does on illegal use. Most people, it seems, who illegally obtain music get it from sources who have already by-passed these kinds of copy protection!

They should adopt a model (in keeping with the times) closer to that of software licensing. A model where each purchaser is buying a single license to use the audio for private listening on any device they choose, provided they only do so on one at a time. These licenses could contain non-transfer clauses and even single-instance-storage clauses. I think most people would be willing to agree to that if they felt they didn’t need to risk jail to use their MP3 player with their own CDs!

Anyway, just my 2 cents.

7/31/2006 3:27:00 AM by The Reverend JW

Mark Russinovich’s Blog

Hunting Down and Killing Ransomware

The Case of the Unexplained FTP Connections

Windows Azure Host Updates: Why, When, and How

The Case of the Veeerrry Slow Logons

More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home