Sony, Rootkits and Digital Rights Management Gone Too Far
Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:

Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking.
Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.
It’s relatively easy to spot system call hooking simply by dumping the contents of the service table: all entries should point at addresses that lie within the Windows kernel; any that don’t are patched functions. Dumping the table in Livekd revealed several patched functions:

I listed one of the intercepting functions and saw that it was part of the Aries.sys device driver, which was one of the images I had seen cloaked in the $sys$filesystem directory:

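The check described above (every service table entry should point inside the kernel image, and any other target can be attributed to the driver that contains it), as an added example that is not code from the original post or from any Sysinternals tool. The addresses, module ranges and the function and struct names are constructed for illustration; `ntoskrnl.exe` is assumed as the kernel image name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One loaded kernel-mode image occupying [base, base + size). */
struct module_range {
    const char *name;
    uint32_t base;
    uint32_t size;
};

/* One service-table slot whose pointer lies outside the kernel image. */
struct hook_finding {
    size_t index;       /* service number (index into the table) */
    uint32_t target;    /* address the slot points at */
    const char *owner;  /* image containing target, or "<no module>" */
};

/* Return the image that contains addr, or NULL if none does.
 * The subtraction form avoids overflow in base + size. */
static const struct module_range *owner_of(const struct module_range *mods,
                                           size_t nmods, uint32_t addr)
{
    for (size_t i = 0; i < nmods; i++) {
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    }
    return NULL;
}

/* Scan a dumped service table. Every slot that does not point into the
 * image named kernel_name is reported. Returns the total number of
 * findings; only the first out_cap are stored in out. */
size_t find_hooked_services(const uint32_t *table, size_t count,
                            const struct module_range *mods, size_t nmods,
                            const char *kernel_name,
                            struct hook_finding *out, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < count; i++) {
        const struct module_range *m = owner_of(mods, nmods, table[i]);
        if (m != NULL && strcmp(m->name, kernel_name) == 0)
            continue;  /* expected: the kernel's own function */
        if (found < out_cap) {
            out[found].index = i;
            out[found].target = table[i];
            /* A target in no loaded image is reported too. */
            out[found].owner = m ? m->name : "<no module>";
        }
        found++;
    }
    return found;
}

/* Constructed sample data, not taken from a real system. */
static const struct module_range SAMPLE_MODULES[] = {
    { "ntoskrnl.exe", 0x804d7000u, 0x00214000u },
    { "hal.dll",      0x806eb000u, 0x00020000u },
    { "Aries.sys",    0xf8a5c000u, 0x00006000u },
};

static const uint32_t SAMPLE_TABLE[] = {
    0x80570a10u, /* 0: inside the kernel */
    0x8056e3c4u, /* 1: inside the kernel */
    0xf8a5d120u, /* 2: inside Aries.sys */
    0x805b2e00u, /* 3: inside the kernel */
    0xf8a5d4a8u, /* 4: inside Aries.sys */
    0x8060f77cu, /* 5: inside the kernel */
    0xffb01000u, /* 6: inside no loaded image */
    0x804e2b90u, /* 7: inside the kernel */
};

int main(void)
{
    struct hook_finding f[8];
    size_t n = find_hooked_services(SAMPLE_TABLE, 8, SAMPLE_MODULES, 3,
                                    "ntoskrnl.exe", f, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("service %zu -> %08lx (%s)\n", f[i].index,
               (unsigned long)f[i].target, f[i].owner);
    return 0;
}
```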
Armed with the knowledge of what driver implemented the cloaking I set off to see if I could disable the cloak and expose the hidden processes, files, directories, and Registry data. Although RKR indicated that the \Windows\System32\$sys$filesystem directory was hidden from the Windows API, it’s common for rootkits to hide directories from a directory listing, but not to prevent a hidden directory from being opened directly. I therefore checked to see if I could examine the files within the hidden directory by opening a command prompt and changing into the hidden directory. Sure enough, I was able to enter and access most of the hidden files:

Perhaps renaming the driver and rebooting would remove the cloak, but I also wanted to see if Aries.sys was doing more than cloaking so I copied it to an uncloaked directory and loaded it into IDA Pro, a powerful disassembler I use in my exploration of Windows internals. Here’s a screenshot of IDA Pro’s disassembly of the code that calculates the entries in the system service table that correspond to the functions it wants to manipulate:

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described. They’ll have to come up with a new approach to their rootkit sooner or later anyway, since system call hooking does not work at all on x64 64-bit versions of Windows.
After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:

I entered the company name into my Internet browser’s address bar and went to http://www.first4internet.com/. I searched for both the product name and Aries.sys, but came up empty. However, the fact that the company sells a technology called XCP made me think that maybe the files I’d found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs.
The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies. I scrounged through my CD’s and found it, Sony BMG’s Get Right with the Man (the name is ironic under the circumstances) CD by the Van Zant brothers. I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:

The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:

Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows:

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software:

I still had to confirm the connection between the process and the CD’s player so I took a closer look at each process. Based on the named pipe handles I saw they each had opened when I looked in Process Explorer’s handle view I suspected that the player and $sys$DRMServer communicated via named pipes and so I launched Filemon, checked Named Pipes in the Volumes menu, and confirmed my theory:

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.
I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.
When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter:

Unfortunately, although you can view the names of registered filter drivers in the “Upper filters” and “Lower filters” entries of a device’s Details tab in Device Manager, there’s no administrative interface for deleting filters. Filter registrations are stored in the Registry under HKLM\System\CurrentControlSet\Enum so I opened Regedit and searched for $sys$ in that key. I found the entry configuring the CD’s lower filter:

I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.
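The filter clean-up described above, as an added example that is not code from the original post: removing only the `$sys$` entries from a filter list while leaving other filters registered. It assumes the filter list is held in the Registry's multi-string layout (strings separated by NUL, list ended by an extra NUL) and works on an in-memory copy with narrow characters for portability; the function name and the sample filter names are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive prefix test (Registry names are case-insensitive). */
static int has_prefix_ci(const char *s, size_t slen, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (slen < plen)
        return 0;
    for (size_t i = 0; i < plen; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return 1;
}

/* Remove every string that starts with prefix from a multi-string buffer
 * ("a\0b\0\0"), compacting it in place.
 * Returns the new length in bytes including the final terminator, or 0 if
 * the buffer is not properly terminated or the prefix is empty (in which
 * case the buffer is left untouched). *removed receives the number of
 * entries dropped. */
size_t multisz_remove_prefix(char *buf, size_t len, const char *prefix,
                             size_t *removed)
{
    /* Refuse malformed input instead of reading past the end of it. */
    if (len == 0 || buf[len - 1] != '\0' ||
        (len > 1 && buf[len - 2] != '\0') || prefix[0] == '\0')
        return 0;

    size_t r = 0, w = 0, dropped = 0;
    while (buf[r] != '\0') {              /* an empty string ends the list */
        size_t slen = strlen(buf + r);    /* safe: terminators checked above */
        if (has_prefix_ci(buf + r, slen, prefix)) {
            dropped++;                    /* skip the cloaked filter */
        } else {
            memmove(buf + w, buf + r, slen + 1);
            w += slen + 1;                /* keep the unrelated filter */
        }
        r += slen + 1;
    }
    buf[w] = '\0';                        /* list terminator */
    if (removed != NULL)
        *removed = dropped;
    return w + 1;
}

int main(void)
{
    /* Constructed sample value: two "$sys$" entries around an unrelated
     * filter. The string literal supplies the final list terminator. */
    char filters[] = "$sys$example\0examplefilter\0$SYS$other\0";
    size_t removed = 0;
    size_t n = multisz_remove_prefix(filters, sizeof filters, "$sys$",
                                     &removed);

    printf("removed %zu entries, new length %zu bytes\n", removed, n);
    for (const char *p = filters; *p != '\0'; p += strlen(p) + 1)
        printf("remaining filter: %s\n", p);
    return 0;
}
```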
The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.
While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
For an update on the story, read More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home.
Originally by Mark Russinovich on 10/31/2005 11:04:00 AM
Migrated from original Sysinternals.com/Blog
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Very interesting reading... I agree, things are beginning to go too far
10/31/2005 2:40:00 PM by fredlife
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"... system call hooking does not work at all on 64-bit versions of Windows."
This sounds interesting. Why not? Can you explain?
10/31/2005 2:46:00 PM by denis bider
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
10/31/2005 3:12:00 PM by Mark Russinovich
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I think you're being a little generous to Sony towards the end there... you don't really know what their motives are for permanently hiding services on your system, and they could extend well beyond copy-protection in the future. They have also exposed their customers to the risk of an exploit which leverages this rootkit - if they sell enough of this crap, I can see that being a temptation too hard to re$sys$t : )
10/31/2005 3:49:00 PM by snooze
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Isn't it illegal for Sony to do this without authorization/consent? Seems like good grounds for a lawsuit...
10/31/2005 3:53:00 PM by rwake
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This is shocking! Have you contacted sony? If so, did you get a response?
10/31/2005 4:11:00 PM by ChrisM
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Illegal? I suppose it's dependent on the presence of a EULA. Was there one for this installation? Has anyone read it?
10/31/2005 4:13:00 PM by Charlie Don't Surf
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Sony should pay the same fine that individuals are expected to pay if sued by RIAA. Their infringement into your operating system is just as bad as a copyright infringement.
10/31/2005 4:32:00 PM by bob3160
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Here's the EULA.
Note that there's no mention of a rootkit or the inability to uninstall or delete the software (in fact, there's a reference to being able to do so).
10/31/2005 4:37:00 PM by Mark Russinovich
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"Very interesting reading... I agree, things are beginning to go too far"
*beginning?*
10/31/2005 4:46:00 PM by jayKayEss
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad."
He said there was no mention, I would certainly try to get a bit of money offa them. :)
10/31/2005 4:48:00 PM by Kyosji
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Outstanding piece of detective work.
Do you think Sony has done the same thing for other OS's (Unix, Mac OSX, etc.)?
10/31/2005 5:09:00 PM by mrkwst
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I'm pretty sure that in the UK this would contravene the Computer Misuse Act..
10/31/2005 5:27:00 PM by David C. Barker
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, this is indeed an outstanding piece of work, and I agree completely about things starting to go too far. The minute someone starts installing services as deeply embedded in a system like this, it gets to the point it infuriates you, and, this puts DRM in the spotlight. My commendations!
10/31/2005 5:34:00 PM by Draelen
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
It's lawsuit time, guys.
10/31/2005 5:45:00 PM by anonymous
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?
10/31/2005 5:51:00 PM by Chad
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I predict that maybe the next time you're purchasing a music CD with similar DRM software on it, you'll never open the package, instead downloading the MP3 files for that album through (illegal) P2P file sharing.
For some strange reason all DRM software is missing in those P2P downloads, leaving you with just the music to enjoy... :-)
10/31/2005 5:51:00 PM by Henry Skoglund
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark,
Outstanding detective work. Would you be willing to create a clean up script for us mortals who unknowingly installed this?
I can also report that does not happen on OSX. The software that plays the disc on Windows does not work on a mac.
10/31/2005 5:53:00 PM by Ron
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Excellent work! I was about to buy the new Santana CD which comes out tomorrow and is advertised as copy protected. I’ll have to re-think this!
10/31/2005 5:54:00 PM by goober
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Very interesting reading. I've always been in the camp that sees DRM as too limiting to fair use in most cases; this is the second time I've heard of it crippling machines (first I had heard was what TurboTax did to me a couple of years ago with the junk it added to the MBR). This time they have indeed gone too far. I hope someone pushes this with Sony and gets an uninstaller for this thing posted on the Sony front page.
10/31/2005 6:04:00 PM by Jerry Ham
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I have to ask. Do you still have the offending CD ??
If so, why ? We all hear that the recording companies are protecting their profits.
There is NO profit in an item that does NOT sell.
Hit them in their pocketbook. Return the CD for a full refund.
I currently do this with all DVDs that contain advertizing I cannot 'skip'.
I do not buy CDs with copy protection. Especially the SACD format.
Do what you will, but I feel no actions, no complaining.
EXTREMELY great work on this example, B.T.W. !!
===
10/31/2005 6:07:00 PM by Dsbeerf
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I think it's fair to say that since he didn't know what this malware was, and that it isn't mentioned in the EULA, that it's fine to disassemble, reverse engineer, examine or otherwise dissect this piece of crap.
10/31/2005 6:09:00 PM by Chris
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"If you have a Mac computer you can copy the songs using your iTunes Player as you would normally do."
http://bigpicture.typepad.com/comments/2005/10/drm_crippled_cd.html
I am more and more happy to be on a MacIntosh...
10/31/2005 6:19:00 PM by Janean
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Do you suppose the same rootkit is hidden in the music download software Sony forces its MP3 player purchasers to use?
10/31/2005 6:19:00 PM by Lewis Perdue
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Another fine example of why the music industry is losing support and people would generally just download music off irc or p2p. Good work sony! If suing 8 year old kids that the RIAA cannot verify to actually exist is in question why not install a backdoor like a common botnet cracker. Don't wait in line for my purchase...
10/31/2005 6:24:00 PM by ali3nx
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This software will be considered spyware under the ASC definition,
The ASC's most recent definition of spyware is:
Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
* Material changes that affect their user experience, privacy, or system security;
* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information.
I can see it certainly doing the first two, and doesn't need to do the third.
The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC....
Don't think that the Govt won't be taking Sony to court... they took Microsoft to task over anticompetition... all it takes is a letter to your Senator!
10/31/2005 6:40:00 PM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I guess this reinforces the idea of turning off AUTORUN of any CD/DVD device.
This should still allow one to listen and rip to MP3's. How so? According to the linked CNet article,
"As for more basic CD player compatibility issues, Gilliat-Smith says the discs are compliant with Sony Philips CD specifications and should therefore play in all conventional CD players."
If you do not allow the CD to perform its autorun routines, you won't have the software installed, and it should be viewable as a standard audio CD.
10/31/2005 6:43:00 PM by Guz
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
IANAL, but this appears to be illegal in the State of California, punishable by a $1000 fine per computer affected.
California Business & Protections Code Section 22947.3, Paragraph C:
A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
...
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.
This is some horribly written legislation (difficult to parse), but it appears that you must be able to specifically decline to install software (regardless of EULA conditions).
10/31/2005 6:45:00 PM by Erik Carlseen
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This is exactly the reason that I disable the CD Autorun feature on my systems. It amazes me that this feature is on by default. It allows any arbitrary code to run on your system just by sticking a CD in your drive. This, coupled with the fact that most Windows user accounts run with administrative privileges is a disaster waiting to happen.
-pf
ps Wasn't this a spooooooooky comment?
10/31/2005 6:45:00 PM by PunkFloyd
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Re: patching.mspx...
So, mark, what you're saying is that Windows 64 comes with a rootkit preinstalled.
10/31/2005 6:46:00 PM by President Leechman
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Eric... Bada Bing, Bada Boom....
That has so got it. I'd like to see someone in LA 'unintentionally' install this software and start the class action.... the only real winner is the lawyer that wants to take on Sony's goons...
10/31/2005 6:48:00 PM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
There is a "kind" of legal precedence for this. The case of Sotelo v. DirectRevenue which was recently decided in Chicago says that installing spyware is an invasion of privacy into the home. To get to this point is only a small jump from that case. I think that we should sue the ass off Sony, and I would boycott products except for the fact that Sony has its claws in EVERYTHING (half the movies you see out there are Sony stuff, even if they don't say so). It is unfortunate that this is happening under the auspice of "copyright protection" when all it does is screw over the last honest consumer who actually bought the damn product for their $18.99 Best Buy "sale" price. tsk tsk and shame! This is why free source stuff is the FUTURE!
10/31/2005 6:50:00 PM by MultenCore
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark comments in the article:
"...I’m careful in my surfing habits and only install software from reputable sources..."
Are we entering a Personal Computing world where such assumptions about reputable sources no longer apply?
Forget ghosts and goblins. This scary Halloween story sent shivers up my spine.
10/31/2005 6:52:00 PM by BugCheck 7b
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
At the very least, do consider billing Sony for your time...
10/31/2005 7:04:00 PM by Martin
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Thanks for pointing this problem out. Most of the music I buy is from small, classical and jazz labels so I haven't come across this yet. But I'll keep an eye out for Sony. They have no right to mess with your machine so badly!
10/31/2005 7:51:00 PM by RHFOOTBALL
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
First 4 Internet Ltd. is a British company, hence why the .com tld didn't work. On their page they advertise their XCP Aurora "eXtended Copy Protection" software. Seems to me they extended it a bit too far.
10/31/2005 8:10:00 PM by karson
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Look, the EULA has been modified!
"As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise. "
10/31/2005 8:22:00 PM by oasisob1
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Perhaps if you kernel level developer guys were a little less friendly and helpful on your mailing lists you could prevent things like this being created.
Ceri Coburn of First4Internet.co.uk asking for help writing a cdrom filter driver
10/31/2005 8:22:00 PM by Edward
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This makes buying DRM'd MP3's off the net a much more viable option.
IE, with ITMS, I know what DRM is there, and what it does and doesn't do. There are no secret root kits or such installed with the song.
Does anyone know what sort of hooks the root kit puts into the PC for remote access? call home features, etc?
10/31/2005 8:24:00 PM by Hellman109
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I see what you did there.
...No, I don't, but it's a nice stab in DRM's back.
10/31/2005 8:32:00 PM by Pichu0102
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Has anyone else done any work on how well XCP is written? From looking at First 4 Internet developer Ceri Coburn's posts around various mailing lists, I would also be worried that the rootkit is actually badly hacked together, hence the processor overhead and the half hidden files.
Has anyone checked if it calls home too?
my blog post - http://www.cubicgarden.com/blojsom/blog/cubicgarden/culture/2005/10/31/Make-no-mistake-the-new-battle-lines-have-been-drawn-rootkits-and-all.html
10/31/2005 8:41:00 PM by Ian Forrester
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This story is featured on Digg.com
http://www.digg.com/security/Sony,_Rootkits_and_Digital_Rights_Management_Gone_Too_Far
Please Digg this story and let the word spread.
10/31/2005 8:42:00 PM by TBoMH
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Damn, I thought I was first with the rootkit DRM idea. Just few days ago I wrote a rootkit that acts as a DRM system, as a demonstration about the Finnish law (and EU copyright directive) regarding effective technological measures. I was thinking I could demonstrate that the law will protect malware, too, which is obviously unintended... but to see the same techniques are used in an actual DRM scheme already being deployed, I'm shocked.
Here's a summary about my copyright projects:
copyright_projects_en.txt
10/31/2005 9:45:00 PM by Matti Nikki
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
First 4 Internet Ltd is going to have some very upset clients, after they read Mark's review of the shoddy DRM code they were sold.
10/31/2005 10:00:00 PM by Courier
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
wow, spooky story for this Halloween evening. Glad us Mac users don't have to put up with crap like this.
10/31/2005 11:12:00 PM by David
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Ironically enough, you'll never find this sort of thing happening if you download off of iTunes et al. If the record companies want to try and draw music buyers away from a company they feel is stealing their market share in an "unfair deal" that they themselves cut, they might try not ravaging their customers' systems. After Sotelo vs. DirectRevenue, I really think this has class action potential. So, the question is, who's going to get the ball rolling? I vote Mark, as he has all the evidence accumulated from personal experience, and because it will be awesome to read about it in this blog :)
10/31/2005 11:23:00 PM by Taliesin
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I perform an average of 3 virus removals a day. Until two months ago I had never even run into a rootkit on a customer machine but now I see one every other day (usually the same spyware program). I have a bad feeling that number is going to rise significantly after this.
Also, here's an easier way for editing the registry tags for most people. Open regedt32, right click the parent key (if you select the value itself you'll get access denied), select permissions>advanced>owner tab, select your user or group from the list, check 'replace owner', click OK. Now you can add your own access permissions to the key then remove or edit the values.
10/31/2005 11:40:00 PM by A. S.
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Way to go, Sony. You've really made me want to legitimately purchase music, now that it includes worse viruses than I'll find on Kazaa.
10/31/2005 11:46:00 PM by Ruke
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
What will happen if an unsuspecting user has a dozen DRM'ed discs, each with their own player and each using a bit of CPU even if they are not being used, and each adding a filter to the CD/DVD drives ?
I suspect that performance and stability may take a hit.
10/31/2005 11:49:00 PM by Feynor
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
So, here's the really important question. Will this thing install if you are running a limited user account? Does running as a limited user account provide any protection at all against getting rootkitted off a cd like this, or is that just another Windows fallacy.
10/31/2005 11:55:00 PM by partenavia
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Per Sony's own site you need admin rights to install the player. I don't believe this circumvents the DRM/rootkit installation, however. It appears to only make the DRM encrypted media unplayable.
-d/\/
11/1/2005 12:17:00 AM by leniad.ninor
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
The more interesting question is how Microsoft will view this effort of Sony's. They have taken great pains to bend Windows to Hollywood's demands, but this mechanism CANNOT be seen as secure or of benefit to their own customers. Will the XCP signature be included in Microsoft Anti-Spyware, or the monthly Malware Removal Tool? There is no way this supports "trustworthy computing", however according to the Cnet piece Sony appears to have backed this XCP heavily.
I will be fascinated to see if major antivirus/malware outfits start flagging this (the visible evidence at least) - I don't see how they can accept this level of system intrusion, but then Sony is sooo big and this would panic a fair number of users. Maybe a Secunia advisory is warranted, too.
11/1/2005 12:33:00 AM by snooze
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This article has been written up on WFMU's Beware of the Blog.
11/1/2005 12:44:00 AM by Kenzo (last ever)
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"So, here's the really important question. Will this thing install if you are running a limited user account?"
Good question...I wonder about that myself sometimes.
I believe that running as a limited user account does protect oneself against this sort of thing, unless the malware uses nefarious means to install. If there is an unpatched vulnerability in the OS that allows for privilege elevation or otherwise provides access to the areas that are usually admin-only, and the malware author takes advantage of that, all bets are off.
11/1/2005 12:59:00 AM by blogdog
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, may this alert (DRM software) be activated on an Administrator account (or with some additional privileges for installing drivers)?
Does a user account not have a risk of installing this hidden software?
11/1/2005 1:40:00 AM by Sergey Dindikov
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Being an artist myself, I find this horrific. I own 3 PCs at home, and over 12000 songs. I've basically downloaded an app to convert all these songs into .ogg format, and I've renamed them all through freedb. I think it's a shame that more artists aren't aware of this stuff, as I'm sure some would take a stand - especially now that newer media are being considered for music distribution. I guarantee you, I will always ask the question to a record company before putting a CD (or any other medium) on a shelf.
Actually, why not get artists to change the way they copyright their music? If they own the rights to it, then the contracts they sign should include clauses to this effect, no?
Anyway, good work!
11/1/2005 2:23:00 AM by couzin2000
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, you missed checking several things in the article:
- how did the rootkit driver install anyway without Windows showing you the unsigned driver dialog box?
- if the rootkit driver was signed so it installed silently, who signed it?
- can the rootkit driver install on a non-administrator unprivileged user account?
11/1/2005 3:05:00 AM by JernejL
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Should anyone ever need a better reason to disable autorun?!
Bad Mark ... BAD!
Add it to your "Things to do after installing Windows" List!
11/1/2005 3:09:00 AM by Squiggle
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
First4Internet, eh?... let's see... according to public records, they were incorporated 24/11/1999. In 2004 they had a turnover of £709,941 and operating expenses of £1,301,546 -- meaning an operating loss of £591,605. In the last five years they have, on average, lost £541,067 a year. For 2004, their credit rating is "HIGH RISK" (complete with capitalisation). Meanwhile, the four directors share annual remuneration of £224,413 between them (average £56,103 each).
One of the directors, Nicholas Bingham, (appointed in 2002) was director of "Sony pictures home entertainment Ltd." from 1989 to 1997, and director of "Sony pictures television production UK Ltd." from 1996 to 2000, and director of "Sony digital radio europe Ltd." from 1994 to 2000.
A cynic might say Sony selected this inept copy protection technology because it was supplied by one of their cronies. The reason this is a bad business practice can be seen by the software's many failings.
11/1/2005 3:20:00 AM by Michael Tandy
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
i don't even use windows, but i'll never buy another sony product after reading both this article and the one concerning the new protected My Morning Jacket CD. sony just lost the purchase of a new stereo receiver and a 55" LCD TV. further, i will never again buy a sony product and for sure NEVER buy another sony CD - where before i may have downloaded a few tracks and then bought the cd if i liked it, i will, well, you know - but not buy the cd. jesus, when will these companies learn that we're not idiots and that WE WILL SUPPORT THOSE THAT ARE GOOD TO US. if you're good, we give you money, if you're a dick, you're faded....
11/1/2005 3:27:00 AM by GSB
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
another question surfaces: what does this rootkit actually do besides hiding itself?
11/1/2005 3:38:00 AM by JernejL
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Interesting article and the EULA is just as interesting (all third parties are considered authorized licensors), which would seem to imply that Sony takes all responsibility for any and all action (specifically, damages). Obviously there's a waiver in there, but it means crap. What I find especially interesting though (especially in regards to a lawsuit) is the mention of terminating the license. You're required to remove, delete or uninstall the software.
Now here's the thing, if the software is difficult to remove, you might need to hire someone to remove it for you. I'd imagine that this would be covered by strict liability and therefore be billable to Sony.
11/1/2005 3:46:00 AM by Craig
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Wow, I mean, wow. Simply because I don't like the thought of rinky-dink media players galore installed on my machine, if I get any CDs that try to deploy such software I use ISOBuster (http://www.smart-projects.net/) to rip the audio and ignore anything else on the CD. You can then also use media player to rip to your machine, or burn back to a 'standard' audio CD.
11/1/2005 3:59:00 AM by Nick White (UK)
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"making system recovery extremely difficult if any of them have a bug that prevents the system from booting."
This has already happened:
http://www.microsoft.com/windowsxp/expertzone/chats/transcripts/05_0818_mce.mspx
Apparently it crashes at least some Media Edition PCs.
11/1/2005 4:13:00 AM by Joe Bloggger
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Just out of interest, is there any way of directly playing a digital audio stream, (via fiber from a CD/DVD player) directly in windows?
That way you could listen to your tunes, and not have to deal with such crap.
I figure that most recent PCs (even my cheapo POS) have a Fibre port on the mobo, but are they bi-directional or output only?
11/1/2005 5:04:00 AM by praxis22
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Hi,
If this is a British company, or one which operates from the UK then they may have fallen foul of UK law, specifically the Computer Misuse Act 1990 as follows:
"3.-(1) A person is guilty of an offence if-
he does any act which causes an unauthorised modification of the contents of any computer; and
at the time when he does the act he has the requisite intent and the requisite knowledge.
(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing-
to impair the operation of any computer;
to prevent or hinder access to any program or data held in any computer; or
to impair the operation of any such program or the reliability of any such data.
(3) The intent need not be directed at-
any particular computer;
any particular program or data or a program or data of any particular kind; or
any particular modification or a modification of any particular kind.
(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
"
It would seem that this law would apply to any UK citizen whose PC was affected by this software. It would be interesting to see what the consequences of this would be for the company in question.
Kind Regards
Simon
11/1/2005 5:14:00 AM by Simon Zerafa
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I have refused to buy Sony products for a couple of years now because of their customer unfriendly policies. This is very painful to me, as a geek: after all, Sony make some great products. But, fortunately for us, they do still have competitors. I strongly urge others who are outraged by this behaviour to adopt the same refusal to do business with Sony. Not just for CDs but also TVs, Vaios, etc.
11/1/2005 5:19:00 AM by Graham Cobb
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 6:02:00 AM by David Navigator
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I still don't agree that consumer music purchases are properly construed as licensed IP content. And in any event, that was certainly never clear to the purchaser of an LP, nor the purchaser of a CD. If these companies want to protect their content using the techniques of shrinkwrap software licensing, they need to make explicit reference to the capabilities and limitations of the content on the outside of the package, including minimum system requirements. That might ruin the pretty cover art consumers expect, but it would also let them know that the rules have changed. They also DEFINITELY need to provide an uninstaller. As it is, Sony is simply resorting to the techniques of computer criminals and disreputable vendors. I would suggest that perhaps they think we're all criminals because that's what they are themselves.
11/1/2005 6:11:00 AM by economy1
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I never have purchased Sony music, and this is a better reason never to.
The odd thing is, this must have been happening for some time. This had to pass under hundreds of noses.
This shows just how poorly we're protected by virus scanners, while we pay ~100$ a year to line their wallets.
I think this will see many more people switching to Linux. Just look at Ubuntu (which gives away free live CDs, honestly).
If the Microsoft OS can be hacked against the user this easily, they have a major problem. And if an EULA can change that easily to cover their own back sides, the law has a problem.
Robin Monks
Drupal.org Marketing
11/1/2005 6:21:00 AM by Robin Monks
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Interesting article, of course this only applies to Windows O.S.s (does the CD play happily in all versions I wonder?)
Have you tried to play the CD in a Mac or Linux system?
Presumably it plays OK in an ordinary CD player?
11/1/2005 6:25:00 AM by Anonymous Coward
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 6:36:00 AM by Perttu
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This DRM stuff is getting so out of hand and thanks to Mark for uncovering it. Even though I work in IT myself, I never would have found this lurking piece of software, let alone known how to remove it.
Aren't I glad to be a record collector - yes, I buy actual vinyl LP's. No DRM mess there.
11/1/2005 6:42:00 AM by Perttu
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Now I have one more reason not to buy any copy-protected cd's.
I recommend anyone who would like to buy a copy-protected cd, to download it from p2p-networks.
11/1/2005 6:45:00 AM by Makere
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Thanks Sony!
Now when I write my worm, all I have to do is name it "$sys$" and it'll be "Auto-cloaked" on systems you've compromised.
11/1/2005 6:49:00 AM by Paul Hanson
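The name-based cloaking raised in the comment above, seen from the detection side, as an added example that is not part of the original thread: a cross-view check that compares a raw enumeration with what the normal directory-listing API returned, infers the hiding rule from the entries that differ, and separates hidden entries that belong to a known product from ones that merely share the prefix. Apart from the `$sys$` prefix, every path, file name and the inventory are constructed for illustration, and the function names are hypothetical.

```python
import ntpath  # Windows path rules; importable on any OS

# Constructed sample data. RAW_VIEW stands for an offline or raw-volume
# enumeration, API_VIEW for the normal directory listing on the same machine.
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\cdrom.sys",
    r"C:\WINDOWS\system32\drivers\$sys$example_filter.sys",
    r"C:\WINDOWS\system32\$sys$example_dir",
    r"C:\WINDOWS\system32\$sys$example_dir\player_helper.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\Documents and Settings\user\$sys$other.exe",
]
API_VIEW = [
    r"c:\windows\system32\drivers\cdrom.sys",
    r"C:\WINDOWS\system32\notepad.exe",
]
# Constructed inventory of files already attributed to one identified product.
KNOWN_INVENTORY = {
    r"C:\WINDOWS\system32\drivers\$sys$example_filter.sys",
    r"C:\WINDOWS\system32\$sys$example_dir",
    r"C:\WINDOWS\system32\$sys$example_dir\player_helper.exe",
}


def norm(path):
    """Normalize separators and case so both views compare the Windows way."""
    return ntpath.normcase(ntpath.normpath(path))


def hidden_entries(raw_view, api_view):
    """Entries the raw scan found that the API listing did not return."""
    visible = {norm(p) for p in api_view}
    return sorted(p for p in raw_view if norm(p) not in visible)


def subtree_roots(hidden):
    """Hidden entries whose parent is visible.

    A file inside a hidden directory is hidden by inheritance, so its own
    name says nothing about the hiding rule and is left out of inference.
    """
    hidden_set = {norm(p) for p in hidden}
    return [p for p in hidden if norm(ntpath.dirname(p)) not in hidden_set]


def infer_name_prefix(hidden):
    """Longest prefix shared by the names at the top of each hidden subtree.

    This is a heuristic: with few samples it can over-fit to one product's
    naming, so treat the result as a hypothesis to confirm.
    """
    names = [ntpath.basename(norm(p)) for p in subtree_roots(hidden)]
    return ntpath.commonprefix(names)


def triage(hidden, prefix, inventory):
    """Sort hidden entries into three buckets for follow-up.

    attributed   - matches the rule and is in the known inventory
    unattributed - matches the rule but nobody has claimed it: the cloak is
                   keyed on the name alone, so this needs investigation
    unexplained  - hidden, yet no path component matches the rule
    """
    known = {norm(p) for p in inventory}
    report = {"attributed": [], "unattributed": [], "unexplained": []}
    for path in hidden:
        parts = norm(path).split("\\")
        if not prefix or not any(part.startswith(prefix) for part in parts):
            report["unexplained"].append(path)
        elif norm(path) in known:
            report["attributed"].append(path)
        else:
            report["unattributed"].append(path)
    return report


if __name__ == "__main__":
    hidden = hidden_entries(RAW_VIEW, API_VIEW)
    prefix = infer_name_prefix(hidden)
    print("inferred hiding prefix:", repr(prefix))
    for bucket, paths in triage(hidden, prefix, KNOWN_INVENTORY).items():
        for path in paths:
            print(f"{bucket:13} {path}")
```

The `unattributed` bucket is the one to act on: an entry that is hidden by the same rule but is not in the product's inventory has no legitimate reason to be invisible.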
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 6:56:00 AM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 6:57:00 AM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This needs to get into the mainstream media. The only way our views are going to have any effect, is for it to become high profile in the press:
BEWARE: ALL SONY MUSIC CD's CONTAIN A VIRUS!
Surely a competitor is willing to get this one plugged......
11/1/2005 6:59:00 AM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
In Australia, this software contravenes the Cybercrime Act, and does it with intent (=jail time up to 10 years).
EULAs do not trump laws. You cannot contract murder, and you cannot contract your way around laws designed to prevent secret, unauthorized intrusion and modification of a system.
There are at least three sections of the Australian Cybercrime act this software contravenes.
http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112/sch1.html
Section 477.2 is quite explicit:
"477.2 Unauthorised modification of data to cause impairment
(1) A person is guilty of an offence if:
(a) the person causes any unauthorised modification of data held in a computer; and
(b) the person knows the modification is unauthorised; and
(c) the person is reckless as to whether the modification impairs or will impair:
(i) access to that or any other data held in any computer; or
(ii) the reliability, security or operation, of any such data; "
If Sony BMG sell their CDs in Australia with this malware automatically raping PCs, it's only a matter of time before someone rings the Australian Federal Police and sees if criminal charges can be laid.
UNACCEPTABLE.
I will not be buying any more songs or albums from Sony BMG or any publisher that tries to infect my machines with illegal, offensive malware.
Artists - do you hear me? Jump ship! Insist on no DRM in your contracts or we will NOT buy your stuff.
Andrew
11/1/2005 7:15:00 AM by Andrew van der Stock
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Very nice work. I would certainly not have the skill to find the rootkit, much less remove it and link it to Sony like you did.
*Note to self*: No DRM CDs.
11/1/2005 7:26:00 AM by Erasmus
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This is, I think, the scariest thing I have read in a long time. Since this software was poorly written, Mark was able to find it "easily." How much software do you think is out there that was written by an excellent programmer? Someone smarter than Mark? Just one more reason for me to be paranoid...
Why can't the record companies be more open and honest with the consumers. And don't give the knee-jerk answer of "to protect their profits" because this isn't protecting their profits any more than, say, a small application that you knowingly install on your system to play content protected CD's. If you don't want to install the software, you can't play the CD's. Everything is open and in the clear, and nobody is sneaking around playing cloak and dagger on your computer.
11/1/2005 7:30:00 AM by Arthur Nonamiss
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Last time I checked, there isn't some sacred constitutional right to a pure and virginal Windows. You're all consumers. Build and use your own god-damned OS if you want to know EXACTLY what's where, when, why, and how? Wait... some people already wised up and did that. Look it up, it's called Linux.
11/1/2005 7:36:00 AM by Danny F. Barnes
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Astonishing article, dear Mr. Russinovich!
But can autorun really avoid this security problem? Thanks in advance.
11/1/2005 7:40:00 AM by crcaicedo
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Danny, it was made years before Linux ...
11/1/2005 7:52:00 AM by posefant
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
There's more information at
http://www.f-secure.com/weblog/
11/1/2005 8:09:00 AM by ed_monton
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Last I checked this is illegal in the United States as well. If you didn't agree to it in the EULA, then it is no different than if a script kiddie planted it on your system.
11/1/2005 8:10:00 AM by p0six
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
True: There's no sacred constitutional right to a free and virginal Windows. But there are laws against tampering with computers without the consent of their owners (regardless of whether there is malicious intent), and since this software makes significant changes that are not disclosed in the EULA, I think the actions violate the intent of the law.
By your logic, no one should have any reason to trust any product or service not built or performed with their own hands. We should all build our own cars, our own houses, and perform our own surgeries on ourselves.
That's silly. There are laws to provide some basic protections against fraud, deception, and other maliciousness in commerce. Sony and other music labels are required to abide by them, just as consumers are required to abide by copyright laws.
11/1/2005 8:16:00 AM by Cobra
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
It is also being covered here:
http://www.f-secure.com/weblog/#00000691
It seems that SONY is providing information about removal, on request. So nice of them. :-)
People have to start boycotting products from these companies. If you are considering buying music or games, spend some time investigating them first. I recently thought about buying the latest Splinter Cell Game "Chaos Theory". After a brief search on the net I found out that they are including a new copy protection driver from an infamous company (safedisk) that is creating havoc on users' machines. I'm not interested in the product anymore.
11/1/2005 8:16:00 AM by pennino
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
They have gone to great lengths to protect the software from tampering. The software is a copy protection. By disassembling and reverse-engineering it before finally removing it, you have not only effectively circumvented their copy protection, but you have posted it on the Internet, too. In short, you are in violation of the DMCA. Same applies for any other malware or viruses that you circumvent through the use of anti-virus software.
One anonymous coward suggested to make use of other operating systems or even a normal CD player. Again, this would be a way of circumventing the copy protection software, and thereby be in violation of the DMCA.
11/1/2005 8:16:00 AM by Gard E Abrahamsen
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Thank you for the excellent write up and your diligent work. One question I have as an admin at my company is whether or not you need to be an administrator to install this "player" on your PC. It scares me to think that people will be bringing in their music CDs and installing this onto our machines. The possibilities for exploitation by fourth parties are certainly scary. Thanks.
11/1/2005 8:22:00 AM by Greyfeld
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Great work. Now front paged on The Register.
11/1/2005 8:25:00 AM by rongorongo
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
'ere's a neat link:
http://castlecops.com/postp605449.html
This software is not only poorly written, but it has been causing bluescreens for a while now. And if you delete the offending device drivers, your CD-ROM drive is no longer accessible. Seriously, this has class action lawsuit written all over it. Even if Sony DID go in and modify the EULA after the fact.
11/1/2005 8:29:00 AM by Arthur Nonamiss
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I'm AntiVirus Coordinator for a state agency...
I found the exact same issue about 2 months ago at work. Symantec AntiVirus 10 Corporate Edition's Tamper Protection was throwing a fit about this on a user's computer, and was reporting the name of the offending .dll. I tracked down the issue essentially the same way Mark did, opening the folder with the hidden files, since it was reported by Tamper Protection, then deleting them. I got bunches of errors before I figured out that the files were being loaded from the registry, and also determining the permissions issue. I wish I would have realized how important it was. Oh, I also got the company name, by right-clicking on one of the .dlls, and selecting properties. It shows there, too. I went to the company's web site, looking for an uninstaller, but couldn't find one. I also had to fight to get the CD drive back. Very annoying, and now reported to be a dangerous rootkit. I'm furious!
11/1/2005 8:33:00 AM by DgWills
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
It's kind of a nerd version of an Agatha Christie novel ;)
11/1/2005 8:37:00 AM by ElfQT
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
pennino: Actually, the latest Splinter Cell uses "Starforce", not SafeDisc. That particular version of Starforce doesn't support 64-bit Windows (I dunno about Vista...), so I too didn't bother buying that game.
That doesn't mean SafeDisc is any better. I tried "CloneCD" a couple of years ago, and because the uninstaller left some settings under HKCU, new games (e.g. Battlefield 2) refused to run, accusing me of running "CD/DVD emulation software". Thanks to regmon I quickly located the maverick registry key entry and wiped it.
FWIW, the SafeDisc device driver (secdrv.sys) is even distributed alongside Windows Server 2003. (Probably comes with XP as well) So you don't need to be an administrator to install SafeDisc protected titles... (oh joy)
As for those pointing to this "linux" thing, claiming security superiority... Well, first time I heard of rootkits it was in the context of Linux. As long as the user can install device drivers (i.e. is running as root/administrator), malware can cause serious headache, regardless of OS.
11/1/2005 8:39:00 AM by Rune
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I don't get why Sony do this. Surely they're attacking the genuine user? Won't people be now scared of buying Sony CDs and therefore choose to steal the tracks from file-sharing systems instead - ironically because they can be trusted more! How is that a good thing for Sony to do?!
11/1/2005 8:48:00 AM by Andy
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I noticed the same thing on my recent copy of (Sony published) "Suspicious Activity" by the Bad Plus. (What is it with these overly appropriate disc titles?)
I didn't allow it to install the player... too many memories of "free" players and software that screw up your machine (anybody remember the Radio Shack "cat" scanner?) to make me want to install a player just to play a single CD. Looks like my suspicious instincts were dead on in this case.
11/1/2005 8:55:00 AM by fricklas
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
In regard to the question by JernejL about if the driver was unsigned and if so, why there was no prompt, driver signing is only checked for drivers installed by the User Mode Plug and Play service - NOT for drivers that are installed using standard Windows APIs. This is a weakness in Windows, not something sneaky Sony did - no installation of a non-plug and play driver (e.g. CDROM burner software, antivirus, etc) gets checked if it's signed.
This is supposedly being addressed in Vista/Longhorn.
11/1/2005 8:55:00 AM by David Solomon
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
It seems to me that if a company as large as SONY were to be strictly reprimanded and everyone whose computer was 'Kit-ed were paid the FULL price of a Computer Geek reformat and re-install plus damages, they may wish to refrain from such behavior.
It's ironic that Sony, the ones who brought us Fair Use in video (lawsuit protecting against Disney in the early 80s (I had beta)), are as draconian as they are now. It's clearly all about money and principle be damned.
How about some action from our legislators?
11/1/2005 9:00:00 AM by SpiritWolf
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Spirit Wolf for President!
11/1/2005 9:03:00 AM by Melissa or Russell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I'd like to point out that Sony also installed a 'software protection service' on my system when I tried a game demo. It supposedly checks the legitimacy of game CDs, yet obviously the game demo did not come on a CD. To make things worse, when I uninstalled the demo the service remained.
All of this was done without notifying the user of the action.
Since then I started to boycott sony, I am not supporting a company that tries to hack my system, thank you very much..
Don't think that avoiding only music-cd's from sony will keep you safe from them.
11/1/2005 9:15:00 AM by Wwhat
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Linked to at the Ziggurat of Doom.
11/1/2005 9:35:00 AM by Arashi
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Something which concerns me about programs such as this is the access to the hard drive. I found my living room box wakes up a hard drive every 10 mins (sometimes it never sleeps) thanks to badly written taskbar utilities. I eventually found the only way to get drives to sleep permanently was to kill explorer.
If this DRM software is doing the same thing, there is a case of wasting electricity and causing undue wear and tear on equipment...
11/1/2005 9:40:00 AM by Alex Powell
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
As a protest against Sony, I figured I'd download the album from a fileshare system and listen to it for free! But then I found out that it's country and western! Hell, I'm concerned, but not *that* concerned!
;-)
11/1/2005 9:45:00 AM by Andy
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
As always, your articles are as excellent as your software offerings.
small typo (I think) :-)
HKLM\System\CurrentControlSet\SafeBoot
should actually be
HKLM\System\CurrentControlSet\Control\SafeBoot
Regards,
Jack
11/1/2005 10:05:00 AM by Jack
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Thanks for the feedback and the correction.
11/1/2005 10:09:00 AM by Mark Russinovich
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
In the UK, this would be a clear breach of the Computer Misuse Act 1990. So you would not need to initiate any expensive lawsuit. Just dial 999 and let Mr Plod sort it out. If anybody gets a virus onto your computer through a channel created by Sony, this could be construed as "aiding and abetting" and will be a further offence in its own right. In the meantime, the best way you can protect yourself against this sort of thing is to stop using Windows! Think: if they won't let you read the source code of their software, how do you know it is pure?
It's a valid defence to the crime of "bypassing encryption" that you were the intended recipient of the encrypted message. In addition, you have certain statutory rights relating to reverse engineering that cannot be abridged by even a legally-binding contract, much less an unenforceable document written in pseudo-legalese attempting to deceive you into believing it has some standing. Basically, if you are the rightful owner of the disc then no true fact concerning it is a secret from you.
If your PC has plenty of RAM or two CD drives, just use Slax, a simple form of Linux which loads from a CD, and includes cdparanoia {for ripping individual tracks as .wav files} and cdrdao {for creating a .toc / .dat pair}.
I might be moved so far as to go on to produce my own self-booting Linux CD which will load an OS into RAM, enable the CD to be ejected and swapped for a music CD; and then rip the CD tracks to a plug-in USB memory storage device.
11/1/2005 10:11:00 AM by ajs
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
If they ever publish a product with that kind of "protection" in Germany, I am so gonna sue them. Luckily we still got some laws against that kind of computer sabotage.
11/1/2005 10:24:00 AM by yoda_143
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
As for suggesting a class action suit, this blog entry made it on cyberia-l (a listserve for attorneys interested in this type of law) last night, and I suggested such in my response.
The EULA changes don't seem to do much to help Sony's case, given in particular that they haven't included an uninstaller anywhere. The fact that they go out of their way to hide the software also is going to cut against their defense.
And even with the EULA, they still have problems. After all, what happens if you run into the EULA during installation, and decide not to go ahead with it? Is Sony prepared to refund your money? Or the vendor from which you purchased the CD? Unlikely.
11/1/2005 10:27:00 AM by Bruce Hayden
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
My initial guess is that Sony did this because they had become frustrated with dealing with computer and software companies in trying to get DRM software and hardware incorporated into new computer systems. They essentially took the law into their own hands. Unfortunately, it looks like they violated any number of laws around the world while doing it, plus potentially caused monetary damage to untold numbers of computers under multiple legal theories (remember that trespass to chattels case that came down a week or so ago?)
11/1/2005 10:30:00 AM by Bruce Hayden
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Another option: Let the artist(s) know what you think of their label's behavior. Here's contact info from their site (http://www.thevanzants.com/)
Contacts
Management:
Vector Management
Ken Levitan and Ross Schilling
P.O. Box 120479
Nashville, TN 37212
Phone: 615-269-6600
Fax: 615-269-6002
And thanks for the great article!
11/1/2005 10:38:00 AM by eff
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Found a link to this article on BoingBoing, and read it with trepidation, even though some of the heavier tech was a bit over my head. I think it's the hypocrisy that offends me most about it...I'd try to boycott Sony completely if possible, but they have more fingers than there are pies to go around, so fat chance. So I did the next best thing that I could think of, namely link the story and let more people know, albeit in not quite such a code-laden idiom! Good to know people like you are catching these things on behalf of the hapless end-user multitudes. I salute you.
Velcro City Tourist Board
11/1/2005 10:44:00 AM by Armchair Anarchist
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Chad:
"... How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?
How the heck are you supposed to tell what is covered in the EULA without having to stumble across it while cleaning up apparent malware? If Sony was all that interested in keeping people from reverse engineering the software, they should have specified what software they were talking about instead of simply hiding it and crossing their fingers. That's like being charged for trespassing because someone redrew the property lines around you without your knowledge or consent.
11/1/2005 10:50:00 AM by Digger
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
everyone here talking about stopping using windows, what do you think will happen when/if linux becomes the most popular desktop of end users?
do you think virus writers and big corporations will not adapt?
do you realize that this thing doesn't happen to linux not because it can't, but because right now it's just not worth it with an end result of only infecting about 3% of the end user/consumer population?
mark,
once again you have effectively delivered valuable information! thank you!
11/1/2005 10:54:00 AM by xBiTReaVeRx
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I just spoke with Chris at Vector Management, who represents the VanZants. He was very apologetic about the whole deal, and apparently his company didn't know Sony was doing this until the story broke last night. He did agree that his company would be contacting Sony to attempt to rectify the situation.
I made it quite clear that I would never buy any DRM'ed music CDs and would probably never again buy a Sony Music CD of any kind.
Hopefully someone will do some serious legal bashing of Sony - has anyone contacted the EFF about this?
11/1/2005 11:04:00 AM by Dana Cline
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
If the law will not act (yet to be tested) why not contact the big news companies CNN, the BBC etc get Sony some bad publicity as the big company that has one rule for it and another for everybody else....
11/1/2005 11:20:00 AM by Loboexe
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
In order to combat their installation of crap like this, I wonder if it's possible to charge them for cpu time and disk space?
11/1/2005 11:25:00 AM by Brian
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Sony must be using two versions of this shit because Mediamax is the one I've been seeing here in the states. Hides malware the same way. Wonder if Sony's using different names for their Anti-Rip code in different parts of the world. Damn underhanded if you ask me.
11/1/2005 11:33:00 AM by FlyingV
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
>How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?
I'd say that since he was uninstalling, he was in the process of terminating the license, and under those circumstances I'd say whatever means necessary.
stealthaxe.
11/1/2005 11:42:00 AM by stealthaxe
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I'd be curious to know if you have done any similar investigations in the heavy handed world of game copy protection? It's even more insidious here, because you *have* to install the software. Games like Space Rangers use a copy-protection scheme called "Starforce" that already has shown to be broken with Win64:
http://dubiousquality.blogspot.com/2005/10/space-rangers-2-and-windows-xp-64-bit.html
It installs a device driver that, I guess, scans the CDs to make sure it matches a non-pirated version, or some such.
I also had a problem with a JoWooD game that refused to run because I was running Roxio's Copy to CD program, and I got:
Message: Potential Conflict with Disc Emulator Software detected.
when I tried to play my legally purchased game.
11/1/2005 12:00:00 PM by Jonathan
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Are Sony's Blu-ray DVDs going to have this same DRM nonsense? This sounds like a good reason to back HD-DVDs instead of Blu-ray.
11/1/2005 12:02:00 PM by Nat
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I'm tempted to install this software, then intentionally break the driver, then call Sony and demand support
11/1/2005 12:04:00 PM by Mike Hudson
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Say, anyone have a copy of the offending device drivers, most notably crater.sys?
XCP doesn't offer a download, and I'm not paying money for a DRM-corrupted CD I probably won't listen to anyway.
11/1/2005 12:09:00 PM by Moriarty
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Sony owns Epic Records too. I bought a Dead 60's record and it installed this crap on my computer and I ranted about it in my blog: shaddupandlisten.com. About a month ago I had some computer crashes and Microsoft told me it was being caused by First 4 Internet. I didn't connect the dots at the time, but I was very pissed. I didn't install anything by First 4, and I just wanted to uninstall it. But I couldn't find it or uninstall it. After about a month, I gave up and reluctantly "updated" the First 4 software. It is still on my computer. Aarrrrrrgh!
Epic has a LOT of artists and this DRM/Malware may be massively distributed on disks by Fiona Apple, Tori Amos, Audio Slave, INXS, Franz Ferdinand, Ben Folds, Shakira, Oasis... and More.
11/1/2005 12:18:00 PM by Geoffrey Mack
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Sony is huge. According to this Wikipedia article, http://en.wikipedia.org/wiki/Sony_BMG_Music_Entertainment, they own Arista Records, Columbia Records, Epic Records, J Records, RCA Victor, RCA Records and many more.
I just Googled and found at least 2,160 CDs with copy protection on Amazon.com, and judging by a quick scan, it looks like virtually all are distributed by Sony BMG.
Just do a Google search for site:amazon.com "[CONTENT/COPY-PROTECTED CD]"
11/1/2005 12:45:00 PM by Geoffrey Mack
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
... this is a bit offtopic but...
have you ever heard about the palladium project? sony's DRM is just a little in front of it...
just for the ones who don't know, the control will be in hardware too, not only in software...
google for it...
11/1/2005 12:46:00 PM by Luke
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Rune: you are right, it's not SafeDisc on the latest Splinter Cell but StarForce. Anyway, the entire trend is disturbing. Although a little less heavy handed than SONY, even online game players have to start being careful about the games they choose to play:
http://www.rootkit.com/blog.php?newsid=358
It's a different technique from the "rootkit method" explained by Mark but a scary trend nonetheless.
By the way, to those interested in better understanding the concepts explained by Mark in this post I strongly suggest watching the webcast he presented last June at TechEd:
http://urlsnip.com/262439
11/1/2005 12:47:00 PM by pennino
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"I think it's fair to say that since he didn't know what this malware was, and that it isn't mentioned in the EULA, that it's fine to disassemble, reverse engineer, examine or otherwise dissect this piece of crap.
# posted by Chris : 6:09 PM, October 31, 2005"
You what? Who cares about the EULA, oh - am I allowed to check what crap has been installed and keep my PC clean, No! cause I clicked Agree to some bullshit EULA.
It's HIS computer, why shouldn't he remove malware?
11/1/2005 1:15:00 PM by reader
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
More reasons to use a macintosh computer.
11/1/2005 1:32:00 PM by fairplay
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
MAC, Linux, Winders? Come-on... you people are not that stupid. One reader stated it correct. Once Linux or MAC gains market share we will be attacking those platforms. then again, don't hold your breath... we have been hearing about the year of UNIX for nearly 25 years. the MAC was released somewhere in 1984. 20 years and less than 5% market share. Ain't gonna happen folks!
11/1/2005 1:52:00 PM by ITookTheHighRoad
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
iTunes, at least for me on XP, would not import the Van Zant CD. Had to use the built in software to write (DRM'd) .wma's, burn a CD/RW, and then import into iTunes. PITA.
Sony's latest DVD releases (Bewitched and Lords of Dogtown) also have a new anti-copying scheme using unreadable blocks. Just watching LoDT on my computer gave my LiteOn DVD burner a nice clicking noise whenever a disc is inserted.
Nice catch Mark. Now I need to clean up my computer that had the vanzant CD in it. And never buy Sony products again. None.
11/1/2005 2:03:00 PM by al
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
My scan tools will trip over this as an altered system call. Meaning much more work for me, much more work for the systems administrator and much pain for everyone all the way around in the longer run. So if I have to do forensics on a box, I wonder if I can send the bill to Sony. Or how’s about all those small businesses who will have to deal with this one. Makes a great legal excuse when someone finds a root kit from Sony on the box, and if the hackers find a way to co-opt the software to do what they want it to do, everyone gets off free, no legal recourse, because the evidence of a root kit or Trojan immediately takes the responsibility for doing something bad away from the person you thought was doing something bad. Legally, this ties the Hades out of my hands and management's hands along the way.
11/1/2005 2:05:00 PM by JASG
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"In short, you are in violation of the DMCA. Same applies for any other malware or viruses that you circumvent through the use of anti-virus software."
This is a joke, right? Malware and viruses protected by the DMCA? Let's see some case law, please.
I can't imagine any politician or court protecting virus writers.
11/1/2005 2:07:00 PM by Alan Kline
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
So Mark, you wouldn't want to write a removal app for this evil Sony rootkit, and maybe a nice piece of software that keeps it from getting installed. In fact, this is the way a couple other DRM programs work, so I wonder if someone has ever written a program to protect against all of them?
11/1/2005 2:13:00 PM by Brad Green
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This isn't 'just as bad' as a copyright infringement, it's at least a quadrillion-septillion times worse! Nobody is hurt or loses productivity in the event of copyright infringement. If your computer was exploited by something taking advantage of this however- sensitive information could be stolen, downtime could be detrimental, you see where I'm going with this.
11/1/2005 2:21:00 PM by LarchOye
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"so I inserted the CD into the drive and double-clicked on the icon to launch the player software"
11/1/2005 2:46:00 PM by kam
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Uhm, what I was trying to say is that all you folks telling Mark to turn off AutoRun, well, he didn't just let it autorun.
11/1/2005 2:47:00 PM by kam
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Microsoft ought to be as pissed as anyone about this. It's just this sort of thing which is largely responsible for the fact that MS Windows is the flakiest OS on the planet. Though I suppose one could argue that it's MS's fault for building an OS where a vendor can get away with this sort of funnybusiness. Another reason to turn off autorun on your CD at any rate...
11/1/2005 2:53:00 PM by Sync
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Arthur Nonamiss 7:30 AM, November 01, 2005 said...
"Someone smarter than Mark?"
Do you believe that is possible?
Not!
Thanks Mark for a great story.
11/1/2005 2:56:00 PM by Kalle S Kaviar
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark - I'm glad to see this. Thought I was the only one steamed about this. I bought a reissue of an obscure jazz trombone album from 1964. It had this DRM on it. Sony has a site in the UK that deals with customer issues regarding this. I returned the CD and asked that they tell me how to remove this software. They have to install MORE software in order to remove this software. After trying with Sony, I wrote First 4 Internet directly (at support@xcp-aurora.com), regarding the removal process of their XCP-Aurora software, and asked what the ActiveX software was they need to install in order to remove the XCP software. Here is what they said, on October 27:
Dear Tom:
The updates site initially prompts the user to install an ActiveX control which detects if there is an XCP - Aurora installation and then selects the most appropriate update. To remove this activeX control simply open the folder ‘systemroot\downloaded program files’ (On a windows XP computer with a default installation the systemroot folder will be ‘C:\Windows’) and delete the file ‘codesupport.ocx’.
When the activeX control has been installed the Updates Site will display one of two screens. The updates site will either inform you that it cannot find an XCP installation or it will offer the download of Service Pack 1. Service Pack 1 contains several updates and workarounds but is essentially the same software that was originally installed from your purchased CD. If the Update Site displays the screen informing you it cannot find an XCP installation then the previous uninstall attempts have been successful.
If however the Update Site prompts you to install Service Pack 1 you can follow John’s instructions and the new uninstall should be successful. All you will be left with is ‘codesupport.ocx’ which is from the website not the CD so isn’t part of the uninstall process. ‘Codesupport.ocx’ is easily removed following the instructions above.
The FAQ (Frequently Asked Questions) for the Update Site contains detailed information regarding installing the activeX and downloading updates. The FAQ can be viewed here http://updates.xcp-aurora.com/faq.aspx.
If you have any further issues or the FAQ doesn’t resolve your questions please do not hesitate to reply to this email.
Very Best Regards,
The XCP – Aurora Support Team
http://updates.xcp-aurora.com
11/1/2005 3:07:00 PM by trbuckley
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Nice. I wonder if they like jail time. By your description the program and its failure to disclose and ask permission to do what it does, would be FELONY COMPUTER TAMPERING. Under Illinois law, what that does is a class 4 felony. Other States have similar laws.
11/1/2005 3:20:00 PM by Methuss
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
the trick is to install it and sue sony in small claims court for removal costs or in regular court for electronic trespass.
i'm tempted to do it.
11/1/2005 3:20:00 PM by Matt
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
What's next?
CD software installing firmware updates to your hardware?
11/1/2005 3:24:00 PM by Wil
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
To David Solomon:
thanks for clearing up the matter, i thought the drivers are much more checked, such as in cases when they are copied to system folders or loaded by the windows.
11/1/2005 3:30:00 PM by JernejL
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Nice work Mark! Always good to read more of your insightful work.
I have to admit I'm not totally against DRM. I think it's good in times of innovational transition like we are with digital music distribution today. However my problem is the fact that not only are you paying for a limited use product in that you could purchase a digital copy or a standard CD, but now YOU the consumer have just paid for a free mal/spyware infection (including decreased system performance, higher internet safety liability, and more) - Unfortunately this is part of a growing precedent.
Simply being taken advantage of hurts - paying for it really just makes me boil.
11/1/2005 3:38:00 PM by inDbiz
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Do you think this rootkit comes standard on Sony PCs and notebooks?
11/1/2005 3:44:00 PM by VixVan
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
My daughter's computer had this crap on it but I was unaware of what it was... I ran Blacklight yesterday which is when I discovered it. Her computer is running W2K and a couple of weeks ago she was a victim of a drive-by installation (visiting a lyrics website) which dumped a bunch of trojans, adware etc. on it. When I finished cleaning the mess (4 hours later) it had broke Windows Update. Fix for that was reinstall (repair didn't work) of the system.
Anyway, great job and I hope someone does something about such behavior in big business. I'm gonna warn the kids not to install any such programs again...
11/1/2005 3:50:00 PM by Greggie B
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
It is a shame to see that F-Secure has likely "borrowed" your hard work without attribution.
Let's see: Mark's analysis came out on Oct 31, and somehow F-Secure has virtually the same info on Nov 1! Coincidence?
11/1/2005 4:12:00 PM by Miles
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
"My daughter's computer had this crap on it but I was unaware of what it was... I ran Blacklight yesterday which is when I discovered it. Her computer is running W2K and a couple of weeks ago she was a victim of a drive-by installation (visiting a lyrics website) which dumped a bunch of trojans, adware etc. on it. When I finished cleaning the mess (4 hours later) it had broke Windows Update. Fix for that was reinstall (repair didn't work) of the system.
Anyway, great job and I hope someone does something about such behavior in big business. I'm gonna warn the kids not to install any such programs again..."
They should ideally be set up to only have user level access anyway. Only the Administrator (presumably yourself) should be able to install anything. Not sure how this stacks up with root kits but it's a start on Basic Security 101.
11/1/2005 4:20:00 PM by VampiressX
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I think I'm gonna forward this article onto BBC Watchdog, a TV program in the UK that investigates anti-consumer practises and see if they can get an official comment from Sony. As some of you have said, by doing this Sony are screwing the people who are legally buying their product. It's sickening and something needs to be done.
11/1/2005 4:30:00 PM by Ryster092
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This is absolutely appalling. I was planning on purchasing a Sony CD tonight, but I will now be forced to download the music I want instead. Sorry Sony, your plan just backfired. I don't care if it doesn't do much. Installing a rootkit without notice is fundamentally wrong and should be illegal.
11/1/2005 4:37:00 PM by mcc
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Very VERY Interesting.
This action violates many local and international laws. Let's look at some of the ones mentioned.
DMCA anyone? Who's the one NOW circumventing security? Wouldn't it be grand if the DMCA was used AGAINST the RIAA and associated for the very same thing they are suing other people for?
By sony installing rootkits they are effectively bypassing any security put in place and IF someone uninstalls it, they can completely screw up their computer.
I know someone in fact has installed this on a government computer that has TIGHT security. How do you think they will feel knowing SONY has willingly put on and changed a ROOTKIT.
Great news for computer repairs across the country. Is SONY going to pick up the tab because THEIR DRM software screwed up the computer?
Also if you buy a CD and it doesn't work, fraud anyone? It's very clear if you buy something and it doesn't work, you are entitled to get your money back else it IS considered fraud regardless of any EULAs or store rules.
What is really ironic, I know a senator's child who just happened to buy a number of SONY cd's with the DRM. Won't it be interesting when they install it on DADDY's computer.
SONY did you consider what happens when you piss off a senator? You think he is going to be happy to find out about it, and heaven forbid his kid try and remove it. Then he'll REALLY be mad.
-----------------------------------
This software will be considered spyware under the ASC definition,
The ASC's most recent definition of spyware is:
Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:
* Material changes that affect their user experience, privacy, or system security;
* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information. - thank you Mellisa
-----------------------------------
"The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC.... " - thank you Mellisa
-----------------------------------
IANAL, but this appears to be illegal in the State of California, punishable by a $1000 fine per computer affected.
California Business & Protections Code Section 22947.3, Paragraph C:
A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
...
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.
- Thank you Erik
-----------------------------------
Computer Misuse Act - UK
Ever think of this one? It may be old but it's broad, however it does cover what is mentioned that they do.
-----------------------------------
Even if they changed the EULA, it's been proven that the DMCA OVERRULES THEM. After all the RIAA has used the DMCA to overrule EULA's before thereby setting a precedence for others to use against them AND their associates.
I love how they shoot themselves in the foot.
Also as previously stated the rootkit can be used by other programs to future exploit the system. So SONY has thereby placed a method to where others can hack the machine.
-----------------------------------
I look forward to a class action suit. If nothing else, bad publicity will hurt them more than anything.
Remember the embarrassing bypass with a marker anyone?
11/1/2005 4:44:00 PM by Legal Buff
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 4:50:00 PM by pion
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
We would be interested in speaking to any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. You can contact us at gw@classcounsel.com.
11/1/2005 5:07:00 PM by Green Welling
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
This is part of the reason we use products such as DeviceWall on our systems. It not only allows us to block contractors from plugging in iPods into our corporate networks, but also helps keep crap like this off of our systems when employees bring discs in from outside the office.
11/1/2005 5:08:00 PM by Ken
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
If someone wants to copy a cd, then you can, an easy step to copy a copy-protected cd like this would be to get a discman or any other non-computer cd drive that plays cd's (sound system, dvd player). Then, from the headphone jack or audio out jack from whatever player you're using, simply plug it into your microphone input on your computer. Then, using any high quality audio recorder (adobe audition), you can record the sound being directly fed into your machine. You shouldn't lose quality if you do it right and don't use low quality sound recording software.
11/1/2005 6:14:00 PM by Sloth_Boy
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
In response to Chad:
He cannot be held responsible for violating the restriction against decompilation or reverse engineering because there was no indication that the DRM rootkit was a part of that software package until after he disassembled.
Thus, there is no possibility of mens rea being present that might meet statutory requirements for culpability.
Plus the fact that this is total bullshit. Extra software installed in a way that endangers the stability of the system with a rather sophisticated cloaking mechanism... this immediately casts doubt on the legitimacy of the software publisher (unauthorized access of a computer is governed by the Computer Fraud and Abuse Act in the United States). You could argue that the publisher is liable for legal violations rather than the other way around, and in that case the dirty hands doctrine would absolve anyone of legal liability.
Of course, with the mess that copyright laws are, I wouldn't want to be the one fighting the good fight. I wouldn't have nearly enough money to pay hundreds of lawyer-hours if the EFF didn't throw itself into the fray.
11/1/2005 6:17:00 PM by Darkest Day
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
VampiressX-
They should ideally be set up to only have user level access anyway. Only the Administrator (presumably yourself) should be able to install anything. Not sure how this stacks up with root kits but it's a start on Basic Security 101.
Yeah I know... and even though she's 17 I should put her as a user. Sometimes certain software won't work then but oh well... I have her keep her data files on a separate partition and I'm gonna create an image of her c: drive in this pristine state. She's not going to like it but she's the only one of my 2 girls at home (the other is 20) that gets into this sort of trouble.
As for the drive by installations, I had to help a co-worker whose daughter also got hit with crap pushed to her computer, as well as someone I know (same thing, got a $100 Safeway card out of it).
11/1/2005 6:18:00 PM by Greggie B
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I found google cookies and few pages in the cache that are hidden from the system. I have google toolbar and I think it comes from toolbar.
11/1/2005 6:23:00 PM by Pavel
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I had posted a while back in CDfreak's "Audio" forums on how to disable this protection so you can rip the CD Music. I do not believe there is any way to remove all the files on your system.
http://club.cdfreaks.com/showthread.php?t=151461
XCP2 (First 4 Internet) http://www.xcp-aurora.com/
How to identify: There will be a file called “VERSION.DAT”; if this is opened with Notepad it will say something like “VERSION=XCP2, Version 1.7”
Win98/ME/2K & XP
Step 1: Press F8 during startup to boot into safe mode.
Step 2: On windows partition (where Windows is installed default is C:/ drive) Search for a file called “$sys$caj.dll” and delete it.
The default path is C:\WINDOWS\system32\$sys$caj.dll
Step 3: Reboot PC and go to “Device Manager” and uninstall all CD/DVD drives and then rescan for hardware changes.
Now the XCP protection is permanently disabled.
11/1/2005 6:50:00 PM by hyqwn
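A read-only check for the indicators named in this thread (the disc's VERSION.DAT marker, `$sys$`-prefixed names, and codesupport.ocx in "downloaded program files"), added here as an example and not code from the post or any commenter. It assumes the scanned tree is a disc or an offline view of the Windows partition, because the cloak hides `$sys$` names on a running infected system; the finding labels, function names and sample tree are constructed for illustration.

```python
import os
import re
import sys
import tempfile

# Marker text as quoted in the comment: "VERSION=XCP2, Version 1.7"
XCP_MARKER = re.compile(
    r"VERSION\s*=\s*(XCP\w*)(?:\s*,\s*Version\s+([\d.]+))?", re.IGNORECASE)
CLOAK_PREFIX = "$sys$"                     # prefix of $sys$caj.dll
ACTIVEX_NAME = "codesupport.ocx"           # control left by the update site
ACTIVEX_DIR = "downloaded program files"   # its folder under systemroot


def parse_version_dat(data):
    """Return (product, version) when the bytes carry an XCP marker, else None."""
    # Drop NULs so a UTF-16 file matches too; the marker itself is plain ASCII.
    text = data.replace(b"\x00", b"").decode("latin-1")
    match = XCP_MARKER.search(text)
    if match is None:
        return None
    return match.group(1).upper(), match.group(2)


def scan_tree(root):
    """Walk root read-only; return sorted (kind, relative_path, detail) tuples."""
    findings = []

    def rel(dirpath, name):
        path = os.path.relpath(os.path.join(dirpath, name), root)
        return path.replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name.lower().startswith(CLOAK_PREFIX):
                findings.append(("cloak-prefix-name", rel(dirpath, name), "directory"))
        for name in filenames:
            lower = name.lower()
            if lower.startswith(CLOAK_PREFIX):
                findings.append(("cloak-prefix-name", rel(dirpath, name), "file"))
            if lower == "version.dat":
                try:
                    with open(os.path.join(dirpath, name), "rb") as handle:
                        marker = parse_version_dat(handle.read(4096))
                except OSError:
                    marker = None          # unreadable file: nothing to report
                if marker:
                    product, version = marker
                    findings.append(("xcp-version-marker", rel(dirpath, name),
                                     f"{product} {version or 'unknown'}"))
            elif (lower == ACTIVEX_NAME
                  and os.path.basename(dirpath).lower() == ACTIVEX_DIR):
                # Reported only in the location the support e-mail names.
                findings.append(("xcp-update-activex", rel(dirpath, name),
                                 "ActiveX control"))
    return sorted(findings)


def build_sample_tree(base):
    """Write a constructed sample: one 'disc' and one offline 'windows' tree."""
    samples = {
        "disc/VERSION.DAT": b"VERSION=XCP2, Version 1.7\r\n",
        "disc/extras/version.dat": b"VERSION=1.0\r\n",      # unrelated product
        "windows/system32/$sys$caj.dll": b"",
        "windows/system32/kernel32.dll": b"",
        "windows/Downloaded Program Files/CodeSupport.ocx": b"",
        "windows/temp/codesupport.ocx": b"",                 # other folder: ignored
    }
    for relpath, content in samples.items():
        path = os.path.join(base, *relpath.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return scan_tree(base)


if __name__ == "__main__":
    # Pass one or more roots (a CD drive, a mounted offline partition),
    # or run with no arguments to scan the constructed sample.
    results = [f for root in sys.argv[1:] for f in scan_tree(root)] \
        if len(sys.argv) > 1 else demo()
    for kind, path, detail in results:
        print(f"{kind:20} {path}  [{detail}]")
```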
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I have a solution. Learn to use Linux or buy yourself a Mac. :)
11/1/2005 6:55:00 PM by Allan
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
The comment about Aries.sys and jumping into invalid memory - occurred after trying to copy music from a CD for my wife.
Restarted the system after the music was copied only to find a BSOD involving Aries.sys. Let's just say that Sony's little tricks resulted in my needing to completely reinstall windows...
11/1/2005 6:58:00 PM by William
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
From my point of view, Mark has done an excellent work since I also do not tolerate ANY software that does not comply with the rules, publicly set by the owner of the proprietary code. This is clearly a case for the law authorities, that simply HAVE TO RESPOND in a proper manner, that is to file a lawsuit against the Sony corporation. And no, I am not exaggerating. I have also found numerous of malware on my system, without taking necessary action! And ... I'm still mad about it! The goal does not devote the mean ... with no exceptions!!!
11/1/2005 7:05:00 PM by tomcat
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 7:16:00 PM by BadHead
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Re: Oasisob1
That doesn't presume that their software has to be hidden! Eg. If you uninstall it, you know for sure, that something won't work! That's the way things are done in an enterprise environment. And these things are even published in a user guide. I can comply with many things, as long as I know them and as long as I can discontinue to use them ... even if I have not actually read the whole EULA with assistance of my lawyer...
11/1/2005 7:29:00 PM by tomcat
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Perhaps contacting Van Zant Brothers directly to let them know how Sony are corrupting their music might help. They have no email address, but their management company can be contacted at:
Vector Management
Ken Levitan and Ross Schilling
P.O. Box 120479
Nashville, TN 37212
Phone: 615-269-6600
Fax: 615-269-6002
If they get enough disgruntled and rightly furious people ringing them up night and day, they might act themselves. It is often the case that the Artists themselves actually hate this as much as their fans do as it p*&^es people off so much that they might stop buying the band's music, blaming them for this abuse rather than their record companies.
If it's alright, I'm going to send an email concerning this blog off to 'PC Pro', a widely read PC Magazine here in the UK. I suggest that everyone who posted a comment here do the same with some of their favourite computer magazines and maybe even television shows. Perhaps then, Sony will be shamed into acting like human beings.
# posted by BadHead : 7:16 PM, November 01, 2005
11/1/2005 7:33:00 PM by BadHead
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Very interesting, thanks for sharing your insights. Your article has been mentioned in the Austrian news that's how I stumbled over it http://futurezone.orf.at/futurezone.orf?read=detail&id=276825
I hope that Sony will pay for it. This goes far beyond any reasonable copyright protection
11/1/2005 7:46:00 PM by cyana
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I recommend saving a copy of the EULA before they change it again.
11/1/2005 8:06:00 PM by _Jon
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
11/1/2005 8:07:00 PM by jack3617
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I SAY BOYCOTT THE BASTARDS!!
11/1/2005 8:09:00 PM by jack3617
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Where's the script so I can run it on my computer? Once the script is written distribution pretty much happens automatically doesn't it?
Hey-hey! Now there's an idea!
mabell
11/1/2005 8:22:00 PM by mabell01
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Thank you very much for publishing this for the world. I was directed to this site through an article I read today. Although I now have a Mac, I first ran the disk on my PC and was horrified by this pathetic and frustrating program. I exchanged a series of emails and called BMG at just about every office they have to try to find out how I could get the software to let me listen to full quality audio (it only allows Windows Media Player to play at a 128 bit rate) only to find out that the software does not allow it. And now to find that I cannot uninstall the software… On the BMG website they offer a go around for iTunes users (to burn a cd with WMP and rip that into iTunes) and also encourage iTunes users to write Apple to get them to cooperate with Sony and support the software. I wrote to do just the opposite and finding this only supports my gut suspicion of this software. There is no live support for it, at least not that I could find in my two hours on the phone. Infuriating. So I am spreading the word in an effort to start a boycott of BMG music.
11/1/2005 8:30:00 PM by Nathaniel
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Remind me to attach a EULA to my next root kit, that way it's all good and dandy.
/kinda sarcasm
11/1/2005 8:34:00 PM by thewuh
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Great info as always. I have passed this on to the readers over at Productivity Hacks
11/1/2005 8:55:00 PM by Stu Shipinski
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Cool, now we can all start to distribute new viruses, rootkits and spyware ourselves, knowing that they will remain hidden through Sony's assistance. Just stick em in system32, and put sys at the start of their name.
WoHoo.
11/1/2005 9:07:00 PM by Doug Jackson
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Originally posted by: _Jon
"I recommend saving a copy of the EULA before they change it again."
I would also recommend doing that.
Sony has stepped the line...
And you must bring them back over it through some means.
Great find too.
Keep at it. We'll need the information you obtain.
11/1/2005 10:01:00 PM by superdoughboy4
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
To Oasisob1: you said Sony changed the EULA - Mark told me he compared what you posted above with the EULA he has and they are the same...
So where is the change you refer to, and when did this change occur? Do you have a before and after version we can see?
11/1/2005 10:14:00 PM by David Solomon
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Wow, I just found this site thru the Inquirer, and all I gotta say is: DAMN, you're a friggin' genius, Mark...
Makes me want to sharpen up on my (feeble) skills.
Anyway, thanks for opening my eyes to the underhanded shenanigans being perpetrated by the named companies.
Sheesh... they think they can do whatever they want - and no matter how many lawmakers they "persuade" (bribe) into this bull, it doesn't make it right.
11/1/2005 10:15:00 PM by rumin8or
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
FYI - I have been trying to pull together information on this subject at http://bhayden.blogspot.com/, but more from a legal point of view than technical. I should note that I did include the lengthy comment by legal buff above.
11/1/2005 11:19:00 PM by Bruce Hayden
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, thank you for "opening up this can of worms" especially before Christmas!
Anything that has to do with Sony and their other affiliated companies (as someone had posted earlier in this blog) certainly will not be on my Christmas shopping list!
Somehow this must get out to the mainstream media such as BBC, CNN, MSNBC, FOX etc. for the "average PC user" to HEAR on the NEWS.
11/1/2005 11:24:00 PM by CindyRilla
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
If you plan on boycotting, let the offending company know. They need to know that they are losing customers and WHY. Perhaps other companies will get the message as well. -2 cents- :P
11/1/2005 11:53:00 PM by Kolby
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Great article. But honestly, as long as people that read this just whine around and say "I'll never buy a Sony product any more" exactly _nothing_ will change. If sales drop the music industry passes fault to p2p networks and increases DRM activity.
Don't avoid Sony CDs! Do the opposite! Buy them, and if they come with one of these DRM thingies like the one Mark discovered, then sue them! What they did with this DRM scheme is illegal in most civilized countries. The more users in different countries sue them for manipulating their computer, the sooner companies like Sony will realize that this goes too far.
Just being harassed and talking about that doesn't change anything. If You all avoid Sony products You just deliver them more arguments to justify DRM...
Just my 0,02c
Ben
11/2/2005 12:23:00 AM by bgawert
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
this is now on MSNBC's tech blog: http://www.msnbc.msn.com/id/6409077/ - not quite the mainstream, but getting there. Also, check this from time to time to see who is picking it up: http://news.google.com/news?hl=en&ned=&q=Sony+Rootkit
11/2/2005 12:32:00 AM by LE
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
the sad thing is that (i'm sure) a good number of people that DO care to do something about this are too dirty to pursue the RIAA/Sony without anything backfiring in their face, and the people that ARE clean enough to fight the RIAA could care less as they don't buy enough music for it to affect them. as usual, the consumers are the ones getting... bent over.
11/2/2005 12:55:00 AM by plonk420
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Has anyone put a review of this CD on Amazon with a link to this article???
I think someone should
11/2/2005 1:50:00 AM by Andy
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, would it be possible to detect this rootkit using BartPE?
11/2/2005 1:55:00 AM by Annon
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Hi Mark!
Thanks for the hint!
I wanted to ask you if the "DRM packager" that used to be distributed by Sony Ericsson in order to add DRM tags to MP3 (in order to be able to use them as ringtones on Sony Ericsson phones) is the same software you are referring to.
Or, in alternative, can you give me a hint to discover the presence of the sw when no special sw is installed on the machine (I don't have filemon nor RootkitRevealer...)?
Thanks
Bruno
11/2/2005 2:33:00 AM by Bruno
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I love my Linux.
11/2/2005 4:14:00 AM by MonkeyBlue
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Mark, I have a RootkitRevealer feature request for you. It doesn't recognize junction points. Also try testing it on SFU. There are a number of files the RootkitRevealer considers hidden. Maybe they are junctions too, but I'm not sure.
11/2/2005 4:25:00 AM by Alexei Zakharov
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Oh this is cool. Anybody put a sniffer between the pc and network connection yet? hahahahaha
11/2/2005 4:32:00 AM by nut
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
hey there...
i've found this article over www.orf.at and found another article, earlier than this, about this "protection": http://futurezone.orf.at/futurezone.orf?read=detail&id=259880
11/2/2005 4:38:00 AM by Lets Rock
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
I confirm this doesn't install with restricted accounts. I am in a corporate environment and inserting the cd that autoruns presents users with an error saying they need to see their administrator (me).
I tell them to click cancel then to open windows cd player...
Never use an admin powered account for day to day things, take Linux's example!!
11/2/2005 5:03:00 AM by aftertaf
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
The system Sony is using appears to be the XCP Aurora system:
http://www.xcp-aurora.com/
Produced by this company:
http://www.f4i.co.uk/
Best regards
Steve
11/2/2005 5:13:00 AM by Steve Larson
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Ironic isn't it? In an attempt to prevent "illegal" copying of their material, Sony is willing to violate the rights of their honest paying end user!
This makes me more reluctant to buy new product than ever as I don't want crap installed on my machine, especially unauthorised stuff. As if there aren't enough problems with malware/spyware from the internet, now we have to deal with it from stable media.
Corporate terrorism at its best.
11/2/2005 5:17:00 AM by POD77
# re: Sony, Rootkits and Digital Rights Management Gone Too Far
Has anyone found e-mail contacts within Sony? I've looked and they're not available on the public sites. A concerted effort on our part is called for. Unfortunately I think this article is too technical for the general public and media to digest, but I think we do need to raise awareness & tell these corporates that they cannot cross the boundaries whatever their size and influence.
11/2/2005 5:44:00 AM by Jay
# re: Sony, Rootkits and Dig