Free Republic

Sony CD Copy Protection Seems To Rely On Hacker Rootkit
InformationWeek ^ | Nov. 2, 2005 | Gregg Keizer

Posted on 11/03/2005 8:44:21 AM PST by holymoly

Sony is apparently borrowing a tactic from hackers for its digital-rights management technology, and some security experts question the practice.

Security researchers have identified a rootkit -- software used by hackers to hide their malicious code from anti-virus and anti-spyware defenses -- within the copy protection scheme Sony BMG Music Entertainment uses to prevent music CDs from being copied to computers.

The digital rights management (DRM) technology that Sony BMG uses limits the number of times a CD can be "ripped" to a computer. To prevent the DRM software from being easily circumvented, the copy protection's creator -- a U.K.-based company called First4Internet -- uses a rootkit to hide the DRM's files.

An independent researcher, Mark Russinovich, and the Helsinki-based F-Secure security firm, published details almost simultaneously on the DRM technology Sony BMG uses, and that technology's application of a rootkit.

Both stressed that rootkits are most commonly used by malicious code writers -- hackers -- and the use of it by a legitimate company such as Sony was alarming, they warned.

"Once the rootkit is there, there's no direct way to uninstall it," said Mikko Hyppönen, F-Secure's chief research officer, in an online brief. "The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves, too. This may lead to a situation where the virus remains undetected even if the user has got updated antivirus software installed."

Russinovich, who stumbled across the rootkit after a long investigation that involved a number of advanced PC forensic tools, agreed. "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall."

In fact, when Russinovich tried to uninstall the DRM software, all he got for his trouble was a dead CD drive.

"Most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," he said.

Removing the rootkit is so fraught with possibilities of calamity that F-Secure recommended users don't try it themselves. Instead, Hyppönen urged users to fill out a Sony BMG Web form and ask for instructions on how to remove the software. F-Secure has tested the resulting removal process -- which relies on the installation of an Internet Explorer ActiveX control -- and has confirmed it works.

According to one anti-spyware expert, Sony has no excuse for leaning on a rootkit to copy protect its content.

"Rootkits are always malicious," said Richard Stiennon, director of threat research for the Boulder, Colo.-based anti-spyware vendor Webroot. "There's no legitimate use of a rootkit, whose only purpose is to hide code from the operating system." Stiennon is intimately familiar with rootkits, since they're often used by spyware writers to disguise some of their nastier work, like password keyloggers.

Stiennon's objection runs deeper than the rootkit code itself, however; he's also concerned that the copy protection software steps across another spyware line.

"The end user license agreement (EULA) doesn't mention any install [of a rootkit]," he said. "That likely makes it illegal in the U.K. and the EU, and in at least 10 states in the U.S. as well. Sony could be in a lot of trouble on this one.

"This is just the sort of thing that [anti-spyware advocates are] concerned about, that spyware laws, when written, will be too broad and won't take things like this into consideration," Stiennon added.

Even discounting Stiennon's concerns, however, Sony's use of a rootkit poses immediate danger, said F-Secure. In a technical description of the DRM software, the security vendor noted that "the hiding techniques can be abused by less technical malware authors to hide their backdoors and other tools."

All an attacker needs to do is name his files beginning with the same "$sys$" prefix used by the Sony CD copy protection files.

"It is very inappropriate for commercial software to use these techniques," said F-Secure.

Sony BMG did not immediately return a call for comment.


TOPICS: News/Current Events; Technical
KEYWORDS: cd; copy; hacker; kit; protection; root; rootkit; sony; tech
FYI
1 posted on 11/03/2005 8:44:22 AM PST by holymoly

To: holymoly
Won't make a ripple. How many boxen do you suppose that don't already have rootkits from malicious websites?

I had to shift gears while reading this article, because to me "rootkit" automatically implies a unix environment. But most rootkits today are targeted at Windoze. The idea is the same.

2 posted on 11/03/2005 8:47:41 AM PST by thulldud (It's bad luck to be superstitious.)

To: holymoly
Already posted
3 posted on 11/03/2005 8:47:51 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: holymoly

Does it really matter? If the CD can be played digitally it can be recorded perfectly using digital media. Unless they render the discs unplayable (ha ha) there will never be a way to keep people from making digital copies of the music.

Not to mention hackers and bootleggers have infinite resource and ingenuity.


4 posted on 11/03/2005 8:48:00 AM PST by AbeKrieger (Islam is the virus that causes al-Qaeda.)

To: ShadowAce

I missed that. Still, that post doesn't have quite as much info.


5 posted on 11/03/2005 8:50:22 AM PST by holymoly ("A lot" is TWO words.)

To: holymoly
>> F-Secure has tested the resulting removal process -- which relies on the installation of an Internet Explorer ActiveX control

So you have to install something to un-install something else? Nice! So what's in the Active-X control? More malware?

6 posted on 11/03/2005 8:54:53 AM PST by vikingd00d

To: AbeKrieger
That wasn't the point of this. The point is that Sony is installing software on your computer that sits between your hardware (CD drive) and the OS, thus hijacking the way your computer works.

Once you remove this software, you will break your computer.

7 posted on 11/03/2005 8:55:08 AM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: holymoly

So far, I have not found any rootkits on recent vinyl records.

I'll keep an eye out.....


8 posted on 11/03/2005 9:01:10 AM PST by proxy_user

To: thulldud

http://cp.sonybmg.com/xcp/english/updates.html

This is the link on Sony's website that removes the cloaking technology component.


9 posted on 11/03/2005 9:08:42 AM PST by lunarville (memo to Dan...don't let the door hit you on the way out....)

To: holymoly

Sounds like a lawsuit in the making.

This kind of stuff really doesn't matter, every time they bring out new copyright protection it is cracked within hours.

You have one or two companies working on this kind of stuff and half a million on the internet working to break it. You do the math.


10 posted on 11/03/2005 9:14:13 AM PST by Xenophobic Alien (I'm as confused as a baby in a topless bar.)

To: ShadowAce

BTTP


11 posted on 11/03/2005 9:17:36 AM PST by AxelPaulsenJr (Pray Daily For Our Troops and President Bush and the SAPPS)

To: AbeKrieger
Re:Does it really matter?

Once the root kit is there, any file name that begins with $sys$ will not be visible to the Windows API.

So, you play a Sony CD, then rename notebook.exe to $sys$notebook.exe, and that file will disappear.

The end result of this, if Sony continues to illegally install root kits with every CD autoplayed in a PC, will be hundreds of thousands of rooted PCs connected to the Internet, ready for exploitation.

Got a fire wall ?
Got anti-virus ?

None of it will matter because every time someone takes a Sony CD and puts it into the CD drive, it's set up to autoplay, which installs a new root kit with every play of the CD.

That's why it matters. Sony should be brought to court for their actions right now.

12 posted on 11/03/2005 9:26:13 AM PST by ChadGore (VISUALIZE 62,041,268 Bush fans.)

To: ChadGore
None of it will matter because every time someone takes a Sony CD and puts it into the CD drive, it's set up to autoplay, which installs a new root kit with every play of the CD.

Ummm... why haven't you disabled autoplay yet?

13 posted on 11/03/2005 9:29:48 AM PST by killjoy (Real Men Love Bush)

To: holymoly
That's fine. Even if they could design a perfectly copy-proof cd, it wouldn't matter. More people are learning about new music through the internet than through their junk corporate radio now anyway. They are just shooting themselves in the foot.

If record companies want to thrive, they should encourage people to share music. It's free advertising. And they should drop the price of a cd to $10. If they don't do that, eventually they will actually start to lose money.
14 posted on 11/03/2005 9:30:42 AM PST by mysterio

To: holymoly

Go here and download Blacklight Rootkit Eliminator:

http://www.f-secure.com/blacklight/try.shtml


15 posted on 11/03/2005 9:31:02 AM PST by TommyDale

To: killjoy
Re: why haven't you disabled autoplay yet?

I have. Sony should be sued for this right now.

16 posted on 11/03/2005 9:32:19 AM PST by ChadGore (VISUALIZE 62,041,268 Bush fans.)

To: ChadGore
The one useful bit of information is not included in the article.
When did Sony start including this new "feature" in their music CDs?

I'll just make sure never to buy any.

17 posted on 11/03/2005 9:33:12 AM PST by Publius6961 (Liberal level playing field: If the Islamics win we are their slaves..if we win they are our equals.)

To: lunarville
This is my favorite part of the FAQ from that Sony website you linked to:

How do I uninstall the software?

If at some point you wish to remove the software from your machine simply contact customer service through this link.

18 posted on 11/03/2005 9:35:28 AM PST by oremites

To: TommyDale
Go here and download Blacklight Rootkit Eliminator:

But only if you want to be a Beta tester for Blacklight...

19 posted on 11/03/2005 9:35:45 AM PST by Publius6961 (Liberal level playing field: If the Islamics win we are their slaves..if we win they are our equals.)

To: Publius6961
Re:When did Sony start including this new "feature" in their music CDs?

http://www.f-secure.com/v-descs/xcp_drm.shtml

20 posted on 11/03/2005 9:40:58 AM PST by ChadGore (VISUALIZE 62,041,268 Bush fans.)

To: Publius6961
Is that a problem right now? I would certainly scan my system and then uninstall the beta software. The ultimate solution is to completely

BOYCOTT SONY / BMG !!


21 posted on 11/03/2005 9:45:07 AM PST by TommyDale

To: Publius6961
From: http://www.f-secure.com/weblog/archives/archive-112005.html#00000691

Sony BMG is currently using a rootkit-based DRM system on some CD records sold in USA. As far as we know, this system has been in use since March 2005.

22 posted on 11/03/2005 9:46:00 AM PST by ChadGore (VISUALIZE 62,041,268 Bush fans.)

To: holymoly
Somebody at Sony needs to go to jail for this.

Or we can just throw up our hands and forget any pretense that we have a rule of law that applies to everybody.

23 posted on 11/03/2005 9:48:24 AM PST by steve-b (A desire not to butt into other people's business is eighty percent of all human wisdom)

To: holymoly
F-Secure makes the software that installs a rootkit, then sells software that removes the rootkit.

It's good work if you can get it.

Write software that breaks the law by rooting XP boxen, then sell the end user the clean up tool.

It's sick. Sick, twisted and not a legal thing to do.

24 posted on 11/03/2005 9:50:50 AM PST by ChadGore (VISUALIZE 62,041,268 Bush fans.)

To: ShadowAce
Already posted

Yes, but we need to keep this issue front and center. Sony/BMG are using music CDs to infect computers. I'll be going out of my way to make sure that no one in my family or immediate friends will purchase any Sony/BMG products this upcoming Christmas Holiday.

25 posted on 11/03/2005 2:13:48 PM PST by zeugma (Warning: Self-referential object does not reference itself.)

To: zeugma; ShadowAce

Seen this one?

http://www.securityfocus.com/brief/34


26 posted on 11/03/2005 2:18:23 PM PST by Senator Bedfellow (g_r)

To: Senator Bedfellow

LOL! It's amazing the things people will do to cheat their way through.


27 posted on 11/03/2005 2:20:41 PM PST by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

I never bought a CD for 10+ years... now probably never...


28 posted on 11/03/2005 2:22:35 PM PST by Twist_T (internment camps for the future!!)

To: mysterio
If record companies want to thrive, they should encourage people to share music. It's free advertising. And they should drop the price of a cd to $10. If they don't do that, eventually they will actually start to lose money.

They already do. They have for decades. It's called radio.

These same companies annually spend millions of dollars promoting their product on the radio for free public consumption. Recording music from the radio is legal. Calling a station to request a song, then recording the song when it's played, is legal.

The only difference between this process and P2P sharing is the technology, not the activity itself. Why is one method actively supported by the recording industry and legally upheld by the courts, yet the other is criminal?

29 posted on 11/03/2005 2:24:12 PM PST by TChris ("The central issue is America's credibility and will to prevail" - Goh Chok Tong)

To: Senator Bedfellow
That's hilarious. Hackers will be including these tools in their payloads soon too (yet Sony claim it's not a security issue). Fortunately, it's really easy to test for the presence of the rootkit because it was so poorly written.
30 posted on 11/03/2005 3:54:48 PM PST by zeugma (Warning: Self-referential object does not reference itself.)

To: zeugma
Fortunately, it's really easy to test for the presence of the rootkit because it was so poorly written.

True, but that doesn't help the folks at Blizzard - what are they going to do, ban everyone who's bought a Sony CD?

Anyway, just thought it was fun to see what sorts of things this little proggy was turning into a vector for. Aside from some sloppiness in the implementation, it's kind of a clever idea, in a perversely evil sort of way ;)

31 posted on 11/03/2005 4:37:06 PM PST by Senator Bedfellow

To: holymoly

Now what happens if some other music publisher also wants to use a rootkit, and the two rootkits are incompatible? This is wild west on your hard drive. Unacceptable.


32 posted on 11/04/2005 2:02:27 AM PST by The Red Zone (Florida, the sun-shame state, and Illinois the chicken injun.)

To: Senator Bedfellow
When I was speaking of how easy it was to test for, I was thinking more in terms of the users themselves. Anyone who thinks they might be infected with this DRM/Rootkit, can do it quickly from the command line, or even your gui file explorer.

Regarding the WoW folks using it to hide things, I would imagine or hope that a patch could come out to test for it. I'm not into the gaming scene so I'm not sure how it would be enforced. Folks who cheat on such things are pretty low IMO. They probably cheat in solitaire too.

33 posted on 11/04/2005 6:10:23 AM PST by zeugma (Warning: Self-referential object does not reference itself.)
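
One way to check for the "$sys$" name cloaking described in the article and in post 12, as an added example that is not part of the original thread or any vendor's tool: write one plain and one prefixed canary file, then see which of them a directory listing reports. The function names, the canary file names and the `simulated_cloak` stand-in are constructed for illustration, and the check assumes a cloaked file can still be created and deleted by its full path.

```python
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix the article says the DRM's cloaking keys on


def simulated_cloak(directory):
    """Constructed stand-in for a hooked directory listing: drops every name
    that starts with the prefix, as the article describes the rootkit doing."""
    return [n for n in os.listdir(directory) if not n.startswith(CLOAK_PREFIX)]


def cross_view_check(directory, lister=os.listdir):
    """Create two harmless canary files, one plain and one with the prefix,
    then see which of them the directory listing reports.

    Assumption: a cloaked file can still be created and deleted by full path.
    Returns 'cloaked', 'not-cloaked' or 'inconclusive'.
    """
    tag = "canary_%d.tmp" % os.getpid()
    control, prefixed = tag, CLOAK_PREFIX + tag
    created = []
    try:
        for name in (control, prefixed):
            with open(os.path.join(directory, name), "w") as fh:
                fh.write("cross-view canary\n")
            created.append(name)
        listing = set(lister(directory))
    finally:
        for name in created:  # clean up by full path, never via the listing
            os.remove(os.path.join(directory, name))
    if control not in listing:
        return "inconclusive"  # listing is unreliable for some other reason
    return "not-cloaked" if prefixed in listing else "cloaked"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        print("real listing:    ", cross_view_check(scratch))
        print("simulated cloak: ", cross_view_check(scratch, simulated_cloak))
```

The plain control file is what separates "names with this prefix are being filtered" from "the listing is failing for an unrelated reason".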

To: zeugma
Too bad it wasn't aimed at Sony's online games - the irony there would have been pretty rich.

They probably cheat in solitaire too.

Hey, I only did that once and you can't prove anything anyway, pal ;)

34 posted on 11/04/2005 6:18:03 AM PST by Senator Bedfellow

To: ChadGore
Write software that breaks the law by rooting XP boxen, then sell the end user the clean up tool.

It's sick. Sick, twisted and not a legal thing to do.

That does it. I have now lost any shred of respect I may have once had for the entertainment industry's copyright system. May the hackers bust it whenever they can and set music and film free from the Hollywood middlemen.

Oh, and there's a delicious bonus: this would strip the Democratic Party of its biggest source of funds.

35 posted on 11/04/2005 9:18:04 PM PST by BlazingArizona

To: TChris
The only difference between this process and P2P sharing is the technology, not the activity itself. Why is one method actively supported by the recording industry and legally upheld by the courts, yet the other is criminal?

There's another difference: the RIAA companies use radio stations' oligopoly over the airwaves to control what music is advertised in that fashion.

Ironically, the real threat to the RIAA comes not from people who "share" RIAA music, but people who share NON-RIAA music. If more artists start realizing they can have almost as good a shot at popularity via the Internet as via radio, but keep most of the profits from their records instead of giving them to the record companies, the RIAA companies will have a much harder time finding new slaves to work for them.

36 posted on 11/10/2005 7:50:12 PM PST by supercat (Don't fix blame--FIX THE PROBLEM.)
