Sony CD Copy Protection Seems To Rely On Hacker Rootkit
Posted on 11/03/2005 8:44:21 AM PST by holymoly
Sony is apparently borrowing a tactic from hackers for its digital-rights management technology, and some security experts question the practice.
Security researchers have identified a rootkit -- software used by hackers to hide their malicious code from anti-virus and anti-spyware defenses -- within the copy protection scheme Sony BMG Music Entertainment uses to prevent music CDs from being copied to computers.
The digital rights management (DRM) technology that Sony BMG uses limits the number of times a CD can be "ripped" to a computer. To prevent the DRM software from being easily circumvented, the copy protection's creator -- a U.K.-based company called First4Internet -- uses a rootkit to hide the DRM's files.
An independent researcher, Mark Russinovich, and the Helsinki-based F-Secure security firm, published details almost simultaneously on the DRM technology Sony BMG uses, and that technology's application of a rootkit.
Both stressed that rootkits are most commonly used by malicious code writers -- hackers -- and warned that the use of one by a legitimate company such as Sony was alarming.
"Once the rootkit is there, there's no direct way to uninstall it," said Mikko Hyppönen, F-Secure's chief research officer, in an online brief. "The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves, too. This may lead to a situation where the virus remains undetected even if the user has got updated antivirus software installed."
Russinovich, who stumbled across the rootkit after a long investigation that involved a number of advanced PC forensic tools, agreed. "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall."
In fact, when Russinovich tried to uninstall the DRM software, all he got for his trouble was a dead CD drive.
"Most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," he said.
Removing the rootkit is so fraught with possibilities of calamity that F-Secure recommended users don't try it themselves. Instead, Hyppönen urged users to fill out a Sony BMG Web form and ask for instructions on how to remove the software. F-Secure has tested the resulting removal process -- which relies on the installation of an Internet Explorer ActiveX control -- and has confirmed it works.
According to one anti-spyware expert, Sony has no excuse for leaning on a rootkit to copy protect its content.
"Rootkits are always malicious," said Richard Stiennon, director of threat research for the Boulder, Colo.-based anti-spyware vendor Webroot. "There's no legitimate use of a rootkit, whose only purpose is to hide code from the operating system." Stiennon is intimately familiar with rootkits, since they're often used by spyware writers to disguise some of their nastier work, like password keyloggers.
Stiennon's objection runs deeper than the rootkit code itself, however; he's also concerned that the copy protection software steps across another spyware line.
"The end user license agreement (EULA) doesn't mention any install [of a rootkit]," he said. "That likely makes it illegal in the U.K. and the EU, and in at least 10 states in the U.S. as well. Sony could be in a lot of trouble on this one.
"This is just the sort of thing that [anti-spyware advocates are] concerned about, that spyware laws, when written, will be too broad and won't take things like this into consideration," Stiennon added.
Even discounting Stiennon's concerns, however, Sony's use of a rootkit poses immediate danger, said F-Secure. In a technical description of the DRM software, the security vendor noted that "the hiding techniques can be abused by less technical malware authors to hide their backdoors and other tools."
All an attacker needs to do is give his files names beginning with the same "$sys$" prefix used by the Sony CD copy protection files; the driver then hides them from the Windows API along with the DRM's own files.
"It is very inappropriate for commercial software to use these techniques," said F-Secure.
Sony BMG did not immediately return a call for comment.
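The article describes two things worth seeing side by side: the cloaking rule (anything named with the "$sys$" prefix is dropped from what the Windows API reports) and the way Russinovich's RootkitRevealer-style scan finds it, by comparing a high-level directory listing against a raw low-level one and flagging whatever the high-level view is missing. The following Python is an added example, not code from the article, from Sony BMG or from First4Internet: it does not load a kernel driver, but models the filtering rule on a constructed in-memory listing and runs the cross-view diff over it. All file names in the sample listing are assumptions made up for illustration.

```python
"""
Simulated "$sys$" cloaking and the cross-view check that exposes it.

Added example: models the filtering rule the Sony BMG copy-protection driver
applied (hide any name beginning with "$sys$") on an in-memory directory
listing, then applies the cross-view detection technique used by
RootkitRevealer-style scanners: list the same directory through the hooked
high-level view and through a raw low-level view, and diff the two.
"""

CLOAK_PREFIX = "$sys$"   # the prefix the driver filtered on, per the article

# Constructed sample of a raw on-disk directory listing.  Every name here is
# an assumption for illustration, not a file name taken from the page.
RAW_LISTING = [
    "$sys$drmserver.exe",      # hypothetical DRM component the driver hides
    "$sys$backdoor.exe",       # hypothetical attacker file riding on the cloak
    "notepad.exe",
    "readme.txt",
]


def hooked_view(raw_names):
    """Model of the hooked directory-enumeration API: entries whose name
    starts with the cloak prefix are silently dropped from the result."""
    return [name for name in raw_names if not name.startswith(CLOAK_PREFIX)]


def cross_view_diff(high_level, low_level):
    """Cross-view detection: anything present in the low-level (raw) view but
    absent from the high-level (API) view is being cloaked."""
    return sorted(set(low_level) - set(high_level))


def is_cloaked_name(name):
    """Would the modeled cloak hide this name?  Shows that an attacker hides a
    file by renaming alone, with no code of his own needed."""
    return name.startswith(CLOAK_PREFIX)


def main():
    api_view = hooked_view(RAW_LISTING)
    cloaked = cross_view_diff(api_view, RAW_LISTING)
    print("API view  :", api_view)
    print("Cloaked   :", cloaked)
    print("Renamed   :", is_cloaked_name("$sys$" + "notepad.exe"))


if __name__ == "__main__":
    main()
```

The point of the diff is that a scanner needs a second view the hook does not control; on a real system that is a raw read of the file system or registry hive rather than another call through the same filtered API. The attacker's file is flagged exactly like the DRM's own, which is also why blindly deleting everything the scan reports was the step Russinovich warned would cripple the machine.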
I had to shift gears while reading this article, because to me "rootkit" automatically implies a unix environment. But most rootkits today are targeted at Windoze. The idea is the same.
Does it really matter? If the CD can be played digitally it can be recorded perfectly using digital media. Unless they render the discs unplayable (ha ha) there will never be a way to keep people from making digital copies of the music.
Not to mention hackers and bootleggers have infinite resource and ingenuity.
I missed that. Still, that post doesn't have quite as much info.
So you have to install something to un-install something else? Nice! So what's in the ActiveX control? More malware?
Once you remove this software, you will break your computer.
So far, I have not found any rootkits on recent vinyl records.
I'll keep an eye out.....
This is the link on Sony's website that removes the cloaking technology component.
Sounds like a lawsuit in the making.
This kind of stuff really doesn't matter, every time they bring out new copyright protection it is cracked within hours.
You have one or two companies working on this kind of stuff and half a million on the internet working to break it. You do the math.
Once the rootkit is there, any file name that begins with $sys$ will not be visible to the Windows API.
So, you play a Sony CD, then rename notebook.exe to $sys$notebook.exe, and that file will disappear.
The end result of this, if Sony continues to illegally install rootkits with every CD autoplayed in a PC, will be hundreds of thousands of rooted PCs connected to the Internet, ready for exploitation.
Got a firewall?
Got anti-virus?
None of it will matter, because every time someone takes a Sony CD and puts it into the CD drive, it's set up to autoplay, which installs a new rootkit with every play of the CD.
That's why it matters. Sony should be brought to court for their actions right now.
Ummm... why haven't you disabled autoplay yet?
Go here and download Blacklight Rootkit Eliminator:
I have. Sony should be sued for this right now.
I'll just make sure never to buy any.
How do I uninstall the software?
If at some point you wish to remove the software from your machine simply contact customer service through this link.
But only if you want to be a Beta tester for Blacklight...