Albert's

Sony Rootkits

Sony seems to have really screwed up by misjudging public sentiment about security protection. Basically, they placed a Trojan-style program on their music artists' CDs. Once you play the CD on your computer, the "Digital Restriction Management" program installs itself without proper prompting or warning. This is what you see when you pop the CD into your computer, and even if you actually read the 10 pages of legal mumbo jumbo, the wording tells you very little about the damage it does. Let me quote the relevant section out of all those long pages:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.


So what is the fuss about? Is it not just another program? The bad thing about this program is not just its secrecy. Like many computer viruses, it is hidden from your Process Manager, so you don't know that it is running. The EULA says "the SOFTWARE will reside on YOUR COMPUTER until removed or deleted", which is another problem: it doesn't show up in Add/Remove Programs. You won't even know of its existence unless you have a byte-by-byte system background process comparison program running. An average computer user has no chance of detecting the program, let alone exorcising it from the computer. And that is not the worst part.

It also instructs your computer to hide from detection any file whose name starts with $sys$. It is like someone declaring that any room in your house whose name starts with "bed" is fair game for an open-house visit. Anyone, for example 3 guys wearing thongs, can come in, and you are not allowed to see who is coming or what they are doing. Effectively, it is a front-door pass for any virus writer out there. All they have to do is name their virus $sys$random.
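As an added illustration (not part of the original post), here is a small Python cross-view check for the cloaking behaviour described in the two paragraphs above. It writes a canary file whose name starts with $sys$, then compares what the directory listing reports against a direct open by name: a file that opens fine but is missing from the listing is being hidden from you. Since a clean machine has no rootkit, the block also includes a simulated hook that drops $sys$ names, so both outcomes can be seen side by side. The prefix is taken from the post; the canary name, the simulated hook and the function names are my own assumptions, not the rootkit's or Sony's code.

```python
import os
import tempfile
from typing import Callable, Iterable, Optional

# Prefix the post says the Sony/First4Internet rootkit cloaks (from the post).
CLOAK_PREFIX = "$sys$"


def cross_view_check(directory: str,
                     list_fn: Callable[[str], Iterable[str]] = os.listdir,
                     prefix: str = CLOAK_PREFIX) -> dict:
    """Create a canary file whose name starts with `prefix`, then compare two
    views of it: the directory enumeration (which a hooking rootkit filters)
    and a direct open by name (which such a hook typically lets through).
    A file that opens fine but is absent from the listing is being cloaked.
    """
    canary_name = prefix + "canary.txt"          # constructed canary name
    canary_path = os.path.join(directory, canary_name)
    with open(canary_path, "w", encoding="ascii") as fh:
        fh.write("cross-view canary\n")
    try:
        listed = canary_name in set(list_fn(directory))
        try:
            with open(canary_path, "r", encoding="ascii") as fh:
                opened = fh.read().startswith("cross-view canary")
        except OSError:
            opened = False
    finally:
        try:
            os.remove(canary_path)
        except OSError:
            pass
    return {
        "canary": canary_name,
        "listed": listed,
        "opened": opened,
        "cloaked": opened and not listed,
    }


def simulated_cloaking_listdir(directory: str) -> list:
    """Stand-in for a hooked directory enumeration: drops every name that
    starts with CLOAK_PREFIX, which is the behaviour the post describes.
    Used only so the detection logic can be exercised on a clean machine."""
    return [n for n in os.listdir(directory) if not n.startswith(CLOAK_PREFIX)]


def run_checks(directory: Optional[str] = None) -> tuple:
    """Run the check once against the real listing and once against the
    simulated hook; returns (clean_result, hooked_result)."""
    directory = directory or tempfile.mkdtemp(prefix="cloakcheck-")
    clean = cross_view_check(directory)
    hooked = cross_view_check(directory, list_fn=simulated_cloaking_listdir)
    return clean, hooked


if __name__ == "__main__":
    clean, hooked = run_checks()
    for label, result in (("real enumeration", clean), ("simulated hook", hooked)):
        verdict = "CLOAKED" if result["cloaked"] else "visible"
        print(f"{label:18s} {result['canary']}: {verdict}")
```

On an unaffected machine the real enumeration reports the canary as visible; only the simulated hook reports it cloaked. The check has to run in a location the hook actually filters, and a hook that also blocks opens by name would defeat it, which is why tools of this kind compare several views (file listing, registry, process list) rather than one.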

How is this legal? It is a gray area. Technology is being invented at such a fast pace that it is outpacing lawmaking. Technically, they are doing everything they stated in their EULA; no sensitive material is being lifted from your computer by Sony. They just failed to mention that they are holding the door into your house open.

Now here is the funny part: the first exploit using the Sony rootkit is out, and it is used to defeat another rootkit, from Blizzard's World of Warcraft game.

World of Warcraft, upon installation, puts a sub-program named Warden on your computer that scans for cheats. It tracks down every DLL (dynamic link library) hooked into World of Warcraft to ensure no cheat program is running. That is fine. However, it also sniffs your email and every open window on your computer. It grabs each open window's title and compares its hash (a digital fingerprint) with those of known cheat programs. That is bad because if you have QuickBooks open, your financial records are now being read. If you have your email open, who you are responding to is now being read.

So the bright people of the world decided to use evil against evil. They now not only rip Sony's music (illegal), but they also rip Sony's CD protection rootkit and name their WoW cheat program "$sys$random". Ha! Now the Warden can't find those cheats. Oh, the irony. Of course, to be safe from the other virus makers of the world, it is advisable to first change the Sony rootkit's ignore string to something more unique, something other than "$sys$". Use "$wowcheat$" if you want, just something that other virus makers can't guess; that way your computer is relatively safe.

Now that the news of the Sony rootkit is out in public, ZDNet reports:
Sony promised a fix and now, within days of the rootkit's discovery (and subsequent outrage that spread on the Net like wildfire) that fix is apparently already available..."Sony BMG and First 4 Internet have just released an update that will completely remove the rootkit based DRM content protection software and replace it with a non-rootkit DRM technology that is compatible with all current security protocols." Oddly, the downloadable fix is being referred to as "Service Pack 2" but it should not be confused with Microsoft's Service Pack 2 for Windows XP. Whereas the fix only handles substitution of the new DRM technology for the old rootkit-based one, Sony is apparently providing another form-based process for removal altogether. However, the removal procedure reveals yet another minor gaffe that Sony says it hopes to have corrected later this month: it requires Internet Explorer and ActiveX.
-Zdnet, Sony offers removal and replacement for rootkit DRM


Oddly, I couldn't find any download. I was directed to send an email, and I presume that once I take the trouble to ask for a removal program, Sony will then send it to me.

It is interesting to hear people's comments regarding this event: "Thank goodness I download all my music via p2p, none of those Sony virus for me!" Oh, the irony.

Update1* 11/4/2005

If you are concerned and need to remove the rootkit, here is what the Washington Post says:
the only way to uninstall the program in the conventional sense (without running the risk of hosing your system or CD-ROM drive) is to contact Sony BMG directly via a web form [Link removed, see update3* for more detail] and request removal...At that point, a real, live person will call you back and ask for all kinds of information about your system, and your reason for wanting to remove the software. You're then directed to a Web page that downloads an ActiveX program (yes, you must be using Microsoft's Internet Explorer to do this), which determines what version is installed and reports that back to First4Internet. Then you get an e-mail containing a link to another site that downloads something that finally uninstalls the Sony program.

If you want to learn more, The Inquirer paints a vastly bleaker picture with its article "Sony DRM is worse than you think", which does a very detailed rundown of this "malware". Fun reading.

Update2* 11/6/2005 Sony just released a direct fix for their virus; you can download the patch from Sony here [Patch link disabled, please see Update3]

Update3* 11/17/2005 Do NOT install the patch from Sony. A news story from 11/15/2005 revealed that the patch doesn't completely remove the rootkit, and it also introduces new holes. I normally write an article once and let it go, but this is serious. If you haven't updated with Sony's patch yet, do not update! I will update one more time once the complete clean uninstaller is published. Here are the sources for my update3.

A patch that Sony issued a week ago when virus writers began taking advantage of the software's file-hiding capabilities actually introduces serious new security risks onto the user's machine, according to research released today by Princeton University computer science professor Edward Felten.

The Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after the removal tool has done its job, Felten said. And because of the way the tool is configured, he said, it allows any Web page that the user subsequently visits to download, install and run any code that it likes.

I was speechless when I read this news, and had roughly the same thoughts as Felten expressed in his blog: "That’s about as serious as a security flaw can get."

According to Felten (whose research was informed by a discovery from a Finnish researcher known as "Muzzy"), "the root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program -- an ActiveX control created by the [digital rights management software] vendor, First4Internet -- called CodeSupport.

"CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.

"Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission."

If you've visited Sony's site and downloaded this removal tool, Felten's site has instructions on how to get rid of it -- although "it may not prevent the software from installing again, but it’s better than nothing. We’ll have to wait for First4Internet to develop a complete patch."

If you have Sony's anti-piracy software on your computer but haven't downloaded this removal tool yet, then good. Don't download it.

Here is a list of CDs that had Sony's virus.
Here is the most up-to-date information I have found as of 11/17/2005.

Honestly, this is the first time I have seen a patch issued by a company that does the same damage as the virus itself. Unbelievable.
