Thursday, November 03, 2005

Sony rootkit update

I am just amazed at how fast Sony rootkit talk has encompassed the web. Although Sony has released a patch, using the patch may make the CD unplayable.

Mark Russinovich: Sony, Rootkits and Digital Rights Management Gone Too Far
Inquirer also has a story on Sony's DRM being worse than we think. Inquirer comments about the discrimination Sony has put in place.

IMO, F-Secure has tried to downplay the issue at hand here since they claim they were working on investigating the issue when Mark broke the news to the public.

Brian Krebs also has stuff to say about the Sony rootkit.

Sony BMG has provided a FAQ section on its site trying to downplay the whole rootkit issue. For the following question about the Sony rootkit:
I have heard that the protection software is really malware/spyware. Could this be true?

Sony had the following to say:
Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement...

But according to a comment posted on Sysinternals, Sony's rootkit acts much like spyware:
This software will be considered spyware under the ASC definition,

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information.

I can see it certainly doing the first two, and doesn't need to do the third.

The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC....

Don't think that the Govt won't be taking Sony to court... they took Microsoft to task over anticompetition... all it takes is a letter to your Senator!

is reporting that removing Sony's rootkit can kill Windows.

"So sue us"
According to Wired News, it's the Sony rootkit cover-up that's the crime.
Also see on

IMO, this is an idiotic move by Sony. People may boycott all products by Sony, not just its music. Has Sony really thought about the implications? I for one may not want to buy any product by Sony.

Learn more about RootkitRevealer, the software Mark was using when he discovered the Sony rootkit.

According to Wikipedia:

The term "root kit" (also written as "rootkit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the crackers to maintain "root" on the system without the system administrator even seeing them.

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account)....

The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).

In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, and "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd.

A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system.

A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromise account information back to the cracker/attacker through some sort of covert channel).

Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.

There are reports as of November 1, 2005 that Sony is using a form of copy protection, or digital rights management, on its CDs called "XCP-Aurora" (a version of Extended Copy Protection from First 4 Internet) which constitutes a root kit, surreptitiously installing itself in a cloaked manner on the user's computer and resisting attempts to detect, disable, or remove it. Much speculation is taking place on blogs and elsewhere about whether Sony might be civilly or criminally liable for such actions under various anti-computer-hacking and anti-malware legislation. Ironically, there is also speculation to the effect that the bloggers who point out what Sony CDs do, with technical details, may also be committing a civil or criminal offense under anti-circumvention provisions of laws such as the Digital Millennium Copyright Act in the United States. [1] [2]

On November 2, 2005 Sony released a patch to remove this rootkit, while continuing to maintain that it is not malicious and does not pose a security risk. To activate this patch, you are required to go to their Web site with Microsoft Internet Explorer; users of other browsers, such as Mozilla Firefox, get a message to the effect that their browser is incompatible, because of the use of ActiveX controls which Mozilla omits by design due to it being a proprietary Microsoft technology with security risks. [3]

Informed opinions differ on the security implication of this Sony 'XCP-Aurora' technology as there is evidence that the software has caused Blue Screen (BSOD) errors on Windows systems while in normal use. In addition the software is poorly implemented and the file hiding scheme could be used to hide arbitrary files on a PC simply by prefixing the filename with $sys$.

Further commentary including security implications can also be found on the Security Now! podcast #12 with Steve Gibson and Leo Laporte (titled "Sony's 'Rootkit Technology' DRM (copy protection gone bad)") at [4].
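
The `$sys$` prefix cloaking mentioned in the excerpt above can be caught by comparing two views of the same disk: a listing from the running system and one taken offline. The sketch below is an added example, not part of the original post or of any tool named here; every path in it is constructed sample data, and case-insensitive prefix matching is an assumption.

```python
# Added example: cross-view check for name-prefix cloaking.
# All paths below are constructed sample data, not real XCP file names.
from pathlib import PureWindowsPath

CLOAK_PREFIX = "$sys$"  # the prefix the text above says is hidden

# View 1 (constructed): what the running, possibly cloaked system reports.
LIVE = [
    r"C:\Users\alice\report.doc",
    r"C:\Windows\System32\kernel32.dll",
]
# View 2 (constructed): same volume listed offline, e.g. from a clean boot.
OFFLINE = LIVE + [
    r"C:\Windows\System32\$sys$example\driver.sys",
    r"C:\Users\alice\$sys$notes.txt",   # unrelated file riding on the cloak
    r"C:\Temp\scratch.tmp",             # missing for some other reason
]

def is_cloaked_name(path):
    """True if any path component starts with the cloaking prefix.
    Case-insensitive matching is an assumption of this example."""
    parts = PureWindowsPath(path).parts
    return any(p.lower().startswith(CLOAK_PREFIX) for p in parts)

def cross_view_diff(live, offline):
    """Return (path, reason) for entries the offline view has but the live
    view lacks; 'cloak-prefix' marks names the $sys$ filter would hide."""
    seen_live = {p.lower() for p in live}
    findings = []
    for path in sorted(set(offline), key=str.lower):
        if path.lower() not in seen_live:
            reason = "cloak-prefix" if is_cloaked_name(path) else "unexplained"
            findings.append((path, reason))
    return findings

if __name__ == "__main__":
    for path, reason in cross_view_diff(LIVE, OFFLINE):
        print(f"{reason:13} {path}")
```

The second finding is the one that matters for defenders: a file that has nothing to do with the copy protection is hidden just because of its name, so any `cloak-prefix` hit deserves a look at what the file actually is.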

Linux rootkit detection utilities include rkhunter, chkrootkit,

