Thursday, November 03, 2005

Sony rootkit update

I am just amazed at how fast talk of the Sony rootkit has spread across the web. Although Sony has released a patch, using the patch may make the CD unplayable.

Mark Russinovich: Sony, Rootkits and Digital Rights Management Gone Too Far
Inquirer also has a story on Sony's DRM being worse than we think, and comments on the discrimination Sony has put in place.

IMO, F-Secure has tried to downplay the issue here, since they claim they were already investigating it when Mark broke the news to the public.

Brian Krebs also has things to say about the Sony rootkit.

Sony BMG has provided a FAQ section on its site that tries to downplay the whole rootkit issue. To the following question about the Sony rootkit:
I have heard that the protection software is really malware/spyware. Could this be true?

Sony had the following to say:
Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement...

But according to a comment posted on Sysinternals, Sony's rootkit behaves much like spyware:
This software will be considered spyware under the ASC definition.

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information.

I can see it certainly doing the first two, and it doesn't need to do the third.

The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC....

Don't think that the Govt won't be taking Sony to court... they took Microsoft to task over anticompetition... all it takes is a letter to your Senator! is reporting that removing Sony's rootkit can kill Windows.

"So sue us"
According to WiredNews, it's the Sony rootkit cover-up that's the crime.

IMO, this is an idiotic move by Sony. People may boycott all products by Sony, not just its music. Has Sony really thought about the implications? I for one may not want to buy any product by Sony.

Learn more about RootKitRevealer, the software Mark was using when he discovered the Sony rootkit.

According to Wikipedia:

The term "root kit" (also written as "rootkit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the crackers to maintain "root" on the system without the system administrator even seeing them.

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account)....

The key distinction between a computer virus and a root kit relates to propagation. Like a root kit, a computer virus modifies core software components of the system, inserting code which attempts to hide the "infection" and provides some additional feature or service to the attacker (the "payload" of a virus).

In the case of the root kit the payload may attempt to maintain the integrity of the root kit (the compromise to the system) --- for example every time one runs the root kit's ps command it may check the copies of init and inetd on the system to ensure that they are still compromised, and "re-infecting" them as necessary. The rest of the payload is there to ensure that the cracker (attacker) can continue to control the system. This generally involves having backdoors in the form of hard-coded username/password pairs, hidden command-line switches or magic environment variable settings which subvert the normal access control policies of the uncompromised versions of the programs. Some root kits may add port knocking checks to existing network daemons (services) such as inetd or the sshd.

A computer virus can have any sort of payload. However, the computer virus also attempts to spread to other systems. In general a root kit limits itself to maintaining control of one system.

A program or suite of programs that attempts to automatically scan a network for vulnerable systems and to automatically exploit those vulnerabilities and compromise those systems is referred to as a computer worm. Other forms of computer worms work more passively, sniffing for usernames and passwords and using those to compromise accounts, installing copies of themselves into each such account (and usually relaying the compromise account information back to the cracker/attacker through some sort of covert channel).

Of course there are hybrids. A worm can install a root kit, and a root kit might include copies of one or more worms, packet sniffers or port scanners. Also many of the e-mail worms to which MS Windows platforms are uniquely vulnerable are commonly referred to as "viruses." So all of these terms have somewhat overlapping usage and can be easily conflated.

There are reports as of November 1, 2005 that Sony is using a form of copy protection, or digital rights management, on its CDs called "XCP-Aurora" (a version of Extended Copy Protection from First 4 Internet) which constitutes a root kit, surreptitiously installing itself in a cloaked manner on the user's computer and resisting attempts to detect, disable, or remove it. Much speculation is taking place on blogs and elsewhere about whether Sony might be civilly or criminally liable for such actions under various anti-computer-hacking and anti-malware legislation. Ironically, there is also speculation to the effect that the bloggers who point out what Sony CDs do, with technical details, may also be committing a civil or criminal offense under anti-circumvention provisions of laws such as the Digital Millennium Copyright Act in the United States. [1] [2]

On November 2, 2005 Sony released a patch to remove this rootkit, while continuing to maintain that it is not malicious and does not pose a security risk. To activate this patch, you are required to go to their Web site with Microsoft Internet Explorer; users of other browsers, such as Mozilla Firefox, get a message to the effect that their browser is incompatible, because of the use of ActiveX controls which Mozilla omits by design due to it being a proprietary Microsoft technology with security risks. [3]

Informed opinions differ on the security implication of this Sony 'XCP-Aurora' technology as there is evidence that the software has caused Blue Screen (BSOD) errors on Windows systems while in normal use. In addition the software is poorly implemented and the file hiding scheme could be used to hide arbitrary files on a PC simply by prefixing the filename with $sys$.

Further commentary, including security implications, can also be found on the Security Now! podcast #12 with Steve Gibson and Leo Laporte (titled "Sony's 'Rootkit Technology' DRM (copy protection gone bad)") at [4].

Linux rootkit detection utilities include rkhunter and chkrootkit.

"Sony knows ... what you listen to" - Internal technical support says, "So sue us"

According to a comment posted on SysInternals:

Btw, I checked with a sniffer. The DRM system connects to and and tells them an ID number, apparently identifying the album. So, Sony knows your IP address and what you listen to.

So, Sony is spying on you. Really sickening stuff. In related news, Amazon users are calling for a complete Sony boycott. Some review titles:

DO NOT PURCHASE - Adam Sowalsky
Sony's scheme worse than you thought - T. Rowe "Tolkien Fan"

This CD, plus all others by Sony that have copy protection, install Malware - PhilNZ

So, I called Sony's tech support at 800-222-7669 and eventually the obviously Indian rep told me to call Sony BMG at 212-833-8000.

The operator at Sony BMG in turn directed me to call the Sony tech support number. Talk about a run around.

Sony's internal technical support says, "So sue us" - BSF (SysInternals)

So, I did a whois on Sony BMG's website, and called the technical contact at 212-833-7305. This resulted in me being transferred to an individual who identified himself only as Sony's internal technical support. He was very rude, said that he wasn't even supposed to be talking to me, and ultimately directed me to Mark's post and told me to download RKR to remove the DRM rootkit. I attempted to explain to him that this program only works on NT and was no help to me since I'm running Win 98. He said that he couldn't do anything else. When I said that I wanted to speak to his manager, he told me that management was unavailable, and when I said that I didn't appreciate this unauthorized and apparently illegal modification of my system, he said, "So sue us." - BSF


For System Administrators

Just some notes for system administrators:

1. Check logs for previous break-in attempts.
2. Check the server for rootkits (used to hack and alter programs on the server without making the changes detectable to the admin), using multiple tools.
3. Create an alternate account (userKabacha or userDRM) that will act as the root account.
4. Change the root login shell so that even if a hacker breaks in via an SSH brute force attack, they are immediately kicked off the server. Once the root login shell is changed, everyone must log in using the alternative account, and any attempt to log in as root is treated as a break-in attempt.
5. I recommend installing BFD (Brute Force Detection). This software watches for break-in attempts, and once SSH login failures from an address exceed the specified threshold, that IP address is blocked (added to the firewall).
6. Another package I recommend is SIM (System Integrity Monitor). With SIM we can set load thresholds for "critical" (typically 45) and "warning" (typically 25); once the server load crosses them, SIM steps in to stop and restart the needed services.
7. We can also set up a separate log file that records each successful root login.
8. If you do not get much traffic from countries such as Taiwan, Japan, China, South Korea and Nigeria, I recommend blocking all TCP traffic from IPs in those countries.
9. Other tools and steps may be recommended after analysis of your server.
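Items 4, 5 and 7 above (kick root off, block brute-forcing addresses, keep a separate record of root logins) can all be driven from the sshd lines in the auth log. The following is an added example of my own, not the page's code and not the BFD or SIM tools it recommends: it parses syslog-style sshd lines, counts failed logins per source address, renders a firewall rule once the threshold is crossed, and keeps a separate root-login record. The hostnames, process ids and IP addresses in the sample log are constructed.

```python
"""Brute-force detection and root-login auditing over sshd log lines.

Added example (not the page's own code, and not the BFD or SIM tools it
recommends). The log lines, hostnames and addresses below are constructed.
"""
import re
from collections import Counter

# Syslog-style sshd messages as OpenSSH writes them (attempts against
# non-existent accounts carry the extra "invalid user" marker).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: one host hammering root and a non-existent account,
# one user with a single typo, and one legitimate key-based root login.
SAMPLE_LOG = """\
Nov  3 10:15:22 srv1 sshd[4411]: Failed password for root from 203.0.113.5 port 4242 ssh2
Nov  3 10:15:24 srv1 sshd[4411]: Failed password for root from 203.0.113.5 port 4242 ssh2
Nov  3 10:15:27 srv1 sshd[4411]: Failed password for root from 203.0.113.5 port 4242 ssh2
Nov  3 10:15:30 srv1 sshd[4413]: Failed password for invalid user admin from 203.0.113.5 port 4250 ssh2
Nov  3 10:15:33 srv1 sshd[4413]: Failed password for invalid user admin from 203.0.113.5 port 4250 ssh2
Nov  3 10:15:36 srv1 sshd[4413]: Failed password for invalid user admin from 203.0.113.5 port 4250 ssh2
Nov  3 10:16:02 srv1 sshd[4420]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Nov  3 10:16:09 srv1 sshd[4420]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Nov  3 10:20:45 srv1 sshd[4431]: Accepted publickey for root from 192.0.2.10 port 40110 ssh2
"""


def analyze(lines, threshold=5):
    """Return (failures per IP, IPs to block, root login events)."""
    failures = Counter()
    root_events = []          # the separate root-login record item 7 asks for
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            if m["user"] == "root":
                root_events.append(("failed", m["ip"]))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["user"] == "root":
            root_events.append(("accepted:" + m["method"], m["ip"]))
    blocked = sorted(ip for ip, n in failures.items() if n >= threshold)
    return failures, blocked, root_events


def firewall_rules(blocked):
    """Render one iptables drop rule per offending address (not executed here)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in blocked]


if __name__ == "__main__":
    fails, blocked, roots = analyze(SAMPLE_LOG.splitlines())
    for ip, n in fails.most_common():
        print(f"{ip:15} {n} failed logins")
    for rule in firewall_rules(blocked):
        print("BLOCK:", rule)
    for event, ip in roots:
        print("ROOT LOGIN:", event, "from", ip)
```

Run it as-is to see the single offending address cross the threshold of five while the user who mistyped a password once is left alone; in practice the rules would be fed to the firewall by a cron job or a log tail, and the root-login record written to its own file as item 7 suggests.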

Sony rootkit and viruses - Think again before installing that music CD from Sony

Sony is installing rootkits and viruses on computers? I could never have believed it just a couple of years ago. But today, seeing how greedy corporations are getting, I have no choice but to believe it.

GameShout reports:
Sony is using spyware and rootkit technologies to prevent unauthorized copying of its music CDs. It has become the basis of a dispute that once again pits computer advocates against an entertainment company experimenting with new ways to prevent the unauthorized copying of its products.

And in case you are wondering about uninstalling the rootkit Sony installs, Andy (GameShout) had this to say:
the uninstall process is not exactly straightforward and cannot be done through the Add or Remove Programs utility in the Windows control panel.

Sony has released a patch after facing a backlash from security companies. Be warned that after using the patch you cannot play that music CD either. So either you give Sony control of your computer or you stop listening to music from Sony.

The next time you pop in that music CD from Sony, you may be getting more than you asked for. According to reports, the media giant is installing a rootkit on every computer the CD is played on. Rootkits are a systems administrator's nightmare and may leave your computer exposed to other hackers.

Credit goes to Mark Russinovich for discovering the Sony rootkit.

Mark explains how such rootkits work:

Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.
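The table patching Mark describes, together with the `$sys$` prefix cloak noted earlier on this page, is what a detector has to catch. The following is an added example of my own (not code from the page, from Sysinternals or from RootkitRevealer) that models both in user space: a service table indexed by service number, a driver that swaps one entry for its own wrapper, and the two checks a detector applies afterwards: every table entry must still match a trusted snapshot and point into the kernel image, and a directory listed through the API must agree with the raw on-disk listing (the cross-view comparison RootkitRevealer is built on). The kernel and driver addresses, service number, paths and file names are all constructed.

```python
"""Two rootkit-detection checks, simulated in user space.

Added example, not code from the page, from Sysinternals or from
RootkitRevealer. All addresses, service numbers and file names are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List

# Assumed address range of the simulated kernel image; drivers load elsewhere.
KERNEL_BASE = 0x8040_0000
KERNEL_SIZE = 0x0020_0000
DRIVER_BASE = 0xF7A0_0000

# The "raw" view: what the volume actually holds (constructed).
RAW_VOLUME = {
    r"C:\Windows\system32": ["kernel32.dll", "$sys$hidden.dat", "ntdll.dll"],
    r"C:\Music":            ["track01.wma", "$sys$cfg.bin"],
}


def raw_list_files(path: str) -> List[str]:
    """Read the directory from the volume directly, bypassing the API path."""
    return list(RAW_VOLUME.get(path, []))


@dataclass(frozen=True)
class ServiceEntry:
    name: str
    handler: Callable[..., object]
    address: int              # where the handler lives (constructed)


class ServiceTable:
    """System service table: service number -> entry, as the post describes."""

    def __init__(self, entries: List[ServiceEntry]):
        self.entries = list(entries)

    def call(self, number: int, *args):
        return self.entries[number].handler(*args)


SVC_QUERY_DIRECTORY = 0      # constructed service number


def build_kernel_table() -> ServiceTable:
    # The genuine kernel service for directory enumeration.
    return ServiceTable([
        ServiceEntry("NtQueryDirectoryFile", raw_list_files, KERNEL_BASE + 0x1A3F0),
    ])


def install_cloak(table: ServiceTable, number: int) -> None:
    """What a cloaking driver does: swap the table entry for its own wrapper."""
    original = table.entries[number]

    def cloaked(*args):
        return [n for n in original.handler(*args) if not n.lower().startswith("$sys$")]

    table.entries[number] = ServiceEntry(original.name, cloaked, DRIVER_BASE + 0x2B10)


def check_table_integrity(table: ServiceTable, baseline: List[ServiceEntry]):
    """Flag entries that no longer match the snapshot or point outside the kernel."""
    findings = []
    for number, (current, trusted) in enumerate(zip(table.entries, baseline)):
        inside_kernel = KERNEL_BASE <= current.address < KERNEL_BASE + KERNEL_SIZE
        if current.address != trusted.address or not inside_kernel:
            findings.append((number, current.name, current.address))
    return findings


def cross_view_scan(table: ServiceTable, path: str) -> List[str]:
    """RootkitRevealer-style check: raw listing minus what the API shows."""
    api_view = set(table.call(SVC_QUERY_DIRECTORY, path))
    raw_view = set(raw_list_files(path))
    return sorted(raw_view - api_view)


if __name__ == "__main__":
    table = build_kernel_table()
    snapshot = list(table.entries)            # taken while the system is clean
    install_cloak(table, SVC_QUERY_DIRECTORY)
    print("patched entries:", check_table_integrity(table, snapshot))
    for path in RAW_VOLUME:
        print(path, "hidden:", cross_view_scan(table, path))
```

The two checks are complementary: the table check needs a snapshot taken before the driver loaded (or, on a real system, the exported addresses of the kernel image), while the cross-view scan needs no baseline at all, which is why it works even on a machine that was already cloaked when the scanner first ran.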

According to a comment posted on SysInternals by SiliconAngel:
... Whether or not Sony accepts responsibility for it, I do believe they should be prosecuted by governments as a matter of course - you can't let a multinational get away with criminal practices just because they're a big company! Do you think courts would be lenient with virus writers if they said 'We CLEARLY mentioned in the attached text file what parts of the system were being affected while we pwn3d each user's PC. If they wanted to remove our virus, all they had to do was contact us at the listed help desk number and pay $4.30 a minute, fill out some forms and download the removal tool. Trying to remove the virus on their own was clearly not part of their licence agreement and they deserve what they got!'? I think not...

IMO, this is really sickening.

- - - - -