Sony Secretly Installs Rootkit on Computers

Mark Russinovich discovered a rootkit on his system. After much analysis, he discovered that the rootkit was installed as a part of the DRM software linked with a CD he bought. The package cannot be uninstalled. Even worse, the package actively cloaks itself from process listings and the file system.

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.

Removing the rootkit kills Windows.

Could Sony have violated the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.

Certainly Mark has a reasonable lawsuit against Sony in the U.S.

EDITED TO ADD: The Washington Post is covering this story.

Sony lies about their rootkit:

November 2, 2005 – This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

Their update does not remove the rootkit, it just gets rid of the $sys$ cloaking.
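The cloaking the post describes works by filtering a magic name prefix out of what the enumeration APIs return. The way anti-rootkit tools surface it is a cross-view diff: list the same namespace once through the (possibly hooked) high-level API and once from a lower-level source, and anything the low-level view has that the API view lacks is a candidate for cloaking. The following is an added illustration, not code from the post or from any of the parties it discusses; the hooked view is simulated, and the file and process names are constructed samples.

```python
"""Cross-view detection of name-prefix cloaking (illustrative; constructed data).

The high-level API view is simulated by a filter that drops every entry whose
leaf name starts with the cloak prefix, which is the observable effect of the
hooking the post describes. The raw view stands in for whatever lower-level
source a real tool reads (on-disk structures, kernel object lists).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Prefix the post says the cloaking component keys on.
CLOAK_PREFIX = "$sys$"


def _leaf(name: str) -> str:
    """Last path component, so one prefix check serves files, keys and processes."""
    return name.replace("/", "\\").rsplit("\\", 1)[-1]


def hooked_api_view(raw_entries: List[str], prefix: str = CLOAK_PREFIX) -> List[str]:
    """Simulate a hooked enumeration API: cloaked entries never reach the caller."""
    return [e for e in raw_entries if not _leaf(e).startswith(prefix)]


@dataclass
class CrossViewReport:
    hidden: List[str] = field(default_factory=list)  # raw view only: candidate cloaking
    ghosts: List[str] = field(default_factory=list)  # API view only: stale or forged entry


def cross_view_diff(raw_view: List[str], api_view: List[str]) -> CrossViewReport:
    """Diff two snapshots of the same namespace. Differences are a signal, not proof:
    the caller must separate cloaking (hidden) from snapshot skew (ghosts)."""
    raw, api = set(raw_view), set(api_view)
    return CrossViewReport(hidden=sorted(raw - api), ghosts=sorted(api - raw))


def cloak_signature(hidden: List[str], min_len: int = 3) -> Optional[str]:
    """If every hidden leaf name shares a leading string, return it. A common prefix
    across files and processes is the fingerprint of a prefix-based cloak rather
    than of unrelated noise; returns None when there is no usable shared prefix."""
    leaves = [_leaf(n) for n in hidden]
    if not leaves:
        return None
    prefix = leaves[0]
    for leaf in leaves[1:]:
        while not leaf.startswith(prefix):
            prefix = prefix[:-1]
    return prefix if len(prefix) >= min_len else None


# Constructed sample snapshots; these are not real system paths or process names.
RAW_FILES = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\$sys$example\$sys$cloaked.sys",
    r"C:\WINDOWS\system32\$sys$example\$sys$helper.dll",
    r"C:\Program Files\Player\player.exe",
]
RAW_PROCESSES = ["explorer.exe", "svchost.exe", "$sys$service.exe"]


def run_scan(raw_files: List[str] = RAW_FILES,
             raw_procs: List[str] = RAW_PROCESSES,
             skew: Tuple[str, ...] = ()) -> Tuple[CrossViewReport, CrossViewReport]:
    """Treat the raw view as ground truth, obtain the API view through the simulated
    hooked enumeration, and diff both namespaces. `skew` injects entries that appeared
    between the two snapshots; they surface as ghosts and must not be read as cloaking."""
    api_files = hooked_api_view(raw_files) + list(skew)
    api_procs = hooked_api_view(raw_procs)
    return cross_view_diff(raw_files, api_files), cross_view_diff(raw_procs, api_procs)


if __name__ == "__main__":
    files, procs = run_scan(skew=(r"C:\Temp\new.tmp",))
    for label, rep in (("files", files), ("processes", procs)):
        print(f"{label}: hidden={rep.hidden} ghosts={rep.ghosts}")
    print("cloak prefix:", cloak_signature(files.hidden + procs.hidden))
```

The shared prefix is what distinguishes a deliberate cloak from the ordinary churn of files and processes changing between two listings.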

Ed Felten has a great post on the issue:

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function—they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert—falsely—that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

And you can use the rootkit to avoid World of Warcraft spyware.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG’s content protection software can make tools made for cheating in the online world impossible to detect.


EDITED TO ADD: F-Secure makes a good point:

A member of our IT security team pointed out a quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.

In order to hide from the system a rootkit must interface with the OS on very low level and in those areas there’s no room for error.

It is hard enough to program something on that level, without having to worry about any other programs trying to do something with same parts of the OS.

Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.

EDITED TO ADD: Declan McCullagh has a good essay on the topic. There will be lawsuits.

EDITED TO ADD: The Italian police are getting involved.

EDITED TO ADD: Here’s a Trojan that uses Sony’s rootkit to hide.

EDITED TO ADD: Sony temporarily halts production of CDs protected with this technology.

Posted on November 1, 2005 at 10:17 AM
82 Comments

Comments

mark November 1, 2005 10:36 AM

When Sony started doing their CD DRM, I stopped buying all Sony products (I buy several hundred CDs a year) and encouraged others to do the same. I am so glad I did…

mpd November 1, 2005 11:12 AM

A little off topic but:

From the Register:
“A ‘root kit’ generally refers to the nefarious malware used by hackers to gain control of a system. A root kit has several characteristics: it finds its way onto systems uninvited;…”

Technically, a rootkit is used to keep control of a system after it has been compromised by viruses, worms, or malicious hacking. The rootkit itself (typically) doesn’t do the compromising.

org November 1, 2005 11:31 AM

I’m sorry, but when I hear about things like this, I think screw them and download all mainstream music. Sony’s failing business model is not my problem.

Former musician November 1, 2005 11:43 AM

Yes, there’s an effective and fair solution, it’s called having artists returning to what they’ve traditionally done: performing as a way of making a living, and giving up on the idea of winning the top 40 lottery. The CD/download should be thought of as a hint of what’s to come in the live performance (which people pay for), not as a main source of revenue.

Any attempt at compromise will end in failure. And yes, it involves bankruptcy for the record labels.

Brent Dax November 1, 2005 12:05 PM

Hmm. If this is a copy protection measure, wouldn’t removing it and accessing the CD some other way constitute circumventing the copy protection? And wouldn’t a tool to automatically remove it be a circumvention device? Gotta love that DMCA…

Anyone think we could get an exemption from the Librarian of Congress for CDs protected by DRM that pwnz your computer?

Lyger November 1, 2005 12:55 PM

Hmm… I wonder if this is the reason why my last two Sony CDs won’t play on my MP3-enabled Walkman, but will on my other standard CD players (I haven’t tried them in a PC yet). No irony there, no sir…

greg November 1, 2005 1:31 PM

in NZ i always tell them b4 i get a CD i don’t use windows and i play CD’s on it. They always say “sure it will work”. If it does not, they must under the consumer laws here, give me a refund.

I do a similar thing when i buy a PC, but not when i buy a CD player.

You know that in some places, getting around copyright protection is not illegal.

peachpuff November 1, 2005 2:34 PM

What happens if this thing turns out to have a bug that causes, for example, random crashes?

Bruce Schneier November 1, 2005 2:51 PM

“What happens if this thing turns out to have a bug that causes, for example, random crashes?”

You can’t copy your music, so everyone still wins. (Oh, wait. You lose. Well, you don’t count. Everyone who counts still wins.)

peachpuff November 1, 2005 3:08 PM

If I had followed the link before posting, I wouldn’t have had to wonder:

“It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described.”

James November 1, 2005 3:57 PM

I’d like to know whether this software, which wouldn’t work unless it was loaded by a user with administrative privileges, is installed with the player shipped on the disc (evidently required somehow to play the audio – I don’t understand why), which could seem “legitimate” when it requested such elevation, or whether the product merely takes advantage of users running as administrator by default on current versions of Windows, perhaps in conjunction with AutoPlay as has been attempted before.

Also, is the EULA one of those click-wrap agreement that disclaims everything anyway, regardless of what it mentions?

I’d really like to know which CDs use this system.

Foxyshadis November 1, 2005 5:01 PM

Someone’s going to analyse this and turn it into a worm and/or web exploit in the next few weeks. Code that hooks kernel apis is almost guaranteed several system-owning flaws, unless sony spent weeks or months profiling its security. Great, buy a CD, get owned.

Phil Taylor November 1, 2005 6:09 PM

I’m surprised and shocked that a mainstream company like Sony would do this. In reference to the difficulty of uninstalling the crap, I use tools provided free by http://www.sysinternals.com. They show unwanted programs that begin at startup or are hidden in the registry. Shame on Sony!!

Tarkeel November 1, 2005 8:20 PM

Hm, wouldn’t removing this rootkit be illegal as it’s circumventing DRM? If so, what happens if it’s your anti-virus that does it instead of you?

Besides, doesn’t the rootkit fall under PATRIOT act’s CyberTerrorism paragraphs?

afx November 1, 2005 8:42 PM

To be honest I’m surprised they haven’t attempted something this insidious before. I’d be pretty sure this is First 4 Internet’s product they sold to Sony (and others) to solve their problems for a large sum. People have spent far more time writing rootkits for far less monetary rewards.

One would think Sony won’t cop anything more than bad press over this. Any lawsuits would be forwarded to First 4’s doorstep one way or another.

JAB November 1, 2005 10:04 PM

Compromising the integrity of a user’s computer, even done in the name of copy protection, is entirely unacceptable.

elegie November 1, 2005 11:24 PM

To be sure, the effectiveness of copy protection is questionable. This particular copy protection may have troublesome ramifications, i.e. it cannot be uninstalled easily and could cause problems.

A while ago, there were Windows media files that led to pop-up ads and attempts to deploy adware when users tried to play the file. The DRM feature in the files made it possible to load an Internet site which led to the pop-up windows appearing. These files had been distributed on P2P networks. A company in the business of preventing illegal P2P copying appeared to be involved in what was happening. See http://www.pcworld.com/news/article/0,aid,119016,00.asp and http://www.theregister.co.uk/2004/12/31/p2p_adware_threat/

packrat November 2, 2005 12:53 AM

Yet another reason for always keeping auto-run disabled. Like someone said over on the sysinternals.com blog, it’s a way for anyone who publishes a CD to run arbitrary code on your system the instant you put the CD in the drive.

Davi Ottenheimer November 2, 2005 1:27 AM

I thought this part of Mark’s story was particularly revealing:

“The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies.”

Mark is so extra careful about the security of his system, and yet he’s loading music CDs that have DRM and proprietary players from big-media giants as though they can be trusted. It might not have seemed to be a threat to him at the time, but from now on I suspect every DRM label he sees will make him think of rootkits and unfair business practices.

I noticed the EULA mentions the rootkit “will not be used at any time to collect any personal information from you”. That’s probably because personal information is clearly regulated, whereas it increasingly seems that spyware/rootkits are tougher to nail for unscrupulous practices if accepted by users and intended to “protect” publisher rights.

Ya'akov November 2, 2005 1:39 AM

It surely cannot be ‘illegal’ to remove this copy protection – so long as you first remove the data it is there to protect.

Marc November 2, 2005 5:59 AM

The real answer to DRM in my view is to charge fair prices for CDs and not include any DRM. People who will not pay for music will not pay any price.

Other people know that CDs are severely overpriced, especially when the large labels have such economies of scale.

An example of this being done well is the American band Fugazi. For a great many years they have run their own label Dischord and printed on the CD themselves a MAXIMUM PRICE, which used to be USD $7 I believe, and here in the UK the CDs are usually around £10 which is quite a bit cheaper than mainstream CDs.

As far as I can tell they have been very successful with this, and their music is hardly mainstream. Imagine what would happen if more mainstream acts started charging a fair price for music?

DRM on CDs is abominable – Chrysalis (I think) have a broken system / system breaking application that is installed on some CDs too, I found it on a Jethro Tull reissue (“A” if I recall) and ever since installing Windows Media Player echoes all sound, can’t burn CDs etc…

Phillip November 2, 2005 8:29 AM

If one DOES uninstall this, is he in violation of the DMCA?

Couldn’t someone just use Linux and a CD Ripper/burner to reburn the CD without the data track that contains the nasties? Of course….that would violate the DMCA.

Michael November 2, 2005 9:05 AM

“What happens if this thing turns out to have a bug that causes, for example, random crashes?”

A good write-up by Brian Krebs in the Washington Post – the first I’ve seen in the mainstream media – quotes Mikko Hypponen, F-Secure’s director of antivirus research. Hypponen says:

“installing the Sony program on a machine running Windows Vista — the beta version of Windows’ next iteration — ‘breaks the operating system spectacularly.’”

So there you are. It very definitely can cause bad damage to a machine. Brian Krebs also highlights Mark Russinovich’s finding that First 4/Sony actually configured the Trojan’s drivers to start in Safe Mode, which would make recovery from problems very difficult.

Chase Venters November 2, 2005 10:02 AM

@Former musician

…Which is precisely the problem. These outdated businesses (proprietary software, content ‘brokers’) built huge fortunes on screwing over the consumer. If they were smart and adapted to the movement of the market, they’d still lose money, because honest business honestly isn’t as lucrative. So instead, they use their billions to try to legislate themselves into permanent existence (and, since it’s a great opportunity for more greed, they’ll move to take far more than they were ever originally given).

I’m very impatiently waiting for the moment that John Q. Public, the silent majority, wakes up, gets off the couch and does away with this nonsense. It needs to happen before too much damage is done to our way of life – hell, even our freedoms.

Stephen A. Braithwaite November 2, 2005 2:01 PM

This is excellent work by Mark, and he’s very correct in bringing this to everyone’s attention.

With a quick look to the legal implications of this:

Indeed, this is a breach of the Computer Misuse Act – but more significantly – a breach of the Terrorism Act, 2000 – both United Kingdom statutes.

These are actual crimes in the UK, and not civil proceedings. The Terrorism Act breach is particularly interesting – and something the government in the UK is keen to excise.

Furthermore: this presents two technically interesting points.
1) Does the much promoted Microsoft AntiSpyware app detect and cleanly remove SONY’s installation?
2) Has any malware creator already made use of this product to covertly hide their own code via this SONY-inflicted “hole”? If not, you can guarantee they will!
Further to this – SONY would surely be liable to civil penalties to any party who experiences ill effects due to this hole being imparted by SONY’s poorly thought-out implementation.

uk_perspective November 2, 2005 2:54 PM

As you are installing software of your own free will effectively [EULA now mentions this root-kit], it’s not computer misuse; well, there is no case-law [according to my journal research] for this, it would be up to the judge of course. However, circumventing copyright in the EU is illegal, yet reverse engineering for educational purposes is not. Interesting times. I do thank you for your commentary of NIST, excellent, excellent, thrice excellent.

peachpuff November 2, 2005 2:58 PM

“These are actual crimes in the UK, and not civil proceedings.”

This may be a crime in the U.S. also. Sony is pretending that they’ve altered their music so that it doesn’t work without their software. What they’ve really done is alter your OS so that you can’t use your CD drive without their software.

That’s not just a philosophical difference, it’s a source of serious problems at the OS level. Those problems wouldn’t happen if Sony were doing what they pretend to be doing.

Herman November 2, 2005 6:51 PM

Sony came up with a fix, but they require a browser with ActiveX enabled to download it.

I am at a loss for words, they are beyond clueless.

olivr November 2, 2005 7:36 PM

It seems to me that users shouldn’t be running their systems with administrative privileges. This is obvious to anyone who uses UNIX-like systems. Separation of user privileges is one of the most basic computer security principles.

Yes, this is nefarious. No, I don’t have much sympathy for victims.

peachpuff November 2, 2005 8:30 PM

“Yes, this is nefarious. No, I don’t have much sympathy for victims.”

I do. It apparently comes with a media player that you need admin privileges to install. It’s literally shrink-wrapped software from a major company containing a trojan and rootkit. The fact that this was first discovered by an expert testing an anti-rootkit tool on his own box tells me the victims deserve quite a bit of sympathy.

afx November 3, 2005 2:03 AM

http://www.betanews.com/article/print/Sony_to_Help_Remove_its_DRM_Rootkit/1130965475

Has some new details in the reply from Sony. Here’s some of the interesting parts:

“… Nonetheless, the company has decided to issue a patch to eliminate the cloaking and ‘allay any unnecessary concerns.’ The patch will be made available for download from Sony BMG’s Web site, with another offered directly to antivirus vendors. The DRM software will not be removed, however, only uncovered; that means users will still be unable to delete it without risk of rendering their CD drive inoperable. Customers must contact Sony BMG support for removal instructions.”

Ged November 3, 2005 5:36 AM

One aspect I haven’t seen mentioned yet: What happens when a consumer at some point installs two different “DRM rootkits”? Mark’s analysis indicates sloppy coding. My experience with Windows low-level drivers suggests that even excellent driver code runs into trouble at times. Put together, this suggests big trouble for the poor user who made the mistake of buying CDs from two different labels. Unusable PC, corrupt data, you name it.

JohnJ November 3, 2005 7:11 AM

@uk_perspective: “As you are installing software of your own free-will effectively[EULA now mentions this root-kit], it’s not computer misuse;”

This is true if and only if the CD doesn’t store the EULA but instead downloads it from Sony prior to installation of the malware. Otherwise the EULA in effect is the one on the media; that’s the one the end user agreed to.

Well, there’s one other possibility. That Sony immediately and effectively recalled all affected CDs and replaced them with remastered versions that include the new EULA.

Karl Lembke November 3, 2005 12:04 PM

I spotted this in the Washington Post, and blogged it.

([ritestuff.blogspot.com/2005/11/spyware-provided-by-sony.html])

The comments at the WP’s “Security Fix” blog include detailed instructions on how to remove the software, and blogger Brian Krebs describes Mikko Hyponen’s use of a third-party shareware package to rip the CD, anti-piracy features notwithstanding.

The point: “In truth, most antipiracy programs created thus far (and this one is no exception) place limits on legitimate users, but usually do little to prevent determined users from getting around the copy protection altogether.”

(Oh, yes. There’s lots of neat info on the Security Fix blog. [blogs.washingtonpost.com/securityfix/])

Guillaume November 3, 2005 2:39 PM

Two wrongs make it right ?

Remember the WoW daemon that checked to see if the EULA was respected ? By merely renaming files, Sony’s rootkit hides cheating or other EULA breaking software from the Warden, WoW alleged spyware.

Talk about turning the tables !

Quote from Mark’s article :

“[Sony DRM] cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$???”

That lead to this thread :
http://www.wowsharp.net/forums/viewtopic.php?t=7251

Thomas Sprinkmeier November 3, 2005 6:38 PM

@olivr,
“It seems to me that users shouldn’t be running their systems with administrative privileges. …. Yes, this is nefarious. No, I don’t have much sympathy for victims.”

Until running Windows as non-root is a realistic option, I have loads of sympathy for the victims.

Lots of software cannot run as non-root because it’s badly made.
It seems that lots of other software (mainly copyprotection, anti-cheating tools etc) must run as root to do what they need to do (which is to protect someone else at the cost of your security).

The end result is that running as non-administrator means you cannot run a lot of the stuff that’s out there.

This is a security-vs-useability tradeoff, why bother having a PC when it’s so secure you can’t use it?
It’s like having a car that limits itself to walking pace unless you remove your seatbelt. Sure, it’s unsafe to drive without a seatbelt, but it’s pointless to drive at all if it’s that slow.

In my opinion it’s unfair to blame users for running as admin until this changes.

Precision Blogger November 4, 2005 5:05 AM

Microsoft’s silence on this issue is deafening. Why haven’t they issued a statement saying that it’s always bad to install a rootkit in Windows and they demand these other companies to stop doing it?

Could it be that Microsoft approves of companies like Sony installing rootkits?
– precision blogger

Bruce Schneier November 4, 2005 7:54 AM

“Microsoft’s silence on this issue is deafening. Why haven’t they issued a statement saying that it’s always bad to install a rootkit in Windows and they demand these other companies to stop doing it?”

Really good point.

Michael November 4, 2005 8:26 AM

“It’s literally shrink-wrapped software from a major company containing a trojan and rootkit.”

And possibly spyware, too. One contributor to Mark Russinovich’s blog says:

“Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and http://www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to.”

This needs to be verified and added to the list of Sony’s misdemeanors with this software if it is replicable.

It’s also been pointed out that First 4 claimed to have consulted Symantec on their Trojan:

http://www.theinquirer.net/?article=27426

I wonder if any enterprising reporter has contacted Symantec for confirmation of that, because in my view if an anti-virus company has colluded in the production of a rootkit then they have betrayed their customers and this is a very, very serious issue, too.

Gary Johnston November 4, 2005 8:43 AM

“Microsoft’s silence on this issue is deafening. Why haven’t they issued a statement saying that it’s always bad to install a rootkit in Windows and they demand these other companies to stop doing it?”

Certainly Symantec and other AV Vendors will design signatures to detect and quarantine this malware, right?

Why shouldn’t they? Isn’t this what you are paying them for?

Microsoft’s “Malicious Software Removal Tool” should be modified to control this as well.

Shame on Sony…and shame on anyone who goes along with their scheme.

It’s YOUR PC, not ‘theirs’.

Bruce Hayden November 4, 2005 11:09 AM

As for administrator privileges, when I bought my HP laptop (running XP), it came with one account (“Owner”?) configured, by necessity, as an administrator. Because there is only one account, when you boot, it is automatically opened. I get the same thing when I restore the system from CDs.

Most computer users these days have no idea what you mean by “administrator” or “user” level privileges, or, indeed, even understand that you can (and should) run Windows NT based systems as multi-user systems. Heaven forbid trying to describe the much finer gradations I have with Win2K Professional Edition.

Indeed, I got in trouble with my parents when I enabled multi-user functionality with their Win98 systems. Too confusing for them. They just want to boot and go.

Davi Ottenheimer November 4, 2005 11:27 AM

I just noted the Reg’s latest take on this…some clever beavers are using the Sony BMG security to defeat the WoW security:

http://www.schneier.com/blog/archives/2005/11/sony_secretly_i_1.html

“Despite making a patch available on Wednesday to consumers to amend its copy protection software’s behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.”

A good example of how security technology is always a double-edged sword, as the old saying goes. It all just comes down to who is actually supposed to be entrusted with the master keys and why…do you trust Sony or Blizzard to manage ALL the information on your system in your best interest?

Gary Johnston November 4, 2005 11:51 AM

That’s right. If you are a System Admin and ANY of your users have Local Admin. rights they can bring in a Sony CD, install the rootkit, and proceed to hide any files on their system as they see fit.

Why, oh why, is there not a US CERT Bulletin on this yet?

Mike November 4, 2005 1:17 PM

AV company responses:

“Kaspersky Labs has classed Sony’s DRM software as spyware because, among other things, it can cause crashes and loss of data and it can compromise system integrity and security.

Explaining its decision, Kaspersky said it used the definition of spyware provided by the Anti-Spyware Coalition”

Sophos also condemned the Sony software, although rather more weakly: “We don’t really believe this is malware …” said Graham Cluley of Sophos.

http://news.zdnet.co.uk/0,39020330,39235702,00.htm

Still no comment anywhere from Symantec.

Davi Ottenheimer November 4, 2005 3:23 PM

I enjoyed f-secure’s weblog entry today on the subject:

http://www.f-secure.com/weblog/#00000696

“Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.”

They also point to the market impact on the band:

“At the moment of writing this blog entry, it has 97 review entries and 1,5 stars. I actually feel sorry for Van Zant, as they certainly don’t have anything to do with the DRM on their CD.”

That last statement reminds me of the discussion where we asked should developers be liable for bugs/issues with corporate software. In that sense I would like to know whether folks like Howard Schmidt would say we should hold Van Zant to blame for Sony’s rootkit fiasco (and perhaps every Microsoft system they’ve broken):

http://www.schneier.com/blog/archives/2005/10/liabilities_and.html

Stephen Hirsch November 7, 2005 9:51 AM

Calling all US lawyers (EU lawyers, too?):

This is calling out for a class-action lawsuit…sic ’em, boys and girls!

DarkFire November 7, 2005 12:56 PM

Typical corporate behaviour:

1) If the intellectual rights are yours then look at the finger.

2) If the intellectual rights are ours then look at the malware / team of lawyers.

Perhaps a better long-term solution for Sony would be to analyse WHY people wish to download their products for free: extortionate prices for their music / games & other products…

Mike November 8, 2005 6:19 AM

Someone has contacted Microsoft and asked whether the Malicious Software Removal Tool will tackle this malware. Microsoft’s response was not encouraging.

http://www.edbott.com/weblog/?p=1127

I find this staggering, because as Microsoft’s own John Howard points out the average user who experiences problems on account of this software will think Windows is to blame.

Way to go Microsoft – when personal users, if not yet corporate users, are starting to migrate to Apple why not give up protecting your users from corporate pirates like Sony. Madness.

Tom Ciarlone November 11, 2005 1:59 PM

Class Action Law Firm Investigating Sony CDs:
My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at tciarlone@lawssb.com.

Minime November 11, 2005 2:46 PM

“Microsoft’s silence on this issue is deafening. Why haven’t they issued a statement saying that it’s always bad to install a rootkit in Windows and they demand these other companies to stop doing it?”

I think that one problem is that basically all antivirus, anti-spyware, behavior blockers, software firewalls etc. use rootkit-like technology to do their job.

Thomas Sprinkmeier November 12, 2005 5:27 AM

@Precision Blogger
“Microsoft’s silence on this issue is deafening.”

I think the problem is that what Sony tried to do, though the methods are different, is uncomfortably close to what Microsoft are trying to do with “trusted computing”.

Sony sneaks something onto your computer that has more control than you. You can’t see it, stop it, control it, or prevent it from double-checking what you do and report your actions to corporate HQ.

“trusted computing” has all those elements, except for the “install by stealth” part. Users will actually pay extra for a “trusted” system because they’ll be told it will improve security.
(No doubt something or someone will be more secure, it just may not be the PC or the person who bought it).

Would anyone feel more secure with a SONY rootkit? No? Then why would anyone feel more secure with system that has the exact same functionality as a rootkit designed in?

another_bruce November 12, 2005 11:57 PM

the spyware you get from a prominent record label is now worse than the spyware you get from file-swapping sites. the file-swapping sites need to install rootkits too!

Mike November 13, 2005 4:08 AM

I should add, it is not before time. As a government official at the Department of Homeland Security has pointed out, what if there is a serious national emergency, such as an outbreak of avian flu?

People may need to use their PCs to communicate in such a situation, and if they have been damaged by Sony’s malicious software – I guess we can call it that now it is targeted by the MSRT – they may not work properly.

http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html

Bruce Schneier November 13, 2005 11:47 AM

“Microsoft’s silence was, indeed deafening, but they have now finally gotten around to it. To use CNet’s term, they will wipe it.”

It really makes sense. If this rootkit — or any other of its ilk — crash Windows, Microsoft will be blamed.

Mike November 14, 2005 8:49 AM

“It really makes sense. If this rootkit — or any other of its ilk — crash Windows, Microsoft will be blamed.”

Absolutely – as John Howard had pointed out a while back. This makes it all the more astounding that Microsoft held off for so long.

Furthermore, contributors to Mark Russinovich’s blog speak of being directed to First 4 by Microsoft or asked if they have “the latest update to Windows Media Center” when reporting various nasty and inexplicable problems to Microsoft. And this seems to go back some way.

Sorry to be cynical – and I wouldn’t be if the evidence didn’t seem to point that way – but I think Microsoft would have done nothing if this had not been, so to speak, blogged into people’s consciousness.

I have to suspect that the public pressure was pretty telling, and when the AV companies started to react, and Stewart Baker spoke out, Sony got the wind up … and Microsoft felt free to act.

Microsoft, like everyone else, had to tread carefully. It seems to me that the rotten fruit hidden at the bottom of the barrel here is the DMCA. It meant that companies who could have provided information and protection in a more timely manner would instead sooner have seen the whole barrel fester and corrupt than do anything about it – out of fear.

Now, I heard on the radio the other day that examination of the meta-data in Word documents made available by the US government showed that they had originated with Hollywood/the record-labels. Hmmm … so we now have a democracy in which law is dictated to the executive by interested (and deep-pocketed) parties.

And the result has been that a corporation has been able to infringe on individuals’ property rights – by placing spyware on their machines without full disclosure of what they were doing. Accordingly, it has made those machines unstable and insecure, and thereby, as Mr. Baker points out, threatened the national infrastructure at a time when avian flu might strike. Worse, the AV companies and Microsoft have felt frightened to react until it has become obvious that Sony/First 4’s behavior has been so egregious that it is safe to do so.

Sony/First 4 has also itself, possibly, violated copyright:

http://www.boingboing.net/2005/11/13/sonys_rootkit_infrin.html

Time, I think, to ask one’s elected representatives to look at this whole area of legislation afresh.

Thomas Sprinkmeier November 15, 2005 1:42 AM

@Bruce,
“If this rootkit — or any other of its ilk — crash Windows, Microsoft will be blamed.”

Faulty hardware and device drivers can also crash a PC. Hence the “approved device driver program” and “hardware compatibility list”.

Will there be a matching “approved rootkit” program?
(They’ll probably use the term “DRM enforcement technology” or somesuch rather than “rootkit” for marketing reasons, but a rose by any other name … ).

Jim Hyslop November 16, 2005 12:02 AM

OK, so if I understand how rootkit installations work, they modify files in the %systemroot% and/or %systemroot%\System32 directories. If that’s the case, then the solution is simple: do your day-to-day stuff (including listening to music) logged in as a plain, ordinary user, not as an administrative user. Ordinary users cannot modify the %systemroot% directory, therefore the rootkit cannot get installed in the first place.

Thomas Sprinkmeier November 16, 2005 4:49 PM

@Jim,
“… do your day-to-day stuff (including listening to music) logged in as a plain, ordinary user, …”

Been there, tried that, see earlier post. The number of apps that won’t run as non-admin makes this all but impossible, unless you want to settle for a tiny subset of what’s available. Try telling a 5 year-old that he can’t run his “Paul the Plumber” game ‘cos it’s so badly written it needs admin privileges.

I figure the only thing is to run a virtual windows machine (using something like VMware, Virtual PC, bochs etc.) that you can reset whenever it gets too infested. Pity the virtual machine needs its own costly windows license.

Apparently under “system requirements” for the Sony CDs was “an account with admin access”.

Chui Tey November 17, 2005 8:45 PM

The law is the law. Antivirus companies cannot remove the rootkit since DMCA provisions preclude that. This includes Government offices, who should be first in line to uphold the law.

Someone want to bring an action against the government to ensure they do not remove the rootkit from their computers?

Rufus Jenkins November 18, 2005 8:14 AM

Yes, unfortunately many users sit on an administrator account that is not even password protected, and with autoplay/autostart on, which is really asking for trouble.
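As an added example (not part of Jim Hyslop’s or Rufus Jenkins’ comments, and not code from the thread), the following PowerShell script checks the two conditions those comments describe on a Windows machine: whether the current session could write into %SystemRoot%\System32 (admin token, or a writable system directory), and whether AutoRun for CD-ROM drives has been disabled through the NoDriveTypeAutoRun policy value. The write probe is my own approach and reports the effective token of the running session; on systems with UAC an administrator running un-elevated will correctly show as unable to write.

```powershell
# Added example: report whether an autorun installer on an inserted CD could
# reach %SystemRoot%\System32 from this session. Not from the original thread.

function Get-AutorunExposure {
    # Is the current token a member of the local Administrators group?
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Can this account actually create a file under %SystemRoot%\System32?
    # (Hypothetical probe file name; it is removed immediately if created.)
    $probe = Join-Path $env:SystemRoot "System32\__write_probe_$PID.tmp"
    try {
        [IO.File]::WriteAllText($probe, "probe")
        Remove-Item -Path $probe -Force
        $canWriteSystem32 = $true
    } catch {
        $canWriteSystem32 = $false
    }

    # NoDriveTypeAutoRun is a bitmask of drive types with AutoRun disabled.
    # Bit 0x20 is the CD-ROM drive type; 0xFF disables AutoRun everywhere.
    $policyKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    $cdAutorunOff = $false
    foreach ($key in $policyKeys) {
        $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -ne $value -and (($value -band 0x20) -ne 0)) { $cdAutorunOff = $true }
    }

    [PSCustomObject]@{
        IsAdmin          = $isAdmin
        CanWriteSystem32 = $canWriteSystem32
        CdAutorunOff     = $cdAutorunOff
        # Exposed when a CD's autorun would start with system-directory write
        # access, which is the combination the two comments above warn about.
        Exposed          = ($isAdmin -or $canWriteSystem32) -and (-not $cdAutorunOff)
    }
}

Get-AutorunExposure | Format-List
```

Running it as the day-to-day account shows whether the “plain, ordinary user” advice is actually in effect; a result of Exposed = True means either the account has write access to the system directory or AutoRun would still launch whatever an inserted CD asks for.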

linux cds November 18, 2005 8:16 AM

Microsoft themselves say they will remove it with the malicious software removal tool.

Since Sony themselves are recalling all CDs with the rootkit, I don’t think people will question AV companies & Microsoft on this.

Poop stir November 21, 2005 5:35 PM

“Microsoft themselves say they will remove it with the malicious software removal tool.”

And yet, how much DRM does MS inject on the typical WindowsXP system? I heard even when you insert a DVD it sends “anonymous” information back, and that’s just the beginning.

Sounds like Satan helping humans from the malicious acts of a demon.
