  #1  
11-02-2005
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,044
Sony Installs DRM 'Rootkits' On Users Machines.



In what's set to be 2005's hottest story yet, Sony have been found to install illegal Trojan horse-based digital restrictions management (DRM) technology that installs itself as a rootkit on Windows PCs.

Users who purchase certain Sony Music CDs from online stores like Amazon are subject to this rootkit being installed on their machines. According to Sysinternals' Mark Russinovich the kit installs itself in hidden directories and attempts to mask its existence as "Essential System Tools".

What's more fun is that attempting to remove the rootkit with common tools that perform a RKR scan will render a Windows XP machine useless. "Users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," Mark wrote in an online blog entry yesterday.

So what exactly is Sony playing at? Installing rootkit software that's not identified in its EULA and rendering machines useless if users try to remove the software! This is taking the RIAA effort a little too far.


From:
http://www.neowin.net/comments.php?i...&category=main


More:

Sony, Rootkits and Digital Rights Management Gone Too Far

http://www.sysinternals.com/blog/200...al-rights.html


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #2  
11-05-2005
joe5

Block CD/DVD DRM and Rootkits Easily



Author: Andrew

Sony recently showed the extent to which they will go to attempt to copy protect their Music CDs. The latest use of Rootkits in their DRM has gone way too far. I am personally boycotting Sony Products. Stopping these sorts of infections and getting around DRM is much easier than you think. Simply disabling the Windows Autorun feature blocks them from installing cold. Losing the convenience of Autorun is a small price to pay for the peace of mind that your computer will not become the dumping ground for future DRM Viruses and Rootkits that can cripple the ability to use your CD/DVD drive.

Disabling Autorun
For DRM Viruses and Rootkits to install they must be executed. Music CD/DVDs do this by utilizing the built-in Autorun feature of Windows that lets you put a disc in your drive and have it play automatically. This convenient feature also lets the DRM software execute and infect your computer. Simply disabling Autorun blocks the DRM software from executing but allows you to still manually listen to the music. This does require an additional step on your part to open the CD/DVD from your media player but it is much more secure.



http://poptech.blogspot.com/2005/11/...ts-easily.html


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
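
The Autorun change described in the post above, as an added example that is not part of the original post or the quoted article. It assumes Windows PowerShell is available and uses the standard `NoDriveTypeAutoRun` policy value, which the page does not name; without `-Apply` it only reports the current setting.

```powershell
# Added example: audit the Autorun policy and, with -Apply, disable Autorun for all drive types.
param([switch]$Apply)

$SubKey    = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'   # standard Windows policy value (not named on the page)
$CdRomBit  = 0x20                   # bit set = Autorun disabled for CD/DVD drives
$AllDrives = 0xFF                   # every drive-type bit set

function Get-AutorunMask([string]$Hive) {
    $prop = Get-ItemProperty -Path "${Hive}:\$SubKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }            # value absent: the Windows default applies
    $raw = $prop.$ValueName
    # The value may be stored as REG_BINARY; the low byte carries the drive-type bits.
    if ($raw -is [byte[]]) { return [int]$raw[0] }
    return ([int]$raw -band 0xFF)
}

function Test-CdAutorunBlocked($Mask) {
    return ($null -ne $Mask) -and (($Mask -band $CdRomBit) -ne 0)
}

# Report both hives: the machine-wide policy and the per-user one.
foreach ($hive in 'HKLM', 'HKCU') {
    $mask  = Get-AutorunMask $hive
    $shown = if ($null -eq $mask) { '(not set)' } else { '0x{0:X2}' -f $mask }
    '{0}: {1} = {2}; CD/DVD Autorun blocked: {3}' -f $hive, $ValueName, $shown, (Test-CdAutorunBlocked $mask)
}

if ($Apply) {
    # Machine-wide policy; needs an elevated (administrator) session.
    $path = "HKLM:\$SubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value $AllDrives -Force | Out-Null
    'Set HKLM {0} to 0x{1:X2}' -f $ValueName, (Get-AutorunMask 'HKLM')
}
```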

  #3  
11-05-2005
joe5

Sony Offers Removal Technique on Cloaked DRM Software

November 2, 2005
Thomas Mennecke



If the record labels are trying to win the DRM (Digital Rights Management) public relations war, they are off to an atrocious start. The intention of DRM is to protect the intellectual property rights of content owners. Being the blanket term it is, DRM can take the form of virtually any technique.


On October 31, 2005, the Internet community learned how ugly these techniques could get. Mark Russinovich, an expert on the internals of Windows and one of the writers behind Sysinternals.com, discovered evidence of a rootkit on one of his computers.

Rootkits are sneaky pieces of software that hide on one's computer. They are virtually invisible to most, if not all, conventional anti-spyware and anti-virus software. You may ask why they hide themselves from diagnostic software scans. This is done because they are most often associated with the worst kinds of software on the Internet. No, not Grokster, but other malicious software such as viruses, trojans, and other malware.

Using RootKitRevealer (RKR), Mark Russinovich discovered a "hidden directory, several hidden device drivers, and a hidden application".

After a lengthy and clever investigation, Mark Russinovich discovered the Rootkit was part of a DRM copy protection scheme devised by a company named First4Internet. First4Internet had developed a DRM technology dubbed XCP, or Extended Copy Protection, which it licensed to Sony-BMG Music. The copy protection software had been included on the Sony-BMG CD "Get Right with the Man" by the Van Zant brothers, which Russinovich had played on the computer in question.

The fact this software couldn't be detected by conventional spyware or virus sweepers was bad news, but certainly not the worst. If an inexperienced individual were to remove the cloaked files after discovery with RKR, the individual's computer may become seriously crippled. Although Sony repeatedly attempted to hide behind their EULA, which made no mention of this software, the public backlash proved too much for Sony-BMG to bear. Even those who support an artist's right to protect their content were scornful of this inexcusable move by Sony-BMG.

In response, Sony-BMG Music was forced to provide a method to remove this cloaked DRM software. In an update issued today, Sony-BMG issued the following statement:

"November 2, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

It's interesting that Sony-BMG Music felt they could hide this kind of copy protection scheme from the public. The music industry is in a difficult position as "legitimate" downloads have stagnated and the P2P population continues to increase. A public relations nightmare such as this, especially one that draws attention to DRM and its implications, is definitely not what the music industry needs.


From:
http://slyck.com/news.php?story=977


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #4  
12-02-2005
joe5

Sony's Uninstaller Is Worse than Its DRM

By Larry Loeb


Opinion: Using the uninstaller provided by Sony to remove its rootkit-like DRM program can leave the user even more vulnerable.

In response to the firestorm over its DRM on CDs, Sony made available last week a Web-based "uninstaller" to remove it. It appears this cure is worse than the disease.

Matti Nikki of Finland was the first to figure out just what the uninstaller was doing. It seems the uninstaller puts an ActiveX control called CodeSupport on the target machine even before the uninstall URL can be obtained.


The control is marked "safe for scripting" and remains this way on the machine even after the uninstall process is concluded.

What this means is that any remote user can use the methods of this control to do anything. Here's the list of methods that Muzzy found:

GenerateRequestPacket
ExecuteCode (can crash browser)
Uninstall
RebootMachine (exploitable; Muzzy has a demo that may make the situation worse)
GetProgress
OnLoaded
InitializeDiscScan
GetNumberOfDiscs
IsDRMServerValid
GetAlbumArtist
GetAlbumName
GetMaxBurnCount
GetCurrentBurnCount
GenerateIncrementPacket
IsContentOwnerValid
DoIncrement
GetInstalledSoftwareVersion
IsXCPDiscPresent
InstallUpdate (possibly exploitable, downloads given a URL)
GetInstallProgress
GetCompletionStatus
IsXCPDiscPresentAsLong
IsAdministrator

It was at this point that Ed Felten and Alex Halderman of Princeton got involved on their Freedom to Tinker Weblog. They realized that the CodeSupport control would allow any Web page to download, install and run any code it wants to on your computer, since CodeSupport doesn't verify that it is only working with the uninstaller code it was supposed to deal with.

Halderman and Felten have written exploits (that they are not making public) to verify that this can occur. While Sony has replaced the Web-based installer with a downloadable .exe file, it remains unclear at this point (given the company's track record) whether the new installer is safe to use.

There is a simple way suggested by Halderman and Felten to remove the CodeSupport component from Windows if you have been affected.

From the Start Menu, choose Run, and then type the following (between the brackets without typing the brackets) into the box that appears.
[cmd /k del "%windir%\downloaded program files\codesupport.*"]

That should delete all files associated with the control. Please understand that you do this at your own risk, since your security settings may not prevent the software from being installed again.



From:
http://www.security.ithub.com/articl.../165408_1.aspx


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
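
The "safe for scripting" marking described in the post above can be audited from the registry before and after removing the files. This is an added example, not part of the original post or the quoted article; it assumes Windows PowerShell 3.0 or later, only reads, and the category GUID is the standard Windows CATID_SafeForScripting identifier rather than a value from the page.

```powershell
# Added example: list registered ActiveX controls flagged "safe for scripting" and look
# for leftover codesupport.* files in the folder the article's del command targets.
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4E55}'   # CATID_SafeForScripting
$ClsidRoot        = 'Registry::HKEY_CLASSES_ROOT\CLSID'
$DownloadDir      = Join-Path $env:windir 'Downloaded Program Files'

function Get-SafeForScriptingControl {
    Get-ChildItem -LiteralPath $ClsidRoot -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            # A control registered under this category is scriptable by any web page.
            $cat = $_.OpenSubKey("Implemented Categories\$SafeForScripting")
            if ($null -eq $cat) { return }
            $cat.Close()
            $srvKey = $_.OpenSubKey('InprocServer32')
            $server = if ($srvKey) { [string]$srvKey.GetValue('') } else { '' }
            [pscustomobject]@{
                Clsid      = $_.PSChildName
                Name       = [string]$_.GetValue('')
                Server     = $server
                Downloaded = $server -like "$DownloadDir\*"   # installed from a web page
            }
        } catch { }   # skip keys this account cannot read
    }
}

$controls = @(Get-SafeForScriptingControl)
'{0} control(s) registered as safe for scripting' -f $controls.Count

# Review first: web-installed controls and anything served from a codesupport.* file.
$controls | Where-Object { $_.Downloaded -or $_.Server -like '*\codesupport.*' } |
    Format-Table Clsid, Name, Server -AutoSize | Out-String

# Files matching the pattern in the article's del command.
if (Test-Path -LiteralPath $DownloadDir) {
    Get-ChildItem -LiteralPath $DownloadDir -Filter 'codesupport.*' -Force |
        Format-Table FullName, Length, LastWriteTime -AutoSize | Out-String
}
```

A control can also declare itself safe at run time through the IObjectSafety interface, which this registry check does not see, and a server path stored in 8.3 short form will not match the folder test.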

