View Full Version : Sony DRM



Carnivore
2005-11-01, 19:01
Take a look at http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

This is a revelation of the inner workings of the DRM-implementation that came with at least one Sony CD. Basically the software acts as a "rootkit", the most vile kind of scumware in existence, ordinarily only used by the kind of criminals that crack computers, designed to change the operating system at the lowest level and be undetectable. Moreover, it appears to be a badly coded rootkit, opening the door wide open for potential further abuse from companies with even less honest objectives than the RIAA.

Just because Sony is a huge corporation shouldn't give them the right to bully consumers and infect PCs this way. I strongly urge the developers to add this to the detection rules to allow users to block or remove this offensive garbage. I also wouldn't be surprised if this is going to get Sony into a class action lawsuit sooner or later.

tashi
2005-11-01, 19:08
Thank you Carnivore. I will certainly bring this to our detectives attention.

Cheers. :)

bitman
2005-11-01, 21:27
Mark's article is an opinion, not an indication of any illegal activity. As he states and shows with a graphic of the Amazon Web page he purchased from:

I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:
Immediately below the CD title in large letters is the statement:
[CONTENT COPY-PROTECTED CD]

Though Mark doesn't like the way they implement that protection for technical reasons, they are totally within their rights as he also states:

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
Most of this statement is an opinion; it has no legal basis since the DRM is mentioned by Sony before the sale. Mark may be well respected for his technical knowledge relating to such software, but that does not assign him any special legal status. Though I agree with him about the technical issues he discovered, this doesn't change the fact that Sony is entirely within their rights to install such software.

If you agree with him, your primary recourse is to not buy this or other Sony CDs protected in this way and/or inform Sony of your dislike for their methods.

Carnivore
2005-11-01, 22:02
That kind of defense must be typical of what every malware producer comes up with to justify their actions. "We're not foistware, all you have to do is read through the 10,000 words of gobbledygook in our EULA and you'd know you were giving your consent for us to install invisible software on your computer that nobody in their right mind would normally allow!"

According to Mark:

I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall.
I think that says it all.

bitman
2005-11-01, 23:32
The information missing from the EULA would be an issue to bring to Sony, but doesn't really change the legal situation since it's more than clearly stated on the Web page that Copy-Protection software will be installed.

As I said before, the primary recourse is to refuse to buy products with such software installs and make sure Sony knows about it. I'm not protecting the badly written software being used by Sony, but they have the legal right to include DRM software if they've informed the purchaser that it's included.

I'd rather not see any reputable antispyware organization take the position of removing such software since that pits them against an industry with lots of money and legal backing and a history of using it on little guys. All that will do is place both industries in a bad light and tie up resources that would be better spent fighting 'true' malware.

This software is bad enough technically that complete exposure of that via this and other forums and serving notice to Sony of peoples' issue with it should be sufficient to invoke change.

I hope for Mark's sake that nothing about this specific software is mentioned anywhere since if it is, there's likely the usual legalese about no disassembly, reverse engineering, etc. Since he displays the fact that he's done exactly this on this web page, he's at a greater risk of being sued by either Sony or the software creator than being able to sue them for badly written software that's caused him no specific issue to this point.

tashi
2005-11-02, 16:00
We shall see what unfolds; the anti-malware community is not blowing off the results of Sony DRM.

Agent O
2005-11-02, 21:41
I'd like to start by saying I really appreciate the work that you do; and I, and many others, would indeed tremendously appreciate it if you would indeed add f4i XCP as a Malware detection.

Contrary to bitman's position above, I am personally of the opinion that Sony should not be held to a lower ethical standard merely because they are big. I think this should be added to the definitions. Covert malware like this is unacceptable, no matter who makes or distributes it; and I would hope that any reputable antispyware solution would also feel the same way (lest, god forbid, people start assuming that this kind of behaviour is normal and acceptable).

(Sideline: Given the stated "casual-copying-prevention" target of this DRM, and that of course the autoplay can be disabled by many methods and of course isn't active on unsupported systems like Macs, I wonder why it goes to such lengths to keep its claws in? There's no need to hide itself, and no need for it to stay persistent after the CD is ejected, to perform its stated copy-protection function.)

I'm sure Mark is keenly aware of the legal issues; he is an experienced white-hat, and decided that public disclosure was important. Early variants of this XCP software apparently install before the EULA is displayed (I'm trying to procure a sample, someone I know bought one).

I've actually been tracking this one myself for a while already. The SBCPHID driver performed a similar ripping-scrambling purpose in the MediaMax DRM system (and was also covertly installed in some cases, and as hazardous to remove), but when they switched to f4i's XCP I was surprised myself to see that it even actively tried to hide itself using the (dirty) syscall hooks mentioned, which is definitely a step beyond the pale.

It is, of course, in the wild and widespread, being included on more or less every recent Sony Music release; and I have received reports of people already using the $sys$ hiding provided by aries.sys to cloak other software (notably WoW botting programs: http://www.wowsharp.net/forums/viewtopic.php?t=7251 - and one WoW password stealer, so I hear; probably related) as a sort of easy ride to a simple kernel-mode-stealth.

It has malicious intent; it scrambles sectors ripped on any CD that has a similar (but not necessarily identical) TOC to the protected disc. (Indeed, it can scramble all subsequent CD ripping - I've seen Mediamax do this - or fail installation, causing a broken link in the lower filter chain, causing the CD-ROM drive to apparently vanish.)

It's badly written; I've seen it cause bluescreens on a test VMWare image during an insert of some CDs (the author is an amateur at kernel-mode code; even as I write this, I am wondering if there are any locally-exploitable privilege escalation vulnerabilities in it).

A component examines the process list and files continually (that might be a little mild to qualify as spying in and of itself, it doesn't send it anywhere).

Most importantly: It has no uninstall option. It is difficult to remove manually. It tries - very hard - to actively hide its existence. That alone qualifies it as malware, in my humble opinion. (I'd personally class it under the "Malware" detection, as "rootkit" is more traditionally used for covert remote access applications, not covert malware in general, but of course rootkits is where this hiding technique gained ground.)

"XCP Red" from the same company is a CDS-200 spinoff, apparently, and tries to make the CD unreadable to any with scrambled session techniques; it's not supposed to be readable in a PC at all (or suitable for public use, because of that, it's used internally, apparently on some radio promo CDs, I'm trying to procure a sample out of sheer interest), so there isn't any data track, and so no malware on it.


Detection wouldn't tie up much time, because it's fairly trivial. I can see two obvious ways. One, look for the files and registry keys, they show up when directly accessed, just not in listings (probably the easiest). Or two, create a tempfile with a name like $sys$f4itest.dat, and see if it vanishes (before deleting it).

Removal is trickier; you need to remember to remove it from the list of Lowerfilters in all the CD-ROM keys, but that's pretty much the only catch.
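A defender-side check for the $sys$ cloaking behaviour Agent O describes, written as an added example and not code from the thread or from any vendor's tool: it creates a canary file with the $sys$ prefix, compares direct access against the directory listing, and on Windows reads (never edits) the CD-ROM class LowerFilters value for $sys$-prefixed entries. The canary file name and the helper names are assumptions; the CD-ROM class GUID is the standard Windows setup-class value.

```python
import os
import tempfile

# Prefix that the XCP cloaking driver filters out of file, process and
# registry listings, as described in the thread.
CLOAK_PREFIX = "$sys$"

# Device setup class key for CD-ROM drives; LowerFilters under this key
# is where Agent O says the filter driver is registered.
CDROM_CLASS_KEY = (
    r"SYSTEM\CurrentControlSet\Control\Class"
    r"\{4D36E965-E325-11CE-BFC1-08002BE10318}"
)


def hidden_names(direct_names, listed_names):
    """Names that exist on direct access but are missing from a listing."""
    listed = set(listed_names)
    return sorted(n for n in direct_names if n not in listed)


def canary_check(directory, name="$sys$f4itest.dat"):
    """Create a $sys$-prefixed canary file and compare two views of it.

    On a clean system the file is both reachable by path and present in
    os.listdir(). A driver that filters listings for the prefix lets the
    direct path work while the name vanishes from the listing; that
    combination is the verdict reported as "cloaked".
    """
    path = os.path.join(directory, name)  # assumed canary name
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        accessible = os.path.isfile(path)
        hidden = hidden_names([name], os.listdir(directory))
    finally:
        # Delete by direct path: works whether or not the name is
        # being filtered from listings.
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass
    return {
        "accessible": accessible,
        "listed": name not in hidden,
        "cloaked": accessible and bool(hidden),
    }


def run_canary_in_tempdir():
    """Run canary_check() in a fresh temporary directory and clean up."""
    directory = tempfile.mkdtemp()
    try:
        return canary_check(directory)
    finally:
        os.rmdir(directory)


def cloaked_lower_filters():
    """Return $sys$-prefixed entries of the CD-ROM class LowerFilters value.

    Windows-only (winreg); returns an empty list elsewhere or when the
    value is absent. Read-only: it reports, it does not touch the key.
    """
    try:
        import winreg
    except ImportError:
        return []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CDROM_CLASS_KEY) as key:
            value, _ = winreg.QueryValueEx(key, "LowerFilters")
    except OSError:
        return []
    # REG_MULTI_SZ is returned as a list of strings.
    return [v for v in value if v.lower().startswith(CLOAK_PREFIX)]


if __name__ == "__main__":
    print("canary:", run_canary_in_tempdir())
    print("LowerFilters $sys$ entries:", cloaked_lower_filters())
```

On a clean machine the canary reports accessible and listed with cloaked False; a listing-filtering driver flips listed to False while the direct access still succeeds.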

el cpu
2005-11-03, 10:16
After reading Mark Russinovich's superb summary on the Sony DRM rootkit exploit I completely agree with the concerns expressed by Carnivore and Agent O. Bear with me please, but I think Bitman missed the point; regardless of a EULA, Sony does not have the right to cloak software and install it without an uninstaller, especially when such software allows a hacker to compromise a system. A Google News search of Sony BMG just brought 129 articles worldwide on this bug. Sony is rapidly providing a patch to the major virus scanning companies, Symantec, McAfee, F-Secure, etc. to uncloak the files although this patch does not remove the software. I share in urging our trusted friends at Spybot to include this item in their detections. Sony compromised computers allow malware crooks a back way to get into the systems and it is a matter of a few hours, not days before someone exploits this flaw. Shame on Sony. :mad:

May want to visit the following F-Secure site: http://www.f-secure.com/v-descs/xcp_drm.shtml
quote: "Although the software isn't itself malicious, the hiding techniques used are exactly the same that malicious software known as rootkits use to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits. The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix '$sys$', the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques."

Also PCWorld had this to say today in their article "Is Sony trying to kill the CD Format for Music": http://blogs.pcworld.com/staffblog/archives/001051.html

Buster
2005-11-03, 12:39
Here is the statement from Sony about this. http://cp.sonybmg.com/xcp/english/faq.html


6. I have heard that the protection software is really malware/spyware. Could this be true?

Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the components.

Our technology vendors are constantly looking to improve the product as well as respond to any critical software issues found. Please check here for upgrades to address any known issues

But being forced to enter an email address to get the uninstall software doesn't make this more anonymous. :confused:
The software does not collect any personal information nor is it designed to be intrusive to your computer system.

bitman
2005-11-03, 14:24
I've got no argument with anyone's analysis of the software; it's obviously not well written and by using the same techniques as malware, puts itself at risk of exactly what's happened already.

My position perfectly mirrors the first paragraph of the F-Secure Conclusion section which 'el cpu' left out in the quote above:

Conclusion

The DRM software does not self-replicate and doesn't contain malicious features and should thus be considered a false positive, triggered by the advanced hiding techniques used by the software.
http://www.f-secure.com/v-descs/xcp_drm.shtml

Though it's badly written and may create a potential hiding place for true malware, nothing described has made this program itself malware. At best it deserves the PUPs 'Possibly Unwanted Program' designation created by Team Spybot for exactly such situations. This would allow optional removal of the software without marking it as malware itself, also requiring the user to check the removal box which is unchecked by default.

My concern is that by considering this software for a malware rating, an antispyware organization would be placing itself at risk of a valid legal suit by the RIAA, which would have to protect its right to copy-protection. This also places them directly in the middle of the RIAA and everyone who hates them, a no win situation from the start and an already hopeless legal mess. No antispyware organization needs to create such an obvious problem for itself and allow it to drain their already limited resources.

Note that all the press has already resulted in exactly what I mentioned it would, Sony has had to respond. They've offered a method to uninstall the software and been forced to respond publicly. Undoubtedly they'll have to respond further over the coming days and weeks by improving/replacing the copy-protection software and installation notification within the associated EULA. All of this is exactly what should happen.

The idea that antimalware exists to remove every piece of software that creates even a potential issue is getting stretched here. By this standard, Internet Explorer and even the Windows OS itself should be removed by antimalware. There must be solid criteria for such decisions which, as I understand, the ASC was created to help provide. Hopefully Team Spybot and other members of this group have defined a way to deal with such situations. We shall see.

tashi
2005-11-03, 18:25
Update:
http://cp.sonybmg.com/xcp/english/updates.html


http://updates.xcp-aurora.com/

Latest Update
Service Pack 2
2|Nov|2005, 3.253Mb
This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.
Download Now

el cpu
2005-11-03, 21:14
I would not rely on the stated information from Sony, for obvious reasons it is written with their own spin and is not completely factual. The patch mentioned by Tashi uncloaks the files, it does not remove the software, the harm and risk remain, one is just able to see the files, that's all. By now it is well understood that the Sony DRM does compromise security, a google search will lead to the explanations. To remove the software you are asked to register with Sony and after registering they state that they will respond later. I wonder if a removal process is available - as Agent O stated removal may not be that simple. Some users have lost the ability to see their CD drives when attempting to remove the software and have had to reinstall their systems.

From my perspective this falls into the broad category of malware; it compromises your system and the compromised system can allow others to hack in. Other than being from a big company, I see this as no different than the numerous toolbars that Spybot detects or for that matter the infamous DSO Exploit that allowed hackers a back way - Spybot detected the DSO Exploit, so why not this? Just my opinion.... :)

May find this of interest (from Kaspersky Lab http://www.viruslist.com/en/weblog?weblogid=173255368)
We would like to highlight that according to ASC's definition of SpyWare this software may be classified as such.
* May be a nuisance and impair productivity
* Can slow machine down or cause crashes and loss of data
* May be associated with security risks
* Can compromise system integrity and security
* Done covertly, it is stealing cycles and other resources
Rootkits are rapidly becoming one of the biggest issues in cybersecurity. Vendors are making more and more of an effort to detect this kind of threat. So why is Sony opting to use this dubious technology?

May find this of interest (from http://news.zdnet.co.uk/0,39020330,39235377,00.htm)
Several antivirus companies followed Russinovich's news with warnings that the First 4 Internet tools could let virus writers hide malicious software on computers, if the coders piggybacked on the file-cloaking functions. "For now it is theoretical, or academic, but it is concerning," said Mikko Hypponen, chief research officer at antivirus company F-Secure. "There's no risk right now that we know of, but I wouldn't keep this on my machine." The patch that First 4 Internet is providing to antivirus companies will eliminate the rootkit's ability to hide itself and the copy-restriction software in a computer's recesses. The patch will be automatically distributed to people who use tools such as Norton Antivirus and other similar programs, Gilliat-Smith said. The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view. Consumers who want to remove the copy-restriction software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said.

May find the BBC and Washington Post articles of interest also:
http://news.bbc.co.uk/2/hi/technology/4400148.stm
http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html

ih8bills
2005-11-04, 04:43
:mad: This kind of nonsense is a good reason to support those who fight privacy invasions-- like the EFF/Consumer's Union, Spybot, etc. I am tired of corpoworld sticking their noses in my affairs. I pay for my music, etc... I should not have to deal with such garbage in order to use something I paid for.
Did they honestly think they would not EVENTUALLY get caught ??:rolleyes:

tashi
2005-11-05, 02:28
Mark Russinovich
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
Another informative read.

el cpu
2005-11-07, 19:05
Information below from the zdnet site, dated November 7, 2005.

"Antivirus companies are considering protecting their customers from the digital rights management software used by Sony on some CDs. Kaspersky Lab has classed Sony's DRM software as spyware because, among other things, it can cause crashes and loss of data, and it can compromise system integrity and security. Explaining its decision, Kaspersky said it used the definition of spyware provided by the Anti-Spyware Coalition. Sophos, another security company, is similarly scathing of Sony and is calling the software "ineptware."

Complete article at:
http://www.zdnet.com.au/news/security/soa/Sony_s_antipiracy_may_end_up_on_antivirus_hit_lists/0,2000061744,39220988,00.htm

el cpu
2005-11-08, 20:57
Computer Associates Pest Patrol is set to detect the Sony DRM starting with their November 11 update. Should Spybot consider the same?

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362
quote from above link:
This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained. Sony BMG has released a patch which removes the rootkit and eliminates the above vulnerability. The patch fails the eTrust PestPatrol scorecard in its own right and its security advisor page can be found here. After the patch is run this variant of the XCP.Sony.Rootkit program still violates the eTrust PestPatrol Scorecard.

Latest from Mark Russinovich: http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html

mikey
2005-11-10, 15:14
Computer Associates Pest Patrol is set to detect and remove the Sony DRM starting with their November 12 update. Should Spybot consider the same?


I think many are interested in the answer to that.

Seems to me that SONY is depending strongly on the users not noticing that they have been infected with a parasite...a parasite that secretly installs, secretly sends profiling data back to their server logs(spies), tries to hide, and has no viable uninstall string. I can't think of many more parasitic wares around.

Another post from Mark;

http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Agent O
2005-11-10, 21:11
What I anticipated and feared has now happened; aries.sys, the cloaking component of XCP Aurora, is now literally being (ab)used to cloak both in-the-wild and in-development trojans.

One (barely working) "SonyEnabled" Breplibot here, which has already been analysed:
http://www.bitdefender.com/VIRUS-1000058-en--Backdoor.IRC.Snyd.A.html

Also one SDbot variant in the channels but not in the wild yet (24-48 hours?); that actually carries a copy of aries.sys with it and installs it itself.

After all, it saves the (often pretty unskilled) botters from trying to write their own flaky kernel-mode stealth driver, when they can just steal one that A) people would not be very surprised to see and would blame on something else (like, say, playing a copy-protected CD), B) that AVs would be reluctant to flag as a clear and present threat, and C) that is (providing you can find the dollar sign on your keyboard) absolutely trivial to use.

This is starting to be a real problem. Please at least add aries to the sigs, because not all the AVs will.

(Sophos' lab now has a working standalone aries removal utility which they plan to release today, and they may well add aries as a threat as well; I think KAV have stated their intention to list it, I seem to remember Norton/Symantec coming down on the will-not-list-it side of things, but I could be wrong.)

I can see bitman's reservations (even if I don't personally agree with them) about the other parts of XCP Aurora. I could understand if you did not choose to list the other components.

(The other components are, however, still threats in their own ways - locally-exploitable privilege-escalation vulnerabilities. They really don't know how to write kernel code well. No, I won't give any details. I just can't see a patch being issued and actually deployed widely from these F4i guys, given the way the uncloaker and later uninstaller was/is distributed.)

Remember; many users will be completely unaware they even have these drivers on their system (as far as they're concerned, they just played a CD they bought in the store). They will therefore probably be unaware they need to run some separate removal tool, or follow a complicated procedure for unmasking it or attempting to uninstall it (officially or otherwise). That's why I think it's particularly important that Spybot lists it and explains what it is (even if it's not checked for removal by default, its presence should be displayed).

el cpu
2005-11-10, 22:17
Agent O reinforces the need for SB to include the Sony rootkit in its detections. By now it is clear that the antispyware/antivirus community regards the Sony DRM as a serious vulnerability, in fact from CA's PestPatrol today, quote: "These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality." http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76345

While PestPatrol detects the presence of the rootkit it is not clear to me that they will remove it. I had read that they would be able to do so with their November 11 defs but this is to be confirmed and may have referred to the cloaking aspect only.

McAfee is now "detecting and removing" the cloaking (as of Nov 9, 2005 defs) http://vil.nai.com/vil/content/v_136855.htm
but note their caveat about potential crashes in doing so, quote: "System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself." I believe that McAfee leaves the DRM software in place with the associated risks that have been identified and mentioned previously.

Symantec has started to detect the presence of the rootkit but it does not remove it. They simply suggest to the user to obtain the so called SonyBMG patch which uncloaks the files but leaves the DRM in place (replaces some files).

J_Rey
2005-11-11, 00:22
Besides being rootkit and other objectionable methods, the Sony BMG software now is being used to hide the Stinx-E trojan! See the related news article (http://www.usatoday.com/money/industries/technology/2005-11-10-sony-hackers_x.htm?csp=24).

el cpu
2005-11-11, 07:46
Just read the following on Computer Associate's site (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362)

XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

Any word from Team Spybot regarding inclusion on SB detections? How about removal? While most antispy/antivirus program are now set to detect the Sony DRM, no program may yet be able to remove it. Does anyone know?

J_Rey
2005-11-11, 23:55
After all the bad press, "SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology." See the Sony BMG Statement (http://blog.sonymusic.com/sonybmg/archives/xcp.html) for their official acknowledgement of the trojan/virus and a link to the patch/uninstall request.

AplusWebMaster
2005-11-12, 00:08
FYI...

Troj/RKProc-Fam and Troj/Stinx disinfection instructions
- http://www.sophos.com/support/disinfection/rkprf.html
"Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers. This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

Windows 95/98/Me and Windows NT/2000/XP/2003
The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Windows disinfector
RKPRFGUI is a disinfector for standalone Windows computers
open RKPRFGUI, run it, then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

Command line disinfector
RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector
for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

;)

Nick-YF19
2005-11-12, 18:08
Sunbelt doesn't plan to include this rootkit in its removal capability.

from here (http://sunbeltblog.blogspot.com/2005/11/sophos-releases-tool-to-rid-rootkit.html)
We do not intend to have this removal capability in CounterSpy, simply because it is incredibly hard to remove this rootkit without disabling the CD-ROM player. Suggestion: Either use Sony’s uninstaller or check out Sophos’. We'll see what Spybot does.

By the way, that StinxE trojan looks like it's more of a proof of concept thing than anything really meant to do harm. First, it's targeted at British web users where there is limited distribution of the DRM CDs. Second, the trojan is buggy.
from here (http://antivirus.about.com/b/a/218067.htm)
The first Trojan to exploit this flaw, Stinx.E, doesn't properly decrypt the registry keys needed to allow the Trojan to load when Windows is restarted. The Stinx.E Trojan also fails to load if the Sony DRM cloaking technology is active, despite its deliberate attempts to exploit it. Additionally, the IP addresses used to connect to the IRC server are invalid. In effect, the Sony Stinx Trojan is impotent.

teslafan
2005-11-13, 00:48
Windows Update 24 Oct. optional download for WMDRM. Media Player 9. No reason to suspect Microsoft of Sonyesque tactics. Right? :rolleyes:
KB link for more info: http://support.microsoft.com/kb/891122#appliesto.

AplusWebMaster
2005-11-13, 05:24
FYI...

SecurityRisk.First4DRM Removal Tool
- http://securityresponse.symantec.com/avcenter/venc/data/securityrisk.first4drm.html?Open
:D

el cpu
2005-11-13, 06:31
I believe that the Symantec removal tool mentioned by AplusWebMaster does not actually remove the Sony DRM and its associated risks. While I have not run the tool myself (I am not infected) I believe that the tool is the so called patch that Sony distributed to antivirus companies to uncloak the files so they could be seen from within Windows. As pointed out by Computer Associates and others, this patch, while uncloaking the files, installs a newer version of the DRM which is still a trojan by CA standards.

The following article at CNet http://news.com.com/Antivirus+firms+target+Sony+rootkit/2100-1029_3-5942265.html states that, quote: "Symantec said Wednesday that its antivirus software would identify the Sony software, but would not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling". The article further states that, quote: "Computer Associates... said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly. According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said. It will effectively insert pseudo-random noise into a file so that it becomes less listenable, said Sam Curry, a Computer Associates vice president. What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool. A Sony representative said the company's technical staff was looking into the issues identified by Computer Associates, but had no immediate comment."

Fun!!! :eek:

AplusWebMaster
2005-11-13, 18:09
FYI...

Sony DRM Rootkit to be removed automatically by Microsoft
- http://isc.sans.org/diary.php?storyid=845
Last Updated: 2005-11-13 14:36:09 UTC
"Microsoft says* "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."
* http://blogs.technet.com/antimalware/

..."Believe" that.

el cpu
2005-11-13, 19:44
As I mentioned earlier, Microsoft, Symantec, and others are uncloaking the files so they are not hidden - they are not removing the First4Internet DRM technology, at least not yet. While this is a good first step, Computer Associates and the discoverer himself, Mark Russinovich, warn that the software that stays behind is still detrimental.

In his post above AplusWebMaster mentions that "Microsoft.... will add a detection and removal signature for the rootkit component of the XCP software." and instructs us to "believe" it. Note the word Microsoft used, "component". Note ZDNetUK: "Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some Sony music CDs are played.", (emphasis on the word "part"). Note the "googled" news stating the same.

As has been widely reported, the rootkit component is the cloaking of the files, but even if this component is removed correctly, the XCP software remains, admittedly in a modified fashion. To those infected I recommend removing XCP completely by going through the tedious process available at the SonyBMG website (http://cp.sonybmg.com/xcp/english/uninstall.html). This has pitfalls of its own as mentioned by CA and Russinovich, see: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362 and http://www.sysinternals.com/Blog/. Some registry keys remain. Note the comments on CA's site regarding the updated Sony uninstaller.

The main SonyBMG site, under the tab News, Nov 10, 2005, http://www.sonybmg.com/ gives users two options, a patch which uncloaks the files and leaves a modified version of the software in place, and the uninstall. The alternative to the Sony uninstall is to wait and see if CA, F-Secure, or others are finally able to completely do so on their own. This is not the case yet.

Removing the rootkit component is a good thing, however this still leaves a modified XCP in the computer - completely uninstalling the software, if done properly, would be much better.

el cpu
2005-11-14, 18:59
Mark Russinovich, the individual that discovered the Sony XCP rootkit, confirms what I had mentioned above. Mark's November 14, 2005 blog states, quote: "Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality." http://www.sysinternals.com/blog/2005/11/sony-no-more-rootkit-for-now.html

Mark goes on to say, quote: "Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. ..... I’ve said it before, but obviously need to say it again: Sony needs to make the uninstaller freely available as a standalone executable download so that users can choose to safely and easily discontinue use of this nefarious software."

Seems pretty clear to me.... :)

md usa spybot fan
2005-11-14, 20:58
SONY BMG STATEMENT ON XCP COPY PROTECTION
http://blog.sonymusic.com/sonybmg/archives/xcp.html


SONY BMG STATEMENT

We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.

In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause.

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp.

Opinion: Rather than just "… temporarily suspending the manufacture of CDs containing XCP technology.", do the right thing and recall the CDs that contain the XCP DRM software that are currently available to consumers through retailers. Without taking this step you are continuing to subject more and more people who are unaware of the problem to possible hidden malware using the rootkit that you install with these CDs.

I believe that you have the right to protect your intellectual property, however, the XCP DRM that you employed went far beyond the terms and conditions of the EULA that "… this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER."

Consumers have rights too. One of those rights is the unrestricted and uninterrupted enjoyment of personal property (their computer). Apparently those rights were not a major concern in the development of the XCP DRM when you hooked the operating system to hide files and intercept device drivers. In addition, you provided no means to uninstall the software. All this without disclosing this in the EULA. As it turns out your XCP DRM is something I would expect from hackers or malware purveyors, not from a legitimate music company.

Come on Sony BMG Music Entertainment start doing the right thing, recall the CDs that are still in the market place!!!

el cpu
2005-11-14, 22:07
md usa spybot fan: Thanks for the good words, your opinion is of course widely shared by consumers including myself.

In addition to recalling the CDs in the marketplace, Sony needs to "make the uninstaller freely available as a standalone executable download" as Russinovich stated. Until this is done, infected consumers are limited to uncloaking the files vis-a-vis Microsoft, Symantec, etc. or going through the Sony uninstall process which is tedious and not without peril. A simple and reliable uninstall executable is needed for the thousands of people that are likely infected.

pogue
2005-11-15, 01:44
Perhaps someone who has downloaded the full uninstaller from Sony can post it online, and it can just be spread from there (without involving Sony). Since it seems that they want people to go through the hassle of emailing them and having to manually download the patch...

el cpu
2005-11-15, 02:12
Pogue, while your suggestion would be good under normal circumstances, such is not possible with the Sony uninstaller and that is one of the many complaints Mark Russinovich and the AV community have of Sony. In order to uninstall, Sony makes one register and an ActiveX is then sent to your computer. Sony then replies back with the uninstaller however the uninstaller verifies that it is in the same computer as the original request. If it is not, it does not work and an error message appears. The uninstaller is also time limited. Sony wants this to be a machine-by-machine effort with them in full control. This of course is contrary to accepted computer practices - I can uninstall Office, PhotoShop or any other reputable software as I choose without having to go back to the developer. Check out the Russinovich posts which will elaborate in detail.
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

el cpu
2005-11-15, 18:47
Well.... Sony is finally pulling the CDs off the market.... According to USA Today: "Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs. Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC. .... Details about how long it will take to replace the XCP CDs and about its consumer exchange program will come later in the week, Sony said."

http://www.usatoday.com/money/industries/technology/2005-11-14-sony-cds_x.htm

AplusWebMaster
2005-11-15, 22:25
FYI...

Sony’s Web-Based Uninstaller Opens a Big Security Hole...
- http://www.freedom-to-tinker.com/?p=927
November 15, 2005
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

:confused:

AplusWebMaster
2005-11-15, 23:14
More...

- http://www.theinquirer.net/?article=27714
15 November 2005
"...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

:confused:

el cpu
2005-11-16, 00:25
This keeps getting worse... What AplusWebMaster pointed out above has hit the national news big time via the Associated Press, see the MSNBC article: http://msnbc.msn.com/id/10053831/ In addition, Princeton University has confirmed what the Finnish researcher discovered, that the Sony ActiveX is blatantly flawed. The MSNBC piece goes on to say: "Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form. There’s absolutely no excuse for Sony not to make one immediately available, he wrote in an e-mail Tuesday."

If the stand-alone program comes from Sony via First4Internet, who is going to trust it at this point; their track record is as low as it gets. I wonder if AV companies will be able to independently write a complete uninstaller (or if they will choose to, due to legal concerns). We'll see....

Further, it now appears that there are upwards of 500,000 computers infected so far. See: http://www.wired.com/news/privacy/0,1848,69573,00.html?tw=wn_tophead_2

:confused: indeed....

AplusWebMaster
2005-11-16, 01:20
FYI...

- http://www.freedom-to-tinker.com/?p=927
"To see whether CodeSupport is on your computer, try our CodeSupport detector page:
- http://www.cs.princeton.edu/~jhalderm/xcp/detect.html

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*"

;)
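The manual check in the post above, written out as a small script. This is an added example for this thread, not code from Sony, First4Internet or the Freedom to Tinker authors: it lists whatever matches codesupport.* under %windir%\Downloaded Program Files (the same wildcard the post's del command uses) and only deletes when asked to, so the result can be reviewed first. The folder and pattern come from the post; the function names are mine.

```python
"""Look for the First4Internet CodeSupport ActiveX control on disk.

Added example for this thread (not vendor code). Automates the manual check
in the post above: list files matching codesupport.* under
%windir%\\Downloaded Program Files. Reporting is the default; deletion (the
post's "del") is opt-in via delete=True.
"""
import fnmatch
import os
import sys

# Same wildcard the post's del command uses; NTFS names are case-insensitive.
CODESUPPORT_PATTERN = "codesupport.*"


def downloaded_program_files_dir():
    """The folder the post points at: %windir%\\Downloaded Program Files."""
    windir = os.environ.get("windir") or os.environ.get("SystemRoot") or r"C:\Windows"
    return os.path.join(windir, "Downloaded Program Files")


def find_codesupport(directory, pattern=CODESUPPORT_PATTERN):
    """Return sorted full paths of entries in `directory` matching `pattern`.

    Matching is case-insensitive, like cmd.exe. A missing directory (a machine
    that never used Internet Explorer's code download) simply yields [].
    """
    if not os.path.isdir(directory):
        return []
    pattern = pattern.lower()
    return sorted(
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if fnmatch.fnmatch(name.lower(), pattern)
    )


def remove_codesupport(directory, delete=False):
    """Report, and if delete=True remove, CodeSupport files.

    Returns (found, deleted) as two lists of paths. With delete=False this is
    a pure detection pass and `deleted` stays empty.
    """
    found = find_codesupport(directory)
    deleted = []
    if delete:
        for path in found:
            os.remove(path)
            deleted.append(path)
    return found, deleted


if __name__ == "__main__":
    # Usage: python codesupport_check.py [--delete]
    found, deleted = remove_codesupport(
        downloaded_program_files_dir(), delete="--delete" in sys.argv
    )
    if not found:
        print("No codesupport.* files found.")
    for path in found:
        print(("deleted " if path in deleted else "found   ") + path)
```

Deleting the file only removes the binary; as the later Freedom to Tinker update quoted in this thread notes, that may not stop the control from being installed again depending on browser security settings, and Microsoft's advice quoted further down is to block the control as well.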

Agent O
2005-11-16, 01:53
Firstly, it looks as though the player's AX control actually does contain LGPL'ed mp3lib code, and code from id3lib. Ironic that the DRM system itself violates copyright (the EULA is LGPL-incompatible, even if source were distributed).

More importantly, I followed up on my earlier work, because I was curious, and I extended my exploit to operate on a flaw in DRMServer that is remotely exploitable (in some scenarios, i.e., anonymous RPC access required and not firewalled) via the named pipe through which it communicates with the player application, chaining a kernel-mode privilege escalation vulnerability in crater.sys.

Obviously, I won't give this out, because there are at least half a million, possibly a million, vulnerable machines right now according to doxpara's estimates and my own metrics. Quite easily "worm food". Chilling.

It is worth pointing out that the aries cloaking component is not required for this exploit to work, and it works on the three versions I tested (including the post-Sony patch version).

So far, I haven't seen a properly working uninstaller. Of course, the uninstaller Sony have also leaves CodeSupport, another threat as previously discussed. And it doesn't seem to work properly anyway.

In my view, it's probably time to get tough; uninstallation really should, at this stage, not just remove aries, but schedule for the next reboot to blat out every single file XCP drops, including CodeSupport at this time, and unlink the XCP drivers from the Upper and Lower filter chains of the IDE channels and CD-ROM drives. That would indeed do it properly. (Ensure that you don't make the same mistake many others do; don't try to unload the drivers on the fly.)

Even MS have stated their intention to list $sys$aries (but not the rest) in the Malware Detection and Removal Tool that will be pushed out in the next (2005-12-13) Windows Update; a distinction normally afforded only to actual, highly prevalent, botnet variants.

I note it is still not listed in the signatures. I hope Team Spybot can be proud to be the first to provide a complete solution to this?
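A sketch of the reboot-time cleanup Agent O describes, as an added example for this thread rather than code from any anti-malware vendor, Sony or First4Internet. It leans on two mechanisms Windows itself provides so that nothing is unloaded on a running system: the PendingFileRenameOperations value under the Session Manager key (a REG_MULTI_SZ of source/destination pairs that the session manager processes at the next boot, an empty destination meaning delete; this is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes), and the UpperFilters/LowerFilters values of the CD-ROM and IDE controller setup classes, from which the XCP driver names are removed while every other filter is kept in order. The driver names and file path marked PLACEHOLDER are assumptions ($sys$aries and crater.sys are the names mentioned in this thread; which of them are registered as class filters, and where the files sit, is not stated here), so they must be confirmed on the actual machine. The default mode is a dry run that returns the planned changes.

```python
"""Reboot-time XCP cleanup along the lines Agent O sketches above.

Added example for this thread, not vendor code. No driver is unloaded live:
files are queued for deletion at next boot and filter-chain entries are
edited in the registry. Names marked PLACEHOLDER are assumptions.
"""

# Windows setup-class GUIDs (CD-ROM drives; IDE ATA/ATAPI controllers).
CLASS_KEYS = {
    "cdrom": r"SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}",
    "ide": r"SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}",
}
SESSION_MANAGER_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
FILTER_VALUES = ("UpperFilters", "LowerFilters")

# PLACEHOLDER: names from this thread; confirm against the machine's own
# filter values and driver files before relying on them.
XCP_FILTER_NAMES = ["$sys$aries", "crater"]
XCP_FILES = [r"C:\Windows\system32\drivers\PLACEHOLDER_xcp_driver.sys"]


def prune_filters(filters, names_to_remove):
    """Copy of a filter list minus the named drivers (case-insensitive, order kept)."""
    drop = {n.lower() for n in names_to_remove}
    return [f for f in filters if f.lower() not in drop]


def pending_delete_entries(paths):
    """PendingFileRenameOperations pairs that delete `paths` at next boot.

    Sources carry the NT object-manager prefix \\??\\ ; an empty destination
    means delete rather than rename.
    """
    entries = []
    for path in paths:
        entries.extend(["\\??\\" + path, ""])
    return entries


def plan_cleanup(current_filters, filter_names=XCP_FILTER_NAMES, files=XCP_FILES):
    """Dry run: compute the registry changes without touching anything.

    current_filters maps a class name ("cdrom", "ide") to a dict of
    value name -> list of filter driver names as read from the registry.
    Returns (changes, pending): only the values that differ, plus the entries
    to append to PendingFileRenameOperations.
    """
    changes = {}
    for cls, values in current_filters.items():
        for value_name, filters in values.items():
            pruned = prune_filters(filters, filter_names)
            if pruned != filters:
                changes.setdefault(cls, {})[value_name] = pruned
    return changes, pending_delete_entries(files)


def read_filters():
    """Windows only: read UpperFilters/LowerFilters for the classes above."""
    import winreg
    result = {}
    for cls, subkey in CLASS_KEYS.items():
        result[cls] = {}
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for value_name in FILTER_VALUES:
                try:
                    data, _ = winreg.QueryValueEx(key, value_name)
                    result[cls][value_name] = list(data)
                except FileNotFoundError:
                    pass  # this class has no filter of that kind
    return result


def apply_cleanup(changes, pending):
    """Windows only, run as administrator; takes effect at the next reboot."""
    import winreg
    for cls, values in changes.items():
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CLASS_KEYS[cls], 0,
                            winreg.KEY_SET_VALUE) as key:
            for value_name, filters in values.items():
                if filters:
                    winreg.SetValueEx(key, value_name, 0, winreg.REG_MULTI_SZ, filters)
                else:
                    winreg.DeleteValue(key, value_name)  # no filters of this kind remain
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SESSION_MANAGER_KEY, 0,
                        winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
        try:
            existing, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            existing = []
        winreg.SetValueEx(key, "PendingFileRenameOperations", 0,
                          winreg.REG_MULTI_SZ, list(existing) + pending)


if __name__ == "__main__":
    import sys
    changes, pending = plan_cleanup(read_filters())
    print("filter changes:", changes)
    print("pending deletes:", pending)
    if "--apply" in sys.argv:  # dry run unless explicitly applied
        apply_cleanup(changes, pending)
        print("written; reboot to complete")
```

The point of separating plan_cleanup from apply_cleanup is the one bitman makes later in this thread: a removal that edits boot-critical filter chains must be reviewed and tested on each variant before it is run, and the dry run makes the proposed changes visible before anything is written.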

AplusWebMaster
2005-11-16, 13:54
FYI...

- http://www.freedom-to-tinker.com/?p=928
"...You can tell whether you are vulnerable by visiting our CodeSupport detector page.
If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form... In its place is the following message:
'November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk..."

:(

el cpu
2005-11-16, 18:36
FYI the latest blog from Mark Russinovich: http://www.sysinternals.com/blog/2005/11/victory.html

Also FYI, I hope my Spybot friends find the following as disturbing as I do..... Regardless of all the bad publicity that the Sony case has generated, Sony is currently bragging (apparently for good reason) that their Santana CD (Arista, with XCP content) is "the #1 Artist Album today" (as of Nov. 9) on the Billboard charts and the #2 entry in the charts (next to the Now compilation). So much for hurting them in the pocketbook, apparently consumers do not care (or know). To add salt... a Neil Diamond CD (XCP also) is the #6 CD in Amazon regardless of the fact that there have been hundreds of reviews warning purchasers. Amazon is still selling these CDs regardless of the recall. If you want to upset your stomach read the Sony release on Santana under the news section of the SonyBMG web (http://www.sonybmg.com/). This is the same website that states that the CDs are recalled.... Gee :mad: :mad: :mad:

md usa spybot fan
2005-11-16, 21:22
Nancy McAleavey of Privacy Software (publisher of BOClean anti-trojan) shared a guide on how to remove Sony's Rootkit without the need of using the patch by Sony.

Calendar of Updates - Tip of the Day forum here:
http://www.dozleng.com/updates/topic7048

el cpu
2005-11-16, 23:57
For those of you considering the Nancy McAleavey (Privacy Software) removal process mentioned above, please be aware that Russinovich recommends against unloading the Aries driver while Windows is running, quote: "I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence..."
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

md usa spybot fan
2005-11-17, 00:34
el cpu:

For those who have installed the Sony XCP DRM software on their system what are your recommendations? You keep quoting that it is "never safe to unload a driver that patches the system call table", so how do you suggest that people go about removing the "Aries driver"?

el cpu
2005-11-17, 06:03
md usa spybot fan:

In your post above you state that I "keep quoting that it is never safe to unload a driver..." FYI I have quoted that once. Regarding a suggestion to remove, I wish I had one but unfortunately no solution has yet been found safe, at least according to the discoverer himself. Please go back to my posting of November 15, 2005, at 16:25 >> "Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form". All I can suggest at this time is that users follow his advice and continue to check the Sysinternals site: http://www.sysinternals.com/

As one could perhaps discern from your own posting, the complete McAleavey solution is likely beyond the typical computer user. We have not heard much from the SB team on this, maybe they have a suggestion to share. Agent O put it well in his last post, I quote; "I hope Team Spybot can be proud to be the first to provide a complete solution".

:)

bitman
2005-11-17, 06:42
I've been keeping quiet on this subject since although Sony and First4Internet have badly handled the process, it's obviously heading in the right direction; maybe bouncing off walls would be a better description. :(

Anyway, I feel the following requires a simple sanity check:

For those of you considering the Nancy McAleavey (Privacy Software) removal process mentioned above, please be aware that Russinovich recommends against unloading the Aries driver while Windows is running, quote: "I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence..."
Though Mark Russinovich is undoubtedly correct about the proper method here and there is a potential risk, so what? What "thread might be just about to execute the first instruction of a hooked function when the driver unloads"? Most likely, this would be something related to the CD drive. Would you stick a CD in the drive while trying to remove software that uses it? What is the real likelihood that such an event would occur under normal circumstances rather than under a test situation intended to show that it could occur? Though I don't know the answer myself, I doubt it's very probable.

Even if the situation did occur and the dreaded 'blue screen' happened, what would the result be? Since the blue screen is really a processor halt condition created by the detection of the thread jumping into invalid memory, this simply locks up the PC to protect it. Only software that was open at the time would be affected, so who leaves important programs open when performing an uninstall of any software, especially something like copy protection?

Though I understand and agree that both the software itself and the uninstallers to this point have potential problems, the only one that really concerns me is the ActiveX control used in the uninstall that appears to have an extremely bad vulnerability. Remember that the mass drive by the public is what is causing Sony to rush, which has helped create the current situation. Not defending Sony here, it's just always true that putting pressure on a bad technical situation will only make it worse. Sony's backout is no surprise to me, I knew it would happen the second I saw Mark's initial post, just not how quickly.

At this point it's also obvious that anti-malware developers will have to become involved in the cleanup effort. Since the original software had no automatic update facility (that I've heard of anyway) there's no way to inform those with the issue directly. It would be best, however, if this was a coordinated effort between the ASC/AV vendors and Sony. The fiasco to this point is due in large part to the lack of any coordination by anyone and the less than useful 'help' of the news media and general public, neither of which have a clue. Read some of the comments at Mark's site or even many of the Articles and Blogs referencing his site, they're rife with inaccuracies and just plain dumb statements.

My respect for Mark Russinovich as a programmer and helper within the anti-malware community in general is as solid as ever. However, my respect for his methods and handling of this situation are less than glowing. Posting this entire technical discussion directly in public without warning Sony and the anti-malware community first, giving them a chance to respond appropriately, was bound to create the mess that's ensued. It's made me question his motives more than once in the last few weeks. However, I'll give him the benefit of the doubt that he was concerned he might otherwise be stifled by an injunction suit before he could go public.

Either way, I'd prefer to see this thing slow down before the compound mistakes get even worse. Unfortunately, there's new urgency created by the ActiveX control, so that may need immediate attention. At this point I've seen no effective direct threat from the original or patched versions of the software, only proof of concept. It would be best to leave this piece alone at least until someone has a removal tool that will deal with all variants; unpatched, patched, partially uninstalled and never really installed and not create more problems than exist already. This is and should be Sony's job and should only be taken over by others if they're ready for the same flack that Sony's gotten, since it will be their fault if it doesn't work, not Sony's.

Remember that the average person's tendency is to just 'fix everything' and not research what's been found on their PC. So you better be sure your 'complete solution' will work before advertising it to the world or you'll end up linked with Sony in this debacle. So far I see no one coming up roses and the best profile has been to keep your head down in the crossfire.

AplusWebMaster
2005-11-18, 03:03
FYI...

Welcome To Planet Sony
- http://www.doxpara.com/?q=sony
Submitted by Dan Kaminsky on Tue, 2005-11-15 09:28.
"Sony.
Sony has a rootkit.
The rootkit phones home.
Phoning home requires a DNS query.
DNS queries are cached.
Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
So what did I find?
Much, much more than I expected.
It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows... unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident..."

:(

tashi
2005-11-18, 04:18
Either way, I'd prefer to see this thing slow down before the compound mistakes get even worse. Unfortunately, there's new urgency created by the ActiveX control, so that may need immediate attention. At this point I've seen no effective direct threat from the original or patched versions of the software, only proof of concept. It would be best to leave this piece alone at least until someone has a removal tool that will deal with all variants; unpatched, patched, partially uninstalled and never really installed and not create more problems than exist already.
Well said bitman.

AplusWebMaster
2005-11-18, 15:24
Hmmm...

- http://www.wired.com/news/print/0,1294,69601,00.html
Nov. 17, 2005
"... That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.
Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.
What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.
Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?..."

:(

el cpu
2005-11-18, 18:43
FYI, from the Microsoft Anti-Malware team:
"Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December. We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change. There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog." http://blogs.technet.com/antimalware/archive/2005/11/17.aspx

It also appears that one of the other Copy Protection schemes that SonyBMG uses, SunnComm DRM, has big problems also. See the post: "Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole" at: http://www.freedom-to-tinker.com/

zak.wilson
2005-11-20, 07:09
I'm inclined to agree with CA's list of reasons (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362) for detecting XCP:

Installs without user permission, presenting only a vague and misleading EULA
Changes system configuration without user permission at time of change.
Defends against removal of, or changes to, its components
Silently modifies other programs' information or website content as displayed.
Includes mechanisms to thwart removal by security or anti-spyware products.
Cannot be uninstalled by Windows Add/Remove Programs and no uninstaller is provided with application.

Perhaps Spybot needs a separate category of "rootkit" for software that hides files or processes from the administrator of the computer, even if the software doesn't do anything else malicious. I'm inclined to believe that most people don't want rootkits on their computers, regardless of who put them there and why.

BigRedNeck
2005-11-21, 04:08
I'm inclined to agree with CA's list of reasons (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362) for detecting XCP:

Installs without user permission, presenting only a vague and misleading EULA
Changes system configuration without user permission at time of change.
Defends against removal of, or changes to, its components
Silently modifies other programs' information or website content as displayed.
Includes mechanisms to thwart removal by security or anti-spyware products.
Cannot be uninstalled by Windows Add/Remove Programs and no uninstaller is provided with application.

Perhaps Spybot needs a separate category of "rootkit" for software that hides files or processes from the administrator of the computer, even if the software doesn't do anything else malicious. I'm inclined to believe that most people don't want rootkits on their computers, regardless of who put them there and why.

I completely agree...IT'S TIME!!!

I will need to be able to recommend an effective tool to protect users, for my family, friends, coworkers and customers...will Spybot be up to the task, or bow to corporate poison?

Right now CA's PestPatrol seems to be the only product I can recommend for effective spyware protection...unless Spybot steps up to the plate and blocks not only the rootkit but XCP entirely.

Personally, I don't want a single shred of DRM installed on my machines for any reason. If something I want to watch or listen to is DRM'd, I don't need it!

bitman
2005-11-21, 08:06
At this point I'm less inclined than ever to suggest that any anti-malware product attempt this removal, since Sony now displays the following on their page regarding uninstalls:

November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.
http://cp.sonybmg.com/xcp/english/form14.html

Only if this new uninstaller doesn't become available in a reasonable time frame (a couple weeks for development and testing) and/or doesn't truly remove the software completely and safely at that point should this be considered.

Until then, only removal of the hidden attribute of the 'Root Kit' technology and blocking of the problematic ActiveX control used with the earlier uninstaller should be considered. In fact, I feel that removing the hidden attribute is itself dangerous, since some users may then attempt to delete the files manually, which is known to be dangerous to the stability of the PC.

In addition, this cooling off period gives Team Spybot time to thoroughly test the detection and removal process on multiple platforms for all variants of the software currently known to exist, if they are indeed working on such a thing at all. If such removal is attempted, the potential for failure and damage to a PC is the responsibility of those removing it, not Sony.

By declaring this DRM package 'malware' some will feel they are justified to remove it, safely or not. Those who do this and fail will find out how quickly the public can turn on them since the last thing the user did was 'scan and fix' with their program, they won't care what was being removed or what disclaimers the software contains about such possible damage.

BigRedNeck
2005-11-21, 15:33
I completely understand not removing it at this point, but I'd like to see it added to the immunization database to prevent installation in the future.

I'd be inclined to wipe my hard drive and reinstall my system to get rid of it.

tashi
2005-11-21, 19:49
Hello.
Regarding Spybot-S&D detections, team is aware of and looking into the subject matter.

zak.wilson
2005-11-22, 00:33
In addition, this cooling off period gives Team Spybot time to thoroughly test the detection and removal process on multiple platforms for all variants of the software currently known to exist, if they are indeed working on such a thing at all. If such removal is attempted, the potential for failure and damage to a PC is the responsibility of those removing it, not Sony.

By declaring this DRM package 'malware' some will feel they are justified to remove it, safely or not. Those who do this and fail will find out how quickly the public can turn on them since the last thing the user did was 'scan and fix' with their program, they won't care what was being removed or what disclaimers the software contains about such possible damage.
I agree with you that any potentially dangerous removal routine should be tested before being released to the general public. If the Spybot team needs to take its time to make sure the removal works properly, they should do so. My point is simply that rootkits are malware, regardless of who's using them or why.

As for XCP itself, my understanding of the software is that it interferes with the way the OS normally accesses the CD drive, and it sends information to Sony without telling the user. The EULA might say they can do it, but most people don't accept that excuse from Gator/Claria; why should we accept it from Sony?

el cpu
2005-11-22, 02:05
Bitman:

I have followed your posts on this thread with interest as your opinions have differed from those of the anti-malware community. Bear with me please, :)... I quote:

Nov 1: Mark's article is an opinion, not an indication of any illegal activity [by Sony]
Nov 1: Though Mark doesn't like the way they implement that protection for technical reasons, they [Sony] are totally within their rights
Nov 1: I'd rather not see any reputable antispyware organization take the position of removing such software… All that will do is…. tie up resources that would be better spent fighting 'true' malware
Nov 3: Though it's badly written and may create a potential hiding place for true malware, nothing described has made this program itself malware
Nov 17: At this point it's also obvious that anti-malware developers will have to become involved in the cleanup effort
Nov 21: At this point I'm less inclined then [sic] ever to suggest that any anti-malware product attempt this removal, since Sony now displays...

All of us are entitled to our opinions of course, but personally I am glad to see Tashi’s post above. The Sony rootkit has been classified as malware by nearly all AntiVirus/AntiMalware companies and most have added it to their detections already; Computer Associates, Symantec, McAfee, and Microsoft AntiSpyware, to name a few. Your last post is entitled "Suicide by Root Kit removal"... are all those companies wrong? Relying exclusively on a Sony uninstaller for the complete XCP might work for those that know they are infected but will do nothing for those that do not - isn't that what anti-malware programs are about, to detect and warn about existing malware that the user may not be aware of? Agent O said it well in a previous post, quote: “Contrary to bitman's position above, I am personally of the opinion that Sony should not be held to a lower ethical standard merely because they are big. I think this should be added to the [Spybot] definitions. Covert malware like this is unacceptable, no matter who makes or distributes it; and I would hope that any reputable antispyware solution would also feel the same way.”

p.s. to all readers, Nancy McAleavey has a new post on her site http://www.dozleng.com/updates/topic7048 that addresses the concerns I mentioned in an earlier post… Russinovich’s concerns, not mine, although I am the one that quoted them. Nancy has addressed them well. Also fyi "The Electronic Frontier Foundation filed a class-action lawsuit against SonyBMG on Monday. It's the second legal challenge to SonyBMG in one day. The attorney general for Texas also filed a suit against the music giant for allegedly violating the Consumer Protection Against Computer Spyware Act of 2005."

zak.wilson
2005-11-22, 03:34
The Sony rootkit has been classified as malware by nearly all AntiVirus/AntiMalware companies and most have added it to their detections already; Computer Associates, Symantec, McAfee, and Microsoft AntiSpyware, to name a few. Your last post is entitled "Suicide by Root Kit removal"... are all those companies wrong? Relying exclusively on a Sony uninstaller for the complete XCP might work for those that know they are infected but will do nothing for those that do not - isn't that what anti-malware programs are about, to detect and warn about existing malware that the user may not be aware of?
Symantec detects it as a security risk, not as malware. They provide a removal tool, but recommend that you use Sony's instead. Microsoft detects and removes the cloaking, but not XCP itself. McAfee removes the cloaking, but not the copy protection. CA detects all variants of XCP as trojans, but their website doesn't make it clear if it is properly removed or not. They also classify the included music player program as spyware because it phones home without telling the user.

Of these, I think CA's attitude is the most appropriate. I suspect they don't provide a fully functional uninstaller because they haven't properly tested it yet, not because they don't want to. Symantec and McAfee appear to believe XCP is legitimate, but a potential security risk. Microsoft condemns the rootkit functionality, but seems ok with the rest of it. Only CA condemns the whole package.

tashi
2005-11-22, 18:32
Bitman:
Your last post is entitled "Suicide by Root Kit removal"... are all those companies wrong?
I believe bitman was considering that in the rush to find a fix there was the potential to cause even more damage.

el cpu
2005-11-22, 20:43
I believe bitman was considering that in the rush to find a fix there was the possible potential to cause even more damage.

True, nobody would want that. A potential approach might be for Spybot to detect and offer to remove the rootkit component only, as Microsoft is apparently safely doing. Removing the "rootkit component", i.e., the cloaking of files, appears straightforward, see Nancy McAleavey's post at: http://www.dozleng.com/updates/topic7048. Once the rootkit has been detected, Spybot could point the user to the eventual Sony uninstaller if a reliable one becomes available. My understanding is that Princeton is working with Sony on this, thus adding credibility which is badly needed. The alternative of course is for Spybot to stay out of this altogether and leave it in the hands of others like Microsoft. The drawback is that while the MS Malicious Software Tool will remove the cloaking, it will not warn users of the remaining XCP which has been classified as malware by CA and others.

Oh well.... no clear answer here, I realize :)

bitman
2005-11-23, 03:52
Of these, I think CA's attitude is the most appropriate. I suspect they don't provide a fully functional uninstaller because they haven't properly tested it yet, not because they don't want to. Symantec and McAfee appear to believe XCP is legitimate, but a potential security risk. Microsoft condemns the rootkit functionality, but seems ok with the rest of it. Only CA condemns the whole package.

Oh well.... no clear answer here, I realize :)
That's been my primary concern here all along and is part of the reason my own posts seem inconsistent, since they are discussing the situation from different angles as our knowledge of it has evolved over time.

After researching the ASC 'Anti-Spyware Coalition Definitions and Supporting Documents', I can see why some have decided to label it malware, based on the definitions of a rootkit.

Rootkits

System Modifying Software

Used to modify system and change user experience: e.g. home page, search page, default media player, or lower level system functions

Without appropriate consent, system modification is hijacking
Can compromise system integrity and security
Can drive user to spoofed web sites in order to steal their ID.

May be used for desirable customization

http://www.antispywarecoalition.org/documents/definitions.htm

I think it's interesting that many Blogs and other online news outlets have referenced something relating to the ASC definitions, but as yet, I've seen no anti-malware vendor that has, even anti-spyware. CA references that "this variant of the XCP.Sony.Rootkit program still violates the eTrust PestPatrol Scorecard" for example, and they are even a member of the ASC themselves. I'm not impressed with what I see as the first test of the decisions made and presented by the ASC, though I understand these are simply considered guidance at this point.

I also understand why many consider the Digital Rights Management itself to be undesirable, since nobody really wants their activities monitored, even for a legal purpose. However, that issue has become confused with the definitions of malware in this case, primarily due to the use of rootkit-like hiding of files and modification of CD-ROM access. I don't personally see this as a malicious rootkit, since its purpose isn't truly to take complete control of your pc, though the line is admittedly extremely thin.

The issue of DRM technology itself has led to much of the interest in this situation, since few would care if this were done to protect say, a database of personal picture files from deletion by mistake for example. Any DRM discussion is inherently rife with politics and opinions, which hasn't got a true home in these forums as of yet. Unfortunately, this decision can't be made without considering them as we've seen.

My final statement of opinion is that I feel it would be best for Sony to take the responsibility for removal of this software, both for their own education and the user community as a whole. However, there's nothing wrong with them asking the anti-malware community for aid in notification and distribution of the removal tool(s) developed. The result might be better choices and involvement by both communities in whatever Sony decides to try next. It's the adversarial situation which exists with DRM that is the true core problem that needs to be resolved.

el cpu
2005-11-23, 04:47
Thanks bitman, good comments above. While I have disagreed with some of your opinions I have always appreciated your technical advice; I was a visitor to the old SB forum and used to see your comments there.

As we are now aware, this case has taken a legal turn; the Attorney General of Texas (among others) has filed a lawsuit, http://www.chron.com/disp/story.mpl/business/3476945.html. I wonder if Sony will issue the uninstaller any time soon due to the legal quagmire they find themselves in. This problem will be around for years to come as only a fraction of the XCP CDs now in circulation will eventually come in. They are still for sale here in Houston....

zak.wilson
2005-11-24, 07:12
I also understand why many consider the Digital Rights Management itself to be undesirable, since nobody really wants their activities monitored, even for a legal purpose. However, that issue has become confused with the definitions of malware in this case, primarily due to the use of rootkit-like hiding of files and modification of CD-ROM access. I don't personally see this as a malicious rootkit, since its purpose isn't truly to take complete control of your pc, though the line is admittedly extremely thin.

I think that distinction is critical if you're filing a lawsuit or criminal charges. I find it relatively unimportant to the question of how Spybot should classify the software: it's hidden software with harmful effects that's difficult to remove and unlikely to be installed on purpose if the user actually understands what it's going to do. That's exactly the sort of thing people run antispyware software to get rid of.


The issue of DRM technology itself has led to much of the interest in this situation, since few would care if this were done to protect say, a database of personal picture files from deletion by mistake for example. Any DRM discussion is inherently rife with politics and opinions, which hasn't got a true home in these forums as of yet.

Quite right about the political issues. I think most people would be unhappy if they installed a program that was intended to prevent accidental deletions and it cloaked itself, could not be removed safely and contacted its distributor without notifying the user or administrator. The problem here is not so much with DRM but with the methods used by XCP.


My final statement of opinion is that I feel it would be best for Sony to take the responsibility for removal of this software, both for their own education and the user community as a whole.
I agree with you there, though I think they should ask First4Internet to share that responsibility as they're the ones who created the product. It would be nice if they offered assistance to the anti-malware community to develop their own solutions as well; after the first two removal utilities, I suspect many people aren't too inclined to trust Sony.

AplusWebMaster
2005-11-24, 16:59
But first, a few questions:

Sony-baloney
- http://www.securityfocus.com/columnists/370
2005-11-22...

...not many answers yet.


:(

BigRedNeck
2005-11-29, 21:42
Updates?

Lets keep this up top for now.

md usa spybot fan
2005-11-30, 00:02
There is nothing really new in the following article for an upcoming issue of Newsweek International, but it is interesting (non-technical) reading. Hopefully the article will keep the issue in the public eye and expand the awareness of the problem. I can only hope that the continued attention on the issue will help prevent similar abuses in the future.

Sony Gets Caught With Slipped Discs
http://msnbc.msn.com/id/10217704/site/newsweek/


By Steven Levy
Newsweek International

Dec. 5, 2005 issue - Benjamin Franklin once remarked that the definition of insanity is doing the same thing over and over and expecting a different result. In that case, someone should immediately dispatch a cadre of psychiatrists to the headquarters of Sony. Its efforts to protect the music it sells have resulted—again—in unmitigated disaster. After infuriating its customers, alienating its artists and running afoul of the U.S. Homeland Security Department, Sony recently announced a recall of 52 CD titles—everyone from Dion to Celine Dion—protected with a flawed scheme that left customers' computers vulnerable to viruses and vandals. …
Also:


Since Sony's new CEO Howard Stringer is a smart guy, one might have assumed that he cautioned the company's music division, which recently merged with Bertelsmann's BMG label, that future efforts should not turn off customers by erring on the side of protection. ...
My view, if Sony's new CEO Howard Stringer is a smart guy, one might assume that he would fire Thomas Hesse, President of Sony BMG's global digital business division, for this inane remark during a National Public Radio (NPR) interview on November 4, 2005 which demonstrated his contemptible disregard for the company's customers:


Most people, I think, don't even know what a rootkit is, so why should they care about it?

flabdablet
2005-11-30, 10:20
At this point it's also obvious that anti-malware developers will have to become involved in the cleanup effort. Since the original software had no automatic update facility (that I've heard of anyway) there's no way to inform those with the issue directly.

Turns out there is, and it would be technically trivial for Sony to do it. See

http://www.benedelman.org/news/112105-1.html

md usa spybot fan
2005-12-01, 18:41
According to the following article, F-Secure notified Sony BMG about the potential dangers of their XCP DRM software long before Mark Russinovich posted the problem on his Sysinternals blog and they failed to act:

Sony BMG's Costly Silence
The label was alerted to the secret, virus-vulnerable software on its CDs long before the scandal broke. Trouble is, it didn't act immediately to alert consumers
http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm


For Sony BMG Music Entertainment, it has become a public-relations nightmare -- and it shows no signs of abating. On Oct. 31, computer-systems expert Mark Russinovich posted a message on his blog revealing that Sony BMG had placed anti-piracy software on music CDs that was difficult to detect and that made customers' PCs vulnerable to hacker attacks …

SLOW TO ACT? Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 -- nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn't understand the software it was introducing to people's computers and was slow to react. ...

tashi
2005-12-02, 12:55
I can only hope that the continued attention on the issue will help prevent similar abuses in the future.
With the excellent and informed reporting such as we have seen here; one could indeed hope any such company will not further assume the public is completely uneducated in such matters.

silly putty
2005-12-05, 19:56
SLOW TO ACT? Sony BMG is in a catfight with a well-known computer-security outfit that became aware of the software problem on Sept. 30 and notified the music company on Oct. 4 -- nearly a month before the issue blew up. F-Secure, a Finland-based antivirus company that prides itself on being the first to spot new malware outbreaks, says Sony BMG didn't understand the software it was introducing to people's computers and was slow to react. ...

"Sony didn't _understand_ the software" is an understatement of galactic proportions. Someone just needs to be honest and truthful about Sony and say "Sony sucks." Their laptops suck. Their attempts at software development suck. Their technical support sucks. Their digital cameras suck. Their CD/DVD-ROM/RAM drives suck. And now their attempt at DRM sucks. Sony is on my blacklist of companies to not buy anything from for 10 years.

BigRedNeck
2005-12-05, 20:20
Well, I wouldn't say "Their CD/DVD-ROM/RAM drives suck" since they are made by Lite-On, but the retail versions are not a great value...just get a Lite-On and you have a Sony, or an HP, now that Lite-On has their new Lightscribe contract. :)

md usa spybot fan
2005-12-08, 00:18
Besides installing software before issuing the EULA, the following articles indicate that there is a security hole in the older SunnComm MediaMax Version 5 Digital Rights Management (DRM) software that Sony/BMG distributed on their CDs:
EFF lifts curtain on new act of Sony DRM farce
http://news.zdnet.co.uk/0,39020330,39240592,00.htm
Sony opens up over another CD security hole
http://www.theregister.co.uk/2005/12/07/sony_cd_security/
Will the DRM saga never end?

AplusWebMaster
2005-12-08, 14:59
FYI...

- http://www.wired.com/news/print/0,1294,69763,00.html
Dec. 07, 2005
"...The software used a Microsoft Windows feature called AutoRun that executes software on a CD without the user's knowledge or consent. Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA. By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected"..."

:rolleyes:
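The article above describes AutoRun launching the CD's installer without consent. As an added example (not from the thread, Microsoft or SunnComm), this PowerShell reports the NoDriveTypeAutoRun policy on the machine and, when the second function is called from an elevated session, disables AutoRun for every drive type rather than relying on the user holding Shift; the registry path, value name and bit meanings are Microsoft's documented policy, everything else here is assumed:

```powershell
# Reports the Explorer policy that controls AutoRun. NoDriveTypeAutoRun is a
# bitmask of drive types EXCLUDED from AutoRun; bit 0x20 is DRIVE_CDROM and
# 0xFF excludes every type. If the value is absent, the OS default applies and
# a CD inserted in the drive can still launch its autorun.inf program.
function Get-AutoRunPolicy {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $value = $null
        if (Test-Path $p) {
            $value = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        [pscustomobject]@{
            Path         = $p
            Value        = if ($null -eq $value) { 'not set (OS default)' } else { '0x{0:X2}' -f $value }
            CdRomBlocked = ($null -ne $value) -and (($value -band 0x20) -ne 0)
        }
    }
}

# Writes the machine-wide policy value 0xFF (AutoRun off for all drive types).
# Requires an elevated session; Explorer re-reads the value after a logoff/reboot.
function Set-AutoRunDisabled {
    $p = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    New-ItemProperty -Path $p -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

# Report only; uncomment the next line to apply the hardened setting.
Get-AutoRunPolicy | Format-Table -AutoSize
# Set-AutoRunDisabled
```

A machine policy (HKLM) takes precedence over the per-user value, so check both rows before concluding that AutoRun is blocked.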

md usa spybot fan
2005-12-08, 15:14
Here is an Electronic Frontier Foundation (EFF) article concerning the vulnerability in SunnComm MediaMax Version 5 DRM software :
SunnComm MediaMax Security Vulnerability FAQ
http://www.eff.org/IP/DRM/Sony-BMG/mediamaxfaq.php#2

AplusWebMaster
2005-12-09, 14:20
FYI...

Not Just Another Buggy Program
- http://www.freedom-to-tinker.com/?p=944
Thursday December 8, 2005 by Ed Felten
"Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up...if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc. Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax...."

(More detail at the URL above.)

:(

bitman
2005-12-09, 20:38
Apparently no one here has been watching the Sony BMG pages:
http://cp.sonybmg.com/xcp/english/form14.html

UNINSTALL REQUESTS

The uninstall software can be downloaded here.

If you have already run the uninstaller and still have problems or questions, please click here to complete a customer service request.

This takes you to a page explaining the options, including:
http://cp.sonybmg.com/xcp/english/updates.html

INFORMATION ABOUT XCP PROTECTED CDs

CDs containing XCP content protection software developed by First4Internet for SONY BMG may increase the vulnerability of your computer to certain computer viruses. To address these concerns, we are providing you with a software tool for download that offers you two options.

You may either:


Update the XCP software on your computer.
This option installs an update which removes the component of the XCP software that has been the subject of public attention and will alleviate concerns you may have about the software posing potential security vulnerabilities. It will also enable you to continue using the protected disc(s) on your computer.

Completely uninstall the XCP software and associated content protection files.
This option will remove all XCP and associated content protection files, including service/processes, registry entries and folders from your computer. Note that once you delete the XCP content protection software, if you wish to play a CD protected with XCP it will be necessary to reinstall the XCP software in accordance with that CD's End User License Agreement after you insert the disc into your computer.

Please note that you must reboot your computer after running the software tool.

If you have previously uninstalled the XCP software using the Sony BMG customer support website, and you are concerned about security issues relating to the delivery of ActiveX controls, both options will result in the deletion of these controls.

For users who have previously uninstalled XCP software using the uninstaller made available prior to November 18, 2005, we recommend that you run the currently available uninstaller, to eliminate a potential security vulnerability presented by the earlier uninstaller that was brought to our attention.

Please note that uninstalling from your computer the XCP software and associated content protection files loaded from an XCP-protected CD will NOT delete or affect your use of any audio files that you have previously transferred from an XCP-protected CD. Such files remain subject to the digital rights management rules in the End User License Agreement: namely that you may rip the audio into the secure formats provided on the disc, move these tracks to compatible portable devices, and make up to three copies of each track on to CD-Rs.

Please be advised that this program is protected by all applicable intellectual property and unfair competition laws, including patent, copyright and trade secret laws, and that all uses, including reverse engineering, in violation thereof are prohibited.

The XCP software tool is available for download here as an EXECUTABLE (2.3 MB) or ZIP FILE (1.03 MB)
<<< Added with Edit >>>This appears to be the executable uninstaller recommended by Mark Russinovich, though I haven't done anything to confirm this myself. At this point I don't see any new comments on Mark's Blog either, so it must have just released. We'll see how this fares over the next few days.

AplusWebMaster
2005-12-14, 05:27
FYI...

Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
- http://www.microsoft.com/technet/security/Bulletin/MS05-054.mspx
Published: December 13, 2005
"...This cumulative security update sets the kill bit for the First4Internet XCP uninstallation ActiveX control. For more information about this ActiveX control, visit the SONY BMG Web site. Older versions of this control have been found to contain a security vulnerability. To help protect customers who have this control installed, this update prevents older versions of this control from running in Internet Explorer. It does this by setting the kill bit for the older versions of this control that are no longer supported. This kill-bit is being set with the permission of the owner of the ActiveX control..."

.
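MS05-054 sets the kill bit for the old XCP uninstaller control. As an added example (not from the thread, Microsoft or Sony), this PowerShell checks whether the kill bit is set for a given CLSID under both the native and the Wow6432Node ActiveX Compatibility keys; the key layout and the 0x400 flag are Microsoft's documented mechanism, and the CLSID passed at the bottom is a placeholder because the thread does not give the XCP control's identifier:

```powershell
# A control is blocked in Internet Explorer when bit 0x400 of the
# "Compatibility Flags" DWORD under its CLSID key is set. On 64-bit Windows the
# 32-bit IE reads the Wow6432Node copy, so both locations are examined.
function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid = $Clsid.Trim('{}')
    $bases = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($base in $bases) {
        $key   = Join-Path $base "{$Clsid}"
        $flags = $null
        if (Test-Path $key) {
            $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -eq $flags) { 'absent' } else { '0x{0:X}' -f $flags }
            KillBitSet = ($null -ne $flags) -and (($flags -band 0x400) -ne 0)
        }
    }
}

# Also report whether the control is still registered at all; a kill bit only
# stops IE from instantiating it, it does not remove the DLL or its CLSID entry.
function Test-ActiveXRegistered {
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid = $Clsid.Trim('{}')
    Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\{$Clsid}"
}

# PLACEHOLDER CLSID, not the XCP uninstaller control's real identifier.
$target = '{00000000-0000-0000-0000-000000000000}'
Test-ActiveXKillBit -Clsid $target | Format-Table -AutoSize
"Registered: $(Test-ActiveXRegistered -Clsid $target)"
```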

AplusWebMaster
2005-12-31, 19:41
FYI...

Sony BMG To Settle One Copy Protection Class-Action Lawsuit
- http://www.techweb.com/article/printableArticle.jhtml?articleID=175701269&site_section=700028
December 29, 2005
"Lawyers working the class-action lawsuit against Sony BMG Music filed a proposed settlement with a federal court Wednesday that if approved, would force Sony to stop making copy-protected CDs, pay affected customers a small fee, and provide replacement discs and/or other albums. Several class action suits were filed in New York and California during November that claimed Sony's copy-protection technology, which had come under fire earlier in the month, damaged buyers' computers. On Dec. 1, the court consolidated about 10 pending class-action cases, and appointed two law firms, Girard Gibbs & de Bartolomeo of California, and Kamber & Associates of New York, to handle the combined suit. According to the settlement papers filed with the U.S. District Court, Southern District of New York, "the parties engaged in virtual round-the-clock settlement negotiations" through most of December. "The primary and overriding concern of the parties over the course of these lengthy, arms’-length negotiations was an effort to provide prompt relief to consumers affected by XCP and MediaMax software, in order to limit the risk that these consumers’ computers would be vulnerable to malicious software," the papers continued. Among the provisions of the settlement, Sony BMG would be barred from using XCP or MediaMax technologies to copy-protect its music CDs, will continue to update the uninstall utilities for removing the XCP and MediaMax copy-protection schemes, and will offer two different incentive programs to buyers of XCP-protected discs so that they return copy-protected CDs. Furthermore, until 2008, any copy protection scheme Sony BMG uses on its audio CDs must meet a slew of criteria, including ones which require that it get users' explicit permission before installing rights software, that uninstallers for the copy protection be available, and that a third party verify that the copy-protection technology doesn't present any security risk..."

:(

tashi
2006-01-14, 20:42
January 10, 2006

Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.

Symantec has released a product update that will now display the previously hidden NProtect directory in the Windows interface.
http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html

January 12, 2006

Symantec just admitted that the "Norton Protected Recycle Bin," or "NProtect" feature of Norton SystemWorks, deliberately conceals a directory from Windows APIs to protect the files from accidental deletion. A commercial security vendor using rootkit technology? Unbelievable. Symantec explained its thinking in a security bulletin. "When NProtect was first released, hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect."
http://www.computerworld.com/blogs/node/1573

AplusWebMaster
2006-01-16, 04:40
FYI...

- http://www.theinquirer.net/?article=28990
15 January 2006
"SEPARATE CASES were filed against Microsoft, Yahoo and a spate of other tech firms in the US last week, alleging patents covering digital rights management (DRM) were breached by the firms. The main action is against Microsoft, filed in the Eastern District Court of Texas, and relates to US patent 6,249,868, a method and system for embedded, automated, component level control of computer systems and other complex systems.
The patent covers security components for a PC which can enable or disable systems using a remote server. Softvault alleges that products with the feature include Windows Server 2003, Windows XP, Microsoft Office XP, Access 2002, Excel 2002, Vision 2002, Visual Studio Net, Office 2000 SR-1, Project 2000 SR-1, Powerpoint, and many other products including Word. Softvault also claims Microsoft infringes patent 6,594,765, with a long list of Volish software alleged to breach that patent. Softvault wants damages, injunctions, fees, costs, and the like. The other case against Yahoo, Microsoft, Napster, Creative Labs, Dell, Gateway, Iriver, Samsung, Toshiba, Digital Networks, Palm, Audiovox, Sandisk and Thomson also relates to the 868 patent and the 765 patent... Softvault alleges that Microsoft supplies Windows Media Digital Rights Management (DRM) which breaches its patent, and Yahoo's Music Unlimited to Go uses this DRM and so infringes its patents. The other firms named in the suit also infringe Softvault's patents by using Microsoft DRM, it's alleged. Softvault wants the defendants to pay up after a jury trial. Softvault, according to its web page, here*, is a Washington based IP firm which explains that by using its tech a device breaching digital rights can be turned into a brick. And, as we all know, bricks make houses. And gold bricks make gold houses."
* http://www.softvault.com/pages/1/index.htm

Hmmm...

AplusWebMaster
2006-01-17, 01:00
FYI...

- http://www.securityfocus.com/news/11369
2006-01-16
"...Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky used a different address used by the copy protection software to estimate that, a month later, 350,000 networks--many belonging to the military and government--contain computers affected by the software. "It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains... Kaminsky's research uses a feature of domain-name system (DNS) servers: The computers will tell whether an address has recently been looked up by the server. The security researcher worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. Kaminsky sent DNS requests to the 3 million systems, asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches. During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet. In the most recent survey, which lasted from December 15 to December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software..."

:(
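
As an added illustration (not part of this post or the article it quotes), here is the non-recursive (RD=0) probe the survey relied on, written from the other side: a check a resolver operator can run against their own server to see whether it hands cache contents to arbitrary clients, which is what let the XCP callback domain be counted. The resolver address, the nonce domain under example.com, and the test replies are constructed assumptions.

```python
import random
import socket
import struct

# Added example, not the article's code: the RD=0 probe as a self-check for a
# resolver you administer. One that answers RD=0 queries from cache for any
# client discloses what its users looked up; restrict who may query it.

def build_query(name, txid=None, recursion_desired=False):
    """Build a raw DNS A query; the RD bit is cleared unless asked for."""
    txid = random.randrange(0x10000) if txid is None else txid
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def classify_response(data, expected_txid):
    """Interpret the reply to an RD=0 query from its 12-byte header.
    'cached'     answer supplied without recursion: the cache is readable
    'not-cached' no answer, the resolver honoured RD=0
    'nxdomain'   name does not exist: the resolver must have recursed
    'refused'    query rejected (the right answer for outside clients)
    """
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused"
    if rcode == 3:
        return "nxdomain"
    return "cached" if rcode == 0 and ancount > 0 else "not-cached"

def probe(resolver, name, timeout=2.0):
    """Send one RD=0 query over UDP to `resolver` (an IP you own) and classify it."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data, txid)

def honours_rd0(resolver):
    """The article's filter: a name nobody has looked up cannot be cached,
    so an answer or NXDOMAIN for it means the resolver ignored RD=0."""
    nonce = "probe-%08x.example.com" % random.randrange(1 << 32)  # assumed
    return probe(resolver, nonce) in ("not-cached", "refused")
```

Servers that ignore RD=0 are the ones the survey had to discard; on your own resolver the goal is "refused" for every address outside the networks it serves.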

DrCR1
2006-01-27, 04:30
Yeah, I'm late to all this, but I just wanted to confirm this does not affect 9x/ME OSes, correct?

Also...so will Spybot add immunization or detection, if not removal? Just checking.

Thanks for such an awesome app. I've been using Spybot S&D for years now, and it's still my #1 choice for WinOS spyware issues. :)

DrCR

BigRedNeck
2006-02-22, 16:08
It is irresponsible not to add it.

BTW...using Slysoft's AnyDVD completely blocks Sony's DRM from installing, as well as many other audio and video DRM mechanisms.

tashi
2006-02-22, 16:37
http://www.theregister.co.uk/2005/04/11/heise_not_allowed_to_mention_slysoft/
'Aider and abettor' to CD ripping
By Jan Libbenga
Published Monday 11th April 2005 15:18 GMT

A Munich court has ruled that German news site Heise Online was wrong to publish a link to Slysoft.com, a company that advertises software that can play, copy and rip protected audio CDs. In January the German IT site received a writ from the German music industry preventing it from publishing links to the company.

A court last week ruled that, by providing a link to the company's homepage, Heise intentionally provided "assistance in the fulfillment of unlawful acts" and is therefore liable as "an aider and abettor", as described in Section 830 of the German Civil Code.

BigRedNeck
2006-02-22, 17:24
Looks like I'm an 'Aider and abettor' to CD ripping too...I wholeheartedly support it in every way.

But more importantly, I support a PC user's right to guard their PC against trespass by companies like Sony, etc. and Slysoft's AnyDVD steps up to protect the consumer against something that Spybot does not.

Germany...sounds like communist China to me.

BigRedNeck
2006-02-22, 18:02
Is there an "official" reason that Spybot does not block or remove the Sony DRM rootkit?

Or shall we assume that Sony is providing an "incentive" not to?

J_Rey
2006-03-06, 20:26
Well, I noticed that there weren't any direct links to these pages, yet:

SunnComm's MediaMax software update:
http://www.sunncomm.com/support/faq/

The Information Web Site for the Sony BMG CD Technologies Settlement:
http://www.sonybmgcdtechsettlement.com/

md usa spybot fan
2006-05-12, 19:30
When tashi (http://forums.spybot.info/member.php?u=7) referenced this thread in the Microsoft media player. protection. (http://forums.spybot.info/showthread.php?t=4392) thread, it reminded me of something I read just the other day.

After being successfully sued for price fixing just three years ago to the tune of $143 Million, now some of the major companies in the music industry are paying fines for bribing DJs to play their music. See the following article:
Universal Music settles payola probe for $12 million (http://www.courttv.com/news/2006/0511/payola_ap.html)

These companies have absolutely no scruples.