
Thread: Sony DRM

  1. #21
     Junior Member (Join Date: Nov 2005, Posts: 25)

    Just read the following on Computer Associates' site (http://www3.ca.com/securityadvisor/p...x?id=453096362):

    XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

    Any word from Team Spybot regarding inclusion in SB detections? How about removal? While most antispy/antivirus programs are now set to detect the Sony DRM, no program may yet be able to remove it. Does anyone know?
    Last edited by el cpu; 2005-11-11 at 08:24.

  2. #22
     Junior Member (Join Date: Oct 2005, Location: Northwest Florida, U.S.A., Posts: 4)

    After all the bad press, "SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology." See the Sony BMG Statement for their official acknowledgement of the trojan/virus and a link to the patch/uninstall request.

  3. #23
     AplusWebMaster, Adviser Team (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    FYI...

    Troj/RKProc-Fam and Troj/Stinx disinfection instructions
    - http://www.sophos.com/support/disinfection/rkprf.html
    "Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers. This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

    Windows 95/98/Me and Windows NT/2000/XP/2003
    The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

    Windows disinfector
    RKPRFGUI is a disinfector for standalone Windows computers
    open RKPRFGUI, run it, then click GO.
    If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

    Command line disinfector
    RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector
    for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  4. #24
     Visiting Staff (Join Date: Oct 2005, Location: California, Posts: 19)

    Sunbelt doesn't plan to include this rootkit in its removal capability.
    From here:
    "We do not intend to have this removal capability in CounterSpy, simply because it is incredibly hard to remove this rootkit without disabling the CD-ROM player. Suggestion: Either use Sony's uninstaller or check out Sophos'."
    We'll see what Spybot does.

    By the way, that StinxE trojan looks like it's more of a proof-of-concept thing than anything really meant to do harm. First, it's targeted at British web users, where there is limited distribution of the DRM CDs. Second, the trojan is buggy.
    From here:
    "The first Trojan to exploit this flaw, Stinx.E, doesn't properly decrypt the registry keys needed to allow the Trojan to load when Windows is restarted. The Stinx.E Trojan also fails to load if the Sony DRM cloaking technology is active, despite its deliberate attempts to exploit it. Additionally, the IP addresses used to connect to the IRC server are invalid. In effect, the Sony Stinx Trojan is impotent."
    My computer security blog

    I am a member of the Alliance of Security Analysis Professionals

  5. #25
     Junior Member (Join Date: Oct 2005, Posts: 3)

     Not apples & apples, but pears?

    Windows Update, 24 Oct.: optional download for WMDRM, Media Player 9. No reason to suspect Microsoft of Sonyesque tactics. Right?
    KB link for more info: http://support.microsoft.com/kb/891122#appliesto.

  6. #26
     AplusWebMaster, Adviser Team (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    FYI...

    SecurityRisk.First4DRM Removal Tool
    - http://securityresponse.symantec.com...4drm.html?Open

    Last edited by AplusWebMaster; 2005-11-13 at 21:42.

  7. #27
     Junior Member (Join Date: Nov 2005, Posts: 25)

    I believe that the Symantec removal tool mentioned by AplusWebMaster does not actually remove the Sony DRM and its associated risks. While I have not run the tool myself (I am not infected), I believe that the tool is the so-called patch that Sony distributed to antivirus companies to uncloak the files so they could be seen from within Windows. As pointed out by Computer Associates and others, this patch, while uncloaking the files, installs a newer version of the DRM, which is still a trojan by CA standards.

    The following article at CNet http://news.com.com/Antivirus+firms+...3-5942265.html states that, quote: "Symantec said Wednesday that its antivirus software would identify the Sony software, but would not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling". The article further states that, quote: "Computer Associates... said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly. According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said. It will effectively insert pseudo-random noise into a file so that it becomes less listenable, said Sam Curry, a Computer Associates vice president. What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool. A Sony representative said the company's technical staff was looking into the issues identified by Computer Associates, but had no immediate comment."

    Fun!!!
    Last edited by el cpu; 2005-11-13 at 06:51.

  8. #28
     AplusWebMaster, Adviser Team (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    FYI...

    Sony DRM Rootkit to be removed automatically by Microsoft
    - http://isc.sans.org/diary.php?storyid=845
    Last Updated: 2005-11-13 14:36:09 UTC
    "Microsoft says* "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."
    * http://blogs.technet.com/antimalware/

    ..."Believe" that.
    Last edited by AplusWebMaster; 2005-11-13 at 21:42.

  9. #29
     Junior Member (Join Date: Nov 2005, Posts: 25)

    As I mentioned earlier, Microsoft, Symantec, and others are uncloaking the files so they are not hidden - they are not removing the First4Internet DRM technology, at least not yet. While this is a good first step, Computer Associates and the discoverer himself, Mark Russinovich, warn that the software that stays behind is still detrimental.

    In his post above AplusWebMaster mentions that "Microsoft.... will add a detection and removal signature for the rootkit component of the XCP software." and instructs us to "believe" it. Note the word Microsoft used, "component". Note ZDNetUK: "Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some Sony music CDs are played.", (emphasis on the word "part"). Note the "googled" news stating the same.

    As has been widely reported, the rootkit component is the cloaking of the files, but even if this component is removed correctly, the XCP software remains, admittedly in a modified fashion. To those infected I recommend removing XCP completely by going through the tedious process available at the SonyBMG website http://cp.sonybmg.com/xcp/english/uninstall.html This has pitfalls of its own as mentioned by CA and Russinovich, see: http://www3.ca.com/securityadvisor/p...x?id=453096362 and http://www.sysinternals.com/Blog/. Some registry keys remain. Note the comments on CA's site regarding the updated Sony uninstaller.

    The main SonyBMG site, under the tab News, Nov 10, 2005, http://www.sonybmg.com/ gives users two options, a patch which uncloaks the files and leaves a modified version of the software in place, and the uninstall. The alternative to the Sony uninstall is to wait and see if CA, F-Secure, or others are finally able to completely do so on their own. This is not the case yet.

    Removing the rootkit component is a good thing, however this still leaves a modified XCP in the computer - completely uninstalling the software, if done properly, would be much better.
    Last edited by el cpu; 2005-11-14 at 21:41.

  10. #30
     Junior Member (Join Date: Nov 2005, Posts: 25)

    Mark Russinovich, the individual that discovered the Sony XCP rootkit, confirms what I had mentioned above. Mark's November 14, 2005 blog states, quote: "Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality." http://www.sysinternals.com/blog/200...t-for-now.html

    Mark goes on to say, quote: "Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. ..... I’ve said it before, but obviously need to say it again: Sony needs to make the uninstaller freely available as a standalone executable download so that users can choose to safely and easily discontinue use of this nefarious software."

    Seems pretty clear to me....
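    Added example (not code from the thread, from Sony, or from any of the vendors named above): two checks over a Windows service inventory that correspond to the points made in #21 and #29/#30. The first flags a service whose display name borrows a Windows component's name, the "Plug and Play Device Manager" masquerade CA describes, by comparing short name and binary path against the genuine service. The second classifies an inventory as cloaked (driver plus DRM service), uncloaked (the "AV cleaned" state Russinovich describes, where only the Aries.sys driver is disabled and the XCP service remains), or clean. The inventories are constructed for the example; the XCP short name "XcpDrmService", its install path, and the assumption that the genuine service is "PlugPlay" hosted by services.exe are illustrative assumptions, not values taken from the page or from an infected machine. On a real host the rows would come from `sc qc`, `sc query`, or `Get-CimInstance Win32_Service`.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    name: str        # short service name, the key under HKLM\SYSTEM\CurrentControlSet\Services
    display: str     # display name shown in services.msc
    image_path: str  # binary the Service Control Manager starts
    start: int       # registry Start value: 0/1 boot or system driver, 2 auto, 3 manual, 4 disabled
    kind: str        # "driver" for a kernel driver entry, "win32" for a user-mode service


# Genuine Windows services whose display names a masquerader borrows.
# Assumption for this example: the real Plug and Play service is "PlugPlay",
# hosted in services.exe; extend the table for other impersonated names.
GENUINE = {
    "plug and play": ("plugplay", "services.exe"),
}
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# XCP components named in the thread: CA's description of the DRM service's
# display name and the Aries.sys cloaking driver Russinovich identifies.
XCP_SERVICE_DISPLAY = "plug and play device manager"
XCP_DRIVER_FILE = "aries.sys"


def _norm(path: str) -> str:
    """Lower-case, strip quotes and unify separators so prefix checks are reliable."""
    return path.strip().strip('"').lower().replace("/", "\\")


def in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def masquerade_reason(svc: Service) -> Optional[str]:
    """Explain why svc looks like an impostor of a Windows service, or None if it does not."""
    disp = svc.display.lower()
    for genuine_disp, (genuine_name, genuine_bin) in GENUINE.items():
        if genuine_disp not in disp:
            continue
        if svc.name.lower() == genuine_name and _norm(svc.image_path).endswith("\\" + genuine_bin):
            return None  # the real service: matching short name and expected host binary
        if not in_system_dir(svc.image_path):
            return f"display name echoes '{genuine_disp}' but binary lives outside System32: {svc.image_path}"
        return f"display name echoes '{genuine_disp}' but short name is '{svc.name}', not '{genuine_name}'"
    return None


def scan(services: Iterable[Service]) -> List[Tuple[str, str]]:
    """Return (service name, reason) for every service that fails the masquerade check."""
    out = []
    for svc in services:
        reason = masquerade_reason(svc)
        if reason:
            out.append((svc.name, reason))
    return out


def xcp_state(services: Iterable[Service]) -> str:
    """Classify an inventory: cloaking driver active, DRM service left behind, or clean."""
    svcs = list(services)
    driver_active = any(
        s.kind == "driver" and s.start != 4 and _norm(s.image_path).endswith("\\" + XCP_DRIVER_FILE)
        for s in svcs
    )
    drm_present = any(s.kind == "win32" and s.display.lower() == XCP_SERVICE_DISPLAY for s in svcs)
    if driver_active and drm_present:
        return "cloaked"      # rootkit driver and DRM service both installed
    if drm_present:
        return "uncloaked"    # the "AV cleaned" state: driver gone or disabled, XCP still installed
    if driver_active:
        return "driver-only"
    return "clean"


# Constructed sample inventories. Short names and paths for the XCP entries are
# hypothetical illustrations, not values captured from an infected machine.
BASELINE = [
    Service("PlugPlay", "Plug and Play", r"C:\WINDOWS\system32\services.exe", 2, "win32"),
    Service("Dhcp", "DHCP Client", r"C:\WINDOWS\system32\svchost.exe -k netsvcs", 2, "win32"),
]
INFECTED = BASELINE + [
    Service("XcpDrmService", "Plug and Play Device Manager",
            r"C:\Program Files\Common Files\XCP\drmserver.exe", 2, "win32"),
    Service("aries", "aries", r"C:\WINDOWS\system32\drivers\aries.sys", 1, "driver"),
]
# What an AV "rootkit removal" leaves behind: driver entry disabled, DRM service untouched.
AFTER_AV_CLEAN = BASELINE + [
    INFECTED[2],
    Service("aries", "aries", r"C:\WINDOWS\system32\drivers\aries.sys", 4, "driver"),
]

if __name__ == "__main__":
    for label, inv in (("baseline", BASELINE), ("infected", INFECTED), ("after AV clean", AFTER_AV_CLEAN)):
        print(f"{label}: state={xcp_state(inv)} flagged={scan(inv)}")
```

    The masquerade check deliberately keys on the display name rather than the short name, because the display name is what a user sees in services.msc; the cloaking state is decided from the driver's Start value as well as its presence, so that an entry an AV tool set to disabled (4) without deleting is not counted as active.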
