Page 1 of 9 12345 ... LastLast
Results 1 to 10 of 89

Thread: Sony DRM

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    Angry Sony DRM

    Take a look at http://www.sysinternals.com/blog/200...al-rights.html

    This is a revelation of the inner workings of the DRM-implementation that came with at least one Sony CD. Basically the software acts as a "rootkit", the most vile kind of scumware in existence, ordinarily only used by the kind of criminals that crack computers, designed to change the operating system at the lowest level and be undetectable. Moreover, it appears to be a badly coded rootkit, opening the door wide open for potential further abuse from companies with even less honest objectives than the RIAA.

    Just because Sony is a huge corporation shouldn't give them the right to bully consumers and infect PCs this way. I strongly urge the developers to add this to the detection rules to allow users to block or remove this offensive garbage. I also wouldn't be surprised if this is going to get Sony into a class action lawsuit sooner or later.

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    Thank you Carnivore. I will certainly bring this to our detectives attention.

    Cheers.

  3. #3
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default

    Mark's article is an opinion, not an indication of any illegal activity. As he states and shows with a graphic of the Amazon Web page he purchased from:
    I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:
    Immediately below the CD title in large letters is the statement:
    [CONTENT COPY-PROTECTED CD]

    Though Mark doesn't like the way they implement that protection for technical reasons, they are totally within their rights as he also states:
    While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
    Most of this statement is an opinion, it has no legal basis since the DRM is mentioned by Sony before the sale. Mark may be well respected for his technical knowledge relating to such software, but that does not assign him any special legal status. Though I agree with him about the technical issues he discovered, this doesn't change the fact that Sony is entirely within their rights to install such software.

    If you agree with him, your primary recourse is to not buy this or other Sony CDs protected in this way and/or inform Sony of your disklike for their methods.

  4. #4
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    Default

    That kind of defense must be typical of what every malware producer comes up with to justify their actions. "We're not foistware, all you have to do is read through the 10,000 words of gobbledygook in our EULA and you'd know you were giving your consent for us to install invisible software on your computer that nodody in their right mind would normally allow!"

    According to Mark:
    I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall.
    I think that says it all.
    Last edited by Carnivore; 2005-11-01 at 22:05.

  5. #5
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default

    The information missing from the EULA would be an issue to bring to Sony, but doesn't really change the legal situation since it's more then clearly stated that Copy-Protection software will be installed on the Web page.

    As I said before, the primary recourse is to refuse to buy products with such software installs and make sure Sony knows about it. I'm not protecting the badly written software being used by Sony, but they have the legal right to include DRM software if they've informed the purchaser that it's included.

    I'd rather not see any reputable antispyware organization take the position of removing such software since that pits them against an industry with lots of money and legal backing and a history of using it on little guys. All that will do is place both industries in a bad light and tie up resources that would be better spent fighting 'true' malware.

    This software is bad enough technically that complete exposure of that via this and other forums and serving notice to Sony of peoples' issue with it should be sufficient to invoke change.

    I hope for Mark's sake that nothing about this specific software is mentioned anywhere since if it is, there's likely the usual legalize about no dissassembly, reverse engineering, etc. Since he displays the fact that he's done exactly this on this web page, he's at a greater risk of being sued by either Sony or the software creator then being able to sue them for badly written software that's caused him no specific issue to this point.

  6. #6
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    Default

    We shall see what unfolds; the anti malware community is not blowing off the results of Sony DRM.

  7. #7
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    Default

    I'd like to start by saying I really appreciate the work that you do; and I, and many others, would indeed tremendously appreciate it if you would indeed add f4i XCP as a Malware detection.

    Contrary to bitman's position above, I am personally of the opinion that Sony should not be held to a lower ethical standard merely because they are big. I think this should be added to the definitions. Covert malware like this is unacceptable, no matter who makes or distributes it; and I would hope that any reputable antispyware solution would also feel the same way (lest, god forbid, people start assuming that this kind of behaviour is normal and acceptable).

    (Sideline: Given the stated "casual-copying-prevention" target of this DRM, and that of course the autoplay can be disabled by many methods and of course isn't active on unsupported systems like Macs, I wonder why it goes to such lengths to keep its claws in? There's no need to hide itself, and no need for it to stay persistent after the CD is ejected, to perform its stated copy-protection function.)

    I'm sure Mark is keenly aware of the legal issues; he is an experienced white-hat, and decided that public disclosure was important. Early variants of this XCP software apparently install before the EULA is displayed (I'm trying to procure a sample, someone I know bought one).

    I've actually been tracking this one myself for a while already. The SBCPHID driver performed a similar ripping-scrambling purpose in the MediaMax DRM system (and was also covertly installed in some cases, and as hazardous to remove), but when they switched to f4i's XCP I was surprised myself to see that even actively tried to hide itself using the (dirty) syscall hooks mentioned, which is definitely a step beyond the pale.

    It is, of course, in the wild and widespread, being included on more or less every recent Sony Music release; and I have received reports of people already using the $sys$ hiding provided by aries.sys to cloak other software (notably WoW botting programs: http://www.wowsharp.net/forums/viewtopic.php?t=7251 - and one WoW password stealer, so I hear; probably related) as a sort of easy ride to a simple kernel-mode-stealth.

    It has malicious intent; it scrambles sectors ripped on any CD that has a similar (but not necessarily identical) TOC to the protected disc. (Indeed, it can scramble all subsequent CD ripping - I've seen Mediamax do this - or fail installation, causing a broken link in the lower filter chain, causing the CD-ROM drive to apparently vanish.)

    It's badly written; I've seen it cause bluescreens on a test VMWare image during an insert of some CDs (the author is an amateur at kernel-mode code; even as I write this, I am wondering if there are any locally-exploitable privilege escalation vulnerabilities in it).

    A component examines the process list and files continually (that might be a little mild to qualify as spying in and of itself, it doesn't send it anywhere).

    Most importantly: It has no uninstall option. It is difficult to remove manually. It tries - very hard - to actively hide its existence. That alone qualifies it as malware, in my humble opinion. (I'd personally class it under the "Malware" detection, as "rootkit" is more traditionally used for covert remote access applications, not covert malware in general, but of course rootkits is where this hiding technique gained ground.)

    "XCP Red" from the same company is a CDS-200 spinoff, apparently, and tries to make the CD unreadable to any with scrambled session techniques; it's not supposed to be readable in a PC at all (or suitable for public use, because of that, it's used internally, apparently on some radio promo CDs, I'm trying to procure a sample out of sheer interest), so there isn't any data track, and so no malware on it.


    Detection wouldn't tie up much time, because it's fairly trivial. I can see two obvious ways. One, look for the files and registry keys, they show up when directly accessed, just not in listings (probably the easiest). Or two, create a tempfile with a name like $sys$f4itest.dat, and see if it vanishes (before deleting it).

    Removal is trickier; you need to remember to remove it from the list of Lowerfilters in all the CD-ROM keys, but that's pretty much the only catch.

  8. #8
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    After reading Mark Russinovich superb summary on the Sony DRM rootkit exploit I completely agree with the concerns expressed by Carnivore and Agent O. Bear with me please, but I think Bitman missed the point, regardless of a EULA Sony does not have the right to cloack software and install it without an uninstaller, especially when such software allows a hacker to compromise a system. A Google News search of Sony BMG just brought 129 articles worldwide on this bug. Sony is rapidly providing a patch to the major virus scanning companies, Symantec, McAfee, F-Secure, etc. to uncloack the files although this patch does not remove the software. I share in urging our trusted friends at Spybot to include this item in their detections. Sony compromised computers allow malware crooks a backway to get into the systems and it is a matter of a few hours, not days before someone exploits this flaw. Shame on Sony.

    May want to visit the following F-Secure site: http://www.f-secure.com/v-descs/xcp_drm.shtml
    quote: "Although the software isn't itself malicious, the hiding techniques used are exactly the same that malicious software known as rootkits use to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits. The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix '$sys$', the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques."

    Also PCWorld had this to say today in their article "Is Sony trying to kill the CD Format for Music": http://blogs.pcworld.com/staffblog/archives/001051.html
    Last edited by el cpu; 2005-11-03 at 10:58.

  9. #9
    Member of Team Spybot Buster's Avatar
    Join Date
    Oct 2005
    Location
    Bochum/Germany
    Posts
    389

    Angry

    Here is the statement from Sony about this. http://cp.sonybmg.com/xcp/english/faq.html

    6. I have heard that the protection software is really malware/spyware. Could this be true?

    Of course not. The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution. It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system. Also, the protection components are never installed without the consumer first accepting the End User License Agreement.

    If at some point you wish to remove the software from your machine simply contact customer service through this link. You will, though, be unable to use the disc on your computer once you uninstall the components.

    Our technology vendors are constantly looking to improve the product as well as respond to any critical software issues found. Please check here for upgrades to address any known issues
    But being forced to enter an email address to get the uninstall software doesn´t make this more anonymous.
    The software does not collect any personal information nor is it designed to be intrusive to your computer system.
    "The advantage of wisdom is that you can always act the fool. The opposite is quite tough."

    K. Tucholsky

    _______________________________________________________________

    Please help us improve Spybot and download our distributed testing client.

  10. #10
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    Default Just plain "Bad software"

    I've got no arguement with anyone's analysis of the software, it's obviously not well written and by using the same techniques as malware, put's itself at risk of exactly what's happened already.

    My position perfectly mirrors the first paragraph of the F-Secure Conclusion section which 'el cpu' left out in the quote above:
    Conclusion

    The DRM software does not self-replicate and doesn't contain malicious features and should thus be considered a false positive, triggered by the advanced hiding techniques used by the software.
    http://www.f-secure.com/v-descs/xcp_drm.shtml

    Though it's badly written and may create a potential hiding place for true malware, nothing described has made this program itself malware. At best it deserves the PUPs 'Possibly Unwanted Program' designation created by Team Spybot for exactly such situations. This would allow optional removal of the software without marking it as malware itself, also requiring the user to check the removal box which is unchecked by default.

    My concern is that by considering this software for a malware rating, an antispyware organization would be placing itself at risk of a valid legal suit by the RIAA, which would have to protect its right to copy-protection. This also places them directly in the middle of the RIAA and everyone who hates them, a no win situation from the start and an already hopeless legal mess. No antispyware organization needs to create such an obvious problem for itself and allow it to drain their already limited resources.

    Note that all the press has already resulted in exactly what I mentioned it would, Sony has had to respond. They've offered a method to uninstall the software and been forced to respond publicly. Undoubtedly they'll have to respond further over the coming days and weeks by improving/replacing the copy-protection software and installation notification within the associated EULA. All of this is exactly what should happen.

    The idea that antimalware exist's to remove every peice of software that creates even a potential issue is getting streched here. By this standard, Internet Explorer and even the Windows OS itself should be removed by antimalware. There must be a solid criteria for such decisions which as I understand, the ASC was created to help provide. Hopefully Team Spybot and other members of this group have defined a way to deal with such situations. We shall see.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •