Page 2 of 9 FirstFirst 123456 ... LastLast
Results 11 to 20 of 89

Thread: Sony DRM

  1. #11
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,766

    Default

    Update:
    http://cp.sonybmg.com/xcp/english/updates.html


    http://updates.xcp-aurora.com/
    Latest Update
    Service Pack 2
    2|Nov|2005, 3.253Mb
    This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.
    Download Now

  2. #12
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    I would not rely on the stated information from Sony, for obvious reasons it is written with their own spin and is not completely factual. The patch mentioned by Tashi uncloaks the files, it does not remove the software, the harm and risk remain, one is just able to see the files, that's all. By now it is well understood that the Sony DRM does compromise security, a google search will lead to the explanations. To remove the software you are asked to register with Sony and after registering they state that they will respond later. I wonder if a removal process is available - as Agent O stated removal may not be that simple. Some users have lost the ability to see their CD drives when attempting to remove the software and have had to reinstall their systems.

    From my perspective this falls into the broad category of malware, it compromises your system and the compromised system can allow others to hack in. Other than being from a big company, I see this as no different than the numeruous toolbars that Spybot detects or for that matter the infamous DSO Exploit that allowed hackers a backway - Spybot detected the DSO Exploit, so why not this? Just my opinion....

    May find this of interest (from Kaspersky Lab http://www.viruslist.com/en/weblog?weblogid=173255368)
    We would like to highlight that according to ASC's definition of SpyWare this software may be classified as such.
    * May be a nuisance and impair productivity
    * Can slow machine down or cause crashes and loss of data
    * May be associated with security risks
    * Can compromise system integrity and security
    * Done covertly, it is stealing cycles and other resources
    Rootkits are rapidly becoming one of the biggest issues in cybersecurity. Vendors are making more and more of an effort to detect this kind of threat. So why is Sony opting to use this dubious technology?

    May find this of interest (from http://news.zdnet.co.uk/0,39020330,39235377,00.htm)
    Several antivirus companies followed Russinovich's news with warnings that the First 4 Internet tools could let virus writers hide malicious software on computers, if the coders piggybacked on the file-cloaking functions. "For now it is theoretical, or academic, but it is concerning," said Mikko Hypponen, chief research officer at antivirus company F-Secure. "There's no risk right now that we know of, but I wouldn't keep this on my machine." The patch that First 4 Internet is providing to antivirus companies will eliminate the rootkit's ability to hide itself and the copy-restriction software in a computer's recesses. The patch will be automatically distributed to people who use tools such as Norton Antivirus and other similar programs, Gilliat-Smith said. The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view. Consumers who want to remove the copy-restriction software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said.

    May find the BBC and Washington Post articles of interest also:
    http://news.bbc.co.uk/2/hi/technology/4400148.stm
    http://www.washingtonpost.com/wp-dyn...110202362.html
    Last edited by el cpu; 2005-11-04 at 00:16.

  3. #13
    Junior Member
    Join Date
    Oct 2005
    Location
    Rhode Island coast
    Posts
    4

    Default

    This kind of nonsense is a good reason to support those who fight privacy invasions-- like the EFF/Consumer's Union, Spybot, etc. I am tired of corpoworld sticking their noses in my affairs. I pay for my music, etc... I should not have to deal with such garbage in order to use something I paid for.
    Did they honestly think they would not EVENTUALLY get caught ??

  4. #14
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,766

    Default

    Mark Russinovich
    http://www.sysinternals.com/blog/200...ecloaking.html
    Another informative read.

  5. #15
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    Information below from the zdnet site, dated November 7, 2005.

    "Antivirus companies are considering protecting their customers from the digital rights management software used by Sony on some CDs. Kaspersky Lab has classed Sony's DRM software as spyware because, among other things, it can cause crashes and loss of data, and it can compromise system integrity and security. Explaining its decision, Kaspersky said it used the definition of spyware provided by the Anti-Spyware Coalition. Sophos, another security company, is similarly scathing of Sony and is calling the software "ineptware."

    Complete article at:
    http://www.zdnet.com.au/news/securit...9220988,00.htm

  6. #16
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    Computer Associates Pest Patrol is set to detect the Sony DRM starting with their November 11 update. Should Spybot consider the same?

    http://www3.ca.com/securityadvisor/p...x?id=453096362
    quote from above link:
    This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained. Sony BMG has released a patch which removes the rootkit and eliminates the above vulnerability. The patch fails the eTrust PestPatrol scorecard in its own right and its security advisor page can be found here. After the patch is run this variant of the XCP.Sony.Rootkit program still violates the eTrust PestPatrol Scorecard.

    Latest from Mark Russinovich: http://www.sysinternals.com/blog/200...-internet.html
    Last edited by el cpu; 2005-11-11 at 16:59.

  7. #17
    Member
    Join Date
    Oct 2005
    Posts
    44

    Default

    Quote Originally Posted by el cpu
    Computer Associates Pest Patrol is set to detect and remove the Sony DRM starting with their November 12 update. Should Spybot consider the same?
    I think many are interested in the answer to that.

    Seems to me that SONY is depending strongly on the users not noticing that they have been infected with a parasite...a parasite that secretly installs, secretly sends profiling data back to their server logs(spies), tries to hide, and has no viable uninstall string. I can't think of many more parasitic wares around.

    Another post from Mark;

    http://www.sysinternals.com/blog/200...ant-to_09.html

  8. #18
    Junior Member
    Join Date
    Nov 2005
    Posts
    3

    Exclamation

    What I anticipated and feared, has now happened; aries.sys, the cloaking component of XCP Aurora, is now now literally being (ab)used to cloak both in-the-wild and in-development trojans.

    One (barely working) "SonyEnabled" Breplibot here, which has already been analysed:
    http://www.bitdefender.com/VIRUS-100...RC.Snyd.A.html

    Also one SDbot variant in the channels but not in the wild yet (24-48 hours?); that actually carries a copy of aries.sys with it and installs it itself.

    After all, it saves the (often pretty unskilled) botters from trying to write their own flaky kernel-mode stealth driver, when they can just steal one that A) people would not be very surprised to see and would blame on something else (like, say, playing a copy-protected CD), B) that AVs would be reluctant to flag as a clear and present threat, and C) that is (providing you can find the dollar sign on your keyboard) absolutely trivial to use.

    This is starting to be a real problem. Please at least add aries to the sigs, because not all the AVs will.

    (Sophos' lab now has a working standalone aeries removal utility which they plan to release today, and they may well add aries as a threat as well; I think KAV have stated their intention to list it, I seem to remember Norton/Symantec coming down on the will-not-list-it side of things, but I could be wrong.)

    I can see bitman's reservations (even if I don't personally agree with them) about the other parts of XCP Aurora. I could understand if you did not choose to list the other components.

    (The other components are, however, still threats in their own ways - locally-exploitable privilege-escalation vulnerabilities. They really don't know how to write kernel code well. No, I won't give any details. I just can't see a patch being issued and actually deployed widely from these F4i guys, given the way the uncloaker and later uninstaller was/is distributed.)

    Remember; many users will be completely unaware they even have these drivers on their system (as far as they're concerned, they just played a CD they bought in the store). They will therefore probably be unaware they need to run some separate removal tool, or follow a complicated procedure for unmasking it or attempting to uninstall it (officially or otherwise). That's why I think it's particularly important that Spybot lists it and explains what it is (even if it's not checked for removal by default, its presence should be displayed).

  9. #19
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    Default

    Agent O reinforces the need for SB to include the Sony rootkit in it's detections. By now it is clear that the antispyware/antivirus community regards the Sony DRM as a serious vulnerability, in fact from CA's PestPatrol today, quote: "These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality." http://www3.ca.com/securityadvisor/p...aspx?cid=76345

    While PestPatrol detects the presence of the rootkit it is not clear to me that they will remove it. I had read that they would be able to do so with their November 11 defs but this is to be confirmed and may have referred to the cloaking aspect only.

    McAfee is now "detecting and removing" the cloaking (as of Nov 9, 2005 defs) http://vil.nai.com/vil/content/v_136855.htm
    but note their caveat about potential crashes in doing so, quote: "System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself." I belive that McAfee leaves the DRM software in place with the associated risks that have been identified and mentioned previously.

    Symantec has started to detect the presence of the rootkit but it does not remove it. They simply suggest to the user to obtain the so called SonyBMG patch which uncloaks the files but leaves the DRM in place (replaces some files).
    Last edited by el cpu; 2005-11-11 at 07:23.

  10. #20
    Junior Member
    Join Date
    Oct 2005
    Location
    Northwest Florida, U.S.A.
    Posts
    4

    Exclamation Virus found that exploits Sony BMG's software

    Besides being rootkit and other objectionable methods, the Sony BMG software now is being used to hide the Stinx-E trojan! See the related news article.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •