
Thread: Sony DRM

  1. #41
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    FYI...

    - http://www.freedom-to-tinker.com/?p=928
    "...You can tell whether you are vulnerable by visiting our CodeSupport detector page.
    If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
    UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form... In its place is the following message:
    'November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
    This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk..."

    :(
    Last edited by AplusWebMaster; 2005-11-16 at 12:58.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #42
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    FYI the latest blog from Mark Russinovich: http://www.sysinternals.com/blog/2005/11/victory.html

    Also FYI, I hope my Spybot friends find the following as disturbing as I do..... Regardless of all the bad publicity that the Sony case has generated, Sony is currently bragging (apparently for good reason) that their Santana CD (Arista, with XCP content) is "the #1 Artist Album today" (as of Nov. 9) on the Billboard charts and the #2 entry in the charts (next to the Now compilation). So much for hurting them in the pocketbook, apparently consumers do not care (or know). To add salt... a Neil Diamond CD (XCP also) is the #6 CD in Amazon regardless of the fact that there have been hundreds of reviews warning purchasers. Amazon is still selling these CDs regardless of the recall. If you want to upset your stomach read the Sony release on Santana under the news section of the SonyBMG web, http://www.sonybmg.com/ This is the same website that states that the CDs are recalled.... Gee
    Last edited by el cpu; 2005-11-16 at 18:33.

  3. #43
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Nancy McAleavey of Privacy Software (publisher of BOClean anti-trojan) shared a guide on how to remove Sony's Rootkit without the need of using the patch by Sony.

    Calendar of Updates - Tip of the Day forum here:
    http://www.dozleng.com/updates/topic7048

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #44
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    For those of you considering the Nancy McAleavey (Privacy Software) removal process mentioned above, please be aware that Russinovich recommends against unloading the Aries driver while Windows is running, quote: "I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence..."
    http://www.sysinternals.com/blog/200...ecloaking.html
    Last edited by el cpu; 2005-11-16 at 23:21.
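
Added example, not part of the thread and not Sysinternals or First4Internet code: a user-space C model of the unload race described in the Russinovich quote above. The one-slot table, the `in_flight` counter and every function name are hypothetical; the model shows that a thread which has read the hooked pointer but not yet executed the hook's first instruction is invisible to any bookkeeping the driver keeps.

```c
#include <stdbool.h>
#include <stdio.h>

typedef int (*syscall_fn)(void);
typedef enum { RAN_ORIGINAL, RAN_HOOK, JUMPED_TO_UNMAPPED } outcome;

static bool driver_mapped;    /* do the driver's code pages still exist? */
static int in_flight;         /* threads the hook knows are inside it */
static syscall_fn table[1];   /* one-slot stand-in for the system call table */

static int original_call(void) { return 0; }

static int hook_call(void) {  /* code that lives in driver memory */
    in_flight++;              /* first instruction: only now is the thread counted */
    int r = original_call();
    in_flight--;
    return r;
}

static void driver_load(void) { driver_mapped = true; table[0] = hook_call; }

/* "Careful" unload: restore the table, refuse while a counted thread is in the hook. */
static bool driver_unload(void) {
    table[0] = original_call;
    if (in_flight != 0) return false;
    driver_mapped = false;
    return true;
}
static void unload_now(void) { (void)driver_unload(); }

/* One thread making the call; `window` runs after the table read, before the jump. */
static outcome dispatch(void (*window)(void)) {
    syscall_fn fn = table[0];
    if (window) window();
    if (fn == hook_call && !driver_mapped) return JUMPED_TO_UNMAPPED; /* a crash on a real kernel */
    fn();
    return fn == hook_call ? RAN_HOOK : RAN_ORIGINAL;
}

static outcome unload_before_read(void) { driver_load(); unload_now(); return dispatch(NULL); }
static outcome unload_in_window(void)   { driver_load(); return dispatch(unload_now); }

int main(void) {
    printf("unload before table read: %d\n", (int)unload_before_read());
    printf("unload inside the window: %d\n", (int)unload_in_window());
    return 0;
}
```

In the second scenario the unload succeeds because `in_flight` is still zero, yet the thread already holds the stale pointer.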

  5. #45
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    el cpu:

    For those who have installed the Sony XCP DRM software on their system what are your recommendations? You keep quoting that it is "never safe to unload a driver that patches the system call table", so how do you suggest that people go about removing the "Aries driver"?


  6. #46
    Junior Member
    Join Date
    Nov 2005
    Posts
    25

    md usa spybot fan:

    In your post above you state that I "keep quoting that it is never safe to unload a driver..." FYI I have quoted that once. Regarding a suggestion to remove, I wish I had one but unfortunately no solution has yet been found safe, at least according to the discoverer himself. Please go back to my posting of November 15, 2005, at 16:25 >> "Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form". All I can suggest at this time is that users follow his advice and continue to check the Sysinternals site: http://www.sysinternals.com/

    As one could perhaps discern from your own posting, the complete McAleavey solution is likely beyond the typical computer user. We have not heard much from the SB team on this, maybe they have a suggestion to share. Agent O put it well in his last post, I quote; "I hope Team Spybot can be proud to be the first to provide a complete solution".


  7. #47
    Esteemed Member
    Join Date
    Oct 2005
    Posts
    554

    I've been keeping quiet on this subject since although Sony and First4Internet have badly handled the process, it's obviously heading in the right direction; maybe bouncing off walls would be a better description. :(

    Anyway, I feel the following requires a simple sanity check:
    Quote Originally Posted by el cpu
    For those of you considering the Nancy McAleavey (Privacy Software) removal process mentioned above, please be aware that Russinovich recommends against unloading the Aries driver while Windows is running, quote: "I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence..."
    Though Mark Russinovich is undoubtedly correct about the proper method here and there is a potential risk, so what? What "thread might be just about to execute the first instruction of a hooked function when the driver unloads"? Most likely, this would be something related to the CD drive. Would you stick a CD in the drive while trying to remove software that uses it? What is the real likelihood that such an event would occur under normal circumstances rather than under a test situation intended to show that it could occur? Though I don't know the answer myself, I doubt it's very probable.

    Even if the situation did occur and the dreaded 'blue screen' happened, what would the result be? Since the blue screen is really a processor halt condition created by the detection of the thread jumping into invalid memory, this simply locks up the PC to protect it. Only software that was open at the time would be affected, so who leaves important programs open when performing an uninstall of any software, especially something like copy protection?

    Though I understand and agree that both the software itself and the uninstallers to this point have potential problems, the only one that really concerns me is the ActiveX control used in the uninstall that appears to have an extremely bad vulnerability. Remember that the mass drive by the public is what is causing Sony to rush, which has helped create the current situation. Not defending Sony here, it's just always true that putting pressure on a bad technical situation will only make it worse. Sony's backout is no surprise to me, I knew it would happen the second I saw Mark's initial post, just not how quickly.

    At this point it's also obvious that anti-malware developers will have to become involved in the cleanup effort. Since the original software had no automatic update facility (that I've heard of anyway) there's no way to inform those with the issue directly. It would be best, however, if this was a coordinated effort between the ASC/AV vendors and Sony. The fiasco to this point is due in large part to the lack of any coordination by anyone and the less than useful 'help' of the news media and general public, neither of which have a clue. Read some of the comments at Mark's site or even many of the Articles and Blogs referencing his site, they're rife with inaccuracies and just plain dumb statements.

    My respect for Mark Russinovich as a programmer and helper within the anti-malware community in general is as solid as ever. However, my respect for his methods and handling of this situation are less than glowing. Posting this entire technical discussion directly in public without warning Sony and the anti-malware community first, giving them a chance to respond appropriately, was bound to create the mess that's ensued. It's made me question his motives more than once in the last few weeks. However, I'll give him the benefit of a doubt that he was concerned he might otherwise be stifled by an injunction suit before he could go public.

    Either way, I'd prefer to see this thing slow down before the compound mistakes get even worse. Unfortunately, there's new urgency created by the ActiveX control, so that may need immediate attention. At this point I've seen no effective direct threat from the original or patched versions of the software, only proof of concept. It would be best to leave this piece alone at least until someone has a removal tool that will deal with all variants; unpatched, patched, partially uninstalled and never really installed and not create more problems than exist already. This is and should be Sony's job and should only be taken over by others if they're ready for the same flack that Sony's gotten, since it will be their fault if it doesn't work, not Sony's.

    Remember that the average person's tendency is to just 'fix everything' and not research what's been found on their PC. So you better be sure your 'complete solution' will work before advertising it to the world or you'll end up linked with Sony in this debacle. So far I see no one coming up roses and the best profile has been to keep your head down in the crossfire.

  8. #48
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    FYI...

    Welcome To Planet Sony
    - http://www.doxpara.com/?q=sony
    Submitted by Dan Kaminsky on Tue, 2005-11-15 09:28.
    "Sony.
    Sony has a rootkit.
    The rootkit phones home.
    Phoning home requires a DNS query.
    DNS queries are cached.
    Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
    It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
    So what did I find?
    Much, much more than I expected.
    It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows... unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident..."

    :(

  9. #49
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,760

    Quote Originally Posted by bitman
    Either way, I'd prefer to see this thing slow down before the compound mistakes get even worse. Unfortunately, there's new urgency created by the ActiveX control, so that may need immediate attention. At this point I've seen no effective direct threat from the original or patched versions of the software, only proof of concept. It would be best to leave this piece alone at least until someone has a removal tool that will deal with all variants; unpatched, patched, partially uninstalled and never really installed and not create more problems than exist already.
    Well said bitman.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  10. #50
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Hmmm...

    - http://www.wired.com/news/print/0,1294,69601,00.html
    Nov. 17, 2005
    "... That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.
    Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.
    What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
    We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.
    Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?..."

    :(
