Sony DRM

Just read the following on Computer Associates' site (http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362)

XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

Any word from Team Spybot regarding inclusion on SB detections? How about removal? While most antispy/antivirus programs are now set to detect the Sony DRM, no program may yet be able to remove it. Does anyone know?
 
After all the bad press, "SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology." See the Sony BMG Statement for their official acknowledgement of the trojan/virus and a link to the patch/uninstall request.
 
FYI...

Troj/RKProc-Fam and Troj/Stinx disinfection instructions
- http://www.sophos.com/support/disinfection/rkprf.html
"Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers. This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

Windows 95/98/Me and Windows NT/2000/XP/2003
The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Windows disinfector
RKPRFGUI is a disinfector for standalone Windows computers
open RKPRFGUI, run it, then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

Command line disinfector
RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector
for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

;)
 
Sunbelt doesn't plan to include this rootkit in its removal capability.
from here
We do not intend to have this removal capability in CounterSpy, simply because it is incredibly hard to remove this rootkit without disabling the CD-ROM player. Suggestion: Either use Sony’s uninstaller or check out Sophos’.
We'll see what Spybot does.

By the way, that StinxE trojan looks like it's more of a proof of concept thing than anything really meant to do harm. First it's targeted at British web users where there is limited distribution of the DRM CDs. Second, the trojan is buggy
from here
The first Trojan to exploit this flaw, Stinx.E, doesn't properly decrypt the registry keys needed to allow the Trojan to load when Windows is restarted. The Stinx.E Trojan also fails to load if the Sony DRM cloaking technology is active, despite its deliberate attempts to exploit it. Additionally, the IP addresses used to connect to the IRC server are invalid. In effect, the Sony Stinx Trojan is impotent.
 
I believe that the Symantec removal tool mentioned by AplusWebMaster does not actually remove the Sony DRM and its associated risks. While I have not run the tool myself (I am not infected) I believe that the tool is the so called patch that Sony distributed to antivirus companies to uncloak the files so they could be seen from within Windows. As pointed out by Computer Associates and others, this patch, while uncloaking the files, installs a newer version of the DRM which is still a trojan by CA standards.

The following article at CNet http://news.com.com/Antivirus+firms+target+Sony+rootkit/2100-1029_3-5942265.html states that, quote: "Symantec said Wednesday that its antivirus software would identify the Sony software, but would not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling". The article further states that, quote: "Computer Associates... said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly. According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said. It will effectively insert pseudo-random noise into a file so that it becomes less listenable, said Sam Curry, a Computer Associates vice president. What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool. A Sony representative said the company's technical staff was looking into the issues identified by Computer Associates, but had no immediate comment."

Fun!!! :eek:
 
FYI...

Sony DRM Rootkit to be removed automatically by Microsoft
- http://isc.sans.org/diary.php?storyid=845
Last Updated: 2005-11-13 14:36:09 UTC
"Microsoft says* "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."
* http://blogs.technet.com/antimalware/

..."Believe" that.
 
As I mentioned earlier, Microsoft, Symantec, and others are uncloaking the files so they are not hidden - they are not removing the First4Internet DRM technology, at least not yet. While this is a good first step, Computer Associates and the discoverer himself, Mark Russinovich, warn that the software that stays behind is still detrimental.

In his post above AplusWebMaster mentions that "Microsoft.... will add a detection and removal signature for the rootkit component of the XCP software." and instructs us to "believe" it. Note the word Microsoft used, "component". Note ZDNetUK: "Microsoft will update its security tools to detect and remove part of the copy protection tools installed on PCs when some Sony music CDs are played.", (emphasis on the word "part"). Note the "googled" news stating the same.

As has been widely reported, the rootkit component is the cloaking of the files, but even if this component is removed correctly, the XCP software remains, admittedly in a modified fashion. To those infected I recommend removing XCP completely by going through the tedious process available at the SonyBMG website http://cp.sonybmg.com/xcp/english/uninstall.html This has pitfalls of its own as mentioned by CA and Russinovich, see: http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362 and http://www.sysinternals.com/Blog/. Some registry keys remain. Note the comments on CA's site regarding the updated Sony uninstaller.

The main SonyBMG site, under the tab News, Nov 10, 2005, http://www.sonybmg.com/ gives users two options, a patch which uncloaks the files and leaves a modified version of the software in place, and the uninstall. The alternative to the Sony uninstall is to wait and see if CA, F-Secure, or others are finally able to completely do so on their own. This is not the case yet.

Removing the rootkit component is a good thing, however this still leaves a modified XCP in the computer - completely uninstalling the software, if done properly, would be much better.
 
Mark Russinovich, the individual that discovered the Sony XCP rootkit, confirms what I had mentioned above. Mark's November 14, 2005 blog states, quote: "Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality." http://www.sysinternals.com/blog/2005/11/sony-no-more-rootkit-for-now.html

Mark goes on to say, quote: "Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. ..... I’ve said it before, but obviously need to say it again: Sony needs to make the uninstaller freely available as a standalone executable download so that users can choose to safely and easily discontinue use of this nefarious software."

Seems pretty clear to me.... :)
 
SONY BMG STATEMENT ON XCP COPY PROTECTION
http://blog.sonymusic.com/sonybmg/archives/xcp.html

SONY BMG STATEMENT

We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players.

In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause.

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp.

Opinion: Rather than just "… temporarily suspending the manufacture of CDs containing XCP technology.", do the right thing and recall the CDs that contain the XCP DRM software that are currently available to consumers through retailers. Without taking this step you are continuing to subject more and more people who are unaware of the problem to possible hidden malware using the rootkit that you install with these CDs.

I believe that you have the right to protect your intellectual property, however, the XCP DRM that you employed went far beyond the terms and conditions of the EULA that "… this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER."

Consumers have rights too. One of those rights is the unrestricted and uninterrupted enjoyment of personal property (their computer). Apparently those rights were not a major concern in the development of the XCP DRM when you hooked the operating system to hide files and intercept device drivers. In addition, you provided no means to uninstall the software. All this without disclosing this in the EULA. As it turns out your XCP DRM is something I would expect from hackers or malware purveyors, not from a legitimate music company.

Come on, Sony BMG Music Entertainment, start doing the right thing: recall the CDs that are still in the market place!!!
 
md usa spybot fan: Thanks for the good words, your opinion is of course widely shared by consumers including myself.

In addition to recalling the CDs in the marketplace, Sony needs to "make the uninstaller freely available as a standalone executable download" as Russinovich stated. Until this is done, infected consumers are limited to uncloaking the files vis-a-vis Microsoft, Symantec, etc. or going through the Sony uninstall process which is tedious and not without peril. A simple and reliable uninstall executable is needed for the thousands of people that are likely infected.
 
Perhaps someone who has downloaded the full uninstaller from Sony can post it online, and it can just be spread from there (without involving Sony). Since it seems that they want people to go through the hassle of emailing them and having to manually download the patch...
 
Pogue, while your suggestion would be good under normal circumstances, such is not possible with the Sony uninstaller and that is one of the many complaints Mark Russinovich and the AV community have of Sony. In order to uninstall, Sony makes one register and an ActiveX control is then sent to your computer. Sony then replies back with the uninstaller, however the uninstaller verifies that it is in the same computer as the original request. If it is not, it does not work and an error message appears. The uninstaller is also time limited. Sony wants this to be a machine-by-machine effort with them in full control. This of course is contrary to accepted computer practices - I can uninstall Office, PhotoShop or any other reputable software as I choose without having to go back to the developer. Check out the Russinovich posts which will elaborate in detail.
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html
 
Well.... Sony is finally pulling the CDs off the market.... According to USA Today: "Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs. Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC. .... Details about how long it will take to replace the XCP CDs and about its consumer exchange program will come later in the week, Sony said."

http://www.usatoday.com/money/industries/technology/2005-11-14-sony-cds_x.htm
 
FYI...

Sony’s Web-Based Uninstaller Opens a Big Security Hole...
- http://www.freedom-to-tinker.com/?p=927
November 15, 2005
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

:confused:
 
More...

- http://www.theinquirer.net/?article=27714
15 November 2005
"...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

:confused:
 
This keeps getting worse... What AplusWebMaster pointed out above has hit the national news big time via the Associated Press, see the MSNBC article: http://msnbc.msn.com/id/10053831/ In addition, Princeton University has confirmed what the Finnish researcher discovered, that the Sony ActiveX control is blatantly flawed. The MSNBC piece goes on to say: "Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn't require filling out the online form. There's absolutely no excuse for Sony not to make one immediately available, he wrote in an e-mail Tuesday."

If the stand-alone program comes from Sony via First4Internet, who is going to trust it at this point; their track record is as low as it gets. I wonder if AV companies will be able to independently write a complete uninstaller (or if they will choose to, due to legal concerns). We'll see....

Further, it now appears that there are upwards of 500,000 computers infected so far. See: http://www.wired.com/news/privacy/0,1848,69573,00.html?tw=wn_tophead_2

:confused: indeed....
 
Firstly, it looks as though the player's AX control actually does contain LGPL'ed mp3lib code, and code from id3lib. Ironic that the DRM system itself violates copyright (the EULA is LGPL-incompatible, even if source were distributed).

More importantly, I followed up on my earlier work, because I was curious, and I extended my exploit to operate on a flaw in DRMServer that is remotely exploitable (in some scenarios, i.e., anonymous RPC access required and not firewalled) via the named pipe through which it communicates with the player application, chaining a kernel-mode privilege escalation vulnerability in crater.sys.

Obviously, I won't give this out, because there are at least half a million, possibly a million, vulnerable machines right now according to doxpara's estimates and my own metrics. Quite easily "worm food". Chilling.

It is worth pointing out that the aries cloaking component is not required for this exploit to work, and it works on the three versions I tested (including the post-Sony patch version).

So far, I haven't seen a properly working uninstaller. Of course, the uninstaller Sony have also leaves CodeSupport, another threat as previously discussed. And it doesn't seem to work properly anyway.

In my view, it's probably time to get tough; uninstallation really should, at this stage, not just remove aries, but schedule for the next reboot to blat out every single file XCP drops, including CodeSupport at this time, and unlink the XCP drivers from the Upper and Lower filter chains of the IDE channels and CD-ROM drives. That would indeed do it properly. (Ensure that you don't make the same mistake many others do; don't try to unload the drivers on the fly.)

Even MS have stated their intention to list $sys$aries (but not the rest) in the Malware Detection and Removal Tool that will be pushed out in the next (2005-12-13) Windows Update; a distinction normally afforded only to actual, highly prevalent, botnet variants.

I note it is still not listed in the signatures. I hope Team Spybot can be proud to be the first to provide a complete solution to this?
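Two traces of XCP come up in this thread: the misnamed "Plug and Play Device Manager" service quoted from CA in the first post, and the XCP filter drivers hooked into the Upper/Lower filter chains of the IDE channels and CD-ROM drives described in the post above. The script below is an added example (not Sony/First4Internet code, not a Spybot detection) that audits a machine for both, read-only: it reports what it finds and, as the post advises, never unloads a driver on the fly. The suspicious-name pattern is built only from names given in this thread ($sys$ prefix, aries, crater); the setup-class GUIDs are the standard Windows ones for CD-ROM and IDE ATA/ATAPI controllers.

```powershell
# Added example for this thread: read-only audit for XCP traces. It reports and never unloads drivers.
# Suspicious-name pattern assembled from driver names mentioned in the thread ($sys$ prefix, aries, crater).
$SuspectPattern = '^\$sys\$|aries|crater'

# Standard Windows setup-class GUIDs of the devices whose filter chains XCP hooks.
$Classes = @{
    'CD-ROM'        = '{4D36E965-E325-11CE-BFC1-08002BE10318}'
    'IDE ATA/ATAPI' = '{4D36E96A-E325-11CE-BFC1-08002BE10318}'
}

function Read-FilterValues($Key, $Scope) {
    # Emit one record per driver name in the key's UpperFilters / LowerFilters multi-string values.
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($slot in 'UpperFilters', 'LowerFilters') {
        foreach ($filter in @($props.$slot)) {
            if ([string]::IsNullOrWhiteSpace($filter)) { continue }
            [pscustomobject]@{
                Scope   = $Scope
                Slot    = $slot
                Filter  = $filter
                Suspect = [bool]($filter -match $SuspectPattern)
            }
        }
    }
}

function Get-XcpFilterChains {
    # Class-wide filters apply to every device of the class ...
    foreach ($c in $Classes.GetEnumerator()) {
        Read-FilterValues "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$($c.Value)" "class $($c.Key)"
    }
    # ... while per-device filters (e.g. on an individual IDE channel) sit on device-instance keys under Enum.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $guid = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ClassGUID
            if ($guid -and ($Classes.Values -contains $guid)) {
                Read-FilterValues $_.PSPath "device $($_.PSChildName)"
            }
        }
}

function Get-MisnamedPnpServices {
    # Windows has exactly one Plug and Play service, PlugPlay; any other service borrowing the name is suspect.
    Get-CimInstance Win32_Service |
        Where-Object { $_.DisplayName -like '*Plug and Play*' -and $_.Name -ne 'PlugPlay' } |
        Select-Object Name, DisplayName, PathName, State
}

$chains = @(Get-XcpFilterChains)
$chains | Format-Table -AutoSize
foreach ($hit in ($chains | Where-Object Suspect)) {
    Write-Warning "Suspect filter '$($hit.Filter)' in $($hit.Scope) ($($hit.Slot))"
}
Get-MisnamedPnpServices | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell 3.0 or later session. While the aries cloaking driver is still loaded, names beginning with $sys$ can be hidden from user-mode tools, so the filter-chain results are only trustworthy once cloaking has been disabled or when reading the hive offline.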
 