Sony Rootkit May Cause PC Problems

Written by Dave J
Nov 20, 2005
5 Star Support Security Specialist

Sony BMG introduced a new copy restriction scheme on their music CDs in 2005. From what I can tell, this began with the company’s new music releases in roughly March of 2005. I fear most computer users are unaware of this, and so I have decided to write this paper to alert them to it.

While Sony CDs play just fine on all standard audio devices and standard CD players, the problem occurs when they are played on a Windows-based PC. This does not apply to all Sony CDs, only the more recent ones whose packaging indicates they contain DRM (Digital Rights Management) or copy protection software and require installation of a “Player” program included on the CD. Sony states the new copy protection software is designed to limit how many times its music CDs can be copied. When one of these new CDs is played on a Windows-based PC, the software included (read: embedded) on the CD forces playback through a bundled media player and restricts how many copies can be made from Windows.

Wondering how this could be enforced, Mark Russinovich of Sysinternals was the first to look into the copy restriction measures. His analysis of the CD and the software it contains revealed what he calls a ‘rootkit’, along with hidden files and folders with names such as “essential tools”. Herein lies the problem. When one of these new CDs is played on a Windows-based PC, the rootkit software is installed in the background, without your consent or knowledge, while you are simply installing the required player software and listening to the CD. Mark blew the whistle on this whole scheme about 2 weeks ago.

What, you may ask, is a rootkit? A rootkit generally refers to a form of malware used by crackers to gain control of a system. Rootkits in general have several common characteristics: they find their way into a system uninvited, they try to remain undetected, they modify and add to system registry entries, and they are very difficult to remove. A rootkit is designed to gain control of the system it is installed on at the root level, thereby gaining system-level ownership of the computer. It can intercept system library routines and reroute them to its own routines, or replace system executables with its own, or both.

The Sony rootkit creates its own hidden directory and installs its own device drivers, and then reroutes Windows system calls to its own routines. It intercepts kernel-level APIs (Application Program Interfaces), and then attempts to disguise itself with a cloaking technique. This is how it controls how many copies of the CD can be made on a Windows-based machine.
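The cloaking just described is what rootkit detectors look for. The XCP driver hid every file, registry key and process whose name began with the prefix of its own driver name (the $sys$aries service mentioned later in this paper) from the normal Windows API. A detector such as Russinovich’s RootkitRevealer does not try to find the hook itself; it compares a listing obtained through the hooked high-level API with one obtained through a lower-level path the hook does not cover, and anything present only in the low-level view is flagged. The following script is an added illustration of that cross-view comparison, not Sysinternals code and not the XCP driver: cloaked_view stands in for the hooked API, raw_view for the unhooked path, and the directory contents are constructed sample names.

```python
"""Cross-view detection of cloaked names (added illustration, not Sysinternals code).

Assumptions: the cloak hides any name starting with "$sys$" (the prefix of the
$sys$aries driver named in the article); the sample directory below is constructed.
"""
from typing import Iterable, List

CLOAK_PREFIX = "$sys$"  # prefix the XCP cloak filtered out of API results

# Constructed sample of what the raw on-disk directory actually contains.
SAMPLE_LISTING = [
    "ntoskrnl.exe",
    "kernel32.dll",
    "$sys$aries.sys",      # the cloaking driver named in the article
    "$sys$piggyback.exe",  # constructed stand-in for a Trojan hiding under the prefix
    "drivers",
]


def cloaked_view(raw_names: Iterable[str]) -> List[str]:
    """Model of the hooked high-level API: every name carrying the cloak prefix is dropped.

    This is what Explorer, dir, and an anti-virus scanner using the normal API see."""
    return [n for n in raw_names if not n.startswith(CLOAK_PREFIX)]


def raw_view(raw_names: Iterable[str]) -> List[str]:
    """Model of the unhooked low-level path (e.g. reading the volume directly): nothing filtered."""
    return list(raw_names)


def cross_view_diff(high_level: Iterable[str], low_level: Iterable[str]) -> List[str]:
    """Names present in the low-level view but missing from the high-level one.

    Any non-empty result means something is being hidden from normal API callers;
    the detector does not need to know the prefix or the hook to find it."""
    return sorted(set(low_level) - set(high_level))


def scan(raw_names: Iterable[str]) -> List[str]:
    """Run both views over the same directory and report the discrepancy."""
    names = list(raw_names)
    return cross_view_diff(cloaked_view(names), raw_view(names))


if __name__ == "__main__":
    print("API view:     ", cloaked_view(SAMPLE_LISTING))
    print("raw view:     ", raw_view(SAMPLE_LISTING))
    print("hidden names: ", scan(SAMPLE_LISTING))
```

The point to take from the output is the one the paper makes later: a scanner that only asks the hooked API never sees the piggybacking file at all, no matter how current its signatures are, while the comparison exposes both the driver and anything sheltering under the same prefix.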

Keep in mind that a rootkit is, in reality, a modification to the operating system that can control operation of the computer at the root level in a number of ways. The problem is made more dangerous when you consider that the computer’s operation is now no longer totally yours. All this has happened without your knowledge or consent, simply by installing “required” software and playing the CD in your computer. Yes, when attempting to play the CD for the first time a window opens indicating that a player program needs to be installed from an administrator-privilege logon. It is labeled as an “Advanced CD Installer” in most cases, but how many users are really going to read all the information in the EULA (End User Licence Agreement), let alone understand it? There is certainly no information regarding a rootkit, what it is, or what it can do once installed. By all appearances, it is simply an installation of song player software needed to play the CD. After all, all you want to do is listen to the new CD you just purchased, right? I can’t begin to tell you how dangerous I believe this is.

The DRM software being used on these CDs was developed for Sony by First 4 Internet Ltd., a British company. Both Sony and First 4 claim no wrongdoing in any of their actions, and claim that the rootkit poses no reliability or security threat. One of Sony’s executives was quoted as saying “users don’t know what a rootkit is, and therefore, don’t care.” Without the user’s consent, the computer with the rootkit installed also informs Sony every time it plays a “protected” CD. Trust me Sony, I care.

The problem this creates has worsened as this year progressed. The cloaking technique used by Sony is crude from a code standpoint. Malware writers have already discovered this, and several Trojans are circulating on the Web, attached to crawlers that look for PCs with this rootkit installed so they can install themselves and hide within it. If they find you while you are on the Internet and install themselves, you can be in for more problems. Once hidden in the rootkit, a virus or Trojan can easily go undetected by anti-virus scans, even with fully updated software. The scanner just can’t see the malware.

This DRM software has been out for about 8 months now, and is bundled on at least 20 different CD titles. So, what does the PC user do about it? The answer is rather complex. Advanced users who own rootkit detection software are able to detect the presence of this software on their systems. One of the more popular detection programs is available from F-Secure, and it is included in their Internet Security 2006 program. It easily detects the presence of the rootkit. F-Secure, however, does not recommend removing the rootkit with its products. I recommend the same, no matter whose product you might use. The problem is that this DRM system is implemented as a filter driver for the CD drive. Removing it may easily result in removal of access to the CD drive as well. I am aware of reports that indicate removal attempts have resulted in the drive letter disappearing altogether, with no means of getting Windows to recognize the drive again, even in the BIOS. Again, you must remember that installation of this rootkit has modified the operating system at the root level.

Your next choice is to contact Sony BMG on the Web and ask for instructions on removing the rootkit. They have a link on their site: “INFORMATION ON XCP CONTENT PROTECTION” that will take you to a page with a form, a Sony disclaimer and disclosure, and other information, as well as the removal process they have made available.

But I do not recommend you use it. This is a multi-step process during which your computer’s identity is sent to Sony, and an ActiveX control is installed and used in the uninstall process. This bothers me, as the only thing actually being accomplished is the disabling and removal of the driver that implements the rootkit cloaking. Sony has made its patch available to commercial anti-virus companies as well. The installation of further software (ActiveX control) as part of the removal process also bothers me greatly, and I’m not the only one. Mark Russinovich says the same thing, and has looked at the AV cleaners available. He says they work the same way Sony’s patch behaves – the cloaking driver is unloaded from memory, which introduces the risk of a blue screen system crash.

The best recommendation I can make at this time is to disable the driver for the whole thing by deleting the rootkit’s registration from Windows. Mark has written a simple command that will accomplish this:

Open the Run dialog from the Start Menu
Enter the following: cmd /k sc delete $sys$aries
Reboot the computer

This will disable the Aries driver that runs the rootkit when Windows boots.
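Before running that delete on a machine, it is worth confirming that the $sys$aries service registration is actually present, because sc delete says nothing useful when it is not, and the command must be run from an Administrator logon to succeed. The script below is an added example, not part of Mark’s instructions: it asks the Service Control Manager about the service with the standard sc query tool, interprets the reply, and only then issues the same sc delete the paper gives. It defaults to a dry run that reports what it would do. The sample sc output used to exercise the parser is constructed from the format sc.exe prints on Windows.

```python
"""Check-then-delete wrapper for the $sys$aries service entry (added example).

Assumptions: 'sc' is the standard Windows Service Control tool; the output
formats below are the ones sc.exe prints for 'sc query'.  Run from an
elevated (Administrator) prompt; on a non-Windows host only the parser runs.
"""
import subprocess
import sys

SERVICE_NAME = "$sys$aries"  # service name from Mark Russinovich's command

# Constructed samples of sc.exe output, used to exercise the parser offline.
SAMPLE_MISSING = (
    "[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\n\n"
    "The specified service does not exist as an installed service.\n"
)
SAMPLE_PRESENT = (
    "SERVICE_NAME: $sys$aries\n"
    "        TYPE               : 1  KERNEL_DRIVER\n"
    "        STATE              : 4  RUNNING\n"
    "                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)\n"
)


def parse_sc_query(output: str):
    """Interpret 'sc query <name>' output.

    Returns ("missing", None) when sc reports Win32 error 1060 (no such service),
    ("present", <STATE word>) when a STATE line is found, else ("unknown", None)."""
    if "FAILED 1060" in output:
        return ("missing", None)
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("STATE"):
            # e.g. "STATE              : 4  RUNNING" -> last token is the state name
            tokens = line.split(":", 1)[1].split()
            return ("present", tokens[-1] if tokens else None)
    return ("unknown", None)


def run_sc(*args: str) -> str:
    """Run sc.exe and return its combined output (sc prints errors to stdout)."""
    proc = subprocess.run(["sc", *args], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def disable_aries(dry_run: bool = True) -> str:
    """Delete the service registration only if the SCM actually knows about it."""
    status, state = parse_sc_query(run_sc("query", SERVICE_NAME))
    if status == "missing":
        return "not registered; nothing to do"
    if status == "unknown":
        return "could not interpret sc output; not deleting"
    if dry_run:
        return f"registered (state {state}); would run: sc delete {SERVICE_NAME}"
    run_sc("delete", SERVICE_NAME)
    return "deleted; reboot to complete the disable"


if __name__ == "__main__":
    if sys.platform != "win32":
        print("parser check:", parse_sc_query(SAMPLE_MISSING), parse_sc_query(SAMPLE_PRESENT))
    else:
        # Pass --delete to actually remove the entry; the default is a dry run.
        print(disable_aries(dry_run="--delete" not in sys.argv))
```

As with the one-line version, the driver is only unloaded at the next boot; the delete removes the registration, it does not stop the running driver, which is exactly why this route avoids the crash risk of unloading it live.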

My other recommended choice is a small file available from SOPHOS in the UK that will also disable the rootkit. The tool is designed to detect and disable the Sony DRM cloaking copy protection technology, as well as detecting and disabling other Trojans that may have already found their way into a system. The Trojans already taking advantage of Sony’s cloaked DRM technology rootkit are known to SOPHOS as Troj/Stinx variants E and F. The Sony rootkit is classified by SOPHOS as Troj/RKProc-Fam. This file is available from the following link:

http://www.sophos.com/support/disinfection/rkprf.html

You are looking for a link on this page listed under Windows disinfector for standalone Windows computers. The file you want is RKPRFGUI; open it and run it. The file can also be saved to disk for running at a later time. To disinfect multiple computers, you can save the file to a floppy disk, write-protect the disk, and then run it from there.

This is all I recommend doing for the time being. Hopefully in the near future a stand-alone .exe uninstaller will be made available from Sony or Microsoft or both to deal with the whole issue properly and safely, and to restore computers with this rootkit installed to proper operation. Then your computer will become truly yours again.

If you wish to read Mark’s entire blog on the subject, complete with updates, it is available at:

www.sysinternals.com

Look for the link to Mark’s blog on the left side of the main page.

Sony has indicated it has “temporarily” suspended use of the rootkit DRM technology in production, and is recalling CDs from vendors with the software on them at this time. My main concern for the future is the word “temporarily.” I am also left to wonder if and when the use of this form of technology will resume, and by whom. I can’t believe Sony is the only one to have thoughts along this line.

My final caution is to beware of ANY additional software included on ANY CD from ANYBODY. If it were mine, I would refuse to install it on my system and return the CD to the vendor for a refund. I strongly recommend you do the same.

Regards,

Dave
5 Star Support Security Specialist

Update: Nov 21, 2005

In the above paper regarding Sony’s rootkit, I mentioned that Sony had made available a patch to uninstall the DRM software, and that I recommended you not use it because it not only does not remove the software, it installs an ActiveX control as well. I have learned that the Sony patch was written by First 4 Internet, the same company that wrote the DRM software and rootkit to begin with. You will also recall I stated their software was crude from a code standpoint. The story continues here with yet another reason not to install the Sony patch on your computer.

In a recent alert from SANS regarding vulnerabilities, the Consensus Vulnerability Alert Vol. 4 No. 46 dated 11/18/05, item 05.46.14 discusses a new vulnerability discovered by researchers at SANS and Qualys. The vulnerability is titled First 4 Internet CodeSupport Uninstallation ActiveX Software Remote Code Execution. In this alert, the report states the uninstallation software is an ActiveX control called CodeSupport, and that it is susceptible to a remote code execution vulnerability due to a failure of the application to properly verify the source and validity of executable code prior to executing it.

This means, my friends, that installation of Sony’s patch only installs yet another vulnerability on your computer. An ActiveX control is used to run or execute code on your system. The one written by First 4 Internet as a patch for Sony does not check the signatures of the code for either its source or its validity. No digital signature of any kind is required. This means it will run whatever it is sent, by whoever sends it. All that has to be done is access the ActiveX control, and it will run whatever you give it. This is a very serious security issue, and represents a vulnerability at least as big as the original rootkit. A cracker could write malicious code of any kind, set it up to run in the background, tell it to look for the correct ActiveX control, and the rest happens automatically. All made possible by the rootkit patch programmed with the same sort of crude and sloppy code as the original software. All you would need to do is be on the Internet at the wrong time and you lose again. Please, do not install this patch.
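The defect described in the alert is the absence of one check. A control that accepts code from a page must verify, before executing anything, that the code carries a valid signature from a key it already trusts, and must refuse on any mismatch. The following is an added illustration of that verify-before-execute flow, written for this page and not taken from First 4 Internet’s control or from Sony. It is simplified for a stdlib-only script: an HMAC-SHA256 tag under a key embedded in the control stands in for the publisher’s public-key signature (a real control would verify a proper digital signature, since an embedded shared key can be copied out and used to sign by anyone who has the control), and the “code” is a harmless byte string that is only recorded, never evaluated. The key and payloads are constructed.

```python
"""Verify-before-execute versus run-anything (added illustration, not First 4 Internet's code).

Assumptions: TRUSTED_KEY stands in for the publisher's verification key that a
real control would ship with; HMAC stands in for a public-key signature; the
'execute' stand-in only records the payload and evaluates nothing.
"""
import hashlib
import hmac
from typing import List

TRUSTED_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed; stand-in for the trusted key

executed_log: List[bytes] = []  # record of what each variant allowed through


def execute(code: bytes) -> str:
    """Stand-in for running an update: appends to a log instead of evaluating anything."""
    executed_log.append(code)
    return f"ran {len(code)} bytes"


def unsafe_run(code: bytes) -> str:
    """How the vulnerable control behaved: no check on source or validity at all."""
    return execute(code)


def sign(code: bytes, key: bytes = TRUSTED_KEY) -> bytes:
    """Publisher side: produce the tag that accompanies a legitimate update."""
    return hmac.new(key, code, hashlib.sha256).digest()


def safe_run(code: bytes, signature: bytes) -> str:
    """Hardened form: recompute the expected tag, compare in constant time, refuse on mismatch.

    Unsigned code (empty or wrong tag) and tampered code (tag no longer matches) both fail here."""
    expected = sign(code)
    if not hmac.compare_digest(expected, signature):
        raise PermissionError("refusing: code is unsigned or does not match its signature")
    return execute(code)


def rejects(code: bytes, signature: bytes) -> bool:
    """True if the hardened path refused to run the pair (helper for checks and demos)."""
    try:
        safe_run(code, signature)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    legit = b"legitimate uninstaller update"          # constructed sample payload
    hostile = b"whatever a hostile page chose to send"  # constructed sample payload
    print("vulnerable control:", unsafe_run(hostile))
    print("hardened, signed:  ", safe_run(legit, sign(legit)))
    print("hardened, unsigned:", "refused" if rejects(hostile, b"") else "ran")
    print("hardened, tampered:", "refused" if rejects(legit + b"!", sign(legit)) else "ran")
```

Two details carry the security weight: the comparison uses hmac.compare_digest rather than ==, so the check does not leak how many bytes matched, and the signature is checked over the exact bytes that will be executed, so a payload altered after signing is refused along with one that was never signed.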

When a totally acceptable, stand-alone uninstaller is made available for this whole mess, I will let you know by means of a future update. Until that time comes, please use either the command-line procedure from Mark Russinovich or the SOPHOS file to disable the rootkit.

Update 05.24.06: http://www.securityfocus.com/brief/214?ref=rss
