Sony, You, and Root kits

[Phantom_RAcast]

Sysinternals' Mark Russinovich has performed an analysis of the copy restriction measures deployed by Sony Music on its latest CDs: which he bluntly calls a 'root kit'. Using conventional tools to remove Sony's digital media malware will leave ordinary users with Windows systems unable to play CDs.

While the Sony CDs play fine on Red Book audio devices such as standard consumer electronics CD players, when they're played on a Windows PC the software forces playback through a bundled media player, and restricts how many digital copies can be made from Windows.
Click Here

A 'root kit' generally refers to the nefarious malware used by hackers to gain control of a system. A root kit has several characteristics: it finds its way onto systems uninvited; endeavors to remain undetected; and then may either intercept system library routines and reroute them to its own routines, or replace system executables with its own, or both - all with the intention of gaining system level ownership of the computer.

What makes Sony's CD digital media software particularly nasty is that using expert tools for removing the parasite risks leaving you with a Windows PC that's useless, and that requires a full reformat and reinstall.

So is Sony bundling a root kit, or is it the latest in a long line of clumsy, and sometimes laughably inept attempts to thwart the playback of digital media on PCs?

We were inclined to the latter - but in practical terms, for ordinary users, the consequences are so serious that semantic distinctions are secondary.

In actuality both, reckons Russinovich. It's a 'root kit' that arrived uninvited, but it's also "underhanded and sloppy software" , that once removed, prevented Windows from playing his CD again (Van Zant's 'Get With The Man') he notes in his analysis.

The Sony CD creates a hidden directory and installs several of its own device drivers, and then reroutes Windows systems calls to its own routines. It intercepts kernel-level APIs, but then attempts to disguise its presence, using a crude cloaking technique.

Disingenuously, the copy restriction binaries were labelled "Essential System Tools".

But the most disturbing part of the tale came when Russinovich ran his standard rootkit-removal tool on the post-Sony PC.

"Users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," he writes.

Which puts it in an entirely different class of software to the copy restriction measures we've seen so far, which can be disabled by a Post-It note. Until specialist tools arrive to disinfect PCs of this particular measure.

Theres only 20 titles using this "protection". I dont think I'll ever buy a Sony Music CD..

[Poo Fly]

Sony i hate you!

[Lee-yoshi]

I'm already using a Sony computer, what more do they want!

[Talex]

Stupid bas!!!!!, you go squish now

[Phantom_RAcast]

Current list of CDs using this protection in the UK:
http://ukcdr.org/issues/cd/bad/
USA:
http://www.fatchuck.com/z3.html

[Serpent7]

There's gotta be a way to prevent it being placed on the HDD... =/

[Phantom_RAcast]

There probably is. I'll start searching later today and see if I can come up with any thing

[Serpent7]

For instance, does it self-install as soon as the CD is placed in the drive? Could you write-protect the registry etc. for that brief time, or are there too many processes going on for that?

[Phantom_RAcast]

Update

AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's (6758.T) controversial CD copy-protection software to hide on PCs and wreak havoc.
ADVERTISEMENT

Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

Later on Thursday, security software firm Symantec Corp. (Nasdaq: SYMC - news) also discovered the first trojans to abuse the security flaw in Sony BMG's copy-protection software. A trojan is a program that appears desirable but actually contains something harmful.

Sony BMG's spokesman John McKay in New York was not immediately available to comment.

The music publishing venture of Japanese electronics conglomerate Sony Corp. (6758.T) and Germany's Bertelsmann AG (BERT.UL) is distributing the copy-protection software on a range of recent music compact disks (CDs) from artists such as Celine Dion and Sarah McLachlan.

When the CD is played on a Windows personal computer, the software first installs itself and then limits the usage rights of a consumer. It only allows playback with Sony software.

The software sparked a class action lawsuit against Sony in California last week, claiming that Sony has not informed consumers that it installs software directly into the "roots" of their computer systems with rootkit software, which cloaks all associated files and is dangerous to remove.

Sophos said it would have a tool to disable the copy protection software available later on Thursday.

Sony BMG made a patch available on its Web site on Tuesday that rids a PC from the "cloaking" element that is part of the copy-protection software, while claiming that "the component is not malicious and does not compromise security."

The patch does not disable the copy protection itself.

The Sony copy-protection software does not install itself on
Macintosh computers or ordinary CD and DVD players.
http://news.yahoo.com/s/nm/20051110/tc_nm/sony_hack_dc
More
The decision by the music label comes after 10 days of controversy around the technology, which is designed to limit the number of copies that can be made of the CD and to prevent a computer user from making unprotected MP3s of the music.

Security experts blasted the technology because it uses "rootkit" techniques to hide itself on hard drives and could be used by virus writers to make their malicious code invisible. The first remote-control Trojan horses that took advantage of the cloak provided by Sony BMG surfaced this week.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," the record label said in a statement Friday. "We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology."
Microsoft fine-tuning Internet ad push
Internet showdown in Tunis
OpenDocument gathers steam
Bad capacitors plague PCs
Delivering the Net with the gas
Previous Next

The company said it is not halting production of all discs that contain additional copy-protection technologies. It also uses antipiracy technology from SunnComm and will keep manufacturing CDs carrying that software, a Sony BMG representative said.

The XCP software, created by U.K.-based First 4 Internet, is included on a limited number of Sony BMG titles, including recent releases from My Morning Jacket and Southern rockers Van Zant. When the discs are played on a computer, the listener is asked to click through a consent form and install the copy-protection software.

In response to the firestorm of criticism around the copyright protection software, Sony BMG has also provided a patch to fix the security problem and still allow CDs to be played on computers. Some antivirus software also detects the Sony BMG tool and can help users protect their PCs.
http://news.com.com/2100-1029_3-5946825.html

[Serpent7]

"The Sony copy-protection software does not install itself on
Macintosh computers or ordinary CD and DVD players."

Lol, really? >_>


I don't believe that they'll remove it. I still want to find a way around it.