What I'm Doing

Thursday, November 03, 2005

Sony Installs Rootkits as DRM

This is absolutely appalling. This past Monday (Oct 31, 2005), Mark Russinovich, author of a utility called Rootkit Revealer (RKR), revealed on his blog that, while testing the latest version of RKR, he discovered that Sony's DRM software installs a rootkit on users' PCs (for those unfamiliar with the term, see "What Is a Rootkit?" below). You can read his post, where he explains how he made the discovery and gives screenshots as proof, here. The Washington Post also has an article on this, and the story was the subject of a recent Security Now! podcast (which you can download from here).

According to the stories, the software is installed when a user attempts to play a copy-protected CD on a Windows machine: the CD ships with its own player software, and the user must install it before the music will play. If the user declines, the CD will not play. What the user is not told is that the software installs as a rootkit, integrates itself into the operating system as a driver, and so on. The EULA says only that the software will remain on the computer until it is removed, which is misleading, because no way to remove it is provided; there isn't even an entry in the Control Panel's Add/Remove Programs list. In fact, as Russinovich discovered, attempting to remove the software manually can leave Windows unable to find your CD-ROM drive!

This is all bad enough: a major music label secretly installing software on users' machines that integrates itself into the OS and hides itself so that it cannot be found or removed. It gets worse. The method the rootkit uses to hide files, directories, registry keys, etc. is indiscriminate: anything whose name starts with "$sys$" is hidden. Russinovich discovered this by making a copy of notepad.exe named $sys$notepad.exe, and the file disappeared.

This means that anyone who wants to can hide malicious files, processes, etc. on a computer with Sony's software installed, without knowing how to write a rootkit of their own. This is a huge security hole!
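To make the two points above concrete, here is a small model (added here; it is not Sony's, First 4 Internet's, or Rootkit Revealer's code) of the name-prefix cloaking just described and of the "cross-view" check a rootkit detector uses to expose it. The hooked directory listing stands in for the kernel-level enumeration hook that drops "$sys$"-prefixed names; the raw listing stands in for a view that bypasses the hook (on a real system, reading the on-disk structures directly). The file names and temporary directory are constructed for the demonstration. The same diff-the-two-views idea is what "What Is a Rootkit?" below alludes to when it mentions detecting a rootkit with a special program.

```python
"""Model of "$sys$" name-prefix cloaking and of cross-view rootkit detection.

Added illustration, not vendor or Rootkit Revealer code. The hooked view
models what user-mode programs (Explorer, antivirus) see through the hooked
API; the raw view models reading the directory without the hook in place.
"""
import os
import tempfile

# The literal prefix the Sony/XCP driver cloaked, per Russinovich's post.
HIDE_PREFIX = "$sys$"


def is_cloaked(name: str) -> bool:
    """The hiding rule: purely a name-prefix test, so it applies to ANY file,
    not just the DRM's own. (Case handling is an assumption of this model.)"""
    return name.startswith(HIDE_PREFIX)


def hooked_listdir(path: str) -> list[str]:
    """What a process sees through the hooked API: cloaked names vanish."""
    return [n for n in os.listdir(path) if not is_cloaked(n)]


def raw_listdir(path: str) -> list[str]:
    """Stands in for a low-level view that bypasses the hook."""
    return os.listdir(path)


def cross_view_scan(path: str) -> list[str]:
    """Names present in the raw view but absent from the hooked view.

    A non-empty result is the detector's signal that something is hiding
    entries; this is the discrepancy-based approach, not signature matching.
    """
    return sorted(set(raw_listdir(path)) - set(hooked_listdir(path)))


def demo() -> dict:
    """Recreate the notepad experiment plus a third party's piggy-backing file
    (constructed names, empty files, in a throw-away temporary directory)."""
    names = ("notepad.exe", "$sys$notepad.exe", "$sys$evil.dll", "readme.txt")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            with open(os.path.join(d, name), "w") as f:
                f.write("x")
        return {
            "visible": sorted(hooked_listdir(d)),  # what the user would see
            "hidden": cross_view_scan(d),          # what the detector flags
        }


if __name__ == "__main__":
    result = demo()
    print("Visible through hooked API:", result["visible"])
    print("Exposed by cross-view diff:", result["hidden"])
```

Note that "$sys$evil.dll" is hidden just as effectively as the DRM's own "$sys$notepad.exe" test file: the cloak never checks who created the file, which is exactly why the hole is open to any other malware on the machine.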

Apparently, the company Sony got this software from has, since the story broke, released a patch that removes the software's ability to hide files, although installing the patch requires knowing that it exists, and, apparently, removing the software can still cripple the user's computer. Sony has also (according to the Post) indicated that the software has been included on 20 CDs so far, and that it "may" include it on future titles.

In another twist, it was pointed out both in a comment on Russinovich's blog and on the Security Now! podcast that Russinovich's blog entry could possibly be considered a violation of the Digital Millennium Copyright Act (DMCA).

For me, this is another reason not to buy CDs. I recently downloaded iTunes on Windows, and had already decided to use it for any further music purchases, for a variety of reasons. This only adds to that list. Whether I want to buy anything from Sony right now is another question. This is just another example of the recording industry screwing its customers. Note that this software only affects Windows; Mac and Linux users can play the CD normally. Regardless, pirates are going to find a way around the DRM and pirate the music anyway, and this crap is only an incentive not to buy the CD.

What Is a Rootkit?

For those who don't know, a rootkit is software designed to hide itself on your system so that you don't know it's there. Rootkits are used by crackers (bad hackers) to hide their presence on a compromised system. They have increasingly been used by spyware (software that collects data such as which web sites you visit and reports it back to some server) and other malware to keep the user unaware that the software exists on the computer. Because the software's existence is hidden, typical malware detection and removal programs (like anti-virus software) can't find it. When it is detected (using, for instance, a special program like Rootkit Revealer), removing it is difficult, requires more advanced knowledge, and carries the risk of crippling your system.

1 comment:

Anonymous said...

Hmmm, thanks for the info on that. I actually didn't know what a rootkit was other than it was kinda like a spyware thing. SEE, I did comment :). Later.

Michael Gayler