Our first kook is not one person! It’s a whole damned company!
Congratulations to SONY BMG for being kooky enough to help us launch our site!
I have noticed over the course of the last week that there has been a lot of buzz in podcasts about the Sony DRM Rootkit, but there has been very little buzz in the blogosphere.
A security analyst alleged Monday that playing a Sony copy-protected CD on his PC actually installed a rootkit into his computer from a third-party rights-management package.
According to Mark Russinovich’s security blog on Sysinternals.com, the Van Zant CD Get Right With The Man contains a rootkit that was installed when the CD’s on-disc player software was installed. That software, which Russinovich traced to U.K. vendor First 4 Internet, modified the Windows registry and was configured to hide system files encoded with a “$sys$” prefix.
The CD used a version of First 4’s rights management software, called “XCP,” to protect the CD from unauthorized copying. Sony configured the software to allow two legal backups of the entire CD. Over 2 million CDs encoded with the First 4 Internet files have been shipped by Sony, according to MSNBC.
…
A “rootkit” is so named because it theoretically allows an attacker an easy way to “go root,” or to gain control of a vulnerable PC. According to Russinovich, the CD’s software patched the registry, hiding itself from security software in the process in an effort to ensure the legitimacy of the software – every two seconds. Theoretically, an attacker or virus managing to inject a file labeled with the “$sys$” prefix onto that user’s system would be able to modify it without the user’s knowledge.
According to Russinovich, the CD’s EULA license also did not notify the user that any software would be installed that could modify his system, a possible violation of the U.K.’s Computer Misuse Act and California state law, which both prohibit the unauthorized modification of the contents of a user’s computer. Gilliat-Smith, for his part, said that accepting the software was part of a “consent agreement” agreed to by the customer.
Furthermore, the player software did not offer any method of uninstalling itself, Russinovich wrote. When Russinovich tried to do so, removing the software also disabled the computer’s CD-ROM drive through a “filter”, a file dependency built into Windows.
“The entire experience was frustrating and irritating,” Russinovich wrote. “Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.”
Distributing software, of any kind, that installs itself on my computer without my knowledge should be illegal.
Sony had no right to distribute such dangerous software, and, in my opinion, violated the rights of every person who purchased a CD from them, whether or not their computer was actually compromised by the software.
Apparently, other people are thinking the same thing.
Record company Sony BMG Music Entertainment has been targeted in a class-action lawsuit in California by consumers claiming their computers have been harmed by anti-piracy software on some Sony BMG CDs.
The claim states that Sony BMG failed to disclose the true nature of the digital rights management system it uses on its CDs and that thousands of computer users have unknowingly infected their computers, according to court documents.
The suit, filed November 1 in Los Angeles Superior Court, asks the court to stop Sony BMG from selling additional CDs protected by the anti-piracy software and seeks monetary damages for California consumers who purchased them.
A spokesman for Sony BMG declined comment.
Sony BMG is a joint venture of Sony Corp. and Bertelsmann AG.
Alan Himmelfarb, the attorney for the consumers, was not available for comment.
The suit claims that around June 2005, Sony BMG began to issue some CDs that install digital rights management software that continuously monitors for rights problems, depleting a computer’s available resources. The suit says the technology cannot be removed without damage to the system and that Sony BMG does not advise consumers of the existence or true nature of the program.
Apparently, hackers are already exploiting the computers of those who have unwittingly become victim to this invasive software and anti-virus software companies are jumping to protect their customers.
Zone Labs(R), a Check Point(R) company (NASDAQ:CHKP), announced today that users of the award-winning ZoneAlarm(R) 6.0 line of Internet security solutions have, from day one, been proactively protected from the recently-reported rootkit packaged with select Sony music CDs and related threats, including a newly-launched Trojan attack that uses the Sony rootkit to hide within a PC.
The new Trojan, named Win32.Outsbot.V by Zone Labs antivirus partner Computer Associates (NYSE: CA), connects the compromised PC to an Internet chat relay server where it joins a bot net — a network of compromised computers used by hackers to launch denial of service attacks and distribute spam and other malware.
Of course, with their feet held to the fire, and the possibility of their checkbook developing a case of the dropsies, Sony BMG has responded by stopping production of the copy-protected CDs.
On Friday, Sony responded to the furor and announced that it will suspend production of CDs that contain this particular copy-protection technology and take a second look at its digital rights management strategy.
While it may take months, or even years, for the pending court cases to shed any light on the matter, here is some information I thought you could use. Now. Before some hacker dweeb takes control of your computer without you knowing about it.
Even if you could find the hidden copy protection components yourself, computer experts warn against trying to uninstall it without help. Trying to remove it without official instructions could damage the computer, rendering the CD drive inoperable.
Sony’s Web site has a downloadable patch which will remove the ability of the copy protection software to hide from view, but will not uninstall it.
To uninstall the software completely, a user must fill out a separate customer service form on Sony’s Web site, asking for instructions on how to uninstall the rootkit software.
Needless to say, Sony BMG has really screwed up and it’s time for them to step up to the plate to (a) make things right with those whose systems have been compromised, and (b) make things right so those of us who might still want to purchase a CD from them won’t have to worry about this in the future.
To find out more about Rootkits you can listen to the Security Now podcast, episodes 9 and 12.
UPDATE MEMO: I was sitting at the conference table with Zack (Mr. Belch to you) and he informed me of a couple of links that will help root out these rootkits.
The first is RootKit Revealer
RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don’t attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!
The second is Blacklight
Now, there is a cure, F-Secure BlackLight Rootkit Elimination Technology. And, it’s time to find out, whether your computer is infected by invisible rootkits.
Thanks Zack!
FOLLOW UP: Do not use the above-mentioned products to actually remove the rootkit. Use them only for detection. You must contact SONY for the proper removal instructions.
A good way to know if you are “infected” is to create a new file on your desktop named “$sys$Canary”. If the rootkit is present, the file will immediately vanish from view: it still exists on disk, but the cloaking driver hides anything whose name starts with “$sys$” from Explorer and every other program that lists the folder. If you get infected later on, it will disappear at that time. (Once Sony’s decloaking patch has been applied the file stays visible even though the software is still installed, so the canary only tells you whether the cloak is active.)
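The canary test above, and the API-discrepancy idea behind RootkitRevealer, as an added example (this is not code from the original post, from Sysinternals or from F-Secure): it creates a file with the $sys$ prefix, then compares what directory enumeration reports with what a direct lookup by name finds. A cloaking driver that only filters enumeration results leaves the second view intact, so a file that is present but unlisted is reported as cloaked. Only the $sys$ prefix comes from the post; the file name, the function names and the three result labels are this example's own choices, and a rootkit that also hooks open/stat would defeat the direct probe, which is why the real tools compare the API view against raw on-disk structures instead.

```python
"""Canary-file and cross-view check for a directory-listing cloak.

Added example for the Sony/XCP discussion; only the "$sys$" prefix is
taken from the post, everything else here is illustrative.
"""
import os
import sys
import tempfile

# The prefix the post says the XCP cloaking driver hid from view.
CANARY_PREFIX = "$sys$"


def visible_names(directory):
    """Names reported by ordinary directory enumeration: the view a
    cloaking driver filters before the listing reaches Explorer or dir."""
    return set(os.listdir(directory))


def present_by_name(path):
    """Ask for the file by exact path instead of enumerating. A hook that
    only filters enumeration results still answers this truthfully."""
    try:
        os.stat(path)
        return True
    except FileNotFoundError:
        return False


def classify(listed, present):
    """Combine the two views into one verdict."""
    if listed and present:
        return "visible"   # both views agree: no cloak on this name
    if present:
        return "cloaked"   # on disk but missing from the listing
    return "missing"       # gone from both views: deleted or blocked outright


def canary_check(directory, name=CANARY_PREFIX + "Canary.txt"):
    """Create a canary with the cloaked prefix in `directory`, compare the
    two views, remove the canary again and return the verdict."""
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as handle:
        handle.write("rootkit canary\n")
    try:
        return classify(name in visible_names(directory), present_by_name(path))
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def cross_view(directory, expected_names):
    """Discrepancy scan in the spirit of RootkitRevealer: for names you
    know should be in `directory` (an install manifest, say), return those
    a direct lookup confirms but enumeration omits."""
    listed = visible_names(directory)
    return sorted(
        name for name in expected_names
        if name not in listed and present_by_name(os.path.join(directory, name))
    )


if __name__ == "__main__":
    # Pass the directory to probe (the post suggests the desktop); without
    # an argument a throwaway temporary directory is used instead.
    if len(sys.argv) > 1:
        print(canary_check(sys.argv[1]))
    else:
        with tempfile.TemporaryDirectory() as scratch:
            print(canary_check(scratch))
```

Run it against the folder you actually want to probe (the post suggests the desktop); on a clean machine it prints `visible`. If you try the same trick by hand from a shell rather than from this script, quote the name: bash and PowerShell both treat `$sys` as a variable and expand it to nothing, whereas cmd.exe leaves the `$` alone.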