Mark D. Zacharias
December 13th 05, 01:05 PM
The following is an e-mail a friend of mine, with some other quotes
included, on the subject of Sony rootkits.
I think it's worth a read.
Mark Z.
************************************************** **
This is a good essay about the Sony rootkit problem.
I have included the links published with the essay.
That's why it's attached.
Followed by my comments.
Sony: The rootkit of all evil?
So Sony BMG has been getting a lot of flack lately for, well, for a bunch of
things. First it installed Trojan horse software on users' computers, then
claimed it wasn't a problem, then released a "removal" tool that was
actually spyware..
It's enough to make you turn to pirated music.
There seem to be two kinds of news stories about the ongoing Sony debacle.
Some gloss over what Sony did, simply saying that the company's anti-piracy
software has caused some concern among users.
Others get into the nitty-gritty of what Sony did, getting into rootkits and
ActiveX scripting, which is a quick way to put you to sleep.
I'm going to try to bridge that gap, because what Sony is as interesting as
it is nasty. An understanding of how the company's hidden software works is
important to understanding what all the hubbub is about - and to protecting
yourself.
Hacker holes
Sony, like most music companies, wants complete control over how you use the
music you buy. They want to prevent you from copying it, even to an iPod or
a mix you take in your car.
But in its latest attempt to control its customers' use of music, Sony went
overboard.
You almost can't blame it. Back in 2002, in a much-publicized debacle, the
copy-protection scheme Sony used was undermined in a decidedly low-tech way:
You simply needed to draw a line around the CD with a magic marker. Ouch.
So this time Sony took it to the max. It hired a company called
First4Internet to design a copy-protection system called XCP. If you tried
to play a protected disk in your computer, you first had to agree to install
a Sony music player to listen to it.
But what Sony didn't say out loud was that the software also included a
rootkit.
Rootkits were invented for Unix systems (where you could log in as "root" to
have complete control over a computer). They were designed by the bad
hackers to let them log into a system as "root" without the owner knowing.
A rootkit effectively creates a hidden space on users' computers. In that
space, Sony (or anyone else who knows how to access that space) could put
anything it wanted to hide. In Sony's case, it hid its copy-protection
software so users couldn't remove it.
But Sony and First4Internet did such a lousy job that the hidden space
created by the rootkit could be used by anyone who knew about it. In other
words, it created a huge security hole - a space on every user's computer
that a virus writer could hide some nasty code.
Sony's excuse? Users didn't care about rootkits because they didn't know
what they were.
In an NPR interview, Thomas Hesse, president of Sony BMG's global digital
business said, "Most people I think don't even know what a rootkit is, so
why should they care about it?"
Mark Russinovich cared. The computer expert and co-author of the
Sysinternals blog discovered the rootkit and figured out where it had come
from.
Then he discovered what it did. Besides installing a player for the CD and
copy-protection software, Sony also hid other code that contacted the
company every time a user played a song.
Yes, you read that right.
Now you're starting to see why people got upset.
Patch problems
Russinovich also discovered a problem. Not only did Sony and First4Internet
create a hidey-hole on users' computers, that hole is disturbingly easy to
get into.
Essentially, thanks to Sony, anything beginning with "$sys$" would be
invisible to a user and his anti-virus software. Even a program named
"$sys$erase-your-files.exe."
So Russinovich tried to remove the rootkit, and couldn't without damaging
his system. So he spread the word.
Sony's first reaction was to deny there was a problem - Hesse's NPR
interview was a case in point. But as word spread, first among blogs and
then to the mainstream media, the company reluctantly released a patch
program that closed the hidey-hole.
Sounds reasonable, if a bit slow. But it wasn't.
Get this: In order to get the patch, you have to provide your name, e-mail
address, and other personal information to Sony. When you finally download
the thing, it does the patch thing, and then it installs all sorts of new
stuff that Sony doesn't tell you about.
And it continues to send your listening habits to Sony and its partners, but
now it has a bunch of your personal information too.
But wait. Incredibly, there's more.
The patch itself, it turns out, opens another big security hole. If you
install it, it includes a program called "CodeSupport." The programmers who
slapped this thing together designed it so any website could access
CodeSupport on your computer to do things to it.
In other words, if you go to a bad guy's site after installing the Sony
patch, a hidden program on that site could look for CodeSupport, and could
do all sorts of nasty things to your.
The whole thing has gotten so bad that the original XCP software (which had
the rootkit), the patch Sony BMG released, and the new software installed by
the patch are all classified as Trojans by Computer Associates' security
division in its Spyware Encyclopedia.
None of this, of course, is what you agree to when you click "Accept" to
play the Sony CD.
(What do you agree to? Among other things, you agree not to play the CD at
work, to install any update Sony asks you to (and not to hold the company
liable if it damages your system), and, oddly enough, to delete all the
music if you file for bankruptcy.)
How bad?
None of this is doing Sony much good. The blinding light of publicity has
brought other things to the forefront.
For example, XCP isn't the only copy protection the company uses. Other CDs
from the company are "protected" with SunnComm's MediaMax software, which
installs things on your computer whether or not you accept the license
agreement. It, too, sends information about your activities, this time to
SunnComm.
And it also came to light that Sony has patented a method for prohibiting a
video game from being played on anything but the original machine it was
bought for. Speculation is that it will be used for the upcoming PlayStation
3, preventing gamers from, say, bringing a game to a friend's house, or
selling a used game.
The fallout has hit more than Sony. The CD that started it all is Van Zant's
Get Right with the Man. Check out its page on Amazon.com. As I write this,
the average customer review gives it one and a half stars.
"DO NOT PURCHASE - Installs dangerous software on your PC," reads the first
review. There are 237 more; a dozen or so are positive. Most give it one
star.
At this point, despite Sony's belated recall of the infected disks, many
computers - and networks - have been hit with the Sony rootkit. This means
huge potential security problems not only for personal computers but also
for corporate and government networks.
In fact, a researcher in Seattle figured out how to see how many networks
were infected. The rough answer? More than 500,000. That's a lot of cleanup
to do.
Anti-virus companies are already on the case, releasing tools to remove the
problem files. One company has released software that allows you to play
"protected" CDs and DVDs without dealing with the Sony software. Of course,
the lawyers are just getting started, with class-action suits in the works
in the U.S. and Europe.
I started writing this column last Saturday, Nov. 12. Since then, every day
has brought new twists. For music lovers, it's a big problem. For technology
columnists, it's a gift that keeps on giving.
Andrew Kantor is a technology writer, pundit, and know-it-all who covers
technology for the Roanoke Times. He's also a former editor for PC Magazine
and Internet World. Read more of his work at kantor.com. His column appears
Fridays on USATODAY.com.
Comment from James:
As of Dec.10, 05. Using an infected and "patched" computer, and a packet
sniffer. I found a keyboard logger/bot which looks for the keyword "Sony" in
saved text or Outlook documents. It then sends entire content of your
documents to Sony BMG!
It will even report if you type the word "Sony" at the keyboard and do
nothing else.
All of this without your knowledge or consent.
I then exposed and examined the root kit. Yes - The rootkit which was
supposedly "removed" by the "patch" from Sony.
It has been my experience this rootkit makes the system unstable by
corrupting file allocation. And eventually leads to an unrecoverable hard
drive failure due to inaccessible or overwritten drive sectors. I have seen
a bunch of these failures in recent months.
Upon examination of the failed hard drives, it was found (with one
exception) all had been exposed to the Sony spyware. The only way I know to
restore a drive, once exposed, is to partition and format the entire hard
drive. This destroys all data on the drive, including the O.S. It is more
then likely that not enough of the drive survives to make this effort worth
while anyway. I see evidence of physical damage due to thrashing causing
surface defects and bad sectors.
Think your safe because you use a Mac? Think again. The rootkit and it's
contents are the same. Just compiled for a Mac.
When researching this I found Sony BMG and other lables using a anti-piracy
technique which interrupts the audio data stream contained on the CD. Making
the CD unplayable on many CD players.
Sony BMG is among the labels being sued by they're own "talent" for
withholding of royalty payments, and other breaches of contract.
At this point I am boycotting all RIAA member labels. The last thing the
RIAA did of any value what so ever was to establish the phono EQ curve.
Unfortunately I won't be buying Sony products for a while either. Many
retailers in Texas no longer carry the Sony line of consumer electronic
products. Citing a high failure rates.
Currently the State of Texas is suing Sony in two consumer protection
actions.
One involving the rootkit. The other involving repeated failures of Sony
consumer electronics products within, and just out of the warranty period.
On a personal note. I find Sony's misconduct disturbing. I have proudly
serviced Sony products for many years. At one time not long ago, the name
Sony stood for the best products and conduct in the industry. It seems with
the passing of the former founder and CEO of the company, disturbing changes
have taken place at Sony. I hope Sony can turn it around and recapture its
glory days.
Meanwhile: The record industry (the last bastion of organized crime) can go
strait to hell on a pirated MP3.
James
included, on the subject of Sony rootkits.
I think it's worth a read.
Mark Z.
************************************************** **
This is a good essay about the Sony rootkit problem.
I have included the links published with the essay.
That's why it's attached.
Followed by my comments.
Sony: The rootkit of all evil?
So Sony BMG has been getting a lot of flack lately for, well, for a bunch of
things. First it installed Trojan horse software on users' computers, then
claimed it wasn't a problem, then released a "removal" tool that was
actually spyware..
It's enough to make you turn to pirated music.
There seem to be two kinds of news stories about the ongoing Sony debacle.
Some gloss over what Sony did, simply saying that the company's anti-piracy
software has caused some concern among users.
Others get into the nitty-gritty of what Sony did, getting into rootkits and
ActiveX scripting, which is a quick way to put you to sleep.
I'm going to try to bridge that gap, because what Sony is as interesting as
it is nasty. An understanding of how the company's hidden software works is
important to understanding what all the hubbub is about - and to protecting
yourself.
Hacker holes
Sony, like most music companies, wants complete control over how you use the
music you buy. They want to prevent you from copying it, even to an iPod or
a mix you take in your car.
But in its latest attempt to control its customers' use of music, Sony went
overboard.
You almost can't blame it. Back in 2002, in a much-publicized debacle, the
copy-protection scheme Sony used was undermined in a decidedly low-tech way:
You simply needed to draw a line around the CD with a magic marker. Ouch.
So this time Sony took it to the max. It hired a company called
First4Internet to design a copy-protection system called XCP. If you tried
to play a protected disk in your computer, you first had to agree to install
a Sony music player to listen to it.
But what Sony didn't say out loud was that the software also included a
rootkit.
Rootkits were invented for Unix systems (where you could log in as "root" to
have complete control over a computer). They were designed by the bad
hackers to let them log into a system as "root" without the owner knowing.
A rootkit effectively creates a hidden space on users' computers. In that
space, Sony (or anyone else who knows how to access that space) could put
anything it wanted to hide. In Sony's case, it hid its copy-protection
software so users couldn't remove it.
But Sony and First4Internet did such a lousy job that the hidden space
created by the rootkit could be used by anyone who knew about it. In other
words, it created a huge security hole - a space on every user's computer
that a virus writer could hide some nasty code.
Sony's excuse? Users didn't care about rootkits because they didn't know
what they were.
In an NPR interview, Thomas Hesse, president of Sony BMG's global digital
business said, "Most people I think don't even know what a rootkit is, so
why should they care about it?"
Mark Russinovich cared. The computer expert and co-author of the
Sysinternals blog discovered the rootkit and figured out where it had come
from.
Then he discovered what it did. Besides installing a player for the CD and
copy-protection software, Sony also hid other code that contacted the
company every time a user played a song.
Yes, you read that right.
Now you're starting to see why people got upset.
Patch problems
Russinovich also discovered a problem. Not only did Sony and First4Internet
create a hidey-hole on users' computers, that hole is disturbingly easy to
get into.
Essentially, thanks to Sony, anything beginning with "$sys$" would be
invisible to a user and his anti-virus software. Even a program named
"$sys$erase-your-files.exe."
So Russinovich tried to remove the rootkit, and couldn't without damaging
his system. So he spread the word.
Sony's first reaction was to deny there was a problem - Hesse's NPR
interview was a case in point. But as word spread, first among blogs and
then to the mainstream media, the company reluctantly released a patch
program that closed the hidey-hole.
Sounds reasonable, if a bit slow. But it wasn't.
Get this: In order to get the patch, you have to provide your name, e-mail
address, and other personal information to Sony. When you finally download
the thing, it does the patch thing, and then it installs all sorts of new
stuff that Sony doesn't tell you about.
And it continues to send your listening habits to Sony and its partners, but
now it has a bunch of your personal information too.
But wait. Incredibly, there's more.
The patch itself, it turns out, opens another big security hole. If you
install it, it includes a program called "CodeSupport." The programmers who
slapped this thing together designed it so any website could access
CodeSupport on your computer to do things to it.
In other words, if you go to a bad guy's site after installing the Sony
patch, a hidden program on that site could look for CodeSupport, and could
do all sorts of nasty things to your.
The whole thing has gotten so bad that the original XCP software (which had
the rootkit), the patch Sony BMG released, and the new software installed by
the patch are all classified as Trojans by Computer Associates' security
division in its Spyware Encyclopedia.
None of this, of course, is what you agree to when you click "Accept" to
play the Sony CD.
(What do you agree to? Among other things, you agree not to play the CD at
work, to install any update Sony asks you to (and not to hold the company
liable if it damages your system), and, oddly enough, to delete all the
music if you file for bankruptcy.)
How bad?
None of this is doing Sony much good. The blinding light of publicity has
brought other things to the forefront.
For example, XCP isn't the only copy protection the company uses. Other CDs
from the company are "protected" with SunnComm's MediaMax software, which
installs things on your computer whether or not you accept the license
agreement. It, too, sends information about your activities, this time to
SunnComm.
And it also came to light that Sony has patented a method for prohibiting a
video game from being played on anything but the original machine it was
bought for. Speculation is that it will be used for the upcoming PlayStation
3, preventing gamers from, say, bringing a game to a friend's house, or
selling a used game.
The fallout has hit more than Sony. The CD that started it all is Van Zant's
Get Right with the Man. Check out its page on Amazon.com. As I write this,
the average customer review gives it one and a half stars.
"DO NOT PURCHASE - Installs dangerous software on your PC," reads the first
review. There are 237 more; a dozen or so are positive. Most give it one
star.
At this point, despite Sony's belated recall of the infected disks, many
computers - and networks - have been hit with the Sony rootkit. This means
huge potential security problems not only for personal computers but also
for corporate and government networks.
In fact, a researcher in Seattle figured out how to see how many networks
were infected. The rough answer? More than 500,000. That's a lot of cleanup
to do.
Anti-virus companies are already on the case, releasing tools to remove the
problem files. One company has released software that allows you to play
"protected" CDs and DVDs without dealing with the Sony software. Of course,
the lawyers are just getting started, with class-action suits in the works
in the U.S. and Europe.
I started writing this column last Saturday, Nov. 12. Since then, every day
has brought new twists. For music lovers, it's a big problem. For technology
columnists, it's a gift that keeps on giving.
Andrew Kantor is a technology writer, pundit, and know-it-all who covers
technology for the Roanoke Times. He's also a former editor for PC Magazine
and Internet World. Read more of his work at kantor.com. His column appears
Fridays on USATODAY.com.
Comment from James:
As of Dec.10, 05. Using an infected and "patched" computer, and a packet
sniffer. I found a keyboard logger/bot which looks for the keyword "Sony" in
saved text or Outlook documents. It then sends entire content of your
documents to Sony BMG!
It will even report if you type the word "Sony" at the keyboard and do
nothing else.
All of this without your knowledge or consent.
I then exposed and examined the root kit. Yes - The rootkit which was
supposedly "removed" by the "patch" from Sony.
It has been my experience this rootkit makes the system unstable by
corrupting file allocation. And eventually leads to an unrecoverable hard
drive failure due to inaccessible or overwritten drive sectors. I have seen
a bunch of these failures in recent months.
Upon examination of the failed hard drives, it was found (with one
exception) all had been exposed to the Sony spyware. The only way I know to
restore a drive, once exposed, is to partition and format the entire hard
drive. This destroys all data on the drive, including the O.S. It is more
then likely that not enough of the drive survives to make this effort worth
while anyway. I see evidence of physical damage due to thrashing causing
surface defects and bad sectors.
Think your safe because you use a Mac? Think again. The rootkit and it's
contents are the same. Just compiled for a Mac.
When researching this I found Sony BMG and other lables using a anti-piracy
technique which interrupts the audio data stream contained on the CD. Making
the CD unplayable on many CD players.
Sony BMG is among the labels being sued by they're own "talent" for
withholding of royalty payments, and other breaches of contract.
At this point I am boycotting all RIAA member labels. The last thing the
RIAA did of any value what so ever was to establish the phono EQ curve.
Unfortunately I won't be buying Sony products for a while either. Many
retailers in Texas no longer carry the Sony line of consumer electronic
products. Citing a high failure rates.
Currently the State of Texas is suing Sony in two consumer protection
actions.
One involving the rootkit. The other involving repeated failures of Sony
consumer electronics products within, and just out of the warranty period.
On a personal note. I find Sony's misconduct disturbing. I have proudly
serviced Sony products for many years. At one time not long ago, the name
Sony stood for the best products and conduct in the industry. It seems with
the passing of the former founder and CEO of the company, disturbing changes
have taken place at Sony. I hope Sony can turn it around and recapture its
glory days.
Meanwhile: The record industry (the last bastion of organized crime) can go
strait to hell on a pirated MP3.
James