Safemode rootkit & DRM



#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 31 October 2005 - 05:07 PM

FYI...

- http://isc.sans.org/...php?storyid=810
Last Updated: 2005-10-31 22:19:15 UTC
"A news fwiw, there is a great analysis and commentary on a rootkit made to run in safemode today at Mark's Sysinternals Blog today. Thanks very much for the great rootkit detection work and writing Mark!"
- http://www.sysinternals.com/Blog/
Sony, Rootkits and Digital Rights Management Gone Too Far
Monday, October 31, 2005

:rant2:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster


Posted 01 November 2005 - 04:35 PM

FYI...

http://www.theinquir.../?article=27349
1 November 2005
"...To play your songs, you simply drop your legally purchased CD in your legally purchased computer, and you are infected with DRM, no choice in the matter... It has finally come down to this, you don't have a choice about DRM, your rights are removed and there is no recourse. All of this to protect the profit margins of Sony Corp, at your expense. If there was ever a good argument for piracy, to me, this is it. No, better yet people, just say no and don't buy this carp**, it is the higher ground."

:rant2:

Edited by AplusWebMaster, 01 November 2005 - 04:36 PM.



#3 AplusWebMaster


Posted 02 November 2005 - 05:36 PM

FYI...

- http://www.f-secure....s/xcp_drm.shtml
Nov 1, 2005
"Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd. XCP has been used to protect some audio CDs released by Sony BMG Music Entertainment. The XCP protected disks contain digital rights management (DRM) software that allow the user to make a limited number of copies of the disk and also rip the music into a digital format to be used on a computer or portable music player.
Once installed, the DRM software will hide:
Files
Processes
Registry keys and values
No means of uninstalling the DRM software is given. The software supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows XP..."

More...
- http://www.f-secure.com/weblog/

Sony CD Copy Protection Relies On Hacker Rootkit
- http://www.techweb.c...2&site_section=

:huh: :ph34r: :rant2:



#4 AplusWebMaster


Posted 07 November 2005 - 05:47 PM

FYI...

Sony sued over rootkits
- http://www.theinquir.../?article=27508
7 November 2005
"SONY IS FINALLY GOING to have to answer the tough questions, because it is being sued. According to the press release here ( http://www.alcei.org...hp/archives/106 ), and the complaint here ( http://www.alcei.org...hp/archives/105 ), the Italian group ALCEI is suing Sony over the rootkitting DRM infection. It seems that ALCEI hired a noted Italian security researcher name(d) Stefano Zanero to dot all the Is and cross all the Ts."

.

Edited by AplusWebMaster, 07 November 2005 - 05:48 PM.



#5 AplusWebMaster


Posted 08 November 2005 - 05:50 PM

FYI...

Sony Copy Protection Called Spyware
- http://www.techweb.c..._section=700028
November 8, 2005
"Sony BMG's woes over its CD copy protection scheme continued Tuesday as a security company accused the entertainment firm of shoving spyware onto users' PCs. By Computer Associates' account, the XCP (eXtended Copy Protection) technology failed 8 of the 22 tests it applies to determine if software is legitimate or spyware, and so it added the programs to its Pest Patrol spyware lists. "Sony failed several different tests, each of which would have identified it as either a Trojan [horse] or a rootkit," said Sam Curry, vice president of CA's eTrust Security group. XCP -- which was crafted by U.K.-based First4Internet -- has serious spyware personality traits, including a lack of consent, the omission of an uninstall routine, and most egregious, a hidden "phone home" feature that sends data about the user to Sony without the user's permission.
The software retrieves lyrics and updated album art automatically, but also, claimed Curry, the user's IP address. "This could also be used to determine [music] playing habits," said Curry. "And users aren't told any of this." Hidden features and a lack of a clear end-user licensing agreement ( EULA) are traits of spyware, pure and simple, said Curry. "People are buying CDs, thinking they're getting content, when in actuality, the CD's changing the behavior of the user's computer"...
Curry said that his group was also digging into Sony's process for users who request an uninstaller because that has spyware characteristics as well. "The uninstaller is an ActiveX control, which is generally considered a security problem," said Curry, "but the removal process also requires users to give up personal information." That information includes their name, e-mail address, the albums purchased, and the places of purchase.
An unknown amount of data is also sent by the ActiveX uninstaller to First4Internet, claimed Curry, and the copy protection causes the system hard drive to read so frequently that it "becomes nearly constant, and could damage the hardware," he added. "This isn't an issue about artists' rights, it's an issue about users' rights. The computer is more than a glorified CD player"..."

:ph34r:



#6 AplusWebMaster


Posted 09 November 2005 - 03:36 PM

FYI...

Calif. Lawsuit Targets Sony
- http://blogs.washing..._ny_lawsui.html
November 8, 2005; 06:35 PM ET
"A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question...
The California lawsuit, filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, Calif., attorney Alan Himmelfarb, asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices...
Scott Kamber, an attorney in New York, said he plans on Wednesday to file class-action suits targeting Sony under both New York consumer protection statutes and a federal criminal statute that allows civil actions..."

.



#7 AplusWebMaster


Posted 10 November 2005 - 05:04 PM

FYI...

Trojan Horse Hides Using Sony Rootkit
- http://www.betanews....tkit/1131640601
November 10, 2005
"What security experts have warned about Sony's DRM has come to pass, with a new trojan horse attempting to hide itself using techniques enabled by the company's anti-piracy software. Dubbed "Troj/Stinx-E" by Sophos, the application copies itself to a file called: $sys$drv.exe, which is hidden by Sony's copy protection. F-Secure has named the malware "Breplibot.b," but says a code mistake will limit its damage. "Luckily, the bot has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error," explained F-Secure's Mika Pehkonen in a blog posting."

Bot trying to hide under Sony DRM
- http://www.f-secure.com/weblog/

:ph34r:



#8 AplusWebMaster


Posted 11 November 2005 - 12:07 PM

FYI...

Troj/RKProc-Fam and Troj/Stinx disinfection instructions
- http://www.sophos.co...tion/rkprf.html
"Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers. This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

Windows 95/98/Me and Windows NT/2000/XP/2003
The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Windows disinfector
RKPRFGUI is a disinfector for standalone Windows computers
open RKPRFGUI, run it, then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

Command line disinfector
RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector
for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

:oops:



#9 AplusWebMaster


Posted 11 November 2005 - 01:39 PM

FYI...

Sony halts music CDs with anti-piracy scheme
- http://www.msnbc.msn.com/id/10005667/
Nov. 11, 2005
"Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the “XCP” technology as a precautionary measure. “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,” the company said in a statement..."

:oops:



#10 AplusWebMaster


Posted 13 November 2005 - 07:22 AM

FYI...

Symantec - SecurityRisk.First4DRM Removal Tool
- http://tinyurl.com/9mqs4



:oops:



#11 AplusWebMaster


Posted 13 November 2005 - 10:18 AM

FYI...

Sony DRM Rootkit to be removed automatically by Microsoft
- http://isc.sans.org/...php?storyid=845
Last Updated: 2005-11-13 14:36:09 UTC
"Microsoft says* "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."
* http://blogs.technet.com/antimalware/

.



#12 AplusWebMaster


Posted 15 November 2005 - 06:37 AM

FYI...

- http://www.sysinternals.com/Blog/
November 14, 2005
"...Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:
1. Open the Run dialog from the Start menu
2. Enter “cmd /k sc delete $sys$aries”
3. Reboot ..."

:oops:



#13 AplusWebMaster


Posted 15 November 2005 - 02:28 PM

FYI...

Sony’s Web-Based Uninstaller Opens a Big Security Hole...
- http://www.freedom-t...nker.com/?p=927
November 15, 2005
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

Sony to pull controversial CDs, offer swap
- http://www.usatoday....ds_x.htm?csp=34
11/14/2005 11:01 PM

:ph34r:



#14 AplusWebMaster


Posted 15 November 2005 - 03:20 PM

More...

- http://www.theinquir.../?article=27714
15 November 2005
"...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

:(



#15 AplusWebMaster


Posted 15 November 2005 - 05:23 PM

FYI...

- http://www.freedom-t...nker.com/?p=927
"To see whether CodeSupport is on your computer, try our CodeSupport detector page:
- http://www.cs.prince...xcp/detect.html

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*" "

;)

Edited by AplusWebMaster, 15 November 2005 - 05:28 PM.

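As an added example (not from the thread or any of the quoted articles), a small Python triage script covering the indicators the thread quotes in posts #7, #12 and #15: the $sys$ cloaking prefix, the $sys$aries service registration and the leftover CodeSupport control. The inventories are constructed sample data, and comparing a cloaked API listing against a raw listing taken with the driver inactive is this example's own assumption, not a step any quoted article gives.

```python
"""Triage for the XCP rootkit indicators quoted in this thread.

Sample inventories below are constructed: the "api" lists stand in for what
Windows reports while the Aries.sys cloaking driver is loaded, the "raw"
lists for the same enumeration taken with the rootkit inactive (for example
from a boot disk).  Comparing the two views is this example's assumption,
not a step any of the quoted articles spell out.
"""
import re

CLOAK_PREFIX = "$sys$"          # prefix Aries.sys hides, e.g. $sys$drv.exe (post #7)
ROOTKIT_SERVICE = "$sys$aries"  # service registration of the rootkit (post #12)
# CodeSupport ActiveX control left in Downloaded Program Files (posts #13-#15)
CODESUPPORT = re.compile(r"\\downloaded program files\\codesupport\.[^\\]+$", re.I)

# Constructed sample of an infected machine.  Directory and extension are
# placeholders; the thread only names "$sys$drv.exe" and "codesupport.*".
INFECTED = {
    "api_files": [r"C:\WINDOWS\system32\kernel32.dll",
                  r"C:\WINDOWS\Downloaded Program Files\codesupport.ocx"],
    "raw_files": [r"C:\WINDOWS\system32\kernel32.dll",
                  r"C:\WINDOWS\Downloaded Program Files\codesupport.ocx",
                  r"C:\WINDOWS\system32\$sys$drv.exe"],
    "api_services": ["Dhcp", "Eventlog"],
    "raw_services": ["Dhcp", "Eventlog", "$sys$aries"],
}
# Constructed sample of a clean machine: both views agree, nothing to remove.
CLEAN = {
    "api_files": [r"C:\WINDOWS\system32\kernel32.dll"],
    "raw_files": [r"C:\WINDOWS\system32\kernel32.dll"],
    "api_services": ["Dhcp", "Eventlog"],
    "raw_services": ["Dhcp", "Eventlog"],
}

def hidden_by_cross_view(raw, api):
    """Entries the raw listing has but the API listing lacks: cloaked objects."""
    visible = {n.lower() for n in api}
    return sorted(n for n in raw if n.lower() not in visible)

def has_cloak_prefix(name):
    """True if the leaf name carries the $sys$ prefix that Aries.sys cloaks."""
    return name.rsplit("\\", 1)[-1].lower().startswith(CLOAK_PREFIX)

def triage(inv):
    """Return indicator hits plus the removal steps the thread quotes."""
    findings = {
        "hidden_files": hidden_by_cross_view(inv["raw_files"], inv["api_files"]),
        "hidden_services": hidden_by_cross_view(inv["raw_services"], inv["api_services"]),
        "cloak_prefixed": sorted(n for n in inv["raw_files"] + inv["raw_services"]
                                 if has_cloak_prefix(n)),
        "codesupport": sorted(f for f in inv["raw_files"] if CODESUPPORT.search(f)),
    }
    steps = []
    if any(s.lower() == ROOTKIT_SERVICE for s in inv["raw_services"]):
        # Delete the service registration and reboot (post #12); unloading the
        # driver from memory while it is active risks a system crash.
        steps += ["cmd /k sc delete $sys$aries", "reboot"]
    if findings["codesupport"]:  # removal command quoted in post #15
        steps.append(r'cmd /k del "%windir%\downloaded program files\codesupport.*"')
    findings["remediation"] = steps
    return findings

if __name__ == "__main__":
    for label, inv in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, triage(inv))
```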
