Shaggy All American 17820 Posts
From el Reg
Quote : | "Sysinternals' Mark Russinovich has performed an analysis of the copy restriction measures deployed by Sony Music on its latest CDs, which he bluntly calls a 'root kit'. Using conventional tools to remove Sony's digital media malware will leave ordinary users with a dead Windows system.
While the Sony CDs play fine on Red Book audio devices such as standard consumer electronics CD players, when they're played on a Windows PC the software forces playback through a bundled media player, and restricts how many digital copies can be made from Windows.
A 'root kit' generally refers to the nefarious malware used by hackers to gain control of a system. Root kits have several characteristics: they find their way onto systems uninvited; endeavor to remain undetected; and then may either intercept system library routines and reroute them to their own routines, or replace system executables with their own, or both - all with the intention of gaining system level ownership of the computer.
What makes Sony's CD digital media software particularly nasty is that using expert tools for removing the parasite risks leaving you with a Windows PC that's useless, and that requires a full reformat and reinstall.
So is Sony bundling a root kit, or is it the latest in a long line of clumsy, and sometimes laughably inept attempts to thwart the playback of digital media on PCs?
We were inclined to the latter - but in practical terms, for ordinary users, the consequences are so serious that semantic distinctions are secondary.
In actuality both, reckons Russinovich. It's a 'root kit' that arrived uninvited, but it's also "underhanded and sloppy software", that once removed, prevented Windows from playing his CD again (Van Zant's 'Get With The Man') he notes in his analysis.
The Sony CD creates a hidden directory and installs several of its own device drivers, and then reroutes Windows systems calls to its own routines. It intercepts kernel-level APIs, but then attempts to disguise its presence, using a crude cloaking technique.
Disingenuously, the copy restriction binaries were labelled "Essential System Tools".
But the most disturbing part of the tale came when Russinovich ran his standard rootkit-removal tool on the post-Sony PC.
"Users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," he writes.
Which puts it in an entirely different class of software to the copy restriction measures we've seen so far, which can be disabled by a Post-It note. Until specialist tools arrive to disinfect PCs of this particular measure.®
" |
To Sum up: latest sony CD protection installs malware that corrupts your windows install if you attempt to remove it.
So if they release some song that you really must have, get it from a comparably clean source like kazaa
[Edited on November 1, 2005 at 9:11 AM. Reason : dont "buy" ok. Its early and i just got my mountain dew.] 11/1/2005 9:10:44 AM |
synapse play so hard 60939 Posts
heard any other reports of this? Hard to trust the opinion of one person on something like this... 11/1/2005 9:32:33 AM |
Shaggy All American 17820 Posts
I'm a fan of his freeware tools and I personally view him as credible.
Quote : | " Mark Russinovich is Chief Software Architect and co-founder of Winternals Software (http://www.winternals.com), a company that specializes in advanced systems software for Microsoft Windows. Mark is coauthor of Inside Windows 2000, Third Edition (Microsoft Press) with David Solomon and the Fourth Edition, entitled Windows Internals. He and David Solomon also deliver public and private seminars on Windows operating system internals and advanced troubleshooting to numerous companies and organizations, including regular deliveries to Microsoft. They also created a 12 hour self-paced Windows internals video tutorial that Microsoft has licensed for worldwide corporate use.
Mark is a Microsoft Most Valuable Professional (MVP) and serves as senior contributing editor for Windows IT Pro magazine where he writes for the Windows Power Tools column. He is also a frequent speaker at major industry conferences such as Microsoft Tech Ed, IT Forum, Windows IT Pro Magazine's Connections and Redmond Magazine's TechMentor.
Mark has a B.S. from Carnegie Mellon University and a M.S. from Rensselaer Polytechnic Institute, both in computer engineering. In 1994, he earned a Ph.D. from Carnegie Mellon University, also in computer engineering. After working briefly at NuMega Technologies (now Compuware NuMega Laboratories), Mark worked for two and a half years at IBM's Thomas J. Watson Research Center in New York, where he participated in the research and development of kernel-mode Web server-accelerator technologies. He can be reached at mark@sysinternals.com.
" |
He's not an unknown random guy by any means.
Of course you can always take a look at how he came to the conclusion and attempt to reproduce the results. 11/1/2005 9:46:37 AM |
bous All American 11215 Posts
Winternals is VERY REPUTABLE 11/1/2005 11:19:08 AM |
richthofen All American 15758 Posts
Yep. They make quality stuff. I'd definitely classify him as a Reputable Source.
[Edited on November 1, 2005 at 11:49 AM. Reason : d] 11/1/2005 11:48:57 AM |
Pupils DiL8t All American 4960 Posts
It sucks when you can't rip songs from a cd you paid for to put them on your own mp3 player. 11/1/2005 11:59:53 AM |
smheath All American 1685 Posts
Just hold down the Shift key when you put the CD in. 11/1/2005 12:20:36 PM |
psnarula All American 1540 Posts
ya if russinovich says it's bad, pay attention.
his book (co-authored with david solomon) is an invaluable reference for those who want to know more about windows internals. 11/1/2005 12:22:41 PM |
brianj320 All American 9166 Posts
by 11/1/2005 12:37:02 PM |
jbtilley All American 12797 Posts
I wasn't going to buy them anyway. Not for the CD protection that is on it, but because of the music that is on it. 11/1/2005 1:12:07 PM |
drunknloaded Suspended 147487 Posts
well i'll be damned i didnt know we could still buy music in the stores nowadays
haha i thought they did out with that when road runner and cd burners were invented 11/1/2005 2:02:15 PM |
psnarula All American 1540 Posts
Sony spokesperson John McKay responded to some of the criticism yesterday:
"When asked for instructions on how to uninstall the software, McKay directed the IDG News Service to a section of the Sonybmg.com Web site where users could ask Sony customer support for uninstall directions."
http://cp.sonybmg.com/xcp/english/faq.html#uninstall
you have to submit a form. what a joke.
http://news.yahoo.com/s/pcworld/123362;_ylt=AnCcGGU3nZvjpQTYxadVYMYDW7oF;_ylu=X3oDMTBiMW04NW9mBHNlYwMlJVRPUCUl 11/2/2005 9:39:24 AM |
dFshadow All American 9507 Posts
bastards. 11/2/2005 9:56:28 AM |
eraser All American 6733 Posts
More News on this:
http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html
http://www.pcpro.co.uk/news/79450/sony-drm-burrows-into-rootkit-code.html
http://www.theinq.net/?article=27349
Quote : | "Sony's anti-piracy program installer pops up when you drop one of these content-protected CDs into your drive. If you agree to install it, there is no "uninstall" feature. Russinovich was able to use his knowledge of rootkits and the Windows operating system to zero in on the offending driver files needed to run the software. Unfortunately, he found that removing the program also erased the system files that power his CD-ROM drive, rendering it useless." |
SONY CAN GO FUCK ITSELF!!!!! 11/2/2005 10:36:48 AM |
dFshadow All American 9507 Posts
^yeah i figured news outlets would exaggerate the hell out of his findings.
read his original article and then read all these news articles and see that it doesn't render any hardware useless - it's just a bitch to get rid of. 11/2/2005 10:47:42 AM |
psnarula All American 1540 Posts
yeah the AP really took this story and ran with it. but i think it's great that it's being blown out of proportion. it'll teach sony a lesson. today is not a good day to be working at sony.
and look at that washingtonpost link:
Quote : | "the only way to uninstall the program in the conventional sense (without running the risk of hosing your system or CD-ROM drive) is to contact Sony BMG directly via a Web form and request removal.
At that point, a real, live person will call you back and ask for all kinds of information about your system, and your reason for wanting to remove the software. You're then directed to a Web page that downloads an ActiveX program (yes, you must be using Microsoft's Internet Explorer to do this), which determines what version is installed and reports that back to First4Internet. Then you get an e-mail containing a link to another site that downloads something that finally uninstalls the Sony program. " |
[Edited on November 2, 2005 at 11:11 AM. Reason : asdf] 11/2/2005 11:06:30 AM |
smoothcrim Universal Magnetic! 18966 Posts
I always bought sony brand cdr's when I copied playstation video games 11/2/2005 11:26:46 AM |
Genki All American 590 Posts
shit like this is one of the main reason i don't purchase sony products. 11/2/2005 11:30:51 AM |
Shaggy All American 17820 Posts
yea. Sony sucks pretty hardcore. 11/2/2005 11:34:17 AM |
eraser All American 6733 Posts
This could be bad news for workers who try to play their Sony CDs at work and infect the business machine. 11/2/2005 12:48:24 PM |
Charybdisjim All American 5486 Posts
hmm yeah so I'm trying to remember the last time I got a sony product that wasn't a piece of shit. 11/2/2005 1:53:18 PM |
Woodfoot All American 60354 Posts
^i love my trinitron flat screen tv, but i got a good deal on it (or technically, my mom got a good deal on it)
p.s. i think this thread should have really been titled
"don't buy music cds"
[Edited on November 2, 2005 at 2:15 PM. Reason : `] 11/2/2005 2:14:37 PM |
nintool All American 2623 Posts
i suppose it's been established that it's a reputable source, but i have to add that he wrote the book on it:
http://www.amazon.com/exec/obidos/tg/detail/-/0735619174/104-7609883-7675114
(it's a good book too)
edit: dar i need to actually read the quoted stuff...but, hey - i'll leave the link up anyway
edit2: make that i need to actually read the thread
[Edited on November 2, 2005 at 3:37 PM. Reason : ] 11/2/2005 3:33:29 PM |
dFshadow All American 9507 Posts
they're releasing a patch to view the hidden files now 11/3/2005 11:55:29 PM |
dFshadow All American 9507 Posts
Quote : | "Helsinki-based F-Secure, which along with independent researcher Mark Russinovich published results of an investigation into the Sony DRM, tested the patch and confirmed it revealed once-invisible files. "It now seems that the DRM software no longer attempts to hide anything on the computer," F-Secure concluded. "The rootkit driver (aries.sys) is removed from the system during the update." The copy protection scheme itself, however, remains on the PC, and cannot be removed without special tools and a complicated, risky procedure. F-Secure, in fact, continued Thursday to recommend that users request additional software from Sony to remove all traces of the DRM software. Users must fill out this Web form to make the request.
Sony's change of heart may have come too late. Hackers are already debating how the DRM's rootkit can be used for malicious ends.
On a site dedicated to hacking Blizzard Entertainment's popular "World of Warcraft" online game, posters have discussed using the rootkit to hide their code.
"For only $14.99 you get a well done RING0 rootkit that is able to hide vs Warden/Hackshield," wrote a poster identified as "Outlaw." All someone has to do, he said, was "1) Buy the CD, 2) Run the CD, 3) rename 'myhack.exe' to '$sys$myhack.exe.'"
Blizzard installs a client -- dubbed spyware by some -- called "Warden" that sniffs out World of Warcraft cheaters by scanning active processes and comparing them to known cheat software. Not surprisingly, Warden doesn't "see" any files that are hidden with Sony's content protection rootkit; all a hacker need do is add the '$sys$' prefix to filenames.
Outlaw recommended the Sony rootkit to other hackers. "The design of the rootkit is not that good but I don't think there is a single public kit out there that is more usable for the job than this one.
"1) Blizz can not ban you for using it, 2) The kit is more or less stable, 3) The kit is 100% virus free, 4) Even a half brained ape could use it." " |
interesting use for the rootkit lol 11/4/2005 4:24:11 AM |
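The article quoted above says anything named with the `$sys$` prefix drops out of what scanners see, and the first post mentions cloaked files turning up in an RKR scan. As an added example (not part of the thread and not any tool's own code), this sketch compares two listings of the same volume, one from the live API and one from a raw or offline read, and reports what only the raw view contains; both listings and every file name in them are constructed for illustration.

```python
import ntpath

# Constructed listings for illustration only (hypothetical file names).
API_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\cdrom.sys",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Temp\scan.log",  # created after the raw snapshot was taken
]
RAW_VIEW = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\cdrom.sys",
    r"C:\Windows\System32\drivers\$sys$demo.sys",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Windows\System32\$sys$example",
    r"C:\Windows\System32\$sys$example\$sys$helper.exe",
    r"C:\Windows\System32\$sys$example\player.dll",
]


def _key(path):
    """Case-insensitive comparison key, since Windows matches names that way."""
    return ntpath.normcase(path.strip()).rstrip("\\")


def cross_view(api_view, raw_view):
    """Return (hidden, api_only): raw entries the API omitted, and the reverse."""
    api = {_key(p) for p in api_view}
    raw = {_key(p) for p in raw_view}
    hidden = sorted(p for p in raw_view if _key(p) not in api)
    api_only = sorted(p for p in api_view if _key(p) not in raw)
    return hidden, api_only


def collapse_roots(hidden):
    """Keep only the topmost hidden entries.

    A recursive API walk never descends into a directory it cannot see, so
    everything below a cloaked directory is missing too, whatever its name.
    """
    keys = [_key(p) for p in hidden]
    return [
        p for p, k in zip(hidden, keys)
        if not any(k.startswith(o + "\\") for o in keys if o != k)
    ]


def infer_prefix(roots, min_len=3):
    """Guess the naming rule behind the cloaking from the hidden base names."""
    names = [ntpath.basename(_key(p)) for p in roots]
    if len(names) < 2:
        return None  # one name alone cannot establish a pattern
    prefix = ntpath.commonprefix(names)
    return prefix if len(prefix) >= min_len else None


def report(api_view, raw_view):
    hidden, api_only = cross_view(api_view, raw_view)
    roots = collapse_roots(hidden)
    return {
        "hidden_roots": roots,
        "hidden_total": len(hidden),
        "naming_rule": infer_prefix(roots),
        # Seen by the API but not in the raw snapshot: usually a file
        # created between the two scans, not evidence of cloaking.
        "timing_noise": api_only,
    }


if __name__ == "__main__":
    for field, value in report(API_VIEW, RAW_VIEW).items():
        print(f"{field}: {value}")
```
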
Perlith All American 7620 Posts
^^ The patch really is kinda sketchy.
Quote : | "The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function - they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing." |
That's just an opinion from somebody on a listserv I'm on... but keep your eyes open. Two ways of disabling the installation:
- Don't run Windows in Admin mode constantly
- Turn off autorun
11/4/2005 6:33:42 AM |
1CYPHER Suspended 1513 Posts
Use tinyurl people. Can a mod fix this please? 11/4/2005 6:39:34 AM |
dFshadow All American 9507 Posts
running windows out of admin mode is not as easy as it seems - so many things use it now like even punkbuster requires your account to be an admin account, even if it's not THE admin account.
but yeah, the patch is sketchy. i've turned autorun off but i don't have any of their CDs so i'm not worried about it.
[Edited on November 4, 2005 at 7:04 AM. Reason : ^lmao @ tinyurl for tiny resolutions ] 11/4/2005 7:02:42 AM |
Maugan All American 18178 Posts
why the fuck should we use tinyurl?
and why the fuck should we fix it?
gtfo. 11/4/2005 10:00:19 AM |
philihp All American 8349 Posts
does it work on osx? 11/4/2005 10:49:51 AM |
Lokken All American 13361 Posts
looks like ill have to boycott the ps3 11/4/2005 11:34:04 AM |
eraser All American 6733 Posts
^^ no.
^ yeah, Sony is seriously evil for pulling shit like this. 11/4/2005 1:18:49 PM |
psnarula All American 1540 Posts
^ Sony is getting the negative press but you have to understand how this probably went down:
1. Sony wants to implement DRM
2. Sony doesn't have guys in house who can do it
3. Sony lets vendors submit "proposals" to implement DRM
4. Sony picks cheapest vendor
5. Vendor delivers product
6. Sony says "giddey-up"
Sony isn't in the DRM business. Now, it's definitely their fault for not checking out how their third party software worked so i'm definitely making excuses for Sony. But what does this have to do with the PS3?
The PS3 is a stand-alone device. And it's gonna be awesome. It will probably have some built-in system to keep people from copying the dvds (just like the PS2) and just like the PS2, people will find a way around it.
All i'm saying is that all sony products aren't evil. I really like my Sony Wega flatscreen trinitron television. the picture blows away the competition from toshiba, rca, panasonic, jvc, etc. 11/4/2005 1:41:37 PM |
Lokken All American 13361 Posts
boycotting the PS3 because the company has proven itself to be a bunch of assholes.
It doesnt matter how good/bad some of their products are or their relevance to this particular issue.
Sony = DRM, Sony = PS3 11/4/2005 1:46:57 PM |
Shaggy All American 17820 Posts
all of sonys products suck balls.
The ps3 will suck balls.
This cd protection bullshit is just more of their same old shit. Dont try to shift the blame to the DRM company. Sony knew exactly what the protection would do and anything they say to the contrary is a flat out lie.
They're a bad company with bad products that love to fuck their customers over. 11/4/2005 1:48:01 PM |
KRUZNBY All American 2655 Posts
We just got a notice at work about this. What a PITA! 11/4/2005 2:52:53 PM |
Excoriator Suspended 10214 Posts
hahaha you morons as if microsoft isn't just as jumpy-jack about DRM 11/6/2005 11:14:50 PM |
drewt Starting Lineup 86 Posts
shit like this is why I don't have autorun enabled... 11/7/2005 12:13:14 AM |
pureetofu All American 2748 Posts
Didn't they do this once before and it caused iMacs to lock up with the CD stuck inside?
And then somebody found the "cure" for it by using a magic marker to draw over the data portion of the CD?
_________
11/7/2005 8:53:49 PM |
dFshadow All American 9507 Posts
Quote : | "Italian Police Asked to Investigate Sony DRM Code link: http://www.pcworld.com/news/article/0,aid,123454,00.asp
SAN FRANCISCO -- The fallout continues over Sony BMG Music Entertainment's controversial XCP copy protection software, with an Italian digital rights organization now taking the first step toward possible criminal charges in the matter. Separately, security vendor Computer Associates International said today it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its antispyware software, starting on November 12.
A group based in Milan called the ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy) filed a complaint Friday about Sony's software with the head of Italy's cyber-crime investigation unit, Colonel Umberto Rapetto of the Guardia di Finanza." |
11/9/2005 1:13:43 AM |
dFshadow All American 9507 Posts
http://www.petitiononline.com/bcsony/petition.html 11/9/2005 4:19:55 AM |
eraser All American 6733 Posts
It just happened folks.
The first virus/trojan to take advantage of the Sony DRM has appeared.
http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/ 11/10/2005 10:34:02 AM |
MiniMe_877 All American 4414 Posts
when you say that a virus/trojan "takes advantage" of this Sony Rootkit, all they really do to the virus application is prepend $sys$ to their virus executable name
Any script kiddie could do this
but shame on Sony 11/10/2005 10:45:33 AM |
psnarula All American 1540 Posts
in what i think is the pinnacle of corporate arrogance, a Sony executive says: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
http://www.theregister.co.uk/2005/11/09/sony_drm_who_cares/ 11/10/2005 11:47:30 AM |
mattc All American 1172 Posts
mmmm things like this make me want to stick to downloading mp3s instead of buying the cds. 11/10/2005 12:11:21 PM |
eraser All American 6733 Posts
Quote : | "Any script kiddie could do this " |
Which is why its so nasty. 11/10/2005 1:03:33 PM |
psnarula All American 1540 Posts
i just checked in at Mark Russinovich's blog and saw that he has added three more blog entries since the original blog entry that sparked this whole mess. This just gets more and more interesting:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html 11/10/2005 2:13:55 PM |
dFshadow All American 9507 Posts
i woulda just wrote a virus to prove a fucking point to sony. that's a quick way to get a lot more pressure put on them.
[Edited on November 10, 2005 at 4:34 PM. Reason : .] 11/10/2005 4:34:15 PM |
dFshadow All American 9507 Posts
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
Quote : | "Nowhere up to now have I seen the Sony Player or DRM software referred to as “MediaJam”. " |
fuckin arrogant little bastards. they've done so much to fuck the user over! now they can't even make the shit a little bit easier to get rid of. i bet First4Internet wants to keep their software secure so they won't make the patch public.
isn't that what we used to use for mIRC TCL scripting? can't remember right now - it's been so long.
Quote : | "I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it." |
wow...they really fucked up.
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
Quote : | "Another point that I made in the post is that the decloaking patch that Sony has made available weighs in at a relatively large 3.5 MB because it not only removes the rootkit, it also replaces most of the DRM files with updated versions. First 4 Internet responded with this:
In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point." |
i thought 'they cannot possibly fuck this situation up worse than they already have' but they never cease to amaze me.
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html
Quote : | "See for yourself. Visit http://www.sonybmg.com and search for the support site Sony has made available to the press. There’s no information on this story anywhere on the front page, no support link, and the FAQ only contains information about Sony’s merger with BMG. The fact that Sony’s announcement was directed at the press and that they’ve made no effort to make contact with their customers makes the patch and uninstall look solely like a public relations gesture for the media." |
haha he's doing a pretty good job of tearing them apart.
yeah, i think First4Internet uses this software for other stuff and doesn't want it to get out there. But i bet everyone is gonna put it on bittorrent and 0day sites soon.
Quote : | "The uninstall link Sony sends you has your case ID encrypted in the address and when you visit the uninstall page the ActiveX control sends the hardware signature to Sony’s site. If the signature doesn’t match the one it stored earlier with your Case ID when you made the second uninstall request the site informs you that there’s a case ID mismatch." |
w...t...f.
[Edited on November 10, 2005 at 5:09 PM. Reason : .] 11/10/2005 5:09:38 PM |
Charybdisjim All American 5486 Posts
http://www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut/index.html
ahahaha, a virus based on the sony program? how amusing. fuck you sony. 11/10/2005 10:17:13 PM |