The Steel Guitar Forum

This is ghastly.
http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html
The coments are quite fun.

For the tech minded: http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Steve Bailey

Yes, maybe Wiz could chime in here and tell us what all this means?

This is the hottest story in the security community at the moment. Here's the Reader's Digest version:

(The following only applies when listening to the affected CDs on your computer. Listening through a home or auto CD player is not impacted.)

The music industry is not happy that you have the ability to play a CD on a computer. You can copy, rip, re-mix, share, or send the music to other devices without purchasing another CD. To prevent this, the industry has begun using copy protection schemes. Most are trivial to defeat.

Sony, however, recently released several titles protected by means of rootkit technology, which is what crackers use to gain control of your PC without your knowledge. A rootkit gives you system-level control of a computer -- you own it.

A well-respected security expert discovered Sony's scheme accidentally after testing his own computer with a product he created to discover rootkits. He eventually traced it back to Sony's digital rights management (DRM) software, which had been installed on his computer when he played a protected CD.

In essence, Sony altered Windows so that you can't play their CD without the DRM protections (copying, ripping, etc.) However, the license agreement didn't mention that they were installing system-level software on the computer. Worse, the files they install are hidden and can't be viewed without special tools.

The programmer had such tools and was able to identify the files and remove them, although with difficulty. Unfortunately, this broke his computer. He was furious. After much work (of a kind not available to any but the most technically proficient) he was able to get it running again. He posted his experiences online and a firestorm erupted.

His main points were 1)the software was installed without user knowledge 2)it was poorly written and caused problems on users' PCs 3)removing it damaged users' computers 4)the rootkit technology left a path on your computer for unscrupulous crackers to exploit, much like virus writers do.

Under pressure, Sony issued instructions on their web site telling users how to remove the cloaking (display the hidden files). Unfortunately, if a user does that and then proceeds to delete their files, they will lose use of their CD drive, or worse.

The story is ongoing. The company that created the DRM scheme is arguing with the guy who discovered it. Sony is taking major heat from users but you can bet this will not be the last attempt by the music industry to restrict how and where you listen to music. Whether that's valid or not is another discussion. The current issue is that Sony is making users install software that can harm their computer and leave it vulnerable to attack.

What this means for the average listener is that you should not play a Sony CD with DRM on your computer. If you absolutely must buy one of their CDs, you can safely play it back on a CD player. Whether you should support a company with such disregard for your own computer is, of course, your decision.

From the Washington Post:

<SMALL>"Sony says any CDs that contain the software are labeled "Content enhanced & protected" on the front and back of the product packaging. A quick advanced search on Google of Amazon's site turns up more than 24,000 hits for "CONTENT/COPY-PROTECTED CD."</SMALL>

I purchased a CD, (a Country artist who's name I won't mention, but who's Steeler is a member here) and notice that label. I hought "Content Enhanced" was a reference to the fact that it was double sided. One side is CD, the other is DVD.

I made a personal use copy on my Mac Powerbook without a problem (I think).

This sounds like Class Action Lawsuit fodder.

Sony has used several different "copy protection" schemes and all have had the wrath of the user community.

Quicken got into it with their Turbo Tax a couple of years ago because it installed "spyware" for limits of use. There was an uproar and they posted instructions on their web site about removing it. They still lost customers over that.

There is also an issue with PC Game installation CD's. Some game CD's that have certain copy protect will not install if it sees a packet (UDF) CD copy program installed, such as the Sonic DLA, Nero InCd or Roxio Direct CD/Drag to Disc. In order to install the game CD's the UDF program must be temporarily uninstalled.

<h1>Sony/BMG DRM Rootkit</h1>
<h3>A.K.A: All Your Computers Are Belong To Us</h3>

I have been watching this develop since Mark Russinovich first blogged about it on October 31, 2005. I recommend that only technically advanced members read his findings on his blog. It will give you a headache if you aren't already into Windows security issues.

Somebody here posted about playing a Copy Protected CD on his MAC computer. He is the lucky one, in that the rootkit only installs on Windows operating systems.

This event is in flux and is rapidly evolving into a major snafu for Sony/BMG, First4Internet (the authors), Universal and others who distribute this cloaking technology. At the heart of the issue is the debate about how far legitimate companies can go to protect their intellectual and copyrighted properties.

My feeling is that we would not be at the junction at this time were it not for the millions of people who are/were swapping copyrighted music and movies illegally for the past couple of years. Most of these CDs and DVDs were originally purchased by people who ripped the content and put it in their shared folders, for all the world to grab, for free.

Now, as a result of the illegal behaviour of the filesharers folks who legally purchase music and videos that contain copy protection software are at risk from that very technology. Hackers are going to have a field-day with this and are already hard at work developing exploits and passing on their finding among their communities. Right now they are using Sony's own rootkit against itself to hide the presence of ripping and game cheating programs from the copy protection program!

This copy protection (rootkit) program was poorly written, so to speak, in that it was rushed to market before thorough testing for legal or security problems. The programmer who is responsible for it solicited coding assistance from readers of a newsgroup!

The top executives at Sony don't think that this is such a big deal; much ado about nothing. Here is a quote from one of the commenters on Mark's Blog, about a telephone interview NPR had with Sony management:
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>
Did anyone click on the link MARK provided and actually LISTEN to the audio??

In this Audio, you will hear a comment from Thomas Hessa (not sure of spelling), PRESIDENT of Sony BMG's Global Digital Business. In this Audio and he says "Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

FREAKING UNBELIEVEABLE!

Click on the LISTEN button on this link here to HEAR it yourself! http://www.npr.org/templates/story/story.php?storyId=4989260
</SMALL><HR></BLOCKQUOTE>

Now you all know what we are up against! This is a company without a conscience, or common courtesy, or who gives a hoot about any damage they may cause to the computers belonging to the people who legally purchased a Sony Copy Protected CD. The fact of the matter is that SONY DOES NOT WANT PEOPLE TO PLAY SONY/BMG MUSIC CDs ON THEIR COMPUTERS, PERIOD. If you pop one of these CDs into a home or car CD player it plays as expected, without installing any software... unless your CD player is also capable of reading MP3 encoded CDRs. Then you may end up with a damaged/rootkitted CD player!
<hr>
Here's a list of Sony BMG record label sites, I don't expect that it to be complete I'm sorry that it's just a cut and paste job.

From http://www.sonymusic.com/labels/index.html and http://www.sonybmg.com/ :
http://www.arista.com/ http://www.bluebirdjazz.com/index.jsp http://www.bmgclassics.com/ http://www.bmgheritage.com/ http://www.bnarecords.com/ http://www.columbiarecords.com/ http://www.epicrecords.com/ http://www.j-records.com/ http://www.laface.com/ http://www.legacyrecordings.com/ http://rcarecords.com/ http://www.rcavictor.com/index.jsp http://www.sonyclassical.com/ http://www.sonynashville.com/ http://www.sonywonder.com/ http://www.soso-def.com/ http://www.verityrecords.com/ http://www.windham.com/index.jsp
<hr>
I will continue to add comments to this post as I feel are relevant and new information.
<hr>
If anybody here wants to find out if they have this rootkit installed you can visit SysInternals.com and download RootkitRevealer. However, removing the rootkit will break Windows and remove all access to your CD drives! Sony and First4Internet have provided sofware to update the copy protection program and unhide it, but uninstallation requires that you personally contact Sony and request assistance to get this software off your computers.

NEW TEST ***
You can check if this "rootkit" is installed on the systems you are responsible for. This can be done by right clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test

If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician.

Be cautioned that the Patch currently offered by Sony could cause your computer to crash as it is also poorly written and requires the installation of an ActiveX control. In a nutshell, the patch tries to unload the rootkit while Windows is running, which causes most computers to crash instantly. If they had gone about this in the correct manner the driver would be unloaded upon rebooting, after the references to load it were deleted from the (hidden) registry keys that launch it as a service.

What a freakin mess!
<hr>
Listen to the interview Leo Laporte recently had with Steve Gibson (grc.com ... well known security guru), called "Sony's "Rootkit Technology" DRM (copy protection gone bad)" at: http://www.grc.com/securitynow.htm - episode #12 (or possibly newer). These files are available to play in Windows Media Player, in lo-fi, or hi-fi, or can be read in html, txt or pdf formats.
<hr>

Wiz
<small>Wizcrafts Computer Services</small>
<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 07 November 2005 at 11:23 AM.]</p></FONT>

Is this something that would be eliminated if a person elected to run a Debug script on their hardrive and reinstall the O.S. and everything else?

It may be a good idea to buy a spare HDD, clone a known good (uncompromised) OS/Application set to it, and use it as a backup system, to restore the compromised HDD from scratch after it's been hit. That's what I did. (Use Ghost 2003 from Norton for the cloning.)

<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>Is this something that would be eliminated if a person elected to run a Debug script on their hardrive and reinstall the O.S. and everything else?
</SMALL><HR></BLOCKQUOTE>
Certainly. One could also "wipe" the Windows directory from DOS and reinstall the OS.

Those who are advanced level users can follow Mark Russinovich's method to eliminate the rootkit without reinstalling the OS. Read his entire Blog, including the reader comments and follow links to other reports. People have posted methods to safely remove this rootkit and restore the CD drives. This involves a combination of Recovery Console, Safe Mode, RootKitRevealer and Find New Hardware techniques. Mark has already performed the debugging and posted his results on his blog, at http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

Wiz

Latest news: Sony sued over copy-protected CDs

Steinar

------------------
www.gregertsen.com

Makes me glad I use Linux boxes.

Lucky for me, My copy of Martina's "Timeless" doesn't appear to have this garbage. I could just imagine cleaning out my wife's XP box after getting tricked into loading the rootkit.

------------------
2005 Carter S12U 7x5, Blanton D10 8x4, Peavey Session 400 Limited Wedge, Goodrich L120, Boss ME50 effects pedal

<font size="1" color="#8e236b"><p align="center">[This message was edited by Mike Ester on 10 November 2005 at 09:47 AM.]</p></FONT>

<h1>Hackers use Sony anti-copy software to hide in PCs</h1>
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>
AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval", a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down the firewall and gives hackers access to a PC. The malware hides by using Sony software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.
</SMALL><HR></BLOCKQUOTE>

Read the article here: http://today.reuters.com/...US-SONY-HACK. xml <font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 10 November 2005 at 09:20 AM.]</p></FONT><font size="1" color="#8e236b"><p align="center">[This message was edited by b0b on 14 November 2005 at 11:59 AM.]</p></FONT>

Symantec AntiVirus Research Center (SARC) has just posted the number one threat today as a Trojan that exploits the Sony DRM Rootkit.

SARC: http://www.symantec.com/avcenter/venc/data/backdoor.ryknos.html

Some details:

Backdoor.Ryknos is a Trojan horse that attempts to utilize the SecurityRisk.First4DRM security risk to hide itself on the compromised computer. It can infect Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP computers. It opens a back door on the compromised computer.

Read the rest on SARC.

Wiz

My new folder didn't disappear.
Boo on Sony. It's a shame.

If your teenage kids have their own computer or laptop you better check them also. They are notorious for clicking on Agree without reading the EULA so they can play the game or music on a CD right away. Teens buy a lot of CD music and play it on their computer/laptop, and a lot of the CDs are/will be protected by this kind of rootkit DRM software.

Wiz

Hey Wiz I did the test you described above and here's what happened on my computer:

First time I tried the renaming the new folder reverted to the "new folder" name and did not accept the "$sys$test" but did not disappear either

Second time I tried renaming I got an error message saying "cannot rename file; cannot read from the source file or disc"

Do I have this rootkit installed? I recently purchased Emory Gordy Jr's wife's newest CD and it had the EULA prompt which I unwittingly agreed to.

Thanks for this---insidious as it is it might be here to stay!

J W

Invisible root file insertion... MERDE ALORS!
Hackers using the system on their own. HUH!
Very stupid not to send versions to some "tame hackers" for testing beforehand...


Looks that way. And the lawyers have given them a single user out with the "accept disclaimer" gambit.

But get a few hundred crashed systems, the potential for thousands more,
and one savy class action lawyer,
and things might change.

Going into someones system root, likely is in violation of Microsoft's liscencing agreement,
unless THEY also are in on the deal. Certainly not beyond the pale with them...

I'll stick to my Mac!

Glad I'm all Mac!

Brad

<h1>News Flash</h1>

<h2>Sony BMG 'temporarily suspends' production of music CDs with copy-protection</h2>

<i>"Stung by continuing criticism, the world's second-largest music
label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave
computers vulnerable to hackers," Ted Bridis reports for The Associated Press. "Sony defended its right to prevent customers from
illegally copying music but said it will halt manufacturing CDs with the 'XCP' technology as a precautionary measure. 'We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,' the company said in a statement."</i>

Wiz

J.W. Alexander asked:
<BLOCKQUOTE><font size="1" face="Verdana, Arial, Helvetica">quote:</font><HR><SMALL>
First time I tried the renaming the new folder reverted to the "new folder" name and did not accept the "$sys$test" but did not disappear either

Second time I tried renaming I got an error message saying "cannot rename file; cannot read from the source file or disc"

Do I have this rootkit installed?
</SMALL><HR></BLOCKQUOTE>
That is not correct behavior. You should have been able to rename the folder $sys$test without any issues. I tried it myself and was able to name a new folder $sys$test and it accepted that name. When you tried to rename it again you got the above quoted error message. Cannot read from source file means that it has either been deleted, and is still visible as an artifact, or has been hidden by the OS and remains as an artifact. Pressing F5 after clicking on the Windows desktop will refresh the icons.

Try this test. Right-click on the desktop and create a new folder. Try renaming it " old folder "
If successful, try renaming it " folder$sys "
If successful, right-click on the desktop and hit F5. If the folder stays put with that name add another dollar sign after sys: " old folder$sys$ " then refresh the view. If the folder remains, rename it " $sys$folder " and see what happens when you refresh the desktop. Let me know the results.

Wiz Feinberg
<small>Wizcrafts Computer Services</small>
<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 13 November 2005 at 10:50 AM.]</p></FONT>

My daughter just brought home the new Trey Anastasio CD, and guess what it has.....yup, the Sony XCP protection. I'm hopping mad. My gut is telling me to bring the CD back to the store and request a refund. We frequently play CDs on the computer, but there is no way I'm gonna put this disk within spitting distance of my hard drive!
Now the thing is that it's my daughter's CD not mine, and her decision whether to keep it or not.
But for all the anti-ripping technology, can't an analog 'safe' copy still be made? You know, the old fashioned way.....recording from the stereo line-out?

Sony "temporarily suspending" producing
these cd's is almost a mea culpa,
but the lawyers MUST say we defend the inherent right
to prevent copying... BUT

it didn't dare say they are defending THIS version of the a anti-theft system... hmmmm.

No word in Microsoft's take on this.
Sony basically hacking the Windows system EVERY time a user puts in a cd.
Huh!

Boy, ya let the suits and lawuyers at the cash cow,
and they are bound to shoot it in the hoof
trying to get more meat off'n the bone...

David, read this:

Microsoft to Zap Sony DRM 'Rootkit'

Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology.

According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out at Windows users through the anti-spyware application's weekly signature update process.

Read his statements on his Blog, at: http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services</small>

Not that I consider Wikipedia a one-stop reference center, but I found it interesting that this was displayed when I searched for XCP:

http://en.wikipedia.org/wiki/XCP

Sony is getting a well-deserved spanking for their misdeeds against paying customers.

Looks like Sony has seriously stepped in it. This is going to cost them big $$$ to buy back any semblance of credibility and respect. Stories I am reading are describing 'incredulity' by computer pros and academics that Sony would issue such poor software, such malicious spyware and use such poor judgement. Looks like evil met incompetence and this was the result.