Hacking World of Warcraft


Kermit
11-11-2005, 08:42 AM
Cheaters of the world rejoice.

Sony's new "Enhanced" music CDs load a root kit onto any PC that plays them. The gist of rootkits is they are like a sub OS running on a system that allows files to be completely hidden, even from Windows.

The quick version of this story is that the Sony rootkit auto-hides any file that starts with "$sys$".

Blizzard has admitted that loading the rootkit onto your system and renaming any hack or cheat file on your PC to start with $sys$ makes it invisible to them. All you have to do is go out and buy a Sony Enhanced music disk, load it up and you are ready to cheat. You can't get caught.

Some additional info is here (http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/). Or check out the newest TwiTcast #29 (http://www.twit.tv).

Get ready. It's been out there for a week. It will only get worse.

Creole Ned
11-11-2005, 09:20 AM
I read about this last week. Sony is full of neat ideas. I'm just glad that none of the CDs I've bought lately have been from them.

This proves that the people who thought it couldn't get any worse than StarForce (http://www.glop.org/starforce/) were wrong. Joy.

Kermit
11-11-2005, 09:23 AM
It should also go without saying that any 12 year old script kiddie can now easily hide anything he wants on your system.

I think Microsoft should sue Sony for intentionally putting a battleship sized hole in "our most secure OS ever!".

Tai
11-11-2005, 09:29 AM
That Sony root kit also phones home, doesn't it? Among a slew of other crud?

jackrabbit
11-11-2005, 09:30 AM
Here's the icing on top of the Stupidity Cake, though.

The app was designed to keep you from finding it and to stop you from copying the CDs by blocking your burning software.

Well, the damn thing is self-defeating. Can't run Nero anymore?

just rename it: $sys$nero.exe

suddenly copying CDs works again.

Circuit
11-11-2005, 02:47 PM
I read about this the other day. I'm pretty sure I won't be buying any more CDs from Sony. They've now made instructions available for removing the code, but that's like punching someone in the eye and then telling them to make sure to apply an ice pack to reduce the swelling. What a bunch of assholes. Doesn't that break some law about being able to make backups of your stuff?

Tick
11-13-2005, 09:21 AM
It gets better!

Check out EFF's reading of the Sony EULA:

http://www.eff.org/deeplinks/archives/004145.php

armerius
11-13-2005, 11:58 AM
that's it... now i'm just plain convinced the thinktank execs and lawyers at sony need to all die a fiery and painful death.

Andri
11-14-2005, 10:06 AM
Um... can somebody explain to me in very simple terms (yeah, like for a dummy) what this all means? All I understand is that 12 year-old kids will now be able to ride three times as fast as me and hit me for 12,000 DPS without Blizz detecting that there's hack involved. That's sure gonna be fun. But does that mean I have now some kind of spyware on my computer that does something funny when I don't look? Or prevents me from copying my CDs? :(

jackrabbit
11-14-2005, 10:37 AM
Blizzard employs an app called Warden that scans your active programs while WoW is running. It looks for specific applications and checks the memory that is allocated to WoW. If it finds an application that is on Blizzard's updated "blacklist", Warden reports the infraction to Blizzard and the account is either warned or banned.

(if you remember Redtale getting banned, the above is likely what happened.)

Recently, and unrelated, Sony introduced a "rootkit" that shipped with their newer CDs. The intent of the rootkit is that when you insert their music CDs into your PC, it autoruns and installs itself. Its purpose is to scan your PC for violations of Sony's EULA and report back to Sony (so they can sue you for buying their music, apparently). If you have any burning or imaging software such as Alcohol120%, ISObuster, or Nero (among others) Sony will disable some or all of the functions of the application so that you can not illegally duplicate and distribute their Intellectual Property.

Since Sony's product is, in no uncertain terms "Spyware", it would only be a matter of time before it was detected as such by anti-virus and anti-spyware apps and disabled (and likely blacklisted). In order to defend itself against being detected and removed, the product uses a blind to hide itself. The processes run under a $sys$ prefix and are hidden from view from Windows. I don't know how this works exactly, but the idea behind it is painfully and horribly dangerous.

Here's where the two become intermingled:

If a WoW player intentionally installs the Sony rootkit, and runs a hack for WoW, they simply rename the hack preceded with the $sys$ prefix and Blizzard's Warden can no longer detect the application. The hacker becomes essentially legit according to Warden and can run his hacks unreported.

This is only the first and most relevant problem with the rootkit, though. In theory, people that are likely to get spyware will continue to do so. New spyware, however, will probably begin to incorporate this exploit. So instead of Alexa installing "alexa.exe" (which anti-spyware applications will flag for removal) it will install "$sys$alexa.exe". Anti-spyware apps can no longer see it, and will no longer be able to remove it. And spyware is only the tip of the iceberg. Viruses, backdoors, and worms are sure to follow.

Essentially, Sony's rootkit opens a potential door for your PC to become as filthy and infected as a $3 Indonesian whore.

Creole Ned
11-14-2005, 10:58 AM
Microsoft (who, as you might guess, is not Sony's #1 fan) has announced that their malicious software removal tool (available via Windows Update) will soon detect and remove the rootkit software.

Medic
11-14-2005, 11:02 AM
Lemme see if I have this right;

The $sys$-trick will only work if you've installed the $ony rootkit?

Kermit
11-14-2005, 11:08 AM
$3? Big spender you...

The key to all this is understanding that rootkits are sort of like a mini OS running under Windows and re-directing any queries to the kernel that it wants to. What ends up happening is that Windows itself does not know that certain files are on the hard drive, and as a result, any programs running through Windows will be unaware also. This includes Anti-spyware, Anti-virus, and program "checkers" like WoW's Warden. When they ask the OS to report if file A, B, or C are on the hard drive, Windows says "No" because the rootkit intercepts the request.

Rootkits are not all evil, they were originally intended for use on Unix for legitimate reasons and certain programs (including some Anti-virus programs) use them for good reasons.

The problem with the Sony rootkit is that it was written so poorly and will be distributed so easily and widely that it is an easy to use exploit for evil-doers to use for their own purposes. That and 99.9% of people that have it on their systems will never know it. The WoW cheating comes in because people who want to cheat on games that have Warden-like programs will be able to easily do it with little knowledge about PCs or programming. (in this case, just run a newer Sony disk, and rename your WoW hack so it starts with $sys$_________)

If anyone is now newly paranoid about rootkits, Sysinternals (http://www.sysinternals.com/Utilities/RootkitRevealer.html) makes a rootkit of their own that checks the contents of the hard drive, then queries Windows to do the same. The two lists are compared and any differences are reported. If there are differences, you have a rootkit on your system. (once again, this might not be a bad thing, there are a few legitimate rootkits out there)
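The list comparison described in the post above, as an added sketch that is not part of the original thread and is not Sysinternals' code: it diffs a trusted listing against what the OS API reports and checks whether the missing names share a prefix. The function names are hypothetical and both listings are constructed sample data.

```python
"""Cross-view diff: entries a trusted scan sees but the OS API view omits."""
import os.path
from ntpath import basename  # Windows path rules, usable on any host OS

def hidden_entries(trusted_view, api_view):
    """Return paths present in trusted_view but absent from api_view.

    NTFS names are case-insensitive, so compare on a case-folded key;
    otherwise NOTEPAD.EXE vs notepad.exe would be a false positive.
    """
    seen = {p.casefold() for p in api_view}
    return sorted(p for p in trusted_view if p.casefold() not in seen)

def shared_prefix(paths, min_len=3):
    """Common file-name prefix of all hidden entries, or None.

    A shared prefix points at a name-based cloaking rule rather than
    ordinary churn (files created or deleted between the two scans).
    """
    names = [basename(p).casefold() for p in paths]
    if len(names) < 2:
        return None  # one discrepancy alone says nothing about a pattern
    prefix = os.path.commonprefix(names)  # character-wise common prefix
    return prefix if len(prefix) >= min_len else None

# Constructed sample listings (assumption: TRUSTED comes from a raw-disk
# or offline scan, API from a normal directory walk on the live system).
TRUSTED = [
    r"C:\Windows\System32\notepad.exe",
    r"C:\Tools\$sys$nero.exe",
    r"C:\Games\$SYS$demo.dat",
    r"C:\Users\me\notes.txt",
]
API = [
    r"c:\windows\system32\NOTEPAD.EXE",
    r"C:\Users\me\notes.txt",
]

if __name__ == "__main__":
    missing = hidden_entries(TRUSTED, API)
    for path in missing:
        print("hidden from API view:", path)
    print("shared name prefix:", shared_prefix(missing))
```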

Medic
11-14-2005, 11:14 AM
I now agree with Arm; the people responsible (the execs, not the coders) should have their ankles broken 'Misery' style.

Andri
11-14-2005, 01:12 PM
Somehow this all sounds very illegal to me. But I'm probably just naive.

jackrabbit
11-14-2005, 01:46 PM
the jury is still out, so to speak.

I wouldn't go cashing in your Nest Egg for Sony stock any time soon, though.

Kermit
11-14-2005, 03:32 PM
Rootkits right now are not illegal as far as I know. And to top it off (I've never used one of the Sony Disks myself) Sony's rootkit is apparently covered under their EULA. If you have to sign off on it, it really can't be illegal.

jackrabbit
11-14-2005, 03:40 PM
The CDs with the rootkits aren't clearly labeled, and it auto-installs without showing the EULA, AFAIK. I suppose I could find out more, but I don't really buy CDs. It really skirts the edges of legality, and a contract that has unreasonable demands that you agree to simply by purchasing the product isn't exactly what one might call "enforceable". We'll all know more soon enough anyhow. Once Microsoft has lawyers involved the details will probably be media kibble.

see also 1 (http://www.nolo.com/article.cfm/objectID/EEF92280-11CF-4910-8DECF67369130844/111/277/257/ART/), 2 (http://www.law.buffalo.edu/Academics/courses/623/text/5-broker2.html)

armerius
11-15-2005, 06:02 AM
most recently I heard reported that upon deleting the root kit files, your CD/DVD drives will become completely disabled and useless... barring anything short of Orioning your hard drive ....... reinstalling windows.

Circuit
11-15-2005, 07:12 AM
This whole thing is dumb, but let's not go nuts here. That wouldn't even make sense and would most definitely be illegal, Arm. I mean Sony gives instructions on how to remove the rootkit.

Kermit
11-15-2005, 08:48 AM
Well the good news is Sony has given up and will not be using the software anymore.

The bad news is, as of Saturday there are already two "viruses" that are using the exploit, and of course, the disks that are already out there are out there. Sony will not recall them.

armerius
11-15-2005, 04:19 PM
circuit, i totally agree that it makes no sense, i'm just passing along what I saw on "Attack of the Show" on G4..

and it was on TV, so it HAD to be true!

Shadowrat
11-16-2005, 06:40 AM
i saw numerous posts on other locations that the rootkit was difficult to remove completely as well. Most people complained of the symptom arm described.

Tai
11-16-2005, 06:46 AM
Did I mention the Sony uninstaller for the root kit leaves an ActiveX control on your machine with full scripting/execution rights that any website can launch and use to take over your computer? They just keep digging themselves deeper!

Circuit
11-16-2005, 08:11 AM
So far the stories about that are all from one Finnish researcher, but it doesn't seem all that surprising. This is clipped from the article I saw:

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.

Basically, it's Sony's way of saying "LOL! WE TRICK J00!!". Maybe they'll make an uninstaller for that ActiveX control that removes your hard drive and smashes it with a rock. Pretty much your best bet if you accidentally play a Sony/BMG CD on your computer is to just reformat and never buy music from them again.

armerius
11-16-2005, 08:51 AM
crud.. one of the listed rootkit cd's is one that I imported into iTunes!!!!!!

will that have caused the rootkit to install or would I have had to do something more?

Circuit
11-16-2005, 09:35 AM
If you have autorun turned on for your CD ROM drives (by default it's on), that seems to be all it takes. The only way I've found to turn that off in XP is by editing the registry.

jackrabbit
11-16-2005, 09:43 AM
You should be able to go into My Computer, right click on the optical drive and choose Properties, go into the Autorun tab, check "Select an Action to Perform" and then select "Take No Action" from the list below it. This will disable autorun.

If you don't want to disable Autorun for everything, but do for some things, when you put the CD in the drive, hold down the "Shift" key as it spins up. No applications will run, and the CD will be mounted as a data cd.

Medic
11-16-2005, 10:27 AM
JR. would you get me the sledgehammer and rope from the closet?

jackrabbit
11-16-2005, 10:44 AM
the last time I did that I got rope burn, a concussion, and pregnant.

I'm not falling for it this time.

Circuit
11-16-2005, 10:55 AM
JR, in my experience that hasn't always worked completely. It seems to do it on a disc-by-disc basis. Holding shift does work, however, but that's sort of annoying.

Medic
11-16-2005, 10:56 AM
You were fine and it's a cute kid.

Now hold this guy while I find a board to stick between his ankles...

Medic
11-16-2005, 01:49 PM
After two weeks of relentless criticism over its XCP copy protection software, Sony BMG Music Entertainment is pulling CDs that contain the software from store shelves. The company is also planning to offer customers a way to exchange CDs that contain the flawed copy-protection software. "We share the concerns of consumers regarding discs with the XCP software, and we are instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection," Sony said in a statement posted on Tuesday.


EDIT: Gotcha, Pal.

Paladin
11-16-2005, 01:49 PM
Sony is now recalling the affected CDs.

Shadowrat
11-17-2005, 10:11 AM
This is my chance to segue into my favorite pet peeve of all time!

Antivirus software is useless. It's a cure with the same symptoms as the disease, and it doesn't stop stuff like the sony root kit.

Thank you for your time.

edit:
i don't know if norton or the others have gotten updated to look for the rootkit or not; last i heard, they were thinking about it.

Tai
11-17-2005, 10:28 AM
Antivirus software is useless. It's a cure with the same symptoms as the disease, and it doesn't stop stuff like the sony root kit.


That's the belief here at work too.

Shadowrat
11-17-2005, 10:35 AM
OMG!
we just deployed this kiosk application to the field. the client put all these stringent requirements in about antivirus protection because it holds consumer data.

Well the dang things are constantly shutting down and unable to communicate with us because Norton constantly runs amok.

it's Irony, plain and simple. the things are unpredictable and lose data because of Norton Internet Security.

Tai
11-17-2005, 10:42 AM
We won't run Norton anywhere, it's a horrible virus. You couldn't push back on the clients and force them to go with a firewall (I am assuming this thing connects somewhere, cause if it didn't connect anywhere, the only way it could get a virus is if the end user sneezes on it)?

Shadowrat
11-17-2005, 11:07 AM
when the client is visa, it's hard to push back.

the kiosks sit in locations around the country. they have firewalls configured on them to only access certain things. only talk to our webservice, etc, and have extensive group policy settings that restrict what anyone can do if they managed to get it out of kiosk mode and back to the desktop.

and also norton cause it has to be there by decree of the client.

Tai
11-17-2005, 11:09 AM
Humans are Stupid :(

Kermit
11-21-2005, 11:21 AM
Ok, barring any really serious updates on this story, this will be my last post on the topic.

Texas is suing Sony. (http://www.betanews.com/article/Texas_Sues_Sony_BMG_Over_CD_Rootkit/1132596035)

And my favorite active newspaper style comic strip (http://news.yahoo.com/news?tmpl=story&u=/uclickcomics/20051121/cx_ft_uc/ft20051121) took a quick stab at them too.