Sony, rootkit and the fifth power

Related categories: Security | Rootkits | Spyware

Michał Piotr Pręgowski
Article date: 2006-04-24 18:07:10

We present the history of the rootkit and spyware that Sony put on audio CDs, and describe the scandal that followed.

Over half a million infected computers, an international scandal and numerous lawsuits - the aftermath of Sony BMG putting spyware on audio CDs. The scandal was revealed on the Web by network security experts, once again proving the speed and effectiveness of this method of communication.

About the author

Michał Piotr Pręgowski graduated from the Faculty of Journalism and Political Sciences at Warsaw University. He is currently working on his Ph.D. at the Institute of Applied Social Sciences of the same university. His interests include the social impact of Internet-based media, self-presentation in computer-mediated communication, and ludology. He runs a Polish-language blog devoted to these issues: http://www.error300.org.

It all happened very quickly. On October 31, the first mention of the Sony rootkit appeared on Mark Russinovich's blog (see Frame On the Net), and within a few days the whole world was aflame with outrage. On November 10, Kaspersky Lab published information on the first detected worm to use the Sony rootkit, and several days later the multimedia giant temporarily withdrew all its CDs protected using the controversial Extended Copy Protection technology (XCP), officially to analyse it for security and user convenience. The Internet community was left with a bitter after-taste, but also with something far more important: the realisation that if they speak up loudly and unanimously, they will be heard.

What you will learn...

  • what the Sony rootkit is and what dangers it carries,

  • what mistakes Sony made and who became interested in exploiting them,

  • what the Internet-based fifth power is.

What you should know...

  • the basics of Digital Rights Management (DRM).

You probably remember the story as well as I do. Russinovich, editor of Windows IT Pro and software engineer at Winternals Software, detected an unidentified rootkit on his PC and through painstaking deduction traced it to its makers - a company called First4Internet. The malware in question was built using XCP technology that First4Internet sold to various companies. Sony BMG Music used XCP with an integrated rootkit, and it was through a Sony CD that Russinovich's PC was infected. After that, all hell broke loose, and the headlines spoke of the Sony rootkit and the Sony BMG rootkit saga.

Tragedy of errors

The list of Sony's rootkit sins is a long one. To start with, software included on Sony BMG music CDs modifies Windows so as to hide the activities of a spyware program from the user. The program gathers user information and sends it to Sony, threatening user privacy by calling home. Worse still, until the issue was spotlighted by world media (and even for some time afterwards), the Sony rootkit could not be removed without endangering system stability. The first Sony embarrassment in the weeks that followed was that the first official patch did not actually remove the spyware, but merely made it visible to the user. Another embarrassment came on November 4, courtesy of Sony BMG's Thomas Hesse, who in an interview for NPR stated that most people don't even know what a rootkit is, so why should they care about it? This stunning statement was snapped up by computer security experts and enthusiasts, and the F-Secure team even brought out T-shirts quoting the Sony manager verbatim.

The plot continued to develop like a bad TV series. Baffled customers were long kept waiting for an official list of CDs containing the dangerous software (see Frame On the Web). When Sony finally provided a web-based uninstaller for the rootkit, it turned out that running it left the system vulnerable to attack from the Internet - and critically vulnerable at that. The buggy uninstaller left Windows full of holes that allowed potentially any website to install and execute arbitrary code in the system. Hard to think of a more serious security issue.

Van Zant sunk by the rootkit

Van Zant, the band whose record was the source of infection for Mark Russinovich's PC, is now in serious trouble. Although the country-rockers have absolutely no connection to Sony's actions, users have almost unanimously condemned their album. Customer ratings on Amazon.com left little doubt - one star out of five. As of this writing, the average from 250 votes has risen only slightly above one.

Interestingly enough, some of the most negative comments include apologies to the band, explaining that the one-star rating does not relate to the music but rather to the rootkit and Sony's actions. Indeed, many Internet users are still calling for a boycott of Sony products.

Regardless of the reasons, Van Zant are in trouble: not only is nobody going to buy their record, but even the group's fans are more likely to download the album via P2P to avoid the risk of infection.

How XCP works

  • Any XCP-protected CD is multisession, containing both traditional unprotected audio data and software making use of Windows' autoplay feature.

  • After the CD is placed in the drive, software is installed without the user's knowledge or consent (though correct installation requires administrator privileges). However, if the user skips autoplay by holding down [Shift] after inserting the CD, protection software will not be installed and the CD will be treated just like an unprotected one, for example allowing the audio data to be copied. In other words, protection can be easily bypassed, rendering the whole scheme useless.

  • The software includes two malicious applications: a rootkit and a spyware program. The rootkit hides all files, processes, directories, registry entries and other system objects whose names start with $sys$ (the method does not work in recovery mode). The spy app resides in a directory hidden by the rootkit. When a CD is played, the program connects to Sony servers and sends information about the record being played and the user's IP.

  • Once installed, the spyware continuously monitors processes running in the system (eating up 1-2% of processor time), locates programs for copying audio CDs and disrupts their operation by inserting noise into the data being copied, regardless of whether or not the CD is copy-protected.

  • There is no easy way of uninstalling the software. Removing it by hand causes system failures and prevents CDs from being played.

  • The rootkit indiscriminately hides all objects with matching names, so it could well be used to hide third-party malware, such as worms, viruses and trojans.

  • Some of the software components were named so as to resemble vital Windows components (such as Plug and Play drivers).

  • The rootkit uninstaller supplied by Sony merely reveals the hidden files and does not actually remove any components with spyware functionality. Accessing the uninstaller requires the user to register at the Sony website, supply their private information and install an ActiveX control on their system. The control is very badly written, and executing it leaves the system open to arbitrary code execution by malicious parties - the user need only visit a specially crafted website for an intruder to gain full control of their system.
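The $sys$ name filter described above, together with the cross-view check that exposed it (compare what the Windows API reports with a raw scan of the same objects), modelled as an added example in Python. This is not code from the article or from XCP itself; every object name is constructed, and only the $sys$ prefix comes from the text.

```python
# Added example, not code from the article or from Sony/First4Internet: a model of the
# XCP name filter and of the cross-view detection technique used to expose it.
# All object names below are constructed; only the "$sys$" prefix comes from the article.

HIDE_PREFIX = "$sys$"

# Constructed inventory of a machine as a raw scan (disk, kernel structures) would see it.
RAW_OBJECTS = [
    ("file", r"C:\WINDOWS\system32\drivers\$sys$example.sys"),   # XCP-like driver (constructed)
    ("file", r"C:\Program Files\$sys$player\spy.exe"),            # spyware inside a hidden directory
    ("process", "$sys$spy.exe"),
    ("registry", r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example"),
    ("process", "$sys$worm.exe"),                                  # unrelated malware riding the filter
    ("file", r"C:\WINDOWS\system32\drivers\pci.sys"),
    ("process", "explorer.exe"),
]


def hidden_by_rootkit(obj):
    """XCP-style filter: the object vanishes if any path or key component starts with $sys$.

    The filter is indiscriminate, so third-party malware using the prefix is hidden too.
    """
    _, name = obj
    return any(part.startswith(HIDE_PREFIX) for part in name.split("\\"))


def api_view(raw_objects, rootkit_active=True):
    """What high-level enumeration (Explorer, Task Manager, regedit) returns.

    With the driver loaded, filtered objects are dropped. In recovery mode the driver is
    not loaded, so the API view equals the raw view and nothing is hidden.
    """
    if not rootkit_active:
        return list(raw_objects)
    return [o for o in raw_objects if not hidden_by_rootkit(o)]


def cross_view_diff(api_objects, raw_objects):
    """Cross-view detection: report anything the raw scan sees that the API view lacks."""
    visible = set(api_objects)
    return [o for o in raw_objects if o not in visible]


def detect_hidden(rootkit_active=True):
    """Run the detector against the constructed inventory and return the hidden objects."""
    return cross_view_diff(api_view(RAW_OBJECTS, rootkit_active), RAW_OBJECTS)


if __name__ == "__main__":
    for kind, name in detect_hidden():
        print(f"HIDDEN {kind:8} {name}")
```

The same diff run with `rootkit_active=False` comes back empty, which is why a scan from recovery mode sees the files directly but a cross-view comparison is needed while the driver is loaded.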

Copyright © 2006 by Software Developer's Journal. All rights reserved.