
One BIG root kit post

November 2nd, 2005 by Patrick S

Okay, this one is big because it interests me after watching a Microsoft webcast about rootkits (it will probably interest Patrick E too), but I have got all the info from other sources so it's extremely long.
The two stories are about Sony and how they are installing rootkits on your PC!!! :s


Sysinternals’ Mark Russinovich has performed an analysis of the copy restriction measures deployed by Sony Music on its latest CDs, which he bluntly calls a ‘root kit’. Using conventional tools to remove Sony’s digital media malware will leave ordinary users with Windows systems unable to play CDs.

While the Sony CDs play fine on Red Book audio devices such as standard consumer electronics CD players, when they’re played on a Windows PC the software forces playback through a bundled media player, and restricts how many digital copies can be made from Windows.

A ‘root kit’ generally refers to the nefarious malware used by hackers to gain control of a system. A root kit has several characteristics: it finds its way onto systems uninvited; endeavors to remain undetected; and then may either intercept system library routines and reroute them to its own routines, or replace system executables with its own, or both – all with the intention of gaining system level ownership of the computer.

What makes Sony’s CD digital media software particularly nasty is that using expert tools for removing the parasite risks leaving you with a Windows PC that’s useless, and that requires a full reformat and reinstall.

So is Sony bundling a root kit, or is it the latest in a long line of clumsy, and sometimes laughably inept attempts to thwart the playback of digital media on PCs?

We were inclined to the latter – but in practical terms, for ordinary users, the consequences are so serious that semantic distinctions are secondary.

In actuality both, reckons Russinovich. It’s a ‘root kit’ that arrived uninvited, but it’s also “underhanded and sloppy software” that, once removed, prevented Windows from playing his CD (Van Zant’s ‘Get With The Man’) again, he notes in his analysis.

The Sony CD creates a hidden directory and installs several of its own device drivers, and then reroutes Windows system calls to its own routines. It intercepts kernel-level APIs, but then attempts to disguise its presence, using a crude cloaking technique.

Disingenuously, the copy restriction binaries were labelled “Essential System Tools”.

But the most disturbing part of the tale came when Russinovich ran his standard rootkit-removal tool on the post-Sony PC.

“Users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files,” he writes.

This puts it in an entirely different class of software from the copy restriction measures we’ve seen so far, which can be disabled by a Post-It note, at least until specialist tools arrive to disinfect PCs of this particular measure.

Source: The Register

A rootkit is technology that hides software from the user and from security software. This kind of technology is normally used by malware authors who want their presence to remain undetected in the system for as long as possible. DRM software is not malicious, but it has other reasons for hiding from the user: DRM software restricts the user’s ability to make copies of a record and for that reason uses technology that prevents removal and modification of the software.

Sony BMG is currently using a rootkit-based DRM system on some CD records sold in the USA. As far as we know, this system has been in use since March 2005. We’ve made some test purchases of Sony BMG records from and can confirm that they contained this technology.

When you insert such a CD into a Windows-based PC, the record will display a license agreement and then it will appear to install song player software – while it really installs a rootkit on the system. Once the rootkit is there, there’s no direct way to uninstall it. The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed.

F-Secure has implemented an anti-rootkit scanner in F-Secure Internet Security 2006. The F-Secure BlackLight scanner is able to detect both this Sony DRM rootkit system and any malware that hides using it.

So: if you’ve recently used CD releases from Sony BMG that state that they are content protected on your Windows computer, the “Scan for Rootkits” function in our product will detect this program on your system. The same happens with our free BlackLight beta, which you can download from F-Secure’s web site.
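The cloaking described above (a hook on the directory-listing API that filters out the driver's own files) and the detection that F-Secure and Sysinternals rely on (comparing the API's view of a directory with a lower-level view of the same data) can be shown together. The following is an added example, not code from the original post, from Sony, Sysinternals or F-Secure: the hook is simulated by patching `os.listdir`, `os.scandir` stands in for a raw filesystem read, and the `$cloak$` prefix and file names are constructed placeholders, not the real marker.

```python
import os
import tempfile

CLOAK_PREFIX = "$cloak$"   # constructed placeholder, not the real DRM marker


def install_hook():
    """Simulate a user-mode rootkit hooking the directory-listing API:
    every call to os.listdir silently drops entries carrying the cloak prefix.
    Returns the original function so the caller can restore it."""
    real_listdir = os.listdir

    def hooked_listdir(path="."):
        return [e for e in real_listdir(path) if not e.startswith(CLOAK_PREFIX)]

    os.listdir = hooked_listdir
    return real_listdir


def api_view(path):
    """What ordinary tools (Explorer, dir) see: this goes through the hooked API."""
    return set(os.listdir(path))


def low_level_view(path):
    """The scanner's second route to the same data. A real cross-view scanner
    parses the on-disk filesystem structures; here os.scandir stands in,
    because it does not pass through the patched os.listdir."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def cross_view_scan(path):
    """Anything present in the low-level view but missing from the API view is
    cloaked: the DRM driver's own files, or any other program that borrowed
    the prefix to hide alongside them."""
    return sorted(low_level_view(path) - api_view(path))


def run_demo():
    """Build a constructed directory, install the hook, scan, and clean up.
    Returns (what the user sees, what the scanner flags as cloaked)."""
    tmp = tempfile.mkdtemp()
    for name in ("player.exe", "$cloak$drm.sys", "$cloak$worm.exe", "readme.txt"):
        open(os.path.join(tmp, name), "w").close()
    real_listdir = install_hook()
    try:
        return sorted(api_view(tmp)), cross_view_scan(tmp)
    finally:
        os.listdir = real_listdir          # remove the simulated hook
        for name in os.listdir(tmp):
            os.remove(os.path.join(tmp, name))
        os.rmdir(tmp)


if __name__ == "__main__":
    print(run_demo())
```

The constructed `$cloak$worm.exe` is flagged alongside the DRM file, which is exactly the point F-Secure makes: once the cloak exists, anything adopting the same prefix is hidden from the hooked API, so a scanner must never trust that API alone.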



Posted in Security | 2 Comments »

This entry was posted on Wednesday, November 2nd, 2005 at 2:18 am and is filed under Security. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Responses

  1. Patrick E Says:

    Does it ask before installing the rootkit? Or is it bundled into an autorun? I hope somebody sues Sony for loss/destruction of data resulting from this. This should be illegal.

  2. Patrick S Says:

    So do I…
    When it asks if you want to install a media player, it installs the root kit. If that isn't dodgy, I do not know what is!