Login

GRITS · (This post was last modified: 11-09-2005, 02:37 PM by GRITS.)

This was in yesterday's Boston Globe
Security firm: Sony CDs secretly install spyware
Company denies it, saying program aims to foil music piracy
Boston Globe article

Quote:Security firm: Sony CDs secretly install spyware
Company denies it, saying program aims to foil music piracy
By Hiawatha Bray, Globe StaffÂ |Â November 8, 2005

Sony is spying on thousands of listeners who buy and play its music CDs on their computers, a leading computer security firm said yesterday.

Breaking News Alerts Computer Associates International Inc. said that new anticopying software Sony is using to discourage pirating of its music also secretly collects information from any computer that plays the discs.

One of the world's largest software and information technology companies, Computer Associates is the latest to wade into the growing controversy over Sony's efforts to curb theft and illegal pirating of its music.

The software works only on computers running Microsoft Corp.'s Windows operating system. It limits listeners' ability to copy the music onto their computers, and locks copied files so they cannot be freely distributed over the Internet.

But Computer Associates said the antipirating software also secretly communicates with Sony over the Internet when listeners play the discs on computers that have an Internet connection. The software uses this connection to transmit the name of the CD being played to an office of Sony's music division in Cary, N.C. The software also transmits the IP address of the listener's computer, Computer Associates said, but not the name of the listener. But Sony can still use the data to create a profile of a listener's music collection, according to Computer Associates.

''This is in effect 'phone home' technology, whether its intent is to capture such data or not," said Sam Curry, vice president of Computer Associates' eTrust Security Management unit.

''If you choose to let people know what you're listening to, that's your business. If they do it without your permission, it's an invasion of privacy."

Sony and the British firm that wrote the antipirating code for the music company flatly denied the software snoops on listeners.

''We don't receive any spyware information, any consumer information," said Mathew Gilliat-Smith, chief executive of First 4 Internet Ltd., which makes the software for Sony BMG Music Entertainment.

So far, Sony BMG has installed the software on about 20 titles in its music catalog, including works by jazzman Dexter Gordon, singer Vivian Green, and the new issue by country rockers Van Zant, ''Get Right with the Man."

It was the Van Zant disc that led to the controversy over Sony's new software.

In late October, a well-known Windows computer engineer, Mark Russinovich, stumbled across the Sony software on one of his personal computers while running a security scan. Russinovich had used the computer to play the Van Zant CD, not realizing that it had installed the anticopying program.

When he tried to remove it, Russinovich found that the program lacked the ''uninstall" feature found in most Windows software. Indeed, key components of the software hid themselves deep in his computer by applying the same techniques used by data thieves to conceal their activities. Even a skilled user who identifies the correct files can't safely remove them, said Russinovich.

''Most users that stumble across the cloaked files . . . will cripple their computer if they attempt the obvious step of deleting the cloaked files," he wrote on his technology website, SysInternals.

Computer Associates yesterday concurred with Russinovich's assessment. Curry said Sony has made it so difficult for listeners to uninstall its software that some could lose all their data in the process.

''It can damage the operating system and the operating system's integrity, so it can't reboot at all," Curry said. ''As an expert in security, I can say this is bad behavior."

Indeed, Computer Associates has added the software to its list of spyware programs that collect personal information from computer users without their permission.

Russinovich also said that a patch Sony and First 4 released Friday to stop the software from hiding inside computers malfunctions and can cause an irreparable loss of computer data.

Gilliat-Smith of First 4 said he knows of no case in which this has happened. Sony offers a website where users can obtain a program that uninstalls its software. He said both efforts should prove that Computer Associates and Russinovich's complaints are unfounded.

''In theory there should be no concern," Gilliat-Smith said.

Hiawatha Bray can be reached at [email protected].

Â© Copyright 2005 Globe Newspaper Company.

Quickening · 11-09-2005, 02:55 PM

Sony continues to go down in my books.

Gwarsbane · 11-09-2005, 11:02 PM

Been posting about this over on MekTek since the 3rd. I guess I should have posted about it here too. I'll make a post of all my posting from there. It goes pretty deep and Sony is only digging themselves deeper.

http://www.mektek.net/forums/index.php?act...=ST&f=1&t=44660

Gwarsbane · 11-09-2005, 11:09 PM

http://www.sysinternals.com/blog/2005/10/s...tal-rights.html

There are just too many links and images to post everything here so I will give you the short version.

On some of sony music cds they are including DRM that includes rootkits. Basically it puts the stuff into hidden folder, hidden registry lines and just about everywhere it can stick something so that it can't be removed without basically formatting the hard drive and starting from scratch.

If you try to remove it, it will screw your system up and basically force you to reformat. Sometimes if you find the stuff they want you to find it reinstalls itself.

Now if you think that is bad enough, guess who else uses rootkits, you guessed it, hackers and virus makers.

So while you are trying to remove what you think is a virus it could be the junk that you agreed to have on your system when you bought and played that CD you just got.

Oh and it gets even better, the Sony rootkit, opens up your computer to a bunch of flaws which others (hackers and virus makers) can take advantage of. Also the legal rootkit installation can mess up other legal software you have.

So anyone else agree with me that DRM in general is just getting worse?

I wanted to post about this on the 31st when it was put out but as you know we had some minor problems between then and now. :D

Gwarsbane · 11-09-2005, 11:09 PM

I won't post the url because there is swearing on the page, but if you're slick enough you should be able to find it, most likly cause you already know of it. If you do know it, don't post the url here because as I said there is swearing on the page.

Quote:Sony Offers Removal Technique on Cloaked DRM Software
November 2, 2005
Thomas Mennecke

If the record labels are trying to win the DRM (Digital Rights Management) public relations war, they are off to an atrocious start. The intention of DRM is to protect the intellectual property rights of content owners. Being the blanket term it is, DRM can take the form of virtually any technique.

On October 31, 2005, the Internet community learned how ugly these techniques could get. Mark Russinovich, an expert on the internals of Windows and one of the writers behind Sysinternals.com, discovered evidence of a rootkit on one of his computers.

Rootkits are sneaky pieces of software that hide on one's computer. They are virtually invisible to most, if not all, conventional anti-spyware and anti-virus software. You may ask why they hide themselves from diagnostic software scans. This is done because they are most often associated with the worst kinds of software on the Internet. No, not Grokster, but other malicious software such as viruses, trojans, and other malware.

Using RootKitRevealer (RKR), Mark Russinovich discovered a "hidden directory, several hidden device drivers, and a hidden application"

After a lengthy and clever investigation, Mark Russinovich discovered the Rootkit was part of a DRM copy protection scheme devised by a company named First4Internet. First4Internet had developed a DRM technology dubbed XPC, or Extended Copy Protection, which it licensed to Sony-BMG Music. The copy protections software had been included on the Sony-BMG CD "Get Right with the Man" by the Van Zant brothers, which Russinovich had played on the computer in question.

The fact this software couldnât be detected by conventional spyware or virus sweepers was bad news, but certainly not the worst. If an inexperienced individual were to remove the cloaked files after discovers with RKR, the individual's computer may become seriously crippled. Although Sony repeatedly attempted to hide behind their EULA, which made no mention of this software, the public backlash proved too much for Sony-BMG to bear. Even those who support an artist's right to protect their content were scornful of this inexcusable move by Sony-BMG.

In response, Sony-BMG Music was forced to provide a method to remove this cloaked software. In an update issued today, Sony-BMG issued the following statement:

Quote:"November 2, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

Itâs interesting that Sony-BMG Music felt they could hide this kind of copy protection scheme from the public. The music industry is in a difficult position as "legitimate" downloads have stagnated and the P2P population continues to increase. A public relations nightmare such as this, especially one that draws attention to DRM and its implications, is definitely not what the music industry needs.

Gwarsbane · 11-09-2005, 11:11 PM

I'm not against some DRM, but the fact is stuff like this just does nothing but harm.

Even with rootkits there would be workarounds for it in hours and the music from the CD was most likly already up on p2p groups even before the CD was released.

Even if it would have been proven to be "safe" it would have given people a false sense of security.

Just imagine you know you bought the CD with that DRM on it and you knew about the rootkit and you decided to put up with it.

Everytime you do a scan it sees it and you don't allow it to be removed. Now imagin what would happen if another rootkit gets installed by someone not so nice and they change some of sonys version. Now you have a rootkit on your system that you think is authentic and you let it just stay there because as you already know it gets picked up by the scan but you have been told its safe. But in fact you are actually wide open to attack.

Gwarsbane · 11-09-2005, 11:12 PM

Quote:but this is absolutely no excuse for compromising a system without any permission by the user

Well here is where there is another problem. On the CD there is a warning of DRM, it don't say what the DRM is though. And from my understanding when you open the packaging you are agreeing to put the DRM on your computer.

So people are agreeing to put the DRM on their system just by opening and playing the CD.

Gwarsbane · 11-09-2005, 11:13 PM

Wasn't sure where to put this so figured I would put this in here and change the topic a little.

http://www.securityfocus.com/brief/34

Quote:World of Warcraft hackers using Sony BMG rootkit
Published: 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Hey Sony, thanks for making cheating at games a heck of a lot easeir!

Gwarsbane · 11-09-2005, 11:13 PM

http://news.zdnet.com/2100-1009_22-5933428...feed&subj=zdnet

Quote:Sony's antipiracy may end up on antivirus hit listsBy Matt Loney, ZDNet (UK)
Published on ZDNet News: November 4, 2005, 11:03 AM PT

Antivirus companies are considering protecting their customers from the digital rights management software used by Sony on some CDs.

Kaspersky Lab has classed Sony's DRM software as spyware because, among other things, it can cause crashes and loss of data, and it can compromise system integrity and security.

Explaining its decision, Kaspersky said it used the definition of spyware provided by the Anti-Spyware Coalition. Sophos, another security company, is similarly scathing of Sony and is calling the software "ineptware."

The issue reaches much further than the individual PCs of those users who buy particular Sony CDs, the antivirus companies say. The DRM software uses what is known as a "rootkit," which means that it is invisible to the operating system, to most antivirus and security software and to IT departments trying to cope with security on desktop and notebook computers.

Furthermore, say the antivirus companies, the rootkit software can be exploited by hackers and viruses and used to cloak any file from the operating system. A rootkit takes partial control of a computer's operating system at a very deep level in order to hide the presence of files or ongoing processes.

"The Sony rootkit can be used to hide any files from the operating system, so we think the way that Sony has implemented this is somewhat flawed," said Graham Cluley, the senior technology consultant at Sophos. "The danger is that other malware (malicious hardware) may come along which exploits the Sony rootkit."

Due to what Cluley said is a lack of malicious intent on Sony's part, Sophos is not defining the rootkit itself as malicious software, preferring instead to refer to it as "ineptware."

"We don't really believe this is malware, and so we don't currently detect it," Cluley said. However, he said detection for rootkits like that used by Sony will be built into Sophos Antivirus version 6, due out in 2006.

"This is potentially unwanted software, and we will add the capability to detect the bad stuff and give the enterprise more control over what is on their PCs," he said. "This software is the sort of thing we will consider adding."

David Emm, a senior technology consultant at Kaspersky Lab, said he was also dismayed to see Sony using rootkits. "We don't have an issue with Sony taking steps to protect its legal rights and licensing," he said. "But given that over the past 12 to 18 months we have seen an increasing use of rootkits (by criminals), to see similar technology being implemented from someone supposedly on the good side is particularly worrying."

Use of techniques that are usually the preserve of criminals by companies such as Sony are causing problems to antivirus and security companies. "Previously it has been possible to say a rootkit equals a bad thing, but now we're having to deal with things that are not so clear cut," he said.

Kaspersky uses the term "riskware" to define programs that behave like malicious software but may not have malicious intent behind them. Although it attempts to detect riskware, so that users can be asked what they would like to do with it and so that policies can be created, it does not currently detect the rootkit used by Sony's DRM. "At the moment this is still under discussion and no final decision has been made," Emm added.

Sony's use of techniques usually employed by hackers and virus writers makes it much more difficult to differentiate between malicious and benign software, said Kaspersky on its viruslist.com blog. "Rootkits are rapidly becoming one of the biggest issues in cybersecurity. Vendors are making more and more of an effort to detect this kind of threat. So why is Sony opting to use this dubious technology?" the Kaspersky posting said.

"Naturally, we're strongly against this development," it continued. "We can only hope that this message comes across loud and clear to the people who have a say in this at Sony and elsewhere. We'd hate to see the use of rootkits becoming a habit among mainstream software manufacturers when there are so many security and ethical arguments against such use."

Man this thing with Sony just keeps getting better and better

Gwarsbane · 11-09-2005, 11:15 PM

Its like the energizer bunny, it keeps going and going and going....

http://www.sysinternals.com/blog/2005/11/s...4-internet.html

Quote:Sonyâs Rootkit: First 4 Internet Responds
First 4 Internet, the company that implements Sonyâs Digital Rights Management (DRM) software that includes a rootkit, has responded to my last post, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home. They rebut four of the points I raise in the post. Their first statement relates to my assertion that Sonyâs player contacts Sonyâs web site each time it runs and sends the site an ID associated with the CD the user is playing:

The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

I speculated that the player sends Sonyâs web site a CD identifier as part of a check to see if new song lyrics or artwork was available, which they essentially confirm. Their claim that the communication is âone wayâ from Sonyâs web site is false, however, since Sony can make a record of each time their player is used to play a CD, which CD is played, and what computer is playing the CD. If theyâve configured standard Web server logging then they are doing that. As I stated earlier, I doubt Sony is using this information to track user behavior, but the information allows them to do so. In any case, First 4 Internet cannot claim what Sony is or is not doing with the information since they do not control those servers, and the First 4 Internet response fails to address the fact that the End User License Agreement (EULA) and Sony executives either make no mention of the âphone homeâ behavior or explicitly deny it.

Another point that I made in the post is that the decloaking patch that Sony has made available weighs in at a relatively large 3.5 MB because it not only removes the rootkit, it also replaces most of the DRM files with updated versions. First 4 Internet responded with this:

In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

Itâs not clear to me what they mean by âa secure installationâ, but like most of the disclosure in this story, theyâve acknowledged the updating nature of the patch only after someone else has disclosed it first. Whatâs also lost in their response is that Sony DRM users not following this story as it develops have no way of knowing that thereâs a patch available or that they even have software installed that requires a patch.

Further, Sonyâs patch is dangerous because the way that it removes the cloak could crash Windows. I discussed the flaw in the patchâs decloaking method in the first post and again in the last one (I also provide a simple way for users to remove the cloak safely), yet First 4 Internet refuses to recognize it. They contest my claim in their comment:

This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

While the probability of a crash is relatively small, its not âpure conjectureâ, but fundamental to multithreaded programming concepts. Anyone that writes Windows device driver code must have a firm grasp of these concepts or they can easily introduce bugs and security holes into Windows. Hereâs one of many scenarios that will lead to a crash when the patch decloaks Sonyâs rootkit:

Quote:Thread A invokes one of the functions that Aries.sys, the Sony rootkit driver developed by First 4 Internet, has redirected

Thread A reads the address of the redirected function from the system service table, which points at the rootkit function in Aries.sys

Thread A executes the first few instructions of the Aries.sys function, which is enough to enter the driver, but not enough to execute the Aries.sys code that attempts to track threads running within it

Thread A is context swapped off the CPU by the Windows scheduler

The scheduler gives thread B the CPU, which executes the patchâs âunload driverâ command, unloading the Aries.sys driver from memory

The scheduler runs thread A again, which executes memory that previously held the contents of Aries.sys, but is now invalid or holds other code or data

Windows detects thread Aâs illegal execution and crashes the system with a blue screen

First 4 Internetâs failure to imagine this control flow is consistent with their general failure to understand Windows device driver programming.

As further evidence of this, Iâve performed further testing of the Aries.sys driver using a program I wrote, NTCrash2, and found that Aries.sys fails to perform basic checks on the data passed to it by applications. NTCrash2 passes randomly-generated invalid data to Windows APIs and on a stock Windows system simply receives error codes from the APIs. However, when NTCrash2 runs on a system that has the Sony rootkit installed Windows crashes. Hereâs an example Windows blue screen that identifies Aries.sys as the cause of a crash that occurred while NTCrash2 ran:

**Image**

Besides demonstrating the ineptitude of the First 4 Internet programmers, this flaw highlights my message that rootkits create reliability risks in addition to security risks. Because the software package that installed the rootkit is hidden when Windows is running (in this case Sonyâs DRM software), and even if exposed not clearly identified, if an application triggers one of Aries.sysâs bugs a user would have no way of associating the driver responsible for the resulting crash with any software package they have installed on their system. The user would therefore be unable to conclusively diagnose the cause of the crash, check to see if they have the most recent version of the driver or of uninstalling the driver.

First 4 Internet and Sony also continue to argue that the rootkit poses no security vulnerability, repeating it in the description of the patch download. Any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software.

First 4 Internetâs final rebuttal relates to my complaint that as part of a request to uninstall their DRM software Sony requires you to submit your email address to their marketing lists. First 4 Internet says:

An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

The Sony privacy policy the comment refers to clearly states that Sony may add a userâs email address to their marketing lists:

Except on sites devoted to particular recording artists, we may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly.

Again, the fact is that most users of Sonyâs DRM wonât realize that they even have software that can be uninstalled. Also, the comment does not explain why Sony wonât simply make the uninstaller available as a freely accessible download like they do the patch, nor why users have to submit two requests for the uninstaller and then wait for further instructions to be emailed (I still have not received the uninstaller). The only motivation I can see for this is that Sony hopes youâll give up somewhere in the process and leave their DRM software on your system. Iâve seen similar strategies used by adware programs that make it difficult, but not impossible, for you to remove them.

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are a not only technically incompetent, but also dishonest.

Lots of links on the page and an image.

Gwarsbane · 11-09-2005, 11:15 PM

Yup, you guessed it... still more stuff to do with the sony screwup.

http://www.smarthouse.com.au/Entertainment...y/News/Q7P7L4N2

Quote:Police Called In To Investigate Sony

David Richards - Wednesday, 9 November 2005

A leading software company has accused Sony of spying on tens of thousands of people who buy Sony music CD's.

Computer Associates said that new anticopying software Sony is using to discourage pirating of its music also secretly collects information from any computer that plays the discs including hundreds of people in Australia who buy BMG Sony music. One of the world's largest software and information technology companies, Computer Associates is the latest to wade into the growing controversy over Sony's efforts to curb theft and illegal pirating of its music.In Europe Police have been called in to investigate Sony's actions.

An Italian digital rights organisation has taken the first steps to possible criminal charges over the XCP software which, it was recently discovered cloaks itself on users' computers and communicates with Sony servers over the Internet.

The group, calling itself the ALCEI-EFI (Association for Freedom in Electronic Interactive Communications - Electronic Frontiers Italy), filed a complaint about Sony's software with the head of Italy's cyber-crime investigation unit, Colonel Umberto Rapetto of the Guardia di Finanza.

The complaint alleges that XCP violates a number of Italy's computer security laws by causing damage to users' systems and by acting in the same way as malicious software, according to Andrea Monti, chair of the ALCEI-EFI. "What Sony did qualifies as a criminal offense under Italian law," he said.

Should police determine that a crime has been committed, prosecutors will be required to begin criminal proceedings against Sony, Monti said.

The software works only on computers running the Microsoft  Windows operating system. It limits listeners' ability to copy the music onto their computers, and locks copied files so they cannot be freely distributed over the Internet.

But Computer Associates said the antipirating software also secretly communicates with Sony over the Internet when listeners play the discs on computers that have an Internet connection. The software uses this connection to transmit the name of the CD being played to an office of Sony's music division in Cary, N.C. The software also transmits the IP address of the listener's computer, Computer Associates said, but not the name of the listener. But Sony can still use the data to create a profile of a listener's music collection, according to Computer Associates.

''This is in effect 'phone home' technology, whether its intent is to capture such data or not," said Sam Curry, vice president of Computer Associates' eTrust Security Management unit. ''If you choose to let people know what you're listening to, that's your business. If they do it without your permission, it's an invasion of privacy."

Sony and the British firm that wrote the antipirating code for the music company flatly denied the software snoops on listeners. ''We don't receive any spyware information, any consumer information," said Mathew Gilliat-Smith, chief executive of First 4 Internet Ltd., which makes the software for Sony BMG Music Entertainment.

So far, Sony BMG has installed the software on about 20 titles in its music catalog, including works by jazzman Dexter Gordon, singer Vivian Green, and the new issue by country rockers Van Zant, ''Get Right with the Man." It was the Van Zant disc that led to the controversy over Sony's new software. In late October, a well-known Windows computer engineer, Mark Russinovich, stumbled across the Sony software on one of his personal computers while running a security scan. Russinovich had used the computer to play the Van Zant CD, not realizing that it had installed the anticopying program. When he tried to remove it, Russinovich found that the program lacked the ''uninstall" feature found in most Windows software. Indeed, key components of the software hid themselves deep in his computer by applying the same techniques used by data thieves to conceal their activities. Even a skilled user who identifies the correct files can't safely remove them, said Russinovich.

''Most users that stumble across the cloaked files . . . will cripple their computer if they attempt the obvious step of deleting the cloaked files," he wrote on his technology website, SysInternals. Computer Associates yesterday concurred with Russinovich's assessment. Curry said Sony has made it so difficult for listeners to uninstall its software that some could lose all their data in the process.

''It can damage the operating system and the operating system's integrity, so it can't reboot at all," Curry said. ''As an expert in security, I can say this is bad behavior." Indeed, Computer Associates has added the software to its list of spyware programs that collect personal information from computer users without their permission. Russinovich also said that a patch Sony and First 4 released Friday to stop the software from hiding inside computers malfunctions and can cause an irreparable loss of computer data. Gilliat-Smith of First 4 said he knows of no case in which this has happened. Sony offers a website where users can obtain a program that uninstalls its software. He said both efforts should prove that Computer Associates and Russinovich's complaints are unfounded.

Gwarsbane · 11-09-2005, 11:16 PM

Zertoss,Nov 9 2005, 16:56 Wrote:Just keeps getting better and better.:lol:

Doesn't look like Kaspersky has added Sony's rootkit to their viruslist yet. Anyone know if other AVs are protecting PCs from it yet?

I don't think there are any AV packages out there yet that look for rootkits, but from my understanding the next major version of most of them will.

There are specific anti-rootkit programs out there, but I have never tried them yet, but I have been thinking of trying them, see what they come up with. I just don't want to mess with them right now cause I don't want to have to reformat.

Gwarsbane · 11-10-2005, 12:04 PM

Did you actually think it would have stopped by now? ya right...

http://blogs.washingtonpost.com/securityfix/

Quote:Posted at 06:35 PM ET, 11/ 8/2005
Calif. Lawsuit Targets Sony

A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question.

Experts say the Sony CDs use virus-like techniques to install digital rights management software on computers. Windows users cannot listen to the protected CDs on their computers without first installing the software, which hides itself on the users' system and cannot be uninstalled by conventional removal methods.

The California lawsuit, filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, Calif., attorney Alan Himmelfarb, asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them.

The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices.

Himmelfarb was on a plane at the time of this writing and could not be reached for comment.  But a court-stamped copy of the lawsuit he filed is online here (PDF).

Scott Kamber, an attorney in New York, said he plans on Wednesday to file class-action suits targeting Sony under both New York consumer protection statutes and a federal criminal statute that allows civil actions.

"This situation is particularly egregious and surprising from a company that should be familiar with concerns people have with programs crashing their Windows computers," Kamber said. "What Sony is saying with this software is that 'Our intellectual property is more deserving of protection than your intellectual property,' and Sony can't be allowed to get away with that."

Sony spokesman John McKay declined to comment on the suits.

I wouldn't be surprised if other lawyers and law firms around the country are also preparing to file similar suits.

As I wrote in a story last week, "Sony's move is the latest effort by the entertainment companies to rely on controversial 'digital rights management' (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks like Kazaa and Limewire."

Experts who studied the Sony program said it has a built-in file-cloaking feature that could also be used by attackers to hide viruses and other files on a user's computer, and that conventional means of removing the anti-piracy software renders the user's CD-Rom drive inoperable.

In response to public criticism over the invasiveness of the software, Sony last week made available on its Web site a "patch" that would prevent its software files from hiding on the user's system. But according to further research by a variety of security experts, that patch can lead to a crashed system and data loss.

Lots of links to click in the above

Quote:Posted at 10:05 AM ET, 11/10/2005
Sony's Attitude Has a History
A Security Fix reader with an excellent memory (thanks, Patrick) reminded me today of a few choice words spoken nearly five years ago by Sony Corp. chief executive Howard Stringer that eerily foreshadowed the controversial soup that Sony BMG now finds itself mired in over the invasiveness of its anti-piracy technology.

Cue the spooky music and the wavy screen, and we'll take you way back in Internet time to March of 2001, to a confab of technology industry titans dubbed the "Silicon Summit II." Among the items up for discussion at the time was what to do about Napster (this was back in the Stone Age of the Internet, before the entertainment industry succeeded in scuttling the file-sharing service, only to see the concept rise from the ashes and multiply).

I tried to find a transcript of this particular roundtable, but MSNBC -- which hosted it -- has since moved the hyperlink, so a snippet from this ZDNet story (there is no author listed) will have to suffice.

"The panelists then talked about the controversial song-swapping service Napster and the need to find a way for people to download music over the Internet in a way that enables the artists to get paid for their work....

Sony CEO Howard Stringer, who kept the audience laughing throughout the night with a battery of quips, said, âRight now it would be possible for us, and Iâve often thought it would cheer me up to do it, you could dispatch a virus to anybody whose files contain us or Columbia records, and make them listen to four hours of Yanni ... but in the end weâre going to have to get serious about encryption and digital-rights management and watermarking.â

A student in the audience then put Stringer on the spot, telling him he had recently bought a portable digital music player made by Sony that makes it easy to download songs from the Internet. Isnât it hypocritical of Sony, he asked, to be fighting Napster from its music division and then supporting it by making such devices?

Calling the studentâs question a good one, Stringer replied, âAt some point, we work it out as we go along. But if we donât stay in the business, someone else will do it. And thereâs a real danger with the margins of consumer electronics companies that Singapore and Korea and so forth will design the machines. So we play defense on the one hand and offense on the other hand. And if it seems a little illogical itâs only defending our turf.â

Fast-forward to Nov. 4, 2005, when Thomas Hesse, president of Sony's Global Digital Business was interviewed on National Public Radio's Morning Edition, and said of complaints that Sony's anti-piracy software behaved exactly like a rootkit:

"Most people, I think, donât even know what a rootkit is, so why should they care about it?"

Small wonder, then, that class-action lawyers are starting to circle Sony's wagon train. Can anyone at Sony really be scratching their heads as to why there is so much public outrage and indignation over this entire anti-piracy escapade? The offhand, flippant remarks of Sony's senior leadership speaks volumes about the company's attitude toward the rights of their customers.

Again lots of links in the above. In this posting I think one of my favorite lines is...

Quote:"Most people, I think, donât even know what a rootkit is, so why should they care about it?"

This comes of Thomas Hesse, president of Sony's Global Digital Business. The guy sure seems like a moron to do. Why should they care about it??? I'll tell you why because it opens up their computer to lots of illegal and dangerious stuff. At least there are more and more people out there that are looking out for the ones that don't know anything about this stuff (or think DRM is good) and trying to teach those people that stuff like this is VERY VERY bad.

Gwarsbane · 11-10-2005, 12:52 PM

http://www.pcpro.co.uk/news/79728/virus-ta...ootkit-drm.html

Quote:Thursday 10th November 2005

Virus targets SonyBMG rootkit DRM 2:01PM
Security researchers' worst fears have been realised as the first instance of a virus taking advantage of the rootkit DRM technology in some SonyBMG copy-protected CDs has been discovered.
Sophos says that the Trojan known as Stinx-E uses the Sony DRM rootkit to make itself invisible through the file $sys$drv.exe. However, this does not mean that in not having the Sony DRM installed you are immune to infection.

The rootkit makes all files beginning with '$sys$' invisible, and Sophos' senior antivirus consultant Graham Cluley described it as 'particularly troublesome'. He told us that antivirus software will detect the file when it is first run if it has already been updated to look out for it. But out of date antivirus software won't detect the virus at that point, and once the virus is installed, won't be able to see it at all.

Despite the fact that the Sony DRM in question is available on US CDs, it is possible to get them in the UK from the likes of Amazon. Curiously, the Trojan appears to be targetting the UK specifically. Cluley said that Sophos' research centres across the globe were aware of the new Trojan but had yet to encounter it.

'There's a peculiarly British angle to this one in that it pretends to come from an organisation called Total Business Monthly and refers to the website totalbusiness.co.uk,' he said.

He said that while the Trojan appears to be out there in numbers, Sophos has yet to receive any reports of infection. 'We've had reports from a few large companies that have received the virus, but fortunately it seems they had the good sense to quarantine it.'

The Trojan arrives in an email with attached files with names such as Article+Photos.exe, subjects such as 'Photo Approval Required' and the following message:

Quote:'Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes?If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************'

If the recipient opens the attachment, the Trojan will attempt to copy the file $sys$drv.exe onto the hard drive where the Sony rootkit, if present, will render it invisible. The Trojan opens a backdoor onto the computer allowing remote control over the machine through IRC channels. The backdoor allows an attacker to delete, execute, and download files on the target machine. It also attempts to bypass the Windows Firewall.

The DRM technology the Trojan takes advantage of is included in a number of SonyBMG CDs and was first discovered by IT researchers when it turned up on a computer that was scanned for rootkits - a form of malware that talks directly to operating systems at a low-level and is invisible through Windows, and thus to other programs.

Further research showed that any file beginning with '$sys$' would also be cloaked by the Sony rootkit used to hide its DRM technology.

The company that developed the technology for Sony has since updated its software and removed the rootkit element, but that update may take sometime to make it to CDs on sale. It has also released patches to antivirus companies, but again this depends on end users updating their software.

Security firms immediately warned of the likelihood that virus writers would take advantage of this simple method of rendering their malicious creations invisible. Sony has been noticeable in its silence on the issue, although a spokesperson for the UK said that there were no absolutely plans to use to the technology for CDs sold here.

Cluley said that any allegations of irresponsible disclosure for revealing the information are misguided. 'Don't blame the guys who blew the whistle on Sony's activities,' he said.

Sophos will later today make a tool available from its website that will detect the presence of the Sony rootkit and, if desired, remove it and prevent reinstallation.

Cluley said that this Trojan is likely to be just the first of new viruses adapted to take advantage of the '$sys$' cloaking capabilities made possible through the DRM protection in some Sony CDs.

Matt Whipp

Gwarsbane · 11-10-2005, 01:25 PM

more on sony...

Antivirus firms target Sony 'rootkit'

Are You Infected by Sony-BMG's Rootkit?

Now the Legalese Rootkit: Sony-BMG's EULA

Sony: You donât reeeeaaaally want to uninstall, do you?

CA targets Sony DRM as spyware

First Trojan using Sony DRM spotted

Just too many new ones to post everything so here are the links to them.

GRITS · 11-10-2005, 06:33 PM

Login
Username:
Password:	Lost Password?
	Remember me