Anyone play their CDs on their PC?

ShamelessFlirt

If so, you need a quick geeky lesson ...


They've dubbed it the "Sony Root Kit virus"



A root kit is a package of scripts and programs that a hacker installs on a host once the hacker has already compromised the system and gained administrative access. The kit may contain Trojan binaries of system programs (such as cmd.exe, /bin/login, /bin/su) which, after installation, allow the hacker to gain free access to the system or to use administrative privileges without having to authenticate.

It is not necessary for a system to have an address available to the Internet to be vulnerable to attack (in other words just being behind a firewall doesn't insure your safety). Worms and viruses are often launched using end-user workstation e-mail accounts, or Internet downloads to end-user workstations.


Here's the controversy -

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

http://apnews.myway.com/article/20051103/D8DKP1KO7.html
 
Well... isn't that special. Have to wonder if they are only targeting Windows users.
 
Could you repeat that in cro-magnum computer users language please?

The only part I got was "Anyone play CDs on their PC"? And my answer would be yes...
 
NaughtyLil1 said:
Ok, that was way over my head.


Good morning!


Basically, you could innocently purchase a CD in the store and play it on your computer instead of your portable CD player and by launching it on your computer you're installing hidden software that you have to contact Sony to uninstall and if you don't the software will constantly consume CPU resources even when you're not listening to music. Also, because of how the protection is written, it also could be used by malware authors to mask their programs.
 
If you have the software installed, here's where to go to get the stuff to remove it the right way ...


McKay said customers can request a program to safely uninstall everything by visiting the Sony BMG Web site at http://cp.sonybmg.com. That site, however, requires a form to be filled out and submitted.
 
Two questions... First of all why? I know I'm naive to these things but is it something like tracking ala Big Brother style?

And secondly, if you play it first on your auto or other personal players will it not affect your computer?

I know, I'm an idiot when it comes to this stuff :D
 
ShamelessFlirt said:
Basically, you could innocently purchase a CD in the store and play it on your computer instead of your portable CD player and by launching it on your computer you're installing hidden software that you have to contact Sony to uninstall and if you don't the software will constantly consume CPU resources even when you're not listening to music. Also, because of how the protection is written, it also could be used by malware authors to mask their programs.


Thanks for the explanation.
 
Image said:
Two questions... First of all why? I know I'm naive to these things but is it something like tracking ala Big Brother style?

And secondly, if you play it first on your auto or other personal players will it not affect your computer?

I know, I'm an idiot when it comes to this stuff :D

It consumes computer resources (slowing it down) and weakens its defenses (making it more vulnerable to outside attacks).

And no.
 
I got part way through the article and then figured out how long it is.

Is there a quick & easy way to see if you have this thing on your machine, Flirt?
 
CDs can have a data section for programs and an audio section. Pure audio CD devices will ignore the data section. The computer, however, will see and use both. The data section can be set up so that as soon as the computer recognizes the data section is there, the computer will execute a program or programs from the CD.

With normal data CDs, the program autorun is usually an install program which interfaces with the user. However, nothing requires a program to run and show the user anything.

Since it is a CD, it will attempt to autorun whatever it is set up to autorun each time the CD is entered in a computer that recognizes the data section. It is possible to configure Windows so it will not autorun, but the default setting is to autorun any CD which is set up to do so.
 
linuxgeek said:
CDs can have a data section for programs and an audio section. Pure audio CD devices will ignore the data section. The computer, however, will see and use both. The data section can be set up so that as soon as the computer recognizes the data section is there, the computer will execute a program or programs from the CD.

With normal data CDs, the program autorun is usually an install program which interfaces with the user. However, nothing requires a program to run and show the user anything.

Since it is a CD, it will attempt to autorun whatever it is set up to autorun each time the CD is entered in a computer that recognizes the data section. It is possible to configure Windows so it will not autorun, but the default setting is to autorun any CD which is set up to do so.

Also, from what I've heard (but haven't confirmed), if you hold the Shift key down when you insert the CD, it will disable the autoload feature.
 
RawHumor said:
Also, from what I've heard (but haven't confirmed), if you hold the Shift key down when you insert the CD, it will disable the autoload feature.


That's one way to disable the autorun feature.

The easiest way to see if you specifically have the Sony DRM rootkit is to add $sys$ to a directory name and see if it "disappears".

Hacks are already using it to get around other forms of copy protection ...



Blizzard, makers of World of Warcraft, have deployed spyware to catch "cheaters." If you want to avoid the spyware, you can install Sony's rootkit DRM (just load a store-bought CD with Sony's DRM on it) and then use its cloaking capabilities to hide your WoW app:
World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.
Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.
 
ShamelessFlirt said:
That's one way to disable the autorun feature.

The easiest way to see if you specifically have the Sony DRM rootkit is to add $sys$ to a directory name and see if it "disappears".

Only a directory, or a file too?
 
RawHumor said:
Only a directory, or a file too?


Just a file is fine, in the Sysinternals blog that's one of the things the guy did.

"To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view."
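
The check described in the posts above (create a file whose name starts with `$sys$` and see whether it drops out of the listing), written out as an added example that is not part of the original thread or the Sysinternals post. The names `probe_cloaking` and `simulated_cloaked_listdir` are hypothetical, and the second one is a constructed stand-in that mimics a cloaked listing so the positive case can be seen on a clean machine.

```python
import os
import tempfile

PREFIX = "$sys$"  # name prefix the thread reports as hidden by the XCP driver


def simulated_cloaked_listdir(path):
    """Constructed stand-in for a hooked listing: drops $sys$-prefixed names."""
    return [n for n in os.listdir(path) if not n.startswith(PREFIX)]


def probe_cloaking(listdir=os.listdir):
    """Create a control file and a $sys$ canary, then compare the directory
    listing against direct access by exact name (a cross-view check)."""
    workdir = tempfile.mkdtemp(prefix="cloakprobe_")
    names = {"control": "probe_control.txt", "canary": PREFIX + "probe_canary.txt"}
    paths = {k: os.path.join(workdir, n) for k, n in names.items()}
    try:
        for path in paths.values():
            with open(path, "w") as fh:
                fh.write("harmless probe file\n")
        listed = set(listdir(workdir))
        result = {
            "control_listed": names["control"] in listed,
            "canary_listed": names["canary"] in listed,
            "canary_exists": os.path.exists(paths["canary"]),
        }
    finally:
        # Delete by exact name: a recursive delete relies on enumeration and
        # would miss a file that the listing no longer shows.
        for path in paths.values():
            if os.path.exists(path):
                os.remove(path)
        os.rmdir(workdir)
    # The control file rules out a listing that is simply broken or empty.
    result["cloaked"] = (result["control_listed"] and result["canary_exists"]
                         and not result["canary_listed"])
    return result


if __name__ == "__main__":
    print("real listing:     ", probe_cloaking())
    print("simulated cloaking:", probe_cloaking(simulated_cloaked_listdir))
```

A `cloaked` value of `True` from the real listing means something on the machine is filtering `$sys$` names out of directory enumeration; it does not by itself identify which software is doing it.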
 
Moon Dragon said:
How lovely. Thanks for letting us know.


I don't doubt you'll be hearing more about this as the Antivirus companies jump on the bandwagon and the music companies start updating the software.
 
Do we know anyone who had an 'infected' CD that we could grab the data section from?
 
linuxgeek said:
Do we know anyone who had an 'infected' CD that we could grab the data section from?


Sony updated the software on the 3rd (yesterday) -

http://www.f-secure.com/weblog/


We wrote on Tuesday about the DRM software from Sony that used rootkit technologies. The company behind the technology, First 4 Internet, has now released an update for the software. After visiting the web site, downloading and installing the update, it now seems that the DRM software no longer attempts to hide anything on the computer. The rootkit driver (aries.sys) is removed from the system during the update.



it's available here -
http://cp.sonybmg.com/xcp/english/updates.html

I don't know anyone that has the CD but I'll ask around (I'm looking for a list of them as well).

This article covers what they're attempting -
http://www.eweek.com/article2/0,1895,1880558,00.asp

and another more general -
http://arstechnica.com/news.ars/post/20051101-5514.html


The CDs are labeled:

Sony confirmed that it began using this particular DRM, which was developed by a British company called First 4 Internet, at some point in 2005. While the company refused to say how many CDs are protected via this method, it did say that such CDs are labeled "Content enhanced & protected" on both front and back. So if you've purchased a CD from Sony BMG this year, you may want to read the label and see if it has enhanced and protected content. If it does and you've installed the application that came with the CD, then congratulations! You've got a rootkit on your system.
 
good to know

I remember a couple of years ago the same thing with DVDs.

A trojan was installed on your computer while you checked your DVD's special features (some were available only through a computer).
 
It's completely fucked up. I hope they get their ass handed to them. And it only makes torrents and P2P's look like a better alternative.
 
Does give reason to advocate having a Linux box or one that can dual boot to Linux. They have to work a touch harder to pull this shit as long as you don't login as administrator on a Linux/Unix box. Not being an administrator on a Windows box doesn't really protect you significantly unless the system has been locked down so tight it is barely usable.

Fortunately, these days, even Macs are Unix/BSD. Not sure if they take the precaution of having the user login as a regular user or if they are always on as admin.
 
src

California has filed a class-action lawsuit against Sony and a second one may be filed today in New York. The lawsuit was filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, CA. It asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices. EFF has released a list of rootkit affected CD's and Slashdot user xtracto also has a list.
 
src

Are You Infected by Sony-BMG's Rootkit?
November 09, 2005

As we've mentioned before, Sony-BMG has been using copy-protection technology called XCP in its recent CDs. You insert your CD into your Windows PC, click "agree" in the pop up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you. Sony-BMG has released a "patch" that supposedly "uncloaks" the XCP software, but it creates new problems.

But how do you know whether you've been infected? It turns out Sony-BMG has deployed XCP on a number of titles, in a variety of musical genres, on several of its wholly-owned labels.

EFF has confirmed the presence of XCP on the following titles (each has a data session, easily read on a Macintosh, that includes a file called "VERSION.DAT" that announces what version of XCP it is using). If you have one of these CDs, and you have a Windows PC (Macs are totally immune, as usual), you may have caught the XCP bug.

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

Several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm, including:

My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

This is not a complete list. So how do you recognize other XCP-laden CDs in the wild?

Tip-off #1: on the front of the CD, at the left-most edge, in the transparent "spine", you'll see "CONTENT PROTECTED" along with the IFPI copy-protection logo. A few photos make this clearer.

http://www.eff.org/IP/DRM/Sony-BMG/TreyFrontEnlarge_25.jpg

Tip-off #2: on the back of the CD, on the bottom or right side, there will be a "Compatible with" disclosure box. Along with compatibility information, the box also includes a URL where you can get help. The URL has a telltale admission buried in it: cp.sonybmg.com/xcp. That lets you know that XCP is on this disc (discs protected with SunnComm have a different URL that includes "sunncomm").

http://www.eff.org/IP/DRM/Sony-BMG/TreyBackEnlarge_25.jpg

If you haven't been infected yet, to protect yourself from XCP in the future, disable "autorun" on your Windows PC. Once you have done so, however, these CDs may not be accessible under Windows unless you have specialized ripping software installed; these CDs are encoded in a way that intentionally confuses standard Windows CD drivers. For a smarter audio grabber for Windows, you may want to consider using Exact Audio Copy, which reportedly can read these CDs if you have turned off autorun and avoided infection by XCP.
 
I've used EAC before with a lot of success, and it's free.

Thanks for the followup Linux.
 