[Gllug] Sony Protected CD's apparently installing rootkits...

Russell Howe rhowe at siksai.co.uk
Tue Nov 1 19:44:43 UTC 2005


On Tue, Nov 01, 2005 at 06:35:30PM +0000, Rob Crowther wrote:
> In which case you are safe if you have previously disabled autorun on 
> your CD drives?  (Or are running Linux...)

After a bit of reading up, this would appear to be sort of the case...

Their 'DRM' system allows people to produce Red Book (the CD standard)
compliant CDs, while storing certain tracks in a DRM-restricted format
needing a special (Windows-only) player application.

This application is installed via autorun when the CD is inserted into a
Windows box, and if the user has the necessary access rights, the
installer pops up, with an EULA making no mention of the kernel-level
hooks being installed (more on these later). If the user doesn't have
appropriate privileges, the installer requests that they log in as an
administrator and install it.

The hooks would appear to do typical rootkit-type things, such as hide
files in the filesystem (in this case, any file beginning with $sys$ -
huge potential for 4th party malware to take advantage of this). It
would appear that the registry keys used by the software are hidden from
the Windows API calls used to enumerate the registry too, making it
pretty difficult to tell if the software is installed.

Of course, no facility to uninstall the software seems to be provided,
although I saw references to Sony detailing the necessary steps to take
if pressed.

There was also a link which seemed to suggest that the DRM rootkit
caused Windows XP Media Center Edition to become unstable, although the
MS techchat the guy linked to didn't contain anything relevant.

By googling for the names of various people from the company who produce
this software, there are various mailing list postings about doing all
sorts of things with potentially unpleasant consequences:

* Winsock LSP hooks (hooking into the IP networking layer in Windows, a
  technique used by such people as newnet)
* SCSI filters (hooking into the SCSI layer, allowing their software to
  inspect, modify and disallow arbitrary SCSI commands on a device)
* Patching the Windows equivalent of the syscall table (as used to mask
  the file and registry system API calls)

This almost certainly falls foul of the Computer Misuse Act, although
whether it's Sony or the company producing the software who are in the
wrong, I don't know. I would guess Sony, who would then go after the
software producer for selling them software which did illegal things.
At least one of the top-level people in the software company has been
involved in various Sony subsidiaries in the past, according to a
comment on the Sysinternals article.

If there have been any laws enacted to protect against spyware/malware,
then I'm sure the DRM software would fall foul of that. Not providing an
uninstaller is a bad enough offence for the proposed US legislation I
saw a while back...

Also, the methods they're using to patch the Windows syscall table would
appear to be blocked by Windows x64 - MS took the opportunity of a new
architecture to plug such weak points, although no doubt there are still
ways to do what this software does...

Fact is, to do this on Linux would also be trivial. One would hope a
user would be wary about a music CD specifying that you must become root
and run a binary on the disc in order to install a special media player
before being able to listen to the music, however...

The non-trivial part of it would be to write the media player. Decoding
the music isn't so hard, but writing a single music player which works
in all environments (or even all X-based environments) is non-trivial in
Linux, what with the choice of OSS/Free, OSS, ALSA, ALSA/dmix, ALSA's
OSS emulation for basic sound drivers, with optionally a sound server
such as Jack, esd, aRts, NAS, rplayd, ... the list goes on.

Nasty, nasty and evil. The lot of them.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
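A practical check for the file-cloaking behaviour Russell describes (any file whose name begins with $sys$ being hidden from directory enumeration). This is an added example, not code from the original post, from Sony or from the DRM vendor. It assumes that a prefix-filtering hook hides every $sys$-named file regardless of who created it, and that the directory passed in is writable; the helper names (`cloak_test`, `probe_names`, `visible_in_listing`) are this example's own. On a clean system (Linux, or Windows without the hook) both probe files stay visible and `cloaked` is False.

```python
"""Probe for $sys$ name-prefix cloaking of files.

Added example (not the original poster's or the vendor's code).
Assumption: a cloaking hook that filters directory listings by name
prefix hides *any* file starting with "$sys$", whoever created it.
The probe writes one $sys$-prefixed file and one control file, then
checks which of them the OS directory listing still reports.
"""
import os
import tempfile
import uuid

CLOAK_PREFIX = "$sys$"  # prefix reported as cloaked in the thread


def probe_names(token):
    """Return (cloakable_name, control_name) for one probe run.

    `token` keeps the names unique so repeated runs don't collide.
    """
    return (f"{CLOAK_PREFIX}probe-{token}.txt", f"probe-{token}.txt")


def visible_in_listing(directory, name):
    """True if `name` appears in the directory listing the OS returns."""
    return name in os.listdir(directory)


def cloak_test(directory=None):
    """Write a $sys$ file and a control file, then see which survive
    enumeration.  Returns a dict of raw observations plus a verdict:

      sys_visible      - $sys$ file appeared in the listing
      control_visible  - control file appeared in the listing
      sys_open_by_path - $sys$ file could still be stat'ed by full path
      cloaked          - control visible but $sys$ file missing from the
                         listing: the signature of a prefix-filtering hook

    Both probe files are removed afterwards.
    """
    directory = directory or tempfile.gettempdir()
    token = uuid.uuid4().hex[:8]
    sys_name, ctl_name = probe_names(token)
    sys_path = os.path.join(directory, sys_name)
    ctl_path = os.path.join(directory, ctl_name)
    try:
        for path in (sys_path, ctl_path):
            with open(path, "w") as fh:
                fh.write("probe\n")
        # Assumption: a listing filter leaves open-by-path alone, so a
        # successful stat() confirms the file exists even if enumeration
        # hides it.  Reported separately so the reader can judge.
        sys_open_by_path = os.path.exists(sys_path)
        sys_vis = visible_in_listing(directory, sys_name)
        ctl_vis = visible_in_listing(directory, ctl_name)
    finally:
        for path in (sys_path, ctl_path):
            try:
                os.remove(path)
            except OSError:
                pass  # already gone, or never created
    return {
        "sys_visible": sys_vis,
        "control_visible": ctl_vis,
        "sys_open_by_path": sys_open_by_path,
        "cloaked": ctl_vis and not sys_vis,
    }


if __name__ == "__main__":
    result = cloak_test()
    verdict = ("CLOAKED: something is filtering $sys$ names from listings"
               if result["cloaked"] else "not cloaked")
    print(result, verdict)
```

Caveat: this only detects a hook that filters by the $sys$ prefix on enumeration; a hook that also refuses to create or open $sys$ files by path will make the write fail instead, which is itself a signal, and software that hides by some other rule is not caught at all.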
