Update: fix released for Sony DRM rootkits

Lord of the Farce · Post by **Lord of the Farce** » 2005-11-03 02:27am

Psycho Smiley wrote:The fix is a direct response to the story being posted on many major tech sites. They probably wanted their asses covered before it hits a major news magazine or something.

EDIT: Slashdot says this may only make the shit visible, not remove it or keep it from hosing your system if you try to delete it. Braedley, have you tried this?

I might just be missing it, but looking at the "Aurora Support" page and both links, I see nothing about it cleaning up DRManure. So personally, I'd be rather suspicious as to what this "Software Update" actually does.

Psycho Smiley · Post by **Psycho Smiley** » 2005-11-03 07:49am

Rogue 9 wrote:
Psycho Smiley wrote:EDIT: Slashdot says this may only make the shit visible, not remove it or keep it from hosing your system if you try to delete it. Braedley, have you tried this?
Where does /. say this?

In a post here, there is a link:

CNET wrote:The patch that First 4 Internet is providing to antivirus companies will eliminate the rootkit's ability to hide itself and the copy-protection software in a computer's recesses. The patch will be automatically distributed to people who use tools such as Norton Antivirus and other similar programs, Gilliat-Smith said.

The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view.

Consumers who want to remove the copy-protection software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said.

Lord of the Farce wrote:I might just be missing it, but looking at the "Aurora Support" page and both links, I see nothing about it cleaning up DRManure.

The link Sony released requires jumping through at least one more link to get to the patch. I direct linked to the final page. Here is the original link if you prefer.

Braedley · Post by **Braedley** » 2005-11-03 10:00am

Ok, so I tried it last night, and by all my accounts, it didn't work. The cause of this could be that Sony doesn't use the exact same software on each album, meaning the disk that I bought isn't supported. I'll do some more testing later.

PS Thanks Psycho Smiley for doing all the hard work for me.

Drooling Iguana · Post by **Drooling Iguana** » 2005-11-03 11:50am

Let that be a lesson to all of you: Don't but CDs. Download pirated MP3s instead. It's safer.

Or at least that seems to be the message Sony wants to convey.

Psycho Smiley · Post by **Psycho Smiley** » 2005-11-03 10:18pm

Hackers are already making use of this. One example is to use it to circumvent WoW's new anti-cheating software by including $sys$ in the filenames. This hides the hacks from WoW's Warden system.

Faram · Post by **Faram** » 2005-11-07 03:48am

Well this rootkit is even worse!

It is also spyware, who would have guessed?

Sysinternals

Psycho Smiley · Post by **Psycho Smiley** » 2005-11-07 06:16am

Faram wrote:Well this rootkit is even worse!

It is also spyware, who would have guessed?

Sysinternals

To elaborate, it phones home to Sony every time you play their CDs. Not necessarily malicious, but it isn't advertised, and I'm sure it can be exploited.

Ace Pace · Post by **Ace Pace** » 2005-11-07 09:14am

So not only is this rootkit bullshit, its also stupid.

The Comments wrote: If you want a more concrete proof, try to rename your favourite ripping software as $sys$whatever.exe and then run it again. You'll notice that the DRM system can no longer detect it, and thus you'll get good copy of the track you try to rip instead of one filled with noise.

phongn · Post by **phongn** » 2005-11-07 09:24am

F4I's programmers are also incompetent. They're not doing some very basic things that are neccessary in a multithreaded environment.

Ace Pace · Post by **Ace Pace** » 2005-11-07 09:26am

phongn wrote:F4I's programmers are also incompetent. They're not doing some very basic things that are neccessary in a multithreaded environment.

I'm probebly missing something obvious but what exactly?

Xon · Post by **Xon** » 2005-11-07 11:52am

Ace Pace wrote:
phongn wrote:F4I's programmers are also incompetent. They're not doing some very basic things that are neccessary in a multithreaded environment.
I'm probebly missing something obvious but what exactly?

They patch the system jump table (that provides the entrypoints from user-land to kernel-land) and also provide the ability to unload themselves.

The problem with this is the system jump table is static, trying to "unpatch" it is just asking for trouble since every bit of software and it's pet monkey uses it.

For example, consider these events;

Random app gets an entry in the system jumptable
rootkit unloads & unpatches system jumptable
Random app actualls calls that location pointing to the rootkit(which is no unload)
Computer blue screens due to the kernel trying to execute memory which is unallocated