Techist - Tech Forum


Osiris 11-01-2005 06:46 AM

Removing Sony's CD 'rootkit' kills Windows
Sysinternals' Mark Russinovich has performed an analysis of the copy restriction measures deployed by Sony Music on its latest CDs, which he bluntly calls a 'root kit'. Using conventional tools to remove Sony's digital media malware will leave ordinary users with a dead Windows system.

While the Sony CDs play fine on Red Book audio devices such as standard consumer electronics CD players, when they're played on a Windows PC the software forces playback through a bundled media player, and restricts how many digital copies can be made from Windows.

A 'root kit' generally refers to the nefarious malware used by hackers to gain control of a system. Root kits have several characteristics: they find their way onto systems uninvited; endeavor to remain undetected; and then may either intercept system library routines and reroute them to their own routines, or replace system executables with their own, or both - all with the intention of gaining system level ownership of the computer.

What makes Sony's CD digital media software particularly nasty is that using expert tools for removing the parasite risks leaving you with a Windows PC that's useless, and that requires a full reformat and reinstall.

So is Sony bundling a root kit, or is it the latest in a long line of clumsy, and sometimes laughably inept attempts to thwart the playback of digital media on PCs?

We were inclined to the latter - but in practical terms, for ordinary users, the consequences are so serious that semantic distinctions are secondary.

In actuality both, reckons Russinovich. It's a 'root kit' that arrived uninvited, but it's also "underhanded and sloppy software", that once removed, prevented Windows from playing his CD again (Van Zant's 'Get With The Man'), he notes in his analysis.

The Sony CD creates a hidden directory and installs several of its own device drivers, and then reroutes Windows system calls to its own routines. It intercepts kernel-level APIs, but then attempts to disguise its presence, using a crude cloaking technique.

Disingenuously, the copy restriction binaries were labelled "Essential System Tools".

But the most disturbing part of the tale came when Russinovich ran his standard rootkit-removal tool on the post-Sony PC.

"Users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," he writes.

Which puts it in an entirely different class of software to the copy restriction measures we've seen so far, which can be disabled by a Post-It note. Until specialist tools arrive to disinfect PCs of this particular measure.®

EricB 11-01-2005 08:16 AM

There's a way around everything. Use a home CD and send the digital signal to a computer. Somebody did a similar trick 2 years ago and they were outlawed from using it. It would basically uninstall your drivers if you insert their CD into a PC.

What everybody should do is boycott Sony products, since they're so stuck on preventing you from copying anything.

Inaris 11-01-2005 11:13 AM

Please get your notes right! The article clearly only skimmed over the posting from Mark Russinovich. Read the whole thing. Removing the root kit will not cripple your machine as long as you get all of it.
Read the whole article...

PS. Warez,
you need to list your source. The site can get in trouble for plagiarism if you just copy and paste from another site. Add a link to where you got it from. It's pretty simple...

Osiris 11-01-2005 11:42 AM

For what? I always post the whole article. Giving a reference to the site isn't going to give any more info than what I always post. What's the difference if I'm a poster for and post the same article on their website from It's not like I pull these articles outa my *** so there is no reason to suspect a ****ty post. I always get my info from the

Inaris 11-01-2005 11:54 AM

Doesn't matter. It's plagiarism. You have to post a source. If they decide to get upset about it, guess who gets the fault. The website. Not the user who put them up. It's something you should have learned in school. If you don't post who it's from, you are taking the credit...
Look at the end of here: story is here and searchenginewatch is here.®

Not even theregister will fully quote. I know it's based on visibility, but why risk it. It's easy to just add a link.

RicoDirenzo 11-01-2005 12:28 PM

This is an easy problem to overcome. Put the CD in a CD player. RCA jacks to any hard disk recorder. Mastered in Adobe Audition or like program. Re-master the CD and stick it in limewire. These CD producers using copy protection are only protecting themselves against the people who won't copy the CD in the first place. They just sufficiently "piss off" the people with whom they should be communicating for a reasonable solution to the copy protection issue..........the geeks who read this stuff including me. They are a group of arrogant nitwits!!! I hope Sony reads this.......a bunch of totalitarian jackasses be you (Yodaneese). :):p

Edit: Is this a problem for systems administrators? If you are managing a network, say a corporation or government agency, and your workstation users are playing Sony CDs on their workstations....???????????? Yikes......this could get ugly!!!!! Sony will be sued over this....guaranteed......they need to include malware in their EULA, which to date, they do not!!!!!

Osiris 11-03-2005 08:54 AM

Sony to offer patch for 'rootkit' DRM
Sony BMG said today it will offer a patch for one of its own exploits - one that comes bundled with its music CDs.

The code cloaks itself and, by intercepting and redirecting low-level Windows system calls, forces the audio through a custom player, and restricts the number of CD burns that can be made.

As Sysinternals' Mark Russinovich discovered this week, removing the Sony code using standard anti-malware tools leaves the user with an inoperable CD drive.

Russinovich also pointed out that because the cloaking technique it used to hide itself was so crude, malware authors could hide their own nefarious programs on users' hard disks using Sony's DRM software.

However, the patch that Sony will offer doesn't remove the 'rootkit' DRM: it only makes the hidden files visible.

Macintosh and Linux users are unaffected by the DRM kit, which only works on Windows PCs.

It isn't quite the "bombs" the RIAA once suggested it was developing to deter music downloads, but it's in the same spirit.

At time of writing, we don't have a download link from Sony or First 4 Internet Ltd, the British company that developed it. There's merely the standard problem-reporting form.

Anti-malware company F-Secure discusses the Sony DRM software here. F-Secure says its rootkit detection software will spot the hidden files, but strongly advises users not to remove it using its Blacklight software, and instead advises users to contact Sony.

"If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter," advises F-Secure.

It is alarming how little outrage there is from ordinary PC users. While Register readers are well versed in the restrictions of DRM and the dangers of malware, there's little sign the public shares this knowledge.

Incredibly, the Sony DRM malware has been out on the market for eight months and is bundled on 20 CD titles. Sony said it hadn't received a single complaint until this week. So, disturbingly, most people either haven't run into serious problems yet, or even more disturbingly, don't find the Sony DRM particularly onerous. We pray it's not the latter.

However, Sony's decision to offer a 'patch' that fails to remove the DRM code suggests it isn't too concerned by the howls of outrage heard this week from sophisticated PC users.

And with this level of apathy, the music giants will be emboldened to try these techniques again. And again. And again.
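
The F-Secure warning quoted above comes down to a dangling filter reference: the CD-ROM device class lists its filter drivers by service name, and if a listed driver's file has been deleted the drive cannot start. As an added example (not from the article, F-Secure or Sysinternals), this read-only PowerShell check lists the class filters and reports any whose driver file is missing. The registry locations are the standard Windows ones rather than values given on this page, and `Resolve-DriverPath` is a helper name made up for the example.

```powershell
# Added example: audit CD-ROM class filter drivers. Read-only; changes nothing.
# The GUID is the standard Windows device setup class for CD-ROM drives.
$classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Hypothetical helper: turn a service ImagePath into a Win32 file path.
function Resolve-DriverPath {
    param([string]$ImagePath, [string]$ServiceName)
    # A driver service with no ImagePath loads System32\drivers\<name>.sys
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''                      # strip NT "\??\" prefix
    if ($p.StartsWith('\SystemRoot\', 'OrdinalIgnoreCase')) {
        $p = Join-Path $env:SystemRoot $p.Substring(12)   # NT-style \SystemRoot\...
    }
    if ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p                 # relative to %SystemRoot%
    }
    return $p
}

$class = Get-ItemProperty -Path $classKey
foreach ($kind in 'UpperFilters', 'LowerFilters') {
    foreach ($name in @($class.$kind)) {
        if (-not $name) { continue }                      # value absent or empty
        $svc  = Get-ItemProperty -Path (Join-Path $svcRoot $name) -ErrorAction SilentlyContinue
        $path = if ($svc) { Resolve-DriverPath $svc.ImagePath $name } else { $null }
        $ok   = $svc -and (Test-Path -LiteralPath $path)
        [pscustomobject]@{
            FilterType = $kind
            Service    = $name
            DriverFile = $path
            Status     = if ($ok) { 'present' } else { 'MISSING driver or service key' }
        }
    }
}
```

A filter reported as missing is still referenced by the class, which matches the inaccessible-drive symptom F-Secure describes; a cloaked driver file may also appear missing to this check while the cloak is active.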

RicoDirenzo 11-03-2005 10:32 AM

All this does is piss people off. I don't download warez songs myself. I am a musician and a production studio owner (more a hobby than a business) but I can see that this kind of behavior by Sony will start a war. You do not want to piss off the people that can make it easy for people to do the very thing that they are trying to prevent. As for me...Sony can go to hell...I will not buy a CD from those jackasses and I'll be emailing their corporate offices saying just that!! Mindless greed!!!! Bordering on totalitarianism. So they have a EULA letting us all know they are doing this? Not!!!!

Osiris 11-05-2005 07:55 AM

cook 11-05-2005 06:59 PM

HAHA morons over there at sony.
