Sophos develops Sony DRM unmasking tool

Status
Not open for further replies.

Osiris

UK security firm Sophos plans to release a tool which will detect the existence of Sony's DRM copy-protection rootkit on Windows computers, disable it, and prevent it from re-installing.

The move follows the discovery of the first malware (a Trojan called Breplibot) that takes advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs to mask its presence on infected systems.

"Sophos is acting on customers' concern that the software on Sony's CDs is introducing a vulnerability which hackers and virus writers are able to exploit," explained Cluley. "We will give customers the ability to determine if their computers suffer from the vulnerability and remove it if necessary." The free download should be available today.

Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory. Once loaded in this way the malware will be invisible to anti-virus scanners. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the malware.

Sophos's tool will remove this cloaking behaviour but will not remove the software components installed by Sony-BMG, the deletion of which might cause system instability. But this very cloaking means it may not be obvious to users that they need the tool. Around 20 CDs from Sony-BMG which have shipped an estimated 2m copies around the world feature the controversial DRM technology, developed by UK security developer First4Internet. Sophos obtained advice from First4Internet in developing its tool.

We wanted to ask First4Internet and Sony-BMG what they intended to do to make sure their copy-protection technology wasn't abused by virus writers but neither returned our calls this afternoon.

http://www.theregister.com/2005/11/10/sony_drm_unmasked/
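An added example, not part of the original post or the quoted article: the filename-prefix cloaking described above can be surfaced by comparing a file listing taken on the running system with a listing of the same volume taken offline. The listings, paths other than "$sys$drv.exe", and function names are constructed for illustration, and case-insensitive prefix matching is an assumption.

```python
"""Cross-view check for filename-prefix cloaking (added example)."""

CLOAK_PREFIX = "$sys$"  # prefix the article says the DRM rootkit masks

# Constructed sample listings (not real captures): the same volume listed
# from the running system and from an offline boot environment.
LIVE_LISTING = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\kernel32.dll
C:\Users\demo\report.doc
"""
OFFLINE_LISTING = r"""
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\$sys$drv.exe
C:\WINDOWS\system32\$SYS$example.dat
C:\Users\demo\report.doc
C:\Users\demo\new.tmp
"""

def parse_listing(text):
    """Return {lowercased_path: original_path}; Windows names ignore case."""
    paths = (line.strip() for line in text.splitlines())
    return {p.lower(): p for p in paths if p}

def has_cloak_prefix(path):
    """True if the file name itself starts with the cloaking prefix.
    Case-insensitive matching is an assumption: over-report, don't miss."""
    name = path.rsplit("\\", 1)[-1]
    return name.lower().startswith(CLOAK_PREFIX)

def cross_view(live_text, offline_text):
    """Files present offline but absent live, split into (cloaked, other).
    'other' holds ordinary differences, e.g. files created between scans."""
    live, offline = parse_listing(live_text), parse_listing(offline_text)
    missing = [offline[k] for k in sorted(offline.keys() - live.keys())]
    cloaked = [p for p in missing if has_cloak_prefix(p)]
    other = [p for p in missing if not has_cloak_prefix(p)]
    return cloaked, other

if __name__ == "__main__":
    cloaked, other = cross_view(LIVE_LISTING, OFFLINE_LISTING)
    for p in cloaked:
        print("HIDDEN, cloak prefix:", p)
    for p in other:
        print("missing from live view (review):", p)
```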
 
Sony BMG has said it will suspend production of audio 'CDs' that use the rootkit-style DRM developed by British company First4Internet Ltd, XCP. However the music giant refused to apologize for the software, which exposes PCs to malware and can disable CD playing functions.

Sony also declined to follow EMI's example in September and recall CDs already in the retail channels.

Around 20 CDs use XCP, which has been on the market since April. (The EFF has a list, here).

But since a security website drew attention to implications of XCP last week, Sony has been deluged with complaints, and prompted lawsuits in California and Italy.

"We are aware that a computer virus is circulating that may affect computers with XCP content protection software," Sony said in a statement. "Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use."

Sony may rue the wave of consumer outrage, and the subsequent lawsuits. But it may also note that the scandal took more than six months to surface.

And it isn't exactly rushing to make amends. The unfortunately worded phrase "ease of consumer use" reminds us that while the stealth DRM software installs itself without permission (the click-through statement fails to inform the user of its true nature), uninstalling it requires the CD buyer to request permission from Sony via a web form. So it's hard to take Sony BMG's assurances seriously.
 
So how many CDs actually contain XCP, Sony BMG's notorious DRM consumer assault weapon? And which ones?

Sony says that only 20 titles, which it refuses to name, contain the XCP virus - software which attacks music piracy by attacking your PC. But is it being economic with the actualité?

Reg reader Geoffrey McCaleb has found no fewer than 47 titles containing Sony's DRM rootkit. They are spread across several sub-labels owned by Sony-BMG, so it looks like a little finessing is going on.

Geoffrey has posted the list of rootkit-infected titles he's uncovered so far in his blog.

Sony BMG's woes continued yesterday with Microsoft's decision that the DRM software contained on infected CDs counted as "malicious software under the rules it uses to define what Windows should be protected against", the BBC reports.

Sony has suspended production of CDs incorporating XCP copy protection, but the PR nightmare continues: class action lawsuits in California mean the record giant will be cleaning this oil slick for months to come.
 
From Fox News:

The last line in the story says it all!! It's about the class action lawsuit!! Their EULA makes no mention of the Root Kit!! They set themselves up for this. Arrogant bunch of jackasses, be they (Yodaesse)!!!

Sony BMG Recalling Hidden-Software Music CDs
Wednesday, November 16, 2005

AMSTERDAM — Record company Sony BMG, yielding to consumer concern, said on Wednesday it was recalling music CDs containing copy-protection software that acts like virus software and hides deep inside a computer.

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange programme and removing all unsold CDs with this software from retail outlets," Sony BMG said in a statement.

The XCP software used by Sony BMG, which was developed by British software developers First4Internet, leaves the back door open for malicious online hackers.

Sony BMG, in a separate statement, also announced it would distribute a program to remove the software from a PC where it jeopardizes security.

"We deeply regret any inconvenience this may cause our customers. Details of this [recall] program will be announced shortly," Sony BMG said.

The withdrawal is set to affect millions of compact discs from artists such as Celine Dion and Sarah McLachlan, but Sony did not give exact figures or the names of the artists affected.



Sony reiterated that the copy-protection software only installs itself on personal computers and not on ordinary CD and DVD players.

Microsoft Corp.'s (MSFT) anti-virus team said on Tuesday it would add a detection and removal mechanism to rid a personal computer of Sony's DRM copy-protection software. The software installs itself only on PCs running Microsoft's Windows operating system.

The flaws of the copy-protection software became acute last week, when the first computer viruses emerged that took advantage of the security holes left by the program.

Responding to public outcry over the software, the music publishing venture of Japanese electronics conglomerate Sony Corp. (SNE) and Germany's Bertelsmann AG had said on Friday it would temporarily suspend the manufacture of music CDs containing XCP technology.

It then provided a patch to make the hidden program more visible. At the time it did not recall the CDs or offer a program to remove it from computers. The initial measures still left PCs vulnerable, according to software engineers.

The program will have installed itself on a Windows-operated personal computer when consumers wanted to play certain Sony BMG music CDs. The program forces consumers to use a music player that comes with the program.

Sony BMG has positioned itself as a defender of artists' rights. It re-emphasized on Friday that copy-protection software is "an important tool to protect our intellectual property rights and those of our artists."

Sony BMG last week was targeted in a class-action lawsuit complaining that it had not disclosed the true nature of its copy-protection software.

:p :D :D
 
They (Sony) were on the news today blaming third-party people for implementing the software. They claimed that they didn't know that it was there.
 