Okay, I've been silent lately because, well, because I can be. But I feel the need to roundup all the news on this nasty Sony story which has been splattering the newswires of late. If you haven't heard anything about it, this should be a good summary.
Some definition is required. Without going into the nitty-gritty details, a rootkit is a piece of code (i.e. software) that installs into the deepest, darkest internal level of your operating system - so deep, in fact, that it basically hides itself and is therefore fairly difficult to even see it is there, even when you know what you're doing. A good analogy would be as follows: computer virii are lizards. You can see them, but regardless, they are fast and run around shitting everywhere. A rootkit, on the other hand, is sort of like a chameleon - if you don't know to look for it, you'll never see it. So a rootkit is not, in and of itself, a virus. A virus replicates. A rootkit just hides itself, which still seems a bit malicious, but let's not confuse apples and oranges. What a rootkit can do is help to hide a virus or other such malicious code.
Back on October 31st (boo!) there was a post on Mark's Sysinternals blog outlining his discovery of a nasty rootkit from Sony. In Mark's post he explains how he ferreted out the fact that when you autoload certain Sony Music CDs with "enhanced features", this rootkit is installed:
After I finished studying [the rootkit's] code I rebooted the system...
... I doubted that the files had any version information, but ran [a utility] on them anyway. To my surprise, the majority did have identifying product, file and company strings. [Some] files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”...
... the fact that the company sells a technology called XCP made me think that maybe the files I’d found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs.
Needless to say, this little jewel has caused quite a hubbub within the technology crowd, enough so that even some laymen out there are wondering what's up - on Nov. 8th, the same day that Sony released a patch to unhide their rootkit, an article from USAToday headlined Sony aims at pirates — and hits users reported:
[Mark's] Van Zant album had automatically installed the rootkit to hide custom anti-piracy software when he played the CD on his computer. The blogosphere erupted with invective. They accused Sony of using "hacker ware" and programming computers to spy on their owners — and possibly opening a "backdoor" for hackers on consumers' machines.
Sony's software was designed by British copyright protection firm First 4 Internet, which acknowledges a "theoretical" security risk posed by the rootkit. According to First 4 Internet CEO Matthew Gilliat-Smith, the rootkit application could create a secret backdoor for hackers. Sony has hastily posted a "patch" program to reveal the rootkit, but some say it doesn't go far enough...
... When a user inserts the CD, he or she is asked to consent to an "end user licensing agreement," for a Digital Rights Management (DRM) application. If the user agrees, the rootkit automatically installs and hides (or "cloaks") a suite of DRM software.
While the Sony digital consent form mentions the DRM application, it does not specifically mention a rootkit, says Jason Schultz, a staff attorney at the Electronic Frontier Foundation, a digital rights advocacy group...
[However, the CEO of First 4 Internet says] "I think this whole issue is about intent. There's no question there was no intent to create a hypothetical security breach here. We've reacted very quickly to provide a solution."
So what we have here is a mainstream company basically installing malicious software on unassuming consumers' computers without informing them of what the risks are. This is akin to Ford ignoring the potential explosiveness of its Pinto subcompact car in the 1970s.
How could this get any worse? Well, for one, the consent form doesn't even tell the consumer that the DRM software phones home. The same Mark from the Sysinternals blog who discovered the rootkit in the first place went ahead and delved further. He posted more info about the Sony rootkit on Nov. 4th, finding:
...There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.
The EULA also makes no reference to any “phone home” behavior... I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed... the Player does send an ID to a Sony web site.
I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way.
If this doesn't scare the bejeezus out of you then it should. This is worse than Ford's Pinto mishap - it's as if every Ford Pinto reported back to headquarters its chance of blowing up without the driver knowing about the communication. Even that metaphor probably doesn't do this justice.
Tell me this ends here? No:
...there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller.
The uninstall question on Sony’s FAQ page directs you to another page that asks you to fill out a form requesting for uninstall directions to be emailed to you.
A few minutes after submitting the form I received an email assigning me a case ID and directing me to another page on Sony’s site where I would have to submit an uninstall request a second time.
Cripes, what's next? Well, the "theoretical" security risk mentioned in the USAToday article is no longer theoretical. On Nov. 10th, the Register reported - First Trojan using Sony DRM spotted
Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.
"This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro
The malware arrives attached in an email, which pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" to be used for the December issue. If the malicious payload contained in this email is executed then the Trojan installs an IRC backdoor on affected Windows systems.
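To make the cross-view detection Trend Micro alludes to concrete, here is an added simulation (mine, not code from the page, Sony, First 4 Internet or Sysinternals) of the "$sys$" cloaking and of a RootkitRevealer-style check that compares the filtered API view with the raw view. The prefix filter stands in for the real kernel hooks, and every file and process name except "$sys$drv.exe" is constructed.

```python
"""Simulated '$sys$' cloaking and a cross-view detection check.
Added illustration only; the prefix filter stands in for the real
kernel hooks, and every name except "$sys$drv.exe" is made up."""
from typing import Iterable

CLOAK_PREFIX = "$sys$"  # XCP hid anything whose name begins with this

# Constructed sample data: what the disk and the process table really hold.
RAW_SYSTEM_DIR = ["kernel32.dll", "ntdll.dll", "$sys$drv.exe",
                  "$sys$sample.bin", "notepad.exe"]
RAW_PROCESSES = ["explorer.exe", "$sys$drv.exe", "svchost.exe"]

# Constructed signature list for a naive scanner that only uses the normal API.
KNOWN_BAD_NAMES = {"$sys$drv.exe"}


def cloaked_view(raw_entries: Iterable[str], prefix: str = CLOAK_PREFIX) -> list[str]:
    """What any user-mode program sees through the hooked enumeration APIs:
    the rootkit drops every entry whose name starts with the prefix."""
    return [name for name in raw_entries if not name.startswith(prefix)]


def naive_scan(api_view: Iterable[str], signatures=KNOWN_BAD_NAMES) -> list[str]:
    """A scanner that trusts the API view never sees the dropped Trojan,
    which is why an ordinary file or process listing finds nothing."""
    return sorted(name for name in api_view if name in signatures)


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> list[str]:
    """Cross-view detection: anything present in the raw view but absent
    from the API view is being actively hidden from the user."""
    return sorted(set(raw_view) - set(api_view))


def audit(raw_dir=RAW_SYSTEM_DIR, raw_procs=RAW_PROCESSES) -> dict:
    """Run both the naive scan and the cross-view check over the sample data."""
    dir_api, proc_api = cloaked_view(raw_dir), cloaked_view(raw_procs)
    return {
        "naive_hits": naive_scan(dir_api) + naive_scan(proc_api),
        "hidden_files": cross_view_diff(dir_api, raw_dir),
        "hidden_processes": cross_view_diff(proc_api, raw_procs),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

A real cross-view scanner obtains the raw view by parsing the file system and kernel structures directly rather than from a list, but the comparison logic is the same.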
Is this getting really nasty or what? So far there have been two major class-action lawsuits filed, one by a California firm and the other by ALCEI, Italy's version of the EFF.
If you want to keep up with this, the Washington Post's securityfix blog is pretty thorough:
[a lawsuit lawyer claims] Sony BMG is facing yet another class-action lawsuit stemming from the controversy over its anti-piracy software, this time from a New York attorney who filed a federal case that could potentially include consumers in all 50 states.
A patch that Sony issued a week ago when virus writers began taking advantage of the software's file-hiding capabilities actually introduces serious new security risks onto the user's machine
- uninstalling any of the software's components without first going through Sony's multi-step authorization process can render the user's CD-rom drive completely useless for anything other than a cupholder.
- "To date, over 3 million copies of XCP encoded disks have been sold. It is probable that millions of consumers have played these discs on their PC's and thus compromised their systems without knowing it,"
Finally, something pretty to look at out of all of this - Dan Kaminsky of Doxpara Research exploited the following facts:
[a Domain Name Server is a service which resolves server names, such as www.cnn.com, to their actual IP addresses, such as 188.8.131.52, which allows your computer to actually contact the server in question]
- DNS queries are cached.
- Caches are externally testable, provided you have a list of all the name servers out there.
- It just so happens [that Dan Kaminsky has] such a list.
- Sony has a rootkit.
- The rootkit phones home.
- Phoning home requires a DNS query.
And he collected information on the DNS caches of lookups of Sony's "phone-home" servers. He used a tool to associate longitude/latitude with the IPs associated with the lookups, and then he built a map of the world which displays a rough estimation of densities of computers "infected" with Sony's rootkit. Bottom line, it's a lot:
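The cache probe those facts rest on, as an added example (mine, not Dan Kaminsky's tool): a DNS query with the recursion-desired bit cleared, which a resolver answers only from its cache, so an answer means some host behind that resolver has already looked the name up. The hostname is a placeholder for the real phone-home server, and a defender runs this against their own resolver to learn whether machines on their network are affected.

```python
"""Non-recursive (RD=0) DNS cache probe. Added example: the hostname is a
placeholder, and the probe is meant for a resolver you administer."""
import random
import socket
import struct

PHONE_HOME_HOST = "phone-home.example.invalid"  # placeholder, not Sony's real server


def build_query(name: str, txid: int, recursion_desired: bool = False) -> bytes:
    """DNS header plus one A-record question. With RD=0 the resolver will not
    go out and resolve the name, so it can only answer from its cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = [label.encode() for label in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_cached(reply: bytes, txid: int) -> bool:
    """A reply to a non-recursive query with RCODE 0 and ANCOUNT > 0 means the
    name was sitting in the cache: a client of that resolver resolved it."""
    if len(reply) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    return rcode == 0 and ancount > 0


def probe(resolver_ip: str, name: str = PHONE_HOME_HOST, timeout: float = 2.0) -> bool:
    """Send one RD=0 query over UDP to the given resolver and report whether
    the name is cached there (constructed packets; needs network to run)."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        reply, _ = sock.recvfrom(512)
    return is_cached(reply, txid)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Repeating the probe over time against the same resolver also reveals roughly when the name was last looked up, since the cached TTL in the answer counts down.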
Full pictures available at these links:
All of this should concern everybody, regardless of whether you are a technophobe or a technorat. It's one more alarming example of a major corporation trying to control and manipulate consumers. Beware.