Saturday, November 12, 2005

Sony Rootkits

Since April this year, Sony has been selling "Content Protected" CDs. If you wish to listen to any of them on your PC, you must install the Sony Media Player software that's included on the CD. Hidden with the media player are a rootkit and a DRM service. The rootkit is used to conceal a running process (the DRM service) made by First 4 Internet, a company that mainly focuses on products developed for digital asset management and copy protection.

The First 4 Internet rootkit is programmed to hide any software with the prefix "$sys$" from your task list and process list, making it invisible to Windows. The software isn't mentioned clearly in the EULA that comes with the installer for the media player, and there is no easy way to uninstall it from your system. Not only does it lack an Add/Remove Programs shortcut, it's even programmed to run in Windows Safe Mode. The uninstall process is as complex as removing a virus, and even if you do it right, it could crash your system and/or remove your CD/DVD drives from your system.

Because of the inept design of the rootkit, it conceals everything that uses the prefix "$sys$", and that includes spyware, malware, viruses and hacks. It's already being exploited by World of Warcraft cheaters, preventing the Blizzard process checker from noticing the hacks that they use.

The media player is programmed using Macromedia Director, which in my humble opinion should only be used to produce concept designs of programs to show to your executives. Why not program it in far more optimized C++ code instead?

Each time you run the player, it sends information about which album you have along with your IP address and looks up whether there are any new banners for the album. So they can actually record each time an album is played and the IP address of the computer playing it.

Even after you've closed the media player, the rootkit service still consumes 1-2% of CPU. Every two seconds it queries basic information about the files, including their size, eight times every scan! Further proof of the programmers' ineptness.

The "copy-protection" is now considered spyware by most antivirus programs. Sony is facing lawsuits in California and Italy, and another one is coming up from New York over the use of rootkits.

If you want to listen to these CDs on your computer anyway, I recommend that you download Exact Audio Copy (download link below) and rip the music.

Exact Audio Copy v0.95 beta 3 (zip)

Sony EULA agreement
Sony, Rootkits and Digital Rights Management Gone Too Far
BBC - Sony sued over copy-protected CD
eTrust Spyware Encyclopedia - Sony Rootkit
World of Warcraft hackers using Sony BMG rootkit
Wikipedia, the free encyclopedia - Rootkit

Update: Aftonbladet - Vanliga cd-skivor kan förstöra din dator (Ordinary CDs can destroy your computer)
Update 2: Sony-BMG's EULA, nine points of interest
