August 31, 2016


CD-DRM Rootkit: Repairing the Damage

SonyBMG and First4Internet are in the doghouse now, having been caught installing rootkit-like software on the computers of SonyBMG music customers, thereby exposing the customers to security risk. The question now is whether the companies will face up to their mistake and try to remedy it.

First4Internet seems to be trying to dodge the issue. For example, here’s part of a news.com story by John Borland:

The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.

In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company’s CEO.

“I think this is slightly old news,” Gilliat-Smith said. “For the eight months that these CDs have been out, we haven’t had any comments about malware (malicious software) at all.”

The claim that the software is not a risk is simply false, as Alex explained yesterday. A rootkit hides files, processes, and registry entries from the operating system, and therefore from every anti-virus and administrative tool that relies on the operating system to see them; a hiding place that the owner’s own tools cannot inspect is just as useful to any other malicious program that learns how to use it. And if the company is indeed working on new ways to hide the contents of your computer from you, that just shows that they haven’t learned their lesson. The problem is not that they used a particular rootkit method. The problem is that they used rootkit methods at all. Switching to a new rootkit method will, if anything, make the problem worse.

The claim that there haven’t been any complaints about the software is also false. The reviews on Amazon have plenty of complaints, and there was a discussion of these problems at CastleCops. And, of course, Mark Russinovich has complained.

The claim that this is old news is just bizarre. First4Internet is offering this system to record companies – today. SonyBMG is selling CDs containing this software – today. And this software is sitting on many users’ computers with no uninstaller – today.

If First4Internet wants to stop spinning and address the problem, and if SonyBMG wants to start recovering consumer trust, I would suggest the following steps.

(1) Admit that there is a problem. The companies can admit that the software uses rootkit-like methods and may expose some consumers to increased security risk.

(2) Modify product packaging, company websites, and EULA language to disclose what the software actually does. Thus far there hasn’t been adequate notification. For example, the current EULA says this:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Clearly a rootkit neither protects the audio files nor facilitates use of the content; its only function is to hide the software from the user. This is not the only misleading aspect of the description. For example, this does not convey to users that they will be unable to make lawful uses of the music such as downloading it to an iPod, or that there is no way to uninstall the software (indeed, it strongly implies the opposite), or that attempting to remove the software may make the computer’s CD drive inaccessible.

(3) Release a patch or uninstaller that lets any consumer easily remove or disable the rootkit-like functions of the software. Having caused security problems for their users, the least the companies can do is to help users protect themselves.

(4) Make clear that the companies support, and give permission for, research into the security implications of their products. Saying “trust us” won’t cut it anymore. Having betrayed that trust once, the companies should publicly welcome the Mark Russinoviches of the world to keep studying their software and publishing what they find. If you act like you have something to hide – and you have had something to hide in the past – the public will be smart enough to conclude that you’re probably still hiding something. This is especially true if you announce that you are trying to find new ways to do the thing that you were just caught doing!

Finally, let me just point out two things. First, we don’t know yet whether the First4Internet/SonyBMG software causes even more security or privacy problems for users. Given what we’ve seen so far, I wouldn’t be at all surprised if there are more problems lurking.

Second, this general issue applies not only to F4I and SonyBMG’s technology. Any attempt to copy-protect CDs will face similar problems, because this kind of copy-protection software has a lot in common with standard malware. Most notably, both types of software try to maintain themselves on a user’s computer against the user’s will – something that cannot be done without eroding the user’s control over the computer and thereby inhibiting security.

If you’re using a recent version of Windows, you can protect yourself against this type of software, and some other security risks, by disabling autorun. The copy-protection software is installed by the program that Windows launches automatically when the disc is inserted; with autorun turned off, inserting the disc runs nothing, the EULA prompt never appears, and the audio tracks can still be played with ordinary audio software.
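A concrete way to do this on a Windows machine, as an added example that is not part of the original post: the following PowerShell script sets the NoDriveTypeAutoRun policy value that Windows (and the “Turn off Autoplay” Group Policy setting) uses to suppress autorun, and then reads it back to confirm. It assumes an elevated (Administrator) prompt on a Windows version whose Explorer honors that policy; the key path and value name are Microsoft’s, the variable names are mine.

```powershell
# Added example (not code from the original post): disable AutoRun for every
# drive type via the machine-wide Explorer policy key. Run from an elevated
# PowerShell prompt; sign out and back in (or reboot) so Explorer re-reads it.

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Each bit of NoDriveTypeAutoRun suppresses autorun for one drive type
# (removable, fixed, network, CD-ROM, RAM disk, ...). 0xFF sets every bit,
# so autorun is off everywhere, including the CD/DVD drive a music CD uses.
$allDriveTypes = 0xFF

# The Policies\Explorer key does not exist on a fresh install; create it.
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' `
    -Value $allDriveTypes -Type DWord

# Read the value back exactly as Explorer will see it and report the result.
$current = (Get-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
if ($current -eq $allDriveTypes) {
    Write-Host ('NoDriveTypeAutoRun = 0x{0:X2}: autorun disabled for all drive types.' -f $current)
} else {
    Write-Warning ('NoDriveTypeAutoRun = 0x{0:X2}: policy was not applied as expected.' -f $current)
}
```

The same value can be set under HKCU with the same sub-path to cover a single account, but the HKLM key applies to every user of the machine. Two caveats. First, Microsoft later documented (KB 967715) that Windows XP, 2000 and Server 2003 did not reliably honor this value until an update was installed and a second DWORD, HonorAutoRunSetting, was set to 1 under the same key, so on a machine of that era check both. Second, this only stops the disc’s installer from launching on insertion; it does not remove software that is already installed, and it does not stop a user from running the installer by hand.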

Comments

  1. or maybe someone in congress could just pass the Digital Media Consumers’ Rights Act (http://thomas.loc.gov/cgi-bin/query/z?c108:H.R.107:) so that SonyBMG would have to put a big label on the disk that says “this won’t work for you!”.

  2. Most notably, both types of software try to maintain themselves on a user’s computer against the user’s will — something that cannot be done without eroding the user’s control over the computer and thereby inhibiting security.

    This is a pretty good summary of the UK Computer Misuse Act, and although IANAL I’d be fairly confident that they could be successfully prosecuted. Any enterprising lawyers out there want to have a go?

  3. Sony, DRM and Trespass to Chattels

    By Eric Goldman A minor storm is brewing over Sony’s installation of DRM software on users’ computers when they play…

  4. Were Symantec and other virus companies REALLY contacted in the development of this rootkit? If so, why didn’t they go public and complain?

    There may be a story here, please follow it up!

  5. Good post, if a bit pointless. What people do not realize is that big corporations already own us. They have all the power, we don’t have any.
    Big corporations can do what they want with impunity. There is nothing we can do to stop them. A few posts here and there is not going to stop this steady erosion of our rights. Even a law won’t help- SONY and all the rest have billions of dollars to spend; we don’t. And sadly, people don’t care. Rights that we take for granted are being taken away daily.
    One could tell me to write my congressperson- sure. What good is it going to do? Our so-called representatives care less for their constituents rights than they do for money, so we lost again.
    Let’s face it- we are again serfs and slaves to the mighty- and most of us don’t care.

  6. TsuDoNymh says:

    The part that interests me most: “The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.”

    Symantec cooperated in not detecting a rootkit on my computers?! Let’s get some comments from Symantec on how they worked this.

  7. Malcolm Powell says:

    “Tom” wrote: “SONY and all the rest have billions of dollars to spend; we don’t”.

    Tom there are billions of us and a lot of us have a few dollars. They cannot do anything unless we are all apathetic like you and let them.

    “Tom” wrote: “Let’s face it- we are again serfs and slaves to the mighty- and most of us don’t care”.

    Tom you, and your ilk, are deeply sad and pathetic.

  8. Did Sony CD Malware Violate US Computer Fraud and Abuse Act?

    I think it would be a stretch to say that Sony violated CFAA, but I have to admit that in my opinion they come pretty close. Many readers are well-aware of the scandal of the week in cyberspace – Sony’s stealth digital rights management system w

  9. As soon as I first read about this I fired off several emails. One to my Congresswoman (haven’t gotten anything back yet) and to a lot of friends and co-workers. I also wrote Sony and told them that they have lost me forever as a consumer of their products.

    The big corporations DO have more money and more influence in Congress than we do; however, perhaps it is time to start an IT issue/consumer rights lobby of our own. More importantly, look to start electing politicians who “understand” what this is all about, who are not close to fossilization. It is time to begin electing IT-savvy men and women to office.

  10. Enough is enough. I will no longer purchase any music with copy protection or the use of DRM. Sony’s latest copy protection scheme consumes CPU power on my computer, alters basic system files and even goes as far as altering the “Safe Boot” mode built into the Microsoft operating system.

    RIAA and large recording companies like Sony BMG are destroying the music industry. They have been slow to adapt to the changing trend that the personal computer is becoming the media portal of choice for many people. They have crippled the quality of music played on computers by building highly compressed Digital Rights Managed music into the CDs they sell. The recording industry is running trials of different restrictions and copy protection programs, all of which end up on the user’s computer. Inconsistencies in these copy protection schemes are well hidden and rarely identified as the problem when problems do occur.

    Before the RIAA began their witch hunts that started around 2001 I was purchasing over 40 music CDs a year. The continued bad taste the recording industry has left me with has reduced my yearly music CD purchases to under 8 CDs per year. Beginning in 2006 I will no longer purchase any music that uses DRM or any other form of copy-preventing software.

    When I purchase music I want the ability to play my purchased music on any device I own or that is in my presence. I want the ability to play my purchased music on my computer, in my Walkman, on my iPod. I want the ability to convert my music to a format that supports the device I want to use, both now and in the future. I do not want my purchased music to be tied to a single technology. I have already purchased my music at least three times. In the early ages I built up a very large LP collection. Then I repurchased my music when 8-tracks became popular and again when cassettes became popular. With the quality improvements of compact discs I set out to purchase my collection again.

    Like most people I’m very respectful of the artists and make sure they are rightfully compensated for their music. I am more than glad to purchase my music and in the past have used file sharing as a way to discover new artists. I stopped using all forms of file sharing in 2002. Since I used file sharing to discover new artists I wanted to protect myself by documenting that all the music in my collection was purchased. My own record keeping has turned up some very interesting trends. My documented trends in my music habits are in direct contrast to what the RIAA claims to be their largest threat.

    Call to arms. All independent labels and independent artists, please make yourselves known. I enjoy buying my music via the web and I want it unprotected. I have found the one-stop online music stores to be very convenient. I also have found the “music CD clubs” to be OK and have belonged to as many as four of them at the same time.

    It’s a real shame that I feel I must offer no more support to the many great artists that are under the Sony and BMG labels, while at the same time I’m excited to discover what the new year will bring me in the way of undiscovered artists. Over time I hope these independents create large portals to distribute their music via the web.

  11. Peter Fusco said:

    “….perhaps it is time to start a IT issue/ consumer rights lobby of our own.”

    We have one – support the Electronic Frontier Foundation, http://www.eff.org/ Sign up for their ‘Effector’ email list, which frequently includes action links. And send money ;-) Disclosure: I have no personal connection to eff.org

  12. NEW ROOTKIT DISCOVERED (?) (!!!)

    A certain CD behaved very strangely as it was played in the computer.
    The computer went BSOD shortly after displaying symptoms of keylogging
    and modifying files but until this news broke no one could believe a legitimate
    CD could have a virus. It was certainly a rootkit, since it was smart enough
    to type html into my computer-generated-music website HTML code.
    …Bfast.com… Spybot identified Bfast as Spyware and removed it but
    this CD may be even sicker than the November 1 2005 announced one.

    This CD is JOHN MAYER – HEAVIER THINGS , CD EXTRA FORMAT
    Apparently its rootkit may be made by “Specific Harm Music (ASCAP)” !!!
    Plenty of other evidence, a sticker saying you’ll hear unreleased songs
    only on a computer. I thought that only a few Sony CDs had rootkits since
    March 2005 but this CD is a bit older than that! Other branding: AWARE, COLUMBIA.

    Ironically, the only way to remove the ASCAP virus is put it into the Analog Hole!…
    …Which on October 31 was rumored to be assaulted again by the Evil Ones!

  13. Last time I checked it was a major multi-decade jail sentence for hacking. In England even typing ..\ could land you in jail for 20 years. Sounds like all that is needed here is a 100 million dollar lawsuit with 20 years jail time for each instigator and collaborator. Symantec should know better than to aid hackers and should suffer the jail time perquisite to that stupidity.

  14. What would happen if another… cough, legitimate, cough music/software company attempted to copy protect their music/software using a similar method. Can two or more rootkits co-exist on the same OS at the same time? I would think there would be all kinds of conflicts as one rootkit attempted to overwrite/block the other(s) rootkit’s drivers. Oh, what a mess!

  15. Tom Ciarlone says:

    Class Action Law Firm Investigating Sony CDs:
    My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at .

  16. ZEROING IN ON “SPECIFIC HARM” MUSICK CD TROJAN HORSE:

    Trojan Horse, May be called AWARE
    Installs AOL w/o permission to access internet.
    Found on Sony “CD EXTRA” format. Affects PC and Mac.

    Trojan Horse defined: An ancient act of warfare in which
    the WALLED city of Troy was given a gift of a giant horse statue.
    When the gift was taken into the city,
    enemy soldiers came out of the horse and Destroyed the City.

    “CD EXTRA” promises MORE FUN if you play the CD on a computer.

  17. To Tom: While Sony may have billions of dollars, if we (the billions of consumers worldwide) stop buying their CDs because of copy protection then they will stop putting copy protection on them because their billions come from… You guessed it: US!

    Btw, a friend was trying to rip a CD on the contaminated list a couple of months ago before this fiasco came out. I figured that some kind of copy protection was why he couldn’t rip it (well, the songs did copy but had some serious problems and were not listenable). I turned off autoplay on my machine and ripped them with no problem. The lesson: Autoplay is _bad_! Now I have to help him and another friend who tried to rip the disc for him get this rootkit off of their machines. (Mine, btw, is clean according to RootkitRevealer by Sysinternals.)

  18. VibeBender says:

    This post and all the others that probably will result is one that I have seen and experienced first hand…..Integrity can be found on both sides…..and he with the most correct integrity will win the fight…..

  19. After one company sued a grandfather for more than $5000 for downloading a movie, the individual copyright holders should be sued for damage to each machine. You cannot hire a computer professional for less than $5000 to remove the faulty added software from a machine to restore it to the condition that existed before the disk asked for your agreement to its conditions….

  20. SonyBMGmusic.com just advertised CDs on NBC’s late show, whether it was over the whole network or just locally I don’t know. But I suppose it got plenty of well deserved whacking because their website is down. That gives me a little more confidence as the global media discombobulated-conglomeration is trying to whitewash this and apparently it’s succeeding enough to attract some beastmarked investors. Unfortunately PLAYSTATION and VICE CITY type things and their addicts are a tape-patched inflatable lifesaver for them.

    A certain factory shut down due to Windows BSOD recently. I can imagine worse industrial BSOD problems. Sure, solved by not listening to music and not running your factory on Windows. Here are other BSOD events I recently witnessed (which I assumed happened WITHOUT DRM)…

    A bar couldn’t serve drinks for an hour.
    Disney World couldn’t sell food for an hour.
    Yes, there’s a Windows Restaurant Edition(tm) or something like that, I witnessed.

    What’s sad about the factory shutdown is that the windows control panel cost almost a million dollars and replaced a 4 kilobyte paper tape reader that could have been fixed with a splice, and was in fact bought and used by another factory. It had been in constant use for 40 years. Divide the MTBF of windows by 40 and you’re “better off” at a horse race.

    And Sony has only revealed a few more CD titles with XCP, as far as I know they’re not talking about the SunCom one or the one that SECRETLY installs AOL. SECRETLY means no EULA, no AOL logo on the CD, total malice and liability on their part. FYI the CD_EXTRA format in general does this (there may be exceptions but not in my CD collection). You might find in the fine print “This CD includes free internet access” or something obscure like that, which looks more like a typo. Like “This phone includes free service”.

    How many have had the displeasure of un-installing AOL? Well, CD_EXTRA is “rootkit enhanced by AOL” , assuming optimistically that the versions of AOL-CDs that come every other day for free in the snailmail box don’t include rootkits. Don’t forget I am a victim of a Remote Control hack, and arbitrarily claim a lost-art exchange. The quitclaim requires PC replacements, not CD replacements. Not subject to any EULA because there was none, THE CDS ARE MINE.

    WOULD YOU LIKE A FREE ROOTKIT, ANYONE? Just kidding about that.
    Remember, they only have to stop it until “after the flu epidemic”.
    So said the Department of Homeland Security!
    And maybe God. So, maybe only Sony will get the flu!

    Quick, before I do, let’s sing a new song…
    When Sony Gets The Flu My Friends, hurrah hurrah…
    …We’ll all hear good tunes when Sony gets the Flu!

    VIRUS MUSIC…HA!
    As Arlo Guthrie said in Alice’s Restaurant…
    wait until it comes around again… it’s coming around…
    You can get anything you want at Alice’s restaurant!

    What if Sony COUGHS on the replacement CDs?
    Let DRM be “Dead with Rigor Mortis”. Avoid it like THE PLAGUE.

  21. Let me clarify my position for that rant:
    I am an artist and Sony “broke my guitar” and stole my art.
    They are the PIRATES in this case. I was ROBBED!
    Just for Playing, not Copying, one CD!

  22. I don’t think copy protection can ever go too far. If you copy software or music or anything then it’s exactly the same as just walking into the shop and taking it off the shelf; it’s stealing whichever way ya look at it!

  23. Give it a rest says:

    Cheap cds, you are an idiot! And the kind of dolt that Sony wants on their side.

  24.

    I BOUGHT A BMG CD “JANIS JOPLIN / BIG BROTHER LIVE AT WINTERLAND” BIG BROTHER WAS THE NAME OF HER BAND.
    NOW IT ALSO MEANS THAT “BMG-BIG BROTHER” IS OUT TO RUIN YOUR COMPUTER. IN EARLY NOVEMBER MY WEBROOT-SPYSWEEPER CAUGHT SOME TYPE OF “ROOTKIT” RUNNING IN MY COMPUTER. BUT IT WAS FOUND “TOO LATE” AND THE THING FROM BMG RUINED MY COMPUTER.
    ALL I DID WAS DOWNLOAD THE CD (I BOUGHT & PAID FOR) INTO MY COMPUTER FOR EASIER LOCATING & PLAYING. I MADE NO COPIES TO SEND OR BURN. SPYSWEEPER FOUND THIS “ROOTKIT” IN THAT JANIS JOPLIN CD STORED ON MY COMPUTER. BE CAREFUL WITH CDS YOU BUY & LOAD INTO YOUR COMPUTER. MY COMPUTER IS RUINED.

  25. […] Meanwhile, antivirus firms are already warning about a new trojan in the wild taking advantage of the rootkit. This story raises some questions. These CDs with rootkits have been sold for 8 months. Where was Microsoft? Why didn’t they and antivirus companies notice this rootkit themselves long ago? When the story first hit, here’s the explanation given by First 4 Internet, the company that wrote the rootkit for Sony1:

    The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.

    So, Symantec and “the big antivirus companies” already knew about the rootkit? According to this statement, it seems they did. Are they then liable as well as Sony? Groklaw member alangmead asked another valid question in a comment to an earlier article: Does that mean that Microsoft knew also and was complicit, deliberately ignoring the rootkit? Alternatively, if not, might one not legitimately ask if Microsoft’s anti-spyware is “sophisticated enough to detect the system changes” made by Sony’s DRM? Which explanation is worse?

    I can’t help but wonder about a third possibility. Charlie Demerjian recently wrote about what he views as the new Microsoft PR technique. He says because Microsoft lacks credibility, they don’t put out press releases on certain stories. Instead they leak it to the press or to blogs. I’ll let him describe it for you:

    MS has taken to ‘slips’, ‘admissions’ and ‘leaks’ in ways that it ‘really should not have’ done. The reporter pounces, and the Microsoft spokesperson gets all defensive and asks that it not be published, blah blah blah. Memos leaked to the right people have a similar effect, as do blog entries as a first line of press knowledge. Few things work better than a grass roots spreading of ‘facts’ that the mainstream press ‘notices’. Few PR efforts or changes of direction come in press releases any more; they all come from blogs and leaked memos. The people who pick the stories up and grassroots spread them tend not to mock as much as the real press. Those that do can be easily laughed off by real PR as the lunatic fringe.

    Basically, Microsoft is using the boggosphere to do its PR for them, and we are supposed to be the pawns. Is that what happened here? I have no idea, but I know it’s the right question. I’m not in love with Sony at the moment, but fair is fair. I thought it was important to mention all this, because of the litigation. Just how deep does this betrayal of customers go?

    F-Secure, who was not part of the complicit agreement apparently and discovered the rootkit independently, according to Russinovich, explained on November 4 on their blog why rootkits are a security problem:

    A member of our IT security team pointed out a quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs. In order to hide from the system a rootkit must interface with the OS on a very low level and in those areas there’s no room for error. It is hard enough to program something on that level, without having to worry about any other programs trying to do something with the same parts of the OS. Thus if there were two DRM rootkits on the same system trying to hook the same APIs, the results would be highly unpredictable. Or actually, a system crash is a quite predictable result in such a situation. So imagine a situation where Joe Customer buys a CD from label A and another CD from label B. Label A uses third party DRM from company X and Label B uses one from company Y. Then our user first plays one of the CDs in his PC, and everything works fine. But after he starts playing the second CD, his computer crashes and won’t boot again. This is something I would not like to associate with buying legal CDs.

    The Department of Homeland Security agrees. This IP protection is now threatening our security. How did everyone lose their sense of proportion? I earlier put a link to the audio of Stewart Baker, Department of Homeland Security Assistant Secretary for Policy, in News Picks, but what he said is so important, I wish to repeat it here:

    “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

    “If we have an avian flu outbreak here and it is even half as bad as the 1918 flu, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is going to be a matter of life and death and we take it very seriously as well.” – DHS Ass’t Sec’y on Policy Stewart Baker

    Copyright infringement is important to companies like Sony, of course, but if, when enforcing their rights, they end up exceeding their actual rights and endanger our lives in their quest to protect mere money, something is seriously out of balance. I also most sincerely hope that the DHS realizes the security value of the GNU/Linux operating system, as well as MacOSX. If the Department is relying exclusively on Windows, I am frankly terrified.

    By the way, if you’d like to hear the immortal words from Sony about rootkits and how customers don’t know what they are and so needn’t care about them, here you go. Your choices to listen to the audio are Windows Media Player or RealPlayer. Is it time, folks, for websites to broaden the choices they offer people? Some of us are afraid to use Windows, you know.

    And for any of you who are staring at your Windows computer and wondering just how bad it is in your personal case, may I encourage you to think about GNU/Linux systems as a remedy? It’s one advantage of FOSS software that there is no code you are not allowed to examine. That’s part of what the Free means in Free Software and the Open in Open Source, that you are free to look at the code and are free from secret corporate dirty tricks and private gentlemen’s agreements that put your security at risk.

    1 Note that the article referenced was later [at least by November 23, 2005] changed to read: “The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk. The company’s team has worked regularly with big antivirus companies to ensure the safety of its software, and to make sure it is not picked up as a virus, he said.” […]

  26. […] Sony Says It Will Patch The Rootkit… Sort Of. Contributed by Mike on Wednesday, November 2nd, 2005 @ 01:08PM from the too-little-too-late? dept. Sony BMG and First 4 Internet, the makers of the rootkit copy protection that’s getting so much attention these days, have announced that they’ll be releasing a patch to fix the problem, while also delivering a fix to various anti-virus firms to put into their tools as well. Note that this patch doesn’t actually remove the copy protection or even make it that easy to uninstall. It just reveals the part that was hidden deeply in the computer. This isn’t quite the response that folks like Ed Felten suggested they take. Also, no word on whether or not other labels that use the same tools, like Universal Music, will also be releasing the patch. […]
