November 23, 2024

SonyBMG DRM Customer Survival Kit

Here’s a handy bag of tricks for people whose computers are (or might be) infected by the SonyBMG/First4Internet rootkit DRM. The instructions here draw heavily from research by Alex Halderman and Mark Russinovich.

This DRM system operates only on recent versions of Windows. If you’re using MacOS or Linux, you have nothing to worry about from this particular DRM system. The instructions here apply to Windows XP.

How to tell whether the rootkit is on your computer: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc query $sys$aries

and hit the Enter key. If the response includes “STATE: 4 RUNNING”, then your machine is infected with the rootkit. If the response includes “The specified service does not exist as an installed service”, then your machine is not infected with the rootkit.

How to disable the rootkit: On the Start menu, choose Run. In the box that pops up, type this command:

cmd /k sc delete $sys$aries

and hit the Enter key. Then reboot your system, and the rootkit will be permanently disabled.

Note that this does not remove or disable the main anti-copying technologies. It only turns off the rootkit functionality that hides files, programs, and directory entries. The main DRM software is still present.

How to remove the DRM software entirely: Use the official uninstaller offered by the vendors. They’ll make you jump through unnecessary hoops, and give them unnecessary information, before you can uninstall. Feel free to complain to the vendors about their refusal to offer a simple uninstaller for download.

It is possible to remove the DRM software by hand, but I recommend against it – if you mess up, you can render your machine unbootable.

Probably someone will create an unofficial but easy-to-use uninstaller, but I haven’t seen one yet.

How to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them: SonyBMG will send instructions on how to do this to anyone who asks. Note that their instructions direct you to agree to their End User License Agreement; be sure to read the agreement and think about whether you want to accept it.

To save you time, I’ll quote their instructions here:

Place the CD into your computer and allow the supplied Sony BMG audio player on the CD to start. If our player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.

Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, click the “Copy Songs” icon/button and follow the instructions to copy the secured Windows Media Files (WMA) to your PC’s hard drive.

TIP: Once the WMA files are on your hard drive, be sure to remove the original CD from your optical drive before proceeding. The original CD is designed to only allow playback using the Sony BMG audio player software included on the disc.

Once the WMA files are on your PC, open and listen to the songs with Windows Media Player 9.0 or higher (version 10 is recommended for XP) to verify that they imported correctly. Then use Windows Media Player to burn the songs as a standard Audio CD.

TIP: By default Windows Media Player may assume that you want to create a data CD rather than an audio CD. This just creates a data CD of the audio files in their secured WMA format rather than first converting them to standard Red Book Audio format. Before creating the CD be sure to verify “Audio CD” is selected.

Having followed these instructions, you will then have a copy of the CD that is unencumbered by copy protection. You can then proceed to make any lawful use of the music, including ripping it into iTunes and downloading it onto your iPod.

You read that correctly – SonyBMG, which is willing to surreptitiously install a rootkit on your computer in the name of retarding copying of their music, will send, to anyone who asks, detailed instructions for making an unprotected copy of that same music.

SonyBMG "Protection" is Spyware

Mark Russinovich has yet another great post on the now-notorious SonyBMG/First4Internet CD “copy protection” software. His conclusion: “Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.”

Here’s how the uninstall process works:

  • The user somehow finds the obscure web page from which he can request the uninstaller.
  • The user fills out and submits a form requesting the uninstaller. The form requests information that is not necessary to perform the uninstallation.
  • The vendor sends the user an email asking them to install a patch, and then to visit another page if he still wants to uninstall the software.
  • The user is directed to install and run yet more software – an ActiveX control – on his computer.
  • The user has to fill out and submit yet another form, which asks unnecessarily for still more information.
  • The vendor sends the user an email containing a cryptic web link.
  • The user clicks on that web link. This will perform the uninstall, but only if the user is running on the same computer on which he performed the previous steps, and only if it is used within one week.

None of these steps is necessary. It would be perfectly feasible to provide for download a simple uninstaller that works on any computer that can run the original software. Indeed, it would have been easier for the vendor to do this.

In all the discussion of the SonyBMG software, I’ve been avoiding the S-word. But now it’s clear that this software crosses the line. It’s spyware.

Let’s review the evidence:

  • The software comes with a EULA which, at the very least, misleads users about what the software does.
  • The software interferes with the efforts of ordinary users and programs, including virus checkers and other security software, to identify it.
  • Without telling the user or obtaining consent, the software sends information to the vendor about the user’s activities.
  • No uninstaller is provided with the software, or even on the vendor’s website, despite indications to the contrary in the EULA.
  • The vendor has an uninstaller but refuses to make it available except to individual users who jump through a long series of hoops.
  • The vendor makes misleading statements to the press about the software.

This is the kind of behavior we’ve come to expect from spyware vendors. Experience teaches that it’s typical of small DRM companies too. But why isn’t SonyBMG backing away from this? Doesn’t SonyBMG aspire to at least a modest level of corporate citizenship?

There are three possibilities. Maybe SonyBMG is so out of touch that they don’t even realize they are in the wrong. Or maybe SonyBMG realizes its mistake but has decided to stonewall in the hope that the press and the public will lose interest before the company has to admit error. Or maybe SonyBMG realizes that its customers have good reason to be angry, but the company thinks it is strategically necessary to defend its practices anyway. The last possibility is the most interesting; I may write about it tomorrow.

Outside the SonyBMG executive suite, a consensus has developed that this software is dangerous, and forces are mobilizing against it. Virus researchers are analyzing malware now in circulation that exploits the software’s rootkit functionality. Class-action lawsuits have been filed in California and New York, and a government investigation seems likely in Italy. Computer Associates has labeled the software as spyware, and modified its PestPatrol spyware detector to look for the software. Organizations such as Rutgers University are even warning their people not to play SonyBMG CDs in their computers.

SonyBMG and First4Internet Release Mysterious Software Update

SonyBMG and First4Internet, the companies caught installing rootkit-like software on the computers of people who bought certain CDs, have taken their first baby steps toward addressing the problem. But they still have a long way to go; and they might even have made the situation worse.

Yesterday, the companies released a software update that they say “removes the cloaking technology component that has been recently discussed in a number of articles”. Reading that statement, and the press statements by company representitives, you might think that that’s all the update does. It’s not.

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function – they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert – falsely – that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.

The companies need to come clean with the public – their customers – about what they did in the first place, and what they are doing now. At the very least, they need to tell us what is in the software update they’re now distributing.

Meanwhile, lawprof Eric Goldman asks whether the SonyBMG EULA adequately disclosed what the company was doing to users’ computers. If not, the company may be legally liable for trespass to chattels, or may even have violated the Computer Fraud and Abuse Act. Goldman concludes that the disclosure may be adequate as a legal matter, though he doesn’t assert that it’s a good business practice.

While the legal question is beyond my expertise, it’s awfully hard to see how, from a common-sense viewpoint, SonyBMG could be said to have disclosed that they might be installing rootkit-like software. Surely the user’s consent to installing “a small proprietary software program … intended to protect the audio files embodied on the CD” does not give SonyBMG free rein to do absolutely anything they like to the user’s computer. Whether, as a legal matter, Sony exceeded their user-granted authorization to modify the user’s computer would ultimately be for a court to decide.

Goldman says, with some justification, that today’s EULAs expose a “crisis” in contract law by attenuating, almost beyond recognition, the notion of consent to a contract. Part of the problem is the well-known fact that hardly anybody reads EULAs. But another part of the problem is that EULAs don’t give even the most diligent users a clear idea of what they are consenting to.

CD-DRM Rootkit: Repairing the Damage

SonyBMG and First4Internet are in the doghouse now, having been caught installing rootkit-like software on the computers of SonyBMG music customers, thereby exposing the customers to security risk. The question now is whether the companies will face up to their mistake and try to remedy it.

First4Internet seems to be trying to dodge the issue. For example, here’s part of a news.com story by John Borland:

The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.

In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company’s CEO.

“I think this is slightly old news,” Gilliat-Smith said. “For the eight months that these CDs have been out, we haven’t had any comments about malware (malicious software) at all.”

The claim that the software is not a risk is simply false, as Alex explained yesterday. And if the company is indeed working on new ways to hide the contents of your computer from you, that just shows that they haven’t learned their lesson. The problem is not that they used a particular rootkit method. The problem is that they used rootkit methods at all. Switching to a new rootkit method will, if anything, make the problem worse.

The claim that there haven’t been any complaints about the software is also false. The reviews on Amazon have plenty of complaints, and there was a discussion of these problems at CastleCops. And, of course, Mark Russinovich has complained.

The claim that this is old news is just bizarre. First4Internet is offering this system to record companies – today. SonyBMG is selling CDs containing this software – today. And this software is sitting on many users’ computers with no uninstaller – today.

If the First4Internet wants to stop spinning and address the problem, and if SonyBMG wants to start recovering consumer trust, I would suggest the following steps.

(1) Admit that there is a problem. The companies can admit that the software uses rootkit-like methods and may expose some consumers to increased security risk.

(2) Modify product packaging, company websites, and EULA language to disclose what the software actually does. Thus far there hasn’t been adequate notification. For example, the current EULA says this:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Clearly a rootkit neither protects the audio files nor facilitates use of the content. This is not the only misleading aspect of the description. For example, this does not convey to users that they will be unable to make lawful uses of the music such as downloading it to an iPod, or that there is no way to uninstall the software (indeed, it strongly implies the opposite), or that attempting to remove the software may make the computer’s CD drive inaccessible.

(3) Release a patch or uninstaller that lets any consumer easily remove or disable the rootkit-like functions of the software. Having caused security problems for their users, the least the companies can do is to help users protect themselves.

(4) Make clear that the companies support, and give permission for, research into the security implications of their products. Saying “trust us” won’t cut it anymore. Having betrayed that trust once, the companies should publicly welcome the Mark Russinoviches of the world to keep studying their software and publishing what they find. If you act like you have something to hide – and you have had something to hide in the past – the public will be smart enough to conclude that you’re probably still hiding something. This is especially true if you announce that you are trying to find new ways to do the thing that you were just caught doing!

Finally, let me just point out two things. First, we don’t know yet whether the First4Internet/SonyBMG software causes even more security or privacy problems for users. Given what we’ve seen so far, I wouldn’t be at all surprised if there are more problems lurking.

Second, this general issue applies not only to F4I and SonyBMG’s technology. Any attempt to copy-protect CDs will face similar problems, because this kind of copy-protection software has a lot in common with standard malware. Most notably, both types of software try to maintain themselves on a user’s computer against the user’s will – something that cannot be done without eroding the user’s control over the computer and thereby inhibiting security.

If you’re using a recent version of Windows, you can protect yourself against this type of software, and some other security risks, by disabling autorun.

CD DRM Makes Computers Less Secure

Yesterday, Sysinternals’s Mark Russinovich posted an excellent analysis of a CD copy protection system called XCP2. This scheme, created by British-based First4Internet, has been deployed on many Sony/BMG albums released in the last six months. Like the SunnComm MediaMax system that I wrote about in 2003, XCP2 uses an “active” software-based approach in an attempt to stifle ripping and copying. The first time an XCP2-protected CD is inserted into a Windows system, the Windows Autorun feature launches an installer, which copies a small piece of software onto the computer. From then on, if the user attempts to copy or rip a protected CD, the software replaces the music with static.

This kind of copy protection has several weaknesses. For instance, users can prevent the active protection software from being installed by disabling autorun or by holding the shift key (which temporarily suspends autorun) while inserting protected discs. Or they can remove the software once it’s been installed, as was easily accomplished with the earlier SunnComm technology. Now, it seems, the latest innovations in CD copy protection involve making the protection software harder to uninstall.

What Russinovich discovered is that XCP2 borrows techniques from malicious software to accomplish this. When XCP2 installs its anti-copying program, it also installs a second component which serves to hide the existence of the software. Normally, programs and data aren’t supposed to be invisible, particularly to system administrators; they may be superficially hidden, but administrators need to be able to see what is installed and running in order to keep the computer secure. What kind of software would want to hide from system administrators? Viruses, spyware, and rootkits (malicious programs that surreptitiously hand over control of the computer to a remote intruder). Rootkits in particular are known for their stealthiness, and they sometimes go to great lengths to conceal their presence, as Russinovich explains:

Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.

Sure enough, XCP2 adopts the latter technique to conceal its presence.

Russinovich is right to be outraged that XCP2 employs the same techniques against him that a malicious rootkit would. This makes maintaining a secure system more difficult by blurring the line between legitimate and illegitimate software. Some users have described how the software has made their anti-virus programs “go nuts,” caused their system to crash, and cost them hours of aggravation as they puzzled over what appeared to be evidence of a compromised system.

But things are even worse than Russinovich states. According to his writeup, the XCP driver is indiscriminant about what it conceals:

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.

Once the driver is installed, there’s no security mechanism in place to ensure that only the XCP2 software can use it. That means any application can make itself virtually invisible to standard Windows administration tools just by renaming its files so that they begin with the string “$sys$”. In some circumstances, real malicious software could leverage this functionality to conceal its own existence.

To understand how, you need to know that user accounts on Windows can be assigned different levels of control over the operation of the system. For example, some users are granted “administrator” or “root” level access—full control of the system—while others may be given more limited authority that allows them to perform every day tasks but prevent them from damaging other users’ files or impairing the operation of the computer. One task that administrators can perform that unprivileged users cannot is install software that uses the cloaking techniques that XCP2 and many rootkits employ. (Indeed, XCP2 is unable to install unless the user running it has administrator privileges.)

It’s a good security practice to give users as little permission as they need to do their jobs—we call this the “Principle of Least Privilege” in the security trade—because, among other reasons, it restricts the activities of malicious software. If every user on a system has administrator access, any malicious programs that become installed can put up their own cloaking mechanisms using the same techniques that XCP2 uses. However, consider what happens when there are multiple accounts on the system, some with Administrator access and some with more limited control. Such a setup is fairly common today, even on family computers. If the administrator uses a CD that installs XCP2, the XCP2 cloaking driver will be available to applications installed by any user on the system. Later, if one of the unprivileged users installs some malware, it can use the XCP2 driver to hide itself from the user and the Administrator, even though it wouldn’t have permission to perform such cloaking on its own.

This kind of security bug is called a “privilege escalation vulnerability.” Whenever such a vulnerability is discovered in Windows, Microsoft quickly rolls out a patch. If Sony and First4Internet have any regard for their customers’ security, they must immediately issue a fix for this serious problem.

Copy protection vendors admit that their software is merely a “speedbump” to copyright infringement, so why do they resort to such dangerous and disreputable means to make their systems only marginally more difficult to bypass? One of the recording industry’s favorite arguments why users should avoid P2P file sharing is that it can expose them to spyware and viruses. Thanks to First4Internet’s ill-conceived copy protection, the same can now be said of purchasing legitimate CDs.

In case you haven’t already disabled Autorun, now might be a good time.