Windows with Amnesia — A Rootkit Warning
Since most people I have talked to lately haven't heard about the Sony DRM Rootkit, I thought I would mention something about it on my main blog.
First of all, a rootkit is a piece of malware1 that works like a Trojan2 virus. It employs cloaking technologies to hide processes, registry keys and files from system analysis and security software such as a virus scanner. They are the most vial attack that can be made to a computer and are virtually invisible. Rootkits can either function in what is called user mode3 by patching Windows APIs4 when a program goes to use them, or in kernel mode5 by intercepting calls made to the kernel API. Either way, they are a dangerous tool for hackers, crackers and system administrators.
If you have purchased a CD from a Sony/BMG artist and played it in your computer lately, you will have noticed that in some cases, it requires you to play it in a media player that is supplied by the CD itself. The player incorporates DRM6 that will only allow you to burn three copies of the CD as well as some other things. By putting the CD in the drive, you have to click through a EULA7 before you can listen to the music. Clicking through this EULA and opening the music player installs a rootkit onto your system. Every time you put a CD or DVD into your drive from this point on, a packet is sent off to Sony/BMG telling them exactly what you did with it as well as what the CD or DVD was; this is called Phoning Home. The rootkit also hides some processes from you and just flat out renames others. You cannot see the processes by even going to the process viewer in the Task Manager.
The rootkit is called Essential System Tools and is published by First 4 Internet. First 4 Internet is in an agreement with Sony and other record labels to package a DRM software application with each CD sold. It uses a file called Aries.sys (also hidden) to open and run the rootkit every time your computer is started — even in safe mode!
How do I know if I'm infected?
There are a couple ways a rootkit can be discovered. The easiest and most common is to download and install the latest version of RootkitRevealer or any other software that you trust to scan your system for rootkits. RootkitRevealer will show a user hidden processes, files, folders, etc.
How do I get rid of it?
That is an excellent question and the answer is "Not easily." Sony has published a piece of software with the purpose of "uninstalling" the rootkit. The software can be found here but does not really uninstall the rootkit. It simply stops the process and installs a new DRM software. Worse yet, it stops the Aries.sys file while Windows is running. This can cause an operating system to become unstable and bring on the Blue Screen of Death as well as the possibility of data loss. Currently there is no easy way to completely remove the rootkit. The more advanced ways to remove said rootkit will be added to my Sideblog as soon as I can get them typed up.
That's all for now. I just wanted to get that out for now. Feel free to email me if you have any questions about this. I'm also curious to know what you all think about having software installed to your system that can possibly cause security problems and make your system unstable without your knowledge. Feel free to comment it up.
Peace out!
- Malware – software written with an ill intent, usually to disable or destroy a computer's operating system. Examples are spyware, adware, viruses, etc. [back]
- Trojan – a malicious program disguised as legitimate software. [back]
- User mode – a non-privileged state where some code is forbidden from being executed or modified to protect the operating system. [back]
- Application Program Interface – a way for a piece of software to talk to other software without knowing the exact source or object code of the other software. [back]
- Kernel Mode – the state in which an operating system runs. Code executed in this mode has unlimited access to a computer system. [back]
- Digital Rights Management – a means for makers of digital media to protect their creation. [back]
- End User License Agreement – an agreement between the customer and the producer of software as to the user's rights as well as the rights of the software producer [back]
Print This Post
jon largent on 08 Nov 2005 at 7:50 pm #
i think sony should burn in hell for this. i also think we should boycott sony until they relize they are stupid
LarsG on 10 Nov 2005 at 7:56 pm #
A couple of comments:
A rootkit, as mentioned above, modifies the core of the operating system in order to hide programs, files and similar. Usually used as part of bad software like viruses and their ilk in order to hide their activities from anti-virus programs. A few anti-virus products use rootkit-like techniques in order to protect themselves from viruses that attempt to disable the anti-virus protection on your PC. But apart from that, I am not aware of any legitimate software that use this kind of technology. Until this story about the Sony DRM (called XCP), that is.
Modifying the operating system kernel is kind of a black art, and if you do so you have to be very careful because any bug can lead to the operating system crashing with a blue screen. Unfortunately, the rootkit part of the Sony XCP DRM is of low quality and is known to cause occational computer crashes, especially on Windows XP Media Center. If you ever see a bluescreen caused by ‘aries.sys’, XCP is to blame.
Even worse, the rootkit is not written to only hide the components of XCP, it will hide any file or directory that starts with the letters ‘$SYS$’. So if you have XCP installed on your system, any malware can easily use it to hide from your anti-virus. Anti-virus companies have already discovered malware in the wild that makes use of this.
This would be bad by itself, but there is more..
The EULA that pops up when you put the CD in your computer describes the software as a small application required to play the music on the disc. No mention is made of how intrusive it is, and you are given the impression that it should be easy to uninstall.
The software does not include any way of uninstalling itself. At the time of this writing, you have to go to the Sony website and go through a contorted process including giving them your name and email address in order to download an uninstall tool. The uninstall tool will be locked to the computer you downloaded the tool from, so if you are the administrator for 50 PCs you have to go through the entire process for each one.
Sony has been downplaying this entire issue in the media, stating that this is no big deal, that there are no security or stability risks, etc. One of the worst examples is that Thomas Hessa, President of Sony BMG’s Global Digital Business, went on National Public Radio and stated: “Most people, I think, do not even know what a Rootkit is, so why should they care about it?”.
There is even more, but I digress. For people that know a bit about operating systems and computer security this is like stepping through the looking glass, utterly unbelievable.
The XCP rootkit was discovered independently by Mark Russinovich of Sysinternals.com and the security software company F-secure. I recommend reading Mark’s blog if you are interested in knowing more. The story started on October 31
hayden on 16 Nov 2005 at 5:52 pm #
Dude, my comp got hacked too and i had to rehack my comp to figure out what he changed and what happend and how he got in. What he did was hacked into my comcast email, that my mom setup and i don’t use, a changed all of the commands and made me the admin. then he did something to the comp that i haven’t figured out yet. So he got in through an open port in my wireless router that i didn’t know was open and i have to close it and change the password and settings. But i still haven’t found anything he put on. I think he installed a trojan but i haven’t put my thumb on it. the only probeblem is my OS is 9 and there are no programs for that OS now no adaware type programs to get rid of spyware.
tm on 16 Nov 2005 at 9:20 pm #
Hayden, if your comment wasn’t riddled with run-on sentences and akward syntax, I might have a solution for you. I just don’t know what you’re asking.
hayden on 17 Nov 2005 at 9:19 pm #
yea, i know there were some errors, i wasn’t really worried about it at the moment. And I wasn’t really asking anything, just making a comment and sympathizing.