Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Sony, Rootkits and Digital Rights Management Gone Too Far

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:



Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking.

Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.

It’s relatively easy to spot system call hooking simply by dumping the contents of the service table: all entries should point at addresses that lie within the Windows kernel; any that don’t are patched functions. Dumping the table in LiveKd revealed several patched functions:



I listed one of the intercepting functions and saw that it was part of the Aries.sys device driver, which was one of the images I had seen cloaked in the $sys$filesystem directory:
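The check described above (every service table entry should lie inside the kernel image, and an entry that does not is attributed to the driver whose address range contains it), as an added example that is not code or output from the original post. It assumes a 32-bit table of absolute pointers; the module list and table dump are constructed text shaped like kernel debugger output, and every address in them is made up.

```python
import re
from bisect import bisect_right

# Constructed sample input (not from the original post): a loaded-module list
# and a DWORD dump of the service table, shaped like kernel debugger output.
# Every address is made up.
MODULES_TXT = """\
start    end        module name
804d7000 806eb100   nt
f7a20000 f7a2c000   aries
f83c6000 f83d1000   ftdisk
"""

TABLE_TXT = """\
80501030  805a4e22 805f0c7a 805f44b0 805f0cac
80501040  f7a2138e 805f44ea 805a5f0a 805f48c2
80501050  805cbb1e f7a21606 b2c10004 805ca0fa
"""

MODULE_RE = re.compile(r"^([0-9a-f]{8})\s+([0-9a-f]{8})\s+(\S+)", re.I)


def parse_modules(text):
    """Return [(start, end, name)] sorted by start address."""
    mods = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(mods)


def parse_table(text, ptr_size=4):
    """Return {service_index: pointer}.

    The index is derived from each line's own address, so a dump with a
    missing line does not shift the numbering. int() raises on tokens such as
    '????????' (unreadable memory), which makes a bad dump fail loudly.
    """
    entries, base = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2:
            continue
        line_addr = int(tokens[0], 16)
        if base is None:
            base = line_addr
        first = (line_addr - base) // ptr_size
        for k, tok in enumerate(tokens[1:]):
            entries[first + k] = int(tok, 16)
    return entries


def owner_of(addr, mods):
    """Name of the module whose [start, end) range contains addr, else None."""
    starts = [m[0] for m in mods]
    i = bisect_right(starts, addr) - 1
    if i >= 0 and addr < mods[i][1]:
        return mods[i][2]
    return None


def find_hooked_entries(entries, mods, kernel="nt"):
    """Return [(index, pointer, owner)] for entries outside the kernel image.

    owner is None when the pointer is not inside any loaded module, which is
    worth reporting separately: no driver image backs that code.
    """
    hooked = []
    for index in sorted(entries):
        owner = owner_of(entries[index], mods)
        if owner != kernel:
            hooked.append((index, entries[index], owner))
    return hooked


if __name__ == "__main__":
    mods = parse_modules(MODULES_TXT)
    for index, ptr, owner in find_hooked_entries(parse_table(TABLE_TXT), mods):
        print(f"service {index:#05x} -> {ptr:08x}  {owner or '<no module>'}")
```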



Armed with the knowledge of what driver implemented the cloaking I set off to see if I could disable the cloak and expose the hidden processes, files, directories, and Registry data. Although RKR indicated that the \Windows\System32\$sys$filesystem directory was hidden from the Windows API, it’s common for rootkits to hide directories from a directory listing, but not to prevent a hidden directory from being opened directly. I therefore checked to see if I could examine the files within the hidden directory by opening a command prompt and changing into the hidden directory. Sure enough, I was able to enter and access most of the hidden files:



Perhaps renaming the driver and rebooting would remove the cloak, but I also wanted to see if Aries.sys was doing more than cloaking so I copied it to an uncloaked directory and loaded it into IDA Pro, a powerful disassembler I use in my exploration of Windows internals. Here’s a screenshot of IDA Pro’s disassembly of the code that calculates the entries in the system service table that correspond to the functions it wants to manipulate:



I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described. They’ll have to come up with a new approach to their rootkit sooner or later anyway, since system call hooking does not work at all on x64 64-bit versions of Windows.

After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:



I entered the company name into my Internet browser’s address bar and went to http://www.first4internet.com/. I searched for both the product name and Aries.sys, but came up empty. However, the fact that the company sells a technology called XCP made me think that maybe the files I’d found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs.

The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies. I scrounged through my CDs and found it, Sony BMG’s Get Right with the Man (the name is ironic under the circumstances) CD by the Van Zant brothers. I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:



The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:



Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows:



I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software:



I still had to confirm the connection between the process and the CD’s player so I took a closer look at each process. Based on the named pipe handles I saw they each had opened when I looked in Process Explorer’s handle view I suspected that the player and $sys$DRMServer communicated via named pipes and so I launched Filemon, checked Named Pipes in the Volumes menu, and confirmed my theory:



At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter:



Unfortunately, although you can view the names of registered filter drivers in the “Upper filters” and “Lower filters” entries of a device’s Details tab in Device Manager, there’s no administrative interface for deleting filters. Filter registrations are stored in the Registry under HKLM\System\CurrentControlSet\Enum so I opened Regedit and searched for $sys$ in that key. I found the entry configuring the CD’s lower filter:



I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.
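An added example (not from the original post) that lists, before any driver file is deleted, the filter registrations that reference a $sys$ driver and what each value should hold afterward, plus the $sys$ services configured as boot-start. It goes slightly beyond the text by keeping any other filters in the same value instead of deleting the whole entry. The input is constructed text assumed to be in the shape `reg query <key> /s` prints; the device paths and the names after `$sys$` are placeholders.

```python
import re

# Constructed sample (not from the original post). Device instance paths and
# the service names after "$sys$" are placeholders, not the real XCP names.
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE\0001
    DeviceDesc    REG_SZ    CD-ROM Drive
    LowerFilters    REG_MULTI_SZ    $sys$placeholder_lower
    UpperFilters    REG_MULTI_SZ    redbook

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCIIDE\IDEChannelEXAMPLE\0001
    UpperFilters    REG_MULTI_SZ    $sys$placeholder_upper\0examplefilter

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$placeholder_lower
    Start    REG_DWORD    0x0
"""

# "<indent><value name><spaces><REG_type><spaces><data>"
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name_lowercased: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, rtype, data = m.groups()
                # Registry value names are case-insensitive.
                current[name.lower()] = (rtype, data.strip())
    return keys


def filter_cleanup_plan(keys, prefix="$sys$"):
    """Return [(device_key, value_name, to_remove, to_keep)] for Enum keys.

    Only the matching names are dropped from each multi-string; legitimate
    filters registered on the same device stay in place.
    """
    plan = []
    for key, values in keys.items():
        if "\\enum\\" not in key.lower():
            continue
        for name in ("upperfilters", "lowerfilters"):
            if name not in values:
                continue
            _, data = values[name]
            # Assumed display form: multi-string items separated by a literal \0.
            entries = [s for s in data.split("\\0") if s]
            hits = [s for s in entries if s.lower().startswith(prefix)]
            if hits:
                keep = [s for s in entries if s not in hits]
                plan.append((key, name, hits, keep))
    return plan


def boot_start_services(keys, prefix="$sys$"):
    """Names of matching services whose Start value is 0 (boot-start)."""
    found = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        if parent.lower().endswith("\\services") and leaf.lower().startswith(prefix):
            rtype, data = values.get("start", ("", ""))
            if rtype == "REG_DWORD" and int(data, 16) == 0:
                found.append(leaf)
    return found


if __name__ == "__main__":
    parsed = parse_reg_query(REG_DUMP)
    for key, name, hits, keep in filter_cleanup_plan(parsed):
        action = "set to " + ", ".join(keep) if keep else "delete value"
        print(f"{key}\n  {name}: remove {', '.join(hits)} -> {action}")
    for svc in boot_start_services(parsed):
        print(f"boot-start driver: {svc}")
```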

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

For an update on the story, read More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home.

posted by Mark Russinovich @ 11:04 AM

Comments:
Very interesting reading... I agree, things are beginning to go too far
 
"... system call hooking does not work at all on 64-bit versions of Windows."

This sounds interesting. Why not? Can you explain?
 
See http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
 
I think you're being a little generous to Sony towards the end there... you don't really know what their motives are for permanently hiding services on your system, and they could extend well beyond copy-protection in the future. They have also exposed their customers to the risk of an exploit which leverages this rootkit - if they sell enough of this crap, I can see that being a temptation too hard to re$sys$t : )
 
Isn't it illegal for Sony to do this without authorization/consent? Seems like good grounds for a lawsuit...
 
This is shocking! Have you contacted sony? If so, did you get a response?
 
Illegal? I suppose it's dependent on the presence of a EULA. Was there one for this installation? Has anyone read it?
 
Sony should pay the same fine that individuals are expected to pay if sued by RIAA. Their infringement into your operating system is just as bad as a copyright infringement.
 
Here's the EULA.

Note that there's no mention of a rootkit or the inability to uninstall or delete the software (in fact, there's a reference to being able to do so).
 
"Very interesting reading... I agree, things are beginning to go too far"

*beginning?*
 
"I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad."

He said there was no mention, I would certainly try to get a bit of money offa them. :)
 
Outstanding piece of detective work.

Do you think Sony has done the same thing for other OS's (Unix, Mac OSX, etc.)?
 
I'm pretty sure that in the UK this would contravene the Computer Misuse Act..
 
Mark, this is indeed an outstanding piece of work, and I agree completely about things starting to go too far. The minute someone starts installing services as deeply embedded in a system like this, it gets to the point it infuriates you, and, this puts DRM in the spotlight. My commendations!
 
It's lawsuit time, guys.
 
How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?
 
I predict that maybe the next time you're purchasing a music CD with similar DRM software on it, you'll never open the package, instead downloading the MP3 files for that album through (illegal) P2P file sharing.

For some strange reason all DRM software is missing in those P2P downloads, leaving you with just the music to enjoy... :-)
 
Mark,

Outstanding detective work. Would you be willing to create a clean up script for us mortals who unknowingly installed this?

I can also report that does not happen on OSX. The software that plays the disc on Windows does not work on a mac.
 
Excellent work! I was about to buy the new Santana CD which comes out tomorrow and is advertised as copy protected. I’ll have to re-think this!
 
Very interesting reading. I've always been in the camp that sees DRM as too limiting to fair use in most cases; this is the second time I've heard of it crippling machines (first I had heard was what TurboTax did to me a couple of years ago with the junk it added to the MBR). This time they have indeed gone too far. I hope someone pushes this with Sony and gets an uninstaller for this thing posted on the Sony front page.
 
I have to ask. Do you still have the offending CD ??
If so, why ? We all hear that the recording companies are protecting their profits.
There is NO profit in an item that does NOT sell.
Hit them in their pocketbook. Return the CD for a full refund.
I currently do this with all DVDs that contain advertizing I cannot 'skip'.
I do not buy CDs with copy protection. Especially the SACD format.
Do what you will, but I feel no actions, no complaining.
EXTREMELY great work on this example, B.T.W. !!
===
 
I think it's fair to say that since he didn't know what this malware was, and that it isn't mentioned in the EULA, that it's fine to disassemble, reverse engineer, examine or otherwise dissect this piece of crap.
 
"If you have a Mac computer you can copy the songs using your iTunes Player as you would normally do."
http://bigpicture.typepad.com/comments/2005/10/drm_crippled_cd.html

I am more and more happy to be on a MacIntosh...
 
Do you suppose the same rootkit is hidden in the music download software Sony forces its MP3 player purchasers to use?
 
Another fine example of why the music industry is losing support and people would generally just download music off irc or p2p. Good work sony! If suing 8 year old kids that the RIAA cannot verify to actually exist is in question why not install a backdoor like a common botnet cracker. Don't wait in line for my purchase...
 
This software will be considered spyware under the ASC definition,

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information.

I can see it certainly doing the first two, and doesn't need to do the third.

The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC....

Don't think that the Govt won't be taking Sony to court... they took Microsoft to task over anticompetition... all it takes is a letter to your Senator!
 
I guess this reinforces the idea of turning off AUTORUN of any CD/DVD device.

This should still allow one to listen and rip to MP3's. How so? According the linked article to CNet,

"As for more basic CD player compatibility issues, Gilliat-Smith says the discs are compliant with Sony Philips CD specifications and should therefore play in all conventional CD players."

If you do not allow the CD to perform its autorun routines, you won't have the software installed, and it should be viewable as a standard audio CD.
 
INAL, but this appears to be illegal in the State of California, punishable by a $1000 fine per computer affected.

California Business & Protections Code Section 22947.3, Paragraph C:

A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
...
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.

This is some horribly written legislation (difficult to parse), but it appears that you must be able to specifically decline to install software (regardless of EULA conditions).
 
This is exactly the reason that I disable the CD Autorun feature on my systems. It amazes me that this feature is on by default. It allows any arbitrary code to run on your system just by sticking a CD in your drive. This, coupled with the fact that most Windows user accounts run with administrative privileges is a disaster waiting to happen.

-pf

ps Wasn't this a spooooooooky comment?
 
Re: patching.mspx...

So, mark, what you're saying is that Windows 64 comes with a rootkit preinstalled.
 
Eric... Bada Bing, Bada Boom....

That has so got it. I'd like to see someone in LA 'unintentionally' install this software and start the class action.... the only real winner is the lawyer that wants to take on Sony's goons...
 
There is a "kind" of legal precedence for this. The case of Sotelo v. DirectRevenue which was recently decided in Chicago says that installing spyware is an invasion of privacy into the home. To get to this point is only a small jump from that case. I think that we should sue the ass off Sony, and I would boycott products except for the fact that Sony has its claws in EVERYTHING (half the movies you see out there are Sony stuff, even if they don't say so). It is unfortunate that this is happening under the auspice of "copyright protection" when all it does is screw over the last honest consumer who actually bought the damn product for their $18.99 Best Buy "sale" price. tsk tsk and shame! This is why free source stuff is the FUTURE!
 
Mark comments in the article:
"...I’m careful in my surfing habits and only install software from reputable sources..."

Are we entering a Personal Computing world where such assumptions about reputable sources no longer apply?

Forget ghosts and goblins. This scary Halloween story sent shivers up my spine.
 
At the very least, do consider billing Sony for your time...
 
Thanks for pointing this problem out. Most of the music I buy is from small, classical and jazz labels so I haven't come across this yet. But I'll keep an eye out for Sony. They have no right to mess with your machine so badly!
 
First 4 Internet Ltd. is a British company, hence why the .com tld didn't work. On their page they advertise their XCP Aurora "eXtended Copy Protection" software. Seems to me they extended it a bit too far.
 
Look, the EULA has been modified!
"As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise. "
 
Perhaps if you kernel level developer guys were a little less friendly and helpful on your mailing lists you could prevent things like this being created.

Ceri Coburn of First4Internet.co.uk asking for help writing a cdrom filter driver
 
This makes buying DRM'd MP3's off the net a much more viable option.

IE, with ITMS, I know what DRM is there, and what it does and doesn't do. There are no secret root kits or such installed with the song.

Does anyone know what sort of hooks the root kit puts into the PC for remote access? call home features, etc?
 
I see what you did there.
...No, I don't, but it's a nice stab in DRM's back.
 
Has anyone else done any work on how well XCP is written? From looking at First 4 internet developer Ceri Coburn's post around various mailing lists. I would also be worried that the rootkit is actually badly hacked together hence the processor overhead and the half hidden files.

Has anyone checked if it calls home too?

my blog post - http://www.cubicgarden.com/blojsom/blog/cubicgarden/culture/2005/10/31/Make-no-mistake-the-new-battle-lines-have-been-drawn-rootkits-and-all.html
 
This story is featured on Digg.com
http://www.digg.com/security/Sony,_Rootkits_and_Digital_Rights_Management_Gone_Too_Far

Please Digg this story and let the word spread.
 
Damn, I thought I was first with the rootkit DRM idea. Just few days ago I wrote a rootkit that acts as a DRM system, as a demonstration about the Finnish law (and EU copyright directive) regarding effective technological measures. I was thinking I could demonstrate that the law will protect malware, too, which is obviously unintended... but to see the same techniques are used in an actual DRM scheme already being deployed, I'm shocked.

Here's a summary about my copyright projects:
copyright_projects_en.txt
 
First 4 Internet Ltd is going to have some very upset clients, after they read Mark's review of the shoddy DRM code they were sold.
 
wow, spooky story for this Halloween evening. Glad us Mac users don't have to put up with crap like this.
 
Ironically enough, you'll never find this sort of thing happening if you download off of iTunes et al. If the record companies want to try and draw music buyers away from a company they feel is stealing their market share in an "unfair deal" that they themselves cut, they might try not ravaging their customers systems. After Sotelo vs. DirectRevenue, I really think this has class action potential. So, the question is, who's going to get the ball rolling? I vote Mark, as he has all the evidence accumulated from personal experience, and because it will be awesome to read about it in this blog :)
 
I perform an average of 3 virus removals a day. Until two months ago I had never even run into a rootkit on a customer machine but now I see one every other day (usually the same spyware program). I have a bad feeling that number is going to rise significantly after this.

Also, here's an easier way for editing the registry tags for most people. Open regedt32, right click the parent key (if you select the value itself you'll get access denied), select permissions>advanced>owner tab, select your user or group from the list, check 'replace owner', click OK. Now you can add your own access permissions to the key then remove or edit the values.
 
Way to go, Sony. You've really made me want to legitimately purchase music, now that it includes worse viruses than I'll find on Kazaa.
 
What will happen if an unsuspecting user has a dozen DRM'ed discs, each with their own player and each using a bit of CPU even if they are not being used, and each adding a filter to the CD/DVD drives ?
I suspect that performance and stability may take a hit.
 
So, here's the really important question. Will this thing install if you are running a limited user account? Does running as a limited user account provide any protection at all against getting rootkitted off a cd like this, or is that just another Windows fallacy.
 
per Sony's own site you need admin rights to install the player. I don't believe this circumvents the DRM/rootkit installation, however. It appears to only make the DRM encrypted media unplayable.

-d/\/
 
The more interesting question is how Microsoft will view this effort of Sony's. They have taken great pains to bend Windows to Hollywood's demands, but this mechanism CANNOT be seen as secure or of benefit to their own customers. Will the XCP signature be included in Microsoft Anti-Spyware, or the monthly Malware Removal Tool? There is no way this supports "trustworthy computing", however according to the Cnet piece Sony appears to have backed this XCP heavily.

I will be fascinated to see if major antivirus/malware outfits start flagging this (the visible evidence at least) - I don't see how they can accept this level of system intrusion, but then Sony is sooo big and this would panic a fair number of users. Maybe a Secunia advisory is warranted, too.
 
This article has been written up on WFMU's Beware of the Blog.
 
"So, here's the really important question. Will this thing install if you are running a limited user account?"

Good question...I wonder about that myself sometimes.

I believe that running as a limited user account does protect oneself against this sort of thing, unless the malware uses nefarious means to install. If there is an unpatched vulnerability in the OS that allows for privilege elevation or otherwise provides access to the areas that are usually admin-only, and the malware author takes advantage of that, all bets are off.
 
Mark, this alert (DRM software) may be activated on Administrator account (or with some additional privileges for install drivers)?

User account not have risk to install this hidden software?
 
Being an artist myself, I find this horrific. I own 3 PCs at home, and over 12000 songs. I've basically downloaded an app to convert all these songs into .ogg format, and I've renamed them all through freedb. I think it's a shame that more artists aren't aware of this stuff, as I'm sure some would take a stand - especially now that newer medias are being considered for music distribution. I guarantee you, I will always ask the question to a record company before putting a CD (or any other medium) on a shelf.
Actually, why not get artists to change the way they copyright their music? if they own the rights to it, then the contracts they sign should include clauses to this effect, no?

Anyway, good work!
 
Mark, you missed to check several things in the article:

- how did the rootkit driver install anyway without windows asking you to install unsigned driver dialog box?

- if the rootkit driver was signed so it installed silently, who signed it?

- can the rootkit driver install on non-administrator unprivileged user account?
 
Should anyone ever need a better reason to disable autorun?!

Bad Mark ... BAD!

Add it to your "Things to do after installing Windows" List!
 
First4Internet, eh?... let's see... according to public records, they were incorporated 24/11/1999. In 2004 they had a turnover of £709,941 and operating expenses of £1,301,546 -- meaning an operating loss of £591,605. In the last five years they have, on average, lost £541,067 a year. For 2004, their credit rating is "HIGH RISK" (complete with capitalisation). Meanwhile, the four directors share annual remuneration of £224,413 between them (average £56,103 each).

One of the directors, Nicholas Bingham, (appointed in 2002) was director of "Sony pictures home entertainment Ltd." from 1989 to 1997, and director of "Sony pictures television production UK Ltd." from 1996 to 2000, and director of "Sony digital radio europe Ltd." from 1994 to 2000.

A cynic might say Sony selected this inept copy protection technology because it was supplied by one of their cronies. The reason this is a bad business practice can be seen by the software's many failings.
 
i don't even use windows, but i'll never buy another sony product after reading both this article and the one concerning the new protected My Morning Jacket CD. sony just lost the purchase of a new stereo receiver and a 55" LCD TV. further, i will never again buy a sony product and for sure NEVER buy another sony CD - where before i may have downloaded a few tracks and then bought the cd if i liked it, i will, well, you know - but not buy the cd. jesus, when will these companies learn that we're not idiots and that WE WILL SUPPORT THOSE THAT ARE GOOD TO US. if you're good, we give you money, if you're a dick, you're faded....
 
another question surfaces: what does this rootkit actually do besides hiding itself?
 
Interesting article and the EULA is just as interesting , (all third parties are considered authorized licensor's) which would seem to imply that sony takes all responsibility for any and all action (specifically, damages). Obviously there's a waiver in there, but it means crap. What I find especially interesting though (especially in regards to a lawsuit) is the mention of terminating the license. You're required to remove, delete or uninstall the software.

Now here's the thing, if the software is difficult to remove, you might need to hire someone to remove it for you. I'd imagine that this would be covered by strict liability and therefore be billable to Sony.
 
Wow, I mean, wow. Simply because I don't like the thought of rinky-dink media players galore installed on my machine, if I get any CDs that try to deploy such software I use ISOBuster (http://www.smart-projects.net/) to rip the audio and ignore anything else on the CD. You can then also use media player to rip to your machine, or burn back to a 'standard' audio cd.
 
"making system recovery extremely difficult if any of them have a bug that prevents the system from booting."

This has already happened:
http://www.microsoft.com/windowsxp/expertzone/chats/transcripts/05_0818_mce.mspx
Apparently it crashes at least some Media Edition PCs.
 
Just out of interest, is there any way of directly playing a digital audio stream, (via fiber from a CD/DVD player) directly in windows?

That way you could listen to your tunes, and not have to deal with such crap.

I figure that most recent PCs (even my cheapo POS) have a Fibre port on the mobo, but are they bi-directional or output only?
 
Hi,

If this is a British company, or one which operates from the UK then they may have fallen foul of UK law, specifically the Computer Misuse Act 1990 as follows:

"3.-(1) A person is guilty of an offence if-
he does any act which causes an unauthorised modification of the contents of any computer; and
at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing-
to impair the operation of any computer;
to prevent or hinder access to any program or data held in any computer; or
to impair the operation of any such program or the reliability of any such data.

(3) The intent need not be directed at-
any particular computer;
any particular program or data or a program or data of any particular kind; or
any particular modification or a modification of any particular kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.
"

It would seem that this law would apply to any UK citizen whose PC was affected by this software. It would be interesting to see what the consequences of this would be for the company in question.

Kind Regards

Simon
 
I have refused to buy Sony products for a couple of years now because of their customer unfriendly policies. This is very painful to me, as a geek: after all, Sony make some great products. But, fortunately for us, they do still have competitors. I strongly urge others who are outraged by this behaviour to adopt the same refusal to do business with Sony. Not just for CDs but also TVs, Vaios, etc.
 
I still don't agree that consumer music purchases are properly construed as licensed IP content. And in any event, that was certainly never clear to the purchaser of an LP, nor the purchaser of a CD. If these companies want to protect their content using the techniques of shrinkwrap software licensing, they need to make explicit reference to the capabilities and limitations of the content on the outside of the package, including minimum system requirements. That might ruin the pretty cover art consumers expect, but it would also let them know that the rules have changed. They also DEFINITELY need to provide an uninstaller. As it is, Sony is simply resorting to the techniques of computer criminals and disreputable vendors. I would suggest that perhaps they think we're all criminals because that's what they are themselves.
 
I never have purchased Sony music, and this is a better reason never to.

The odd thing is, this must have been happening for some time. This had to pass under hundreds of noses.

This shows just how poorly we're protected by virus scanners, while we pay ~100$ a year to line their wallets.

I think this will see many more people switching to Linux. Just look at Ubuntu (which gives away free live CDs, honestly).

If the Microsoft OS can be hacked against the user this easily, they have a major problem. And if an EULA can change that easily to cover their own back sides, the law has a problem.

Robin Monks
Drupal.org Marketing
 
Interesting article, of course this only applies to Windows O.S.s (does the CD play happily in all versions I wonder?)

Have you tried to play the CD in a Mac or Linux system?

Presumably it plays OK in an ordinary CD player?
 
This DRM stuff is getting so out of hand and thanks to Mark for uncovering it. Even though I work in IT myself, I never would have found this lurking piece of software, let alone known how to remove it.

Aren't I glad to be a record collector - yes, I buy actual vinyl LP's. No DRM mess there.
 
Now I have one more reason not to buy any copy-protected cd's.

I recommend anyone who would like to buy a copy-protected cd, to download it from p2p-networks.
 
Thanks Sony!

Now when I write my worm, all I have to do is name it "$sys$" and it'll be "Auto-cloaked" on systems you've compromised.
 
This needs to get into the mainstream media. The only way our views are going to have any effect, is for it to become high profile in the press:

BEWARE: ALL SONY MUSIC CD's CONTAIN A VIRUS!

Surely a competitor is willing to get this one plugged......
 
In Australia, this software contravenes the Cybercrime Act, and does it with intent (=jail time up to 10 years).

EULA's do not trump laws. You cannot contract murder, and you cannot contract your way around laws designed to prevent secret, unauthorized intrusion and modification of a system.

There are at least three sections of the Australian Cybercrime act this software contravenes.

http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112/sch1.html

Section 477.2 is quite explicit:

"477.2 Unauthorised modification of data to cause impairment

(1) A person is guilty of an offence if:

(a) the person causes any unauthorised modification of data held in a computer; and
(b) the person knows the modification is unauthorised; and
(c) the person is reckless as to whether the modification impairs or will impair:
(i) access to that or any other data held in any computer; or
(ii) the reliability, security or operation, of any such data; "

If Sony BMG sell their CDs in Australia with this malware automatically raping PCs, it's only a matter of time before someone rings the Australian Federal Police and sees if criminal charges can be laid.

UNACCEPTABLE.

I will not be buying any more songs or albums from Sony BMG or any publisher that tries to infect my machines with illegal, offensive malware.

Artists - do you hear me? Jump ship! Insist on no DRM in your contracts or we will NOT buy your stuff.

Andrew
 
Very nice work. I would certainly not have the skill to find the rootkit, much less remove it and link it to Sony like you did.

*Note to self*: No DRM CDs.
 
This is, I think, the scariest thing I have read in a long time. Since this software was poorly written, Mark was able to find it "easily." How much software do you think is out there that was written by an excellent programmer? Someone smarter than Mark? Just one more reason for me to be paranoid...

Why can't the record companies be more open and honest with the consumers. And don't give the knee-jerk answer of "to protect their profits" because this isn't protecting their profits any more than, say, a small application that you knowingly install on your system to play content protected CD's. If you don't want to install the software, you can't play the CD's. Everything is open and in the clear, and nobody is sneaking around playing cloak and dagger on your computer.
 
Last time I checked, there isn't some sacred constitutional right to a pure and virginal Windows. You're all consumers. Build and use your own god-damned OS if you want to know EXACTLY what's where, when, why, and how? Wait... some people already wisened up and did that. Look it up, it's called Linux.
 
Astonishing article, dear Mr. Russinovich!
But really autorun can avoid this security problem? Thanks in advance.
 
Danny, it was made years before Linux ...
 
There's more information at
http://www.f-secure.com/weblog/
 
Last I checked this is illegal in the United States as well. If you didn't agree to it in the EULA, then it is no different than if a script kiddie planted it on your system.
 
True: There's no sacred constitutional right to a free and virginal Windows. But there are laws against tampering with computers without the consent of their owners (regardless of whether there is malicious intent), and since this software makes significant changes that are not disclosed in the EULA, I think the actions violate the intent of the law.

By your logic, no one should have any reason to trust any product or service not built or performed with their own hands. We should all build our own cars, our own houses, and perform our own surgeries on ourselves.

That's silly. There are laws to provide some basic protections against fraud, deception, and other maliciousness in commerce. Sony and other music labels are required to abide by them, just as consumers are required to abide by copyright laws.
 
It is also being covered here:

http://www.f-secure.com/weblog/#00000691

It seems that SONY is providing information about removal, on request. So nice of them. :-)

People have to start boycotting products from these companies. If you are considering buying music or games, spend some time investigating them first. I recently thought about buying the latest Splinter Cell Game "Chaos Theory". After a brief search on the net I found out that they are including a new copy protection driver from an infamous company (safedisk) that is creating havoc on users' machines. I'm not interested in the product anymore.
 
They have gone to great lengths to protect the software from tampering. The software is a copy protection. By disassembling and reverse-engineering it before finally removing it, you have not only effectively circumvented their copy protection, but you have posted it on the Internet, too. In short, you are in violation of the DMCA. Same applies for any other malware or viruses that you circumvent through the use of anti-virus software.

One anonymous coward suggested to make use of other operating systems or even a normal CD player. Again, this would be a way of circumventing the copy protection software, and thereby be in violation of the DMCA.
 
Thank you for the excellent write up and your diligent work. One question I have as an admin at my company is whether or not you need to be an administrator to install this "player" on your PC. It scares me to think that people will be bringing in their music CDs and installing this onto our machines. The possibilities for exploitation by fourth parties are certainly scary. Thanks.
 
Great work. Now front paged on The Register.
 
'ere's a neat link:

http://castlecops.com/postp605449.html

This software is not only poorly written, but it has been causing bluescreens for a while now. And if you delete the offending device drivers, your CD-ROM drive is no longer accessible. Seriously, this has class action lawsuit written all over it. Even if Sony DID go in and modify the EULA after the fact.
 
I'm AntiVirus Coordinator for a state agency...
I found the exact same issue about 2 months ago at work. Symantec AntiVirus 10 Corporate Edition's Tamper Protection was throwing a fit about this on a user's computer, and was reporting the name of the offending .dll. I tracked down the issue essentially the same way Mark did, opening the folder with the hidden files, since it was reported by Tamper Protection, then deleting them. I got bunches of errors before I figured out that the files were being loaded from the registry, and also determining the permissions issue. I wish I would have realized how important it was. Oh, I also got the company name, by right-clicking on one of the .dlls, and selecting properties. It shows there, too. I went to the company's web site, looking for an uninstaller, but couldn't find one. I also had to fight to get the CD drive back. Very annoying, and now reported to be a dangerous rootkit. I'm furious!
 
It's kind of Nerd version of an Agatha Christie novel ;)
 
pennino: Actually, the latest Splinter Cell uses "Starforce", not SafeDisc. That particular version of Starforce doesn't support 64-bit Windows (I dunno about Vista...), so I too didn't bother buying that game.

That doesn't mean SafeDisc is any better. I tried "CloneCD" a couple of years ago, and because the uninstaller left some settings under HKCU, new games (e.g. Battlefield 2) refused to run, accusing me of running "CD/DVD emulation software". Thanks to regmon I quickly located the maverick registry key entry and wiped it.

FWIW, the SafeDisc device driver (secdrv.sys) is even distributed alongside Windows Server 2003. (Probably comes with XP as well) So you don't need to be an administrator to install SafeDisc protected titles... (oh joy)

As for those pointing to this "linux" thing, claiming security superiority... Well, first time I heard of rootkits it was in the context of Linux. As long as the user can install device drivers (i.e. is running as root/administrator), malware can cause serious headache, regardless of OS.
 
I don't get why Sony do this. Surely they're attacking the genuine user? Won't people be now scared of buying Sony CDs and therefore choose to steal the tracks from file-sharing systems instead - ironically because they can be trusted more! How is that a good thing for Sony to do?!
 
I noticed the same thing on my recent copy of (Sony published) "Suspicious Activity" by the Bad Plus. (What is it with these overly appropriate disc titles?)

I didn't allow it to install the player... too many memories of "free" players and software that screw up your machine (anybody remember the Radio Shack "cat" scanner?) to make me want to install a player just to play a single CD. Looks like my suspicious instincts were dead on in this case.
 
In regard to the question by JernejL about if the driver was unsigned and if so, why there was no prompt, driver signing is only checked for drivers installed by the User Mode Plug and Play service - NOT for drivers that are installed using standard Windows APIs. This is a weakness in Windows, not something sneaky Sony did - no installation of a non-plug and play driver (e.g. CDROM burner software, antivirus, etc) gets checked if it's signed.

This is supposedly being addressed in Vista/Longhorn.
 
It seems to me that if a company as large as SONY were to be strictly reprimanded and everyone whose computer was 'Kit-ed, were paid the FULL price of a Computer Geek reformat and re-install plus damages, they may wish to refrain from such behavior.

It's ironic that Sony, the ones who brought us Fair Use in video (lawsuit protecting against Disney in the early 80s (I had beta)) are as draconian as they are now. It's clearly all about money and principle be damned.

How about some action from our legislators?
 
Spirit Wolf for President!
 
I'd like to point out that sony also installed a 'software protection service' on my system when I tried a gamedemo, it supposedly checks the legitimacy of game cd's yet obviously the gamedemo did not come on a cd, to make things worse when I uninstalled the demo the service remained.
All of this was done without noticing the user of the action.
Since then I started to boycott sony, I am not supporting a company that tries to hack my system, thank you very much..
Don't think that avoiding only music-cd's from sony will keep you safe from them.
 
Linked to at the Ziggurat of Doom.
 
Something which concerns me about programs such as this is the access to the harddrive. I found my living room box wakes up a harddrive every 10 mins (sometimes it never sleeps) thanks to badly written taskbar utilities. I eventually found the only way to get drives to sleep permanently was to kill explorer.

If this DRM software is doing the same thing, there is a case of wasting electricity and causing undue wear and tear on equipment...
 
As a protest against Sony, I figured I'd download the album from a fileshare system and listen to it for free! But then I found out that it's country and western! Hell, I'm concerned, but not *that* concerned!
;-)
 
As always, your articles are as excellent as your software offerings.

small typo (I think) :-)

HKLM\System\CurrentControlSet\SafeBoot

should actually be

HKLM\System\CurrentControlSet\Control\SafeBoot

Regards,

Jack
 
Thanks for the feedback and the correction.
 
In the UK, this would be a clear breach of the Computer Misuse Act 1990. So you would not need to initiate any expensive lawsuit. Just dial 999 and let Mr Plod sort it out. If anybody gets a virus onto your computer through a channel created by Sony, this could be construed as "aiding and abetting" and will be a further offence in its own right. In the meantime, the best way you can protect yourself against this sort of thing is to stop using Windows! Think: if they won't let you read the source code of their software, how do you know it is pure?

It's a valid defence to the crime of "bypassing encryption" that you were the intended recipient of the encrypted message. In addition, you have certain statutory rights relating to reverse engineering that cannot be abridged by even a legally-binding contract, much less an unenforcible document written in pseudo-legalese attempting to deceive you into believing it has some standing. Basically, if you are the rightful owner of the disc then no true fact concerning it is a secret from you.

If your PC has plenty of RAM or two CD drives, just use Slax, a simple form of Linux which loads from a CD, and includes cdparanoia {for ripping individual tracks as .wav files} and cdrdao {for creating a .toc / .dat pair}.

I might be moved so far as to go on to produce my own self-booting Linux CD which will load an OS into RAM, enable the CD to be ejected and swapped for a music CD; and then rip the CD tracks to a plug-in USB memory storage device.
 
If they ever publish a product with that kind of "protection" in Germany, I am so gonna sue them. Luckily we still got some laws against that kind of computer sabotage.
 
As for suggesting a class action suit, this blog entry made it on cyberia-l (a listserve for attorneys interested in this type of law) last night, and I suggested such in my response.

The EULA changes don't seem to do much to help Sony's case, given in particular that they haven't included an uninstaller anywhere. The fact that they go out of their way to hide the software also is going to cut against their defense.

And even with the EULA, they still have problems. After all, what happens if you run into the EULA during installation, and decide not to go ahead with it? Is Sony prepared to refund your money? Or the vendor from which you purchased the CD? Unlikely.
 
My initial guess is that Sony did this because they had become frustrated with dealing with computer and software companies in trying to get DRM software and hardware incorporated into new computer systems. They essentially took the law into their own hands. Unfortunately, it looks like they violated any number of laws around the world while doing it, plus potentially caused monetary damage to untold numbers of computers under multiple legal theories (remember that trespass to chattels case that came down a week or so ago?)
 
Another option: Let the artist(s) know what you think of their label's behavior. Here's contact info from their site (http://www.thevanzants.com/)

Contacts
Management:
Vector Management
Ken Levitan and Ross Schilling
P.O. Box 120479
Nashville, TN 37212
Phone: 615-269-6600
Fax: 615-269-6002

And thanks for the great article!
 
Found a link to this article on BoingBoing, and read it with trepidation, even though some of the heavier tech was a bit over my head. I think it's the hypocrisy that offends me most about it...I'd try to boycott Sony completely if possible, but they have more fingers than there are pies to go around, so fat chance. So I did the next best thing that I could think of, namely link the story and let more people know, albeit in not quite such a code-laden idiom! Good to know people like you are catching these things on behalf of the hapless end-user multitudes. I salute you.

Velcro City Tourist Board
 
Chad:

"... How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?


How the heck are you supposed to tell what is covered in the EULA without having to stumble across it while cleaning up apparent malware? If Sony was all that interested in keeping people from reverse engineering the software, they should have specified what software they were talking about instead of simply hiding it and crossing their fingers. That's like being charged for trespassing because someone redrew the property lines around you without your knowledge or consent.
 
everyone here talking about stop using windows, what do you think will happen when/if linux becomes the most popular desktop of end users?

do you think virus writers and big corporations will not adapt?

do you realize that this thing doesn't happen to linux not because it can't, but because right now it's just not worth it with an end result of only infecting about 3% of the end user/consumer population.

mark,
once again you have effectively delivered valuable information! thank you!
 
I just spoke with Chris at Vector Management, who represents the VanZants. He was very apologetic about the whole deal, and apparently his company didn't know Sony was doing this until the story broke last night. He did agree that his company would be contacting Sony to attempt to rectify the situation.

I made it quite clear that I would never buy any DRM'ed music CDs and would probably never again buy a Sony Music CD of any kind.

Hopefully someone will do some serious legal bashing of Sony - has anyone contacted the EFF about this?
 
If the law will not act (yet to be tested) why not contact the big news companies CNN, the BBC etc get Sony some bad publicity as the big company that has one rule for it and another for everybody else....
 
In order to combat their installation of crap like this, I wonder if it's possible to charge them for cpu time and disk space?
 
Sony must be using two versions of this shit because Mediamax is the one I've been seeing here in the states. Hides malware the same way. Wonder if Sony's using different names for their Anti-Rip code in different parts of the world. Damn underhanded if you ask me.
 
>How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?

I'd say that since he was uninstalling, he was in the process of terminating the license, and under those circumstances I'd say whatever means necessary.

stealthaxe.
 
I'd be curious to know if you have done any similar investigations in the heavy handed world of game copy protection? It's even more insidious here, because you *have* to install the software. Games like Space Rangers use a copy-protection scheme called "Starforce" that already has shown to be broken with Win64:

http://dubiousquality.blogspot.com/2005/10/space-rangers-2-and-windows-xp-64-bit.html

It installs a device driver that, I guess, scans the CDs to make sure it matches a non-pirated version, or some such.

I also had a problem with a JoWooD game that refused to run because I was running Roxio's Copy to CD program, and I got:

Message: Potential Conflict with Disc Emulator Software detected.

when I tried to play my legally purchased game.
 
Is Sony's Blue-ray DVD's going to have this same DRM nonsense? This sounds like a good reason to back HD-DVD's instead of blue-ray.
 
I'm tempted to install this software, then intentionally break the driver, then call Sony and demand support
 
Say, anyone have a copy of the offending device drivers, most notably crater.sys?

XCP doesn't offer a download, and I'm not paying money for a DRM-corrupted CD I probably won't listen to anyway.
 
Sony owns Epic Records too. I bought a Dead 60's record and it installed this crap on my computer and I ranted about it in my blog: shaddupandlisten.com. About a month ago I had some computer crashes and Microsoft told me it was being caused by First 4 Internet. I didn't connect the dots at the time, but I was very pissed. I didn't install anything by First 4, and I just wanted to uninstall it. But I couldn't find it or uninstall it. After about a month, I gave up and reluctantly "updated" the First 4 software. It is still on my computer. Aarrrrrrgh!

Epic has a LOT of artists and this DRM/Malware may be massively distributed on disks by Fiona Apple, Tori Amos, Audio Slave, INXS, Franz Ferdinand, Ben Folds, Shakira, Oasis... and More.
 
Sony is huge. According to this Wikipedia article, http://en.wikipedia.org/wiki/Sony_BMG_Music_Entertainment, they own Arista Records, Columbia Records, Epic Records, J Records, RCA Victor, RCA Records and many more.

I just Googled and found at least 2,160 CDs with copy protection on Amazon.com, and judging by a quick-scan, it looks like virtually all are distributed by Sony BMG.

Just do a Google search for site:amazon.com "[CONTENT/COPY-PROTECTED CD]"
 
... this is a bit offtopic but...
have you ever heard about the palladium project? sony's DRM is just a little in front of it...
just for the ones who don't know, the control will be in hardware too, not only in software...
google for it...
 
Rune: you are right, it's not SafeDisc on the latest Splinter Cell but StarForce. Anyway, the entire trend is disturbing. Although a little less heavy handed than SONY, even online game players have to start being careful about the games they choose to play:

http://www.rootkit.com/blog.php?newsid=358

It's a different technique from the "rootkit method" explained by Mark but a scary trend nonetheless.

By the way, to those interested in better understanding the concepts explained by Mark in this post I strongly suggest watching the webcast he presented last June at TechEd:

http://urlsnip.com/262439
 
"I think it's fair to say that since he didn't know what this malware was, and that it isn't mentioned in the EULA, that it's fine to disassemble, reverse engineer, examine or otherwise dissect this piece of crap.
# posted by Chris : 6:09 PM, October 31, 2005"
You what? Who cares about the EULA, oh - am I allowed to check what crap has been installed and keep my PC clean, No! cause I clicked Agree to some bullshit EULA.
It's HIS computer, why shouldn't he remove malware?
 
More reasons to use a macintosh computer.
 
MAC, Linux, Winders? Come-on... you people are not that stupid. One reader stated it correct. Once Linux or MAC gains market share we will be attacking those platforms. Then again, don't hold your breath... we have been hearing about the year of UNIX for nearly 25 years. The MAC was released somewhere in 1984. 20 years and less than 5% market share. Ain't gonna happen folks!
 
iTunes, at least for me on XP, would not import the Van Zant CD. Had to use the built in software to write (DRM'd) .wma's, burn a CD/RW, and then import into iTunes. PITA.

Sony's latest DVD releases (Bewitched and Lords of Dogtown) also have a new anti-copying scheme using unreadable blocks. Just watching LoDT on my computer gave my LiteOn DVD burner a nice clicking noise whenever a disc is inserted.

Nice catch Mark. Now I need to clean up my computer that had the vanzant CD in it. And never buy Sony products again. None.
 
My scan tools will trip over this as an altered system call. Meaning much more work for me, much more work for the systems administrator and much pain for everyone all the way around in the longer run. So if I have to do forensics on a box, I wonder if I can send the bill to Sony. Or how’s about all those small businesses who will have to deal with this one. Makes a great legal excuse when someone finds a root kit from Sony on the box, and if the hackers find a way to co-opt the software to do what they want it to do, everyone gets off free, no legal recourse, because the evidence of a root kit or Trojan immediately takes the responsibility for doing something bad away from the person you thought was doing something bad. Legally, this ties the Hades out of my hands and management's hands along the way.
 
"In short, you are in violation of the DMCA. Same applies for any other malware or viruses that you circumvent through the use of anti-virus software."

This is a joke, right? Malware and viruses protected by the DMCA? Let's see some case law, please.

I can't imagine any politician or court protecting virus writers.
 
So Mark, you wouldn't want to write a removal app for this evil Sony rootkit, and maybe a nice piece of software that keeps it from getting installed. In fact, this is the way a couple other DRM programs work, so I wonder if someone has ever written a program to protect against all of them?
 
This isn't 'just as bad' as a copyright infringement, it's at least a quadrillion-septillion times worse! Nobody is hurt or loses productivity in the event of copyright infringement. If your computer was exploited by something taking advantage of this, however, sensitive information could be stolen, downtime could be detrimental, you see where I'm going with this.
 
"so I inserted the CD into the drive and double-clicked on the icon to launch the player software"
 
Uhm, what I was trying to say is that all you folks telling Mark to turn off AutoRun, well, he didn't just let it autorun.
 
Microsoft ought to be as pissed as anyone about this. It's just this sort of thing which is largely responsible for the fact that MS Windows is the flakiest OS on the planet. Though I suppose one could argue that it's MS's fault for building an OS where a vendor can get away with this sort of funnybusiness. Another reason to turn off autorun on your CD at any rate...
 
Arthur Nonamiss 7:30 AM, November 01, 2005 said...
"Someone smarter than Mark?"

Do you believe that is possible?
Not!

Thanks Mark for a great story.
 
Mark - I'm glad to see this. Thought I was the only one steamed about this. I bought a reissue of an obscure jazz trombone album from 1964. It had this DRM on it. Sony has a site in the UK that deals with customer issues regarding this. I returned the CD and asked that they tell me how to remove this software. They have to install MORE software in order to remove this software. After trying with Sony, I wrote First 4 Internet directly (at support@xcp-aurora.com), regarding the removal process of their XCP-Aurora software, and asked what the ActiveX software was they need to install in order to remove the XCP software. Here is what they said, on October 27:

Dear Tom:

The updates site initially prompts the user to install an ActiveX control which detects if there is an XCP - Aurora installation and then selects the most appropriate update. To remove this activeX control simply open the folder ‘systemroot\downloaded program files’ (On a windows XP computer with a default installation the systemroot folder will be ‘C:\Windows’) and delete the file ‘codesupport.ocx’.

When the activeX control has been installed the Updates Site will display one of two screens. The updates site will either inform you that it cannot find an XCP installation or it will offer the download of Service Pack 1. Service Pack 1 contains several updates and workarounds but is essentially the same software that was originally installed from your purchased CD. If the Update Site displays the screen informing you it cannot find an XCP installation then the previous uninstall attempts have been successful.

If however the Update Site prompts you to install Service Pack 1 you can follow John’s instructions and the new uninstall should be successful. All you will be left with is ‘codesupport.ocx’ which is from the website not the CD so isn’t part of the uninstall process. ‘Codesupport.ocx’ is easily removed following the instructions above.

The FAQ (Frequently Asked Questions) for the Update Site contains detailed information regarding installing the activeX and downloading updates. The FAQ can be viewed here http://updates.xcp-aurora.com/faq.aspx.

If you have any further issues or the FAQ doesn’t resolve your questions please do not hesitate to reply to this email.

Very Best Regards,

The XCP – Aurora Support Team
http://updates.xcp-aurora.com
 
Nice. I wonder if they like jail time. By your description the program and its failure to disclose and ask permission to do what it does, would be FELONY COMPUTER TAMPERING. Under Illinois law, what that does is a class 4 felony. Other States have similar laws.
 
the trick is to install it and sue sony in small claims court for removal costs or in regular court for electronic trespass.

i'm tempted to do it.
 
What's next?
CD software installing firmware updates to your hardware?
 
To David Solomon:
thanks for clearing up the matter, i thought the drivers are much more checked, such as in cases when they are copied to system folders or loaded by the windows.
 
Nice work Mark! Always good to read more of your insightful work.

I have to admit I'm not totally against DRM. I think it's good in times of innovational transition like we are with digital music distribution today. However my problem is the fact that not only are you paying for a limited use product in that you could purchase a digital copy or a standard CD, but now YOU the consumer have just paid for a free mal/spyware infection (including decreased system performance, higher internet safety liability, and more) - Unfortunately this is part of a growing precedent.

Simply being taken advantage of hurts - paying for it really just makes me boil.
 
Do you think this rootkit comes standard on Sony PCs and notebooks?
 
My daughter's computer had this crap on it but I was unaware of what it was... I ran Blacklight yesterday which is when I discovered it. Her computer is running W2K and a couple of weeks ago she was a victim of a drive-by installation (visiting a lyrics website) which dumped a bunch of trojans, adware etc. on it. When I finished cleaning the mess (4 hours later) it had broken Windows Update. Fix for that was reinstall (repair didn't work) of the system.

Anyway, great job and I hope someone does something about such behavior in big business. I'm gonna warn the kids not to install any such programs again...
 
It is a shame to see that F-Secure has likely "borrowed" your hard work without attribution.

Let's see: Mark's analysis came out on Oct 31, and somehow F-Secure has virtually the same info on Nov 1! Coincidence?
 
"My daughter's computer had this crap on it but I was unaware of what it was... I ran Blacklight yesterday which is when I discovered it. Her computer is running W2K and a couple of weeks ago she was a victim of a drive-by installation (visiting a lyrics website) which dumped a bunch of trojans, adware etc. on it. When I finished cleaning the mess (4 hours later) it had broken Windows Update. Fix for that was reinstall (repair didn't work) of the system.

Anyway, great job and I hope someone does something about such behavior in big business. I'm gonna warn the kids not to install any such programs again..."


They should ideally be set up to only have user level access anyway. Only the Administrator (presumably yourself) should be able to install anything. Not sure how this stacks up with root kits but it's a start on Basic Security 101.
 
I think I'm gonna forward this article on to BBC Watchdog, a TV program in the UK that investigates anti-consumer practices, and see if they can get an official comment from Sony. As some of you have said, by doing this Sony are screwing the people who are legally buying their product. It's sickening and something needs to be done.
 
This is absolutely appalling. I was planning on purchasing a Sony CD tonight, but I will now be forced to download the music I want instead. Sorry Sony, your plan just backfired. I don't care if it doesn't do much. Installing a rootkit without notice is fundamentally wrong and should be illegal.
 
Very VERY Interesting.

This action violates many local and international laws. Let's look at some of the ones mentioned.

DMCA anyone? Who's the one NOW circumventing security? Wouldn't it be grand if the DMCA was used AGAINST the RIAA and associated for the very same thing they are suing other people for?

By Sony installing rootkits they are effectively bypassing any security put in place and IF someone uninstalls it, they can completely screw up their computer.

I know someone in fact has installed this on a government computer that has TIGHT security. How do you think they will feel knowing SONY has willingly put on and changed a ROOTKIT.

Great news for computer repairs across the country. Is SONY going to pick up the tab because THEIR DRM software screwed up the computer?

Also if you buy a CD and it doesn't work, fraud anyone? It's very clear if you buy something and it doesn't work, you are entitled to get your money back, else it IS considered fraud regardless of any EULAs or store rules.

What is really ironic, I know a senator's child who just happened to buy a number of SONY CDs with the DRM. Won't it be interesting when they install it on DADDY's computer.

SONY, did you consider what happens when you piss off a senator? You think he is going to be happy to find out about it, and heaven forbid his kid try and remove it. Then he'll REALLY be mad.

-----------------------------------

This software will be considered spyware under the ASC definition,

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information. - thank you Mellisa

-----------------------------------

"The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC.... " - thank you Mellisa

-----------------------------------

IANAL, but this appears to be illegal in the State of California, punishable by a $1000 fine per computer affected.

California Business & Protections Code Section 22947.3, Paragraph C:

A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
...
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.

- Thank you Erik

-----------------------------------

Computer Misuse Act - UK

Ever think of this one? It may be old but it's broad, however it does cover what is mentioned that they do.

-----------------------------------

Even if they changed the EULA, it's been proven that the DMCA OVERRULES THEM. After all the RIAA has used the DMCA to overrule EULAs before, thereby setting a precedent for others to use against them AND their associates.

I love how they shoot themselves in the foot.

Also as previously stated the rootkit can be used by other programs to further exploit the system. So SONY has thereby placed a method to where others can hack the machine.

-----------------------------------

I look forward to a class action suit. If nothing else, bad publicity will hurt them more than anything.

Remember the embarrassing bypass with a marker anyone?
 
We would be interested in speaking to any California residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. You can contact us at gw@classcounsel.com.
 
This is part of the reason we use products such as DeviceWall on our systems. It not only allows us to block contractors from plugging iPods into our corporate networks, but also helps keep crap like this off of our systems when employees bring discs in from outside the office.
 
If someone wants to copy a CD, then you can. An easy step to copy a copy-protected CD like this would be to get a discman or any other non-computer CD drive that plays CDs (sound system, DVD player). Then, from the headphone jack or audio out jack of whatever player you're using, simply plug it into your microphone input on your computer. Then, using any high quality audio recorder (Adobe Audition), you can record the sound being directly fed into your machine. You shouldn't lose quality if you do it right and don't use low quality sound recording software.
 
In response to Chad:

He cannot be held responsible for violating the restriction against decompilation or reverse engineering because there was no indication that the DRM rootkit was a part of that software package until after he disassembled.

Thus, there is no possibility of mens rea being present that might meet statutory requirements for culpability.

Plus the fact that this is total bullshit. Extra software installed in a way that endangers the stability of the system with a rather sophisticated cloaking mechanism... this immediately casts doubt on the legitimacy of the software publisher (unauthorized access of a computer is governed by the Computer Fraud and Abuse Act in the United States). You could argue that the publisher is liable for legal violations rather than the other way around, and in that case the dirty hands doctrine would absolve anyone of legal liability.

Of course, with the mess that copyright laws are, I wouldn't want to be the one fighting the good fight. I wouldn't have nearly enough money to pay hundreds of lawyer-hours if the EFF didn't throw itself into the fray.
 
VampiressX-

"They should ideally be set up to only have user level access anyway. Only the Administrator (presumably yourself) should be able to install anything. Not sure how this stacks up with root kits but it's a start on Basic Security 101."

Yeah I know... and even though she's 17 I should put her as a user. Sometimes certain software won't work then but oh well... I have her keep her data files on a separate partition and I'm gonna create an image of her c: drive in this pristine state. She's not going to like it but she's the only one of my 2 girls at home (the other is 20) that gets into this sort of trouble.

As for the drive-by installations, I had to help a co-worker whose daughter also got hit with crap pushed to her computer, as well as someone I know (same thing, got a $100 Safeway card out of it).
 
I found google cookies and few pages in the cache that are hidden from the system. I have google toolbar and I think it comes from toolbar.
 
I had posted a while back in CDfreak's "Audio" forums on how to disable this protection so you can rip the CD Music. I do not believe there is any way to remove all the files on your system.

http://club.cdfreaks.com/showthread.php?t=151461

XCP2 (First 4 Internet) http://www.xcp-aurora.com/

How to identify: There will be a file called “VERSION.DAT” if this is opened with Note Pad it will say something like “VERSION=XCP2, Version 1.7”

Win98/ME/2K & XP

Step 1. Press F8 during startup to boot into safe mode.

Step 2: On windows partition (where Windows is installed default is C:/ drive) Search for a file called “$sys$caj.dll” and delete it.

The default path is C:\WINDOWS\system32\$sys$caj.dll

Step 3: Reboot PC and go to “Device Manager” and uninstall all CD/DVD drives and then rescan for hardware changes.

Now the XCP protection is permanently disabled.
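
The "How to identify" check in the comment above can be done without opening the file by hand. This is an added example, not part of the original comment or any vendor tool: a read-only scan of a mounted disc for `VERSION.DAT`. The function names are hypothetical, and the file format is assumed from the single sample line quoted above.

```python
import os
import re
import sys

# Assumption: the only format information on the page is the sample
# "VERSION=XCP2, Version 1.7", so the pattern tolerates case, spacing
# and a missing ", Version x.y" part.
_VERSION_RE = re.compile(
    r"^\s*VERSION\s*=\s*([A-Za-z0-9]+)\s*(?:,\s*Version\s+([\d.]+))?",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version_dat(text):
    """Return {'scheme': ..., 'version': ...} or None if no marker is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return {"scheme": m.group(1).upper(), "version": m.group(2)}


def find_version_dat(root, max_depth=2):
    """List files named VERSION.DAT (any case) at most max_depth levels down."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            depth = 0
        else:
            depth = os.path.relpath(dirpath, root).count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # stop descending; the marker sits near the disc root
        for name in filenames:
            if name.lower() == "version.dat":
                hits.append(os.path.join(dirpath, name))
    return hits


def identify_disc(root):
    """Return [(path, parsed_info)] for every readable, parseable VERSION.DAT."""
    results = []
    for path in find_version_dat(root):
        try:
            with open(path, "rb") as fh:
                raw = fh.read(4096)  # the marker is a short text line
        except OSError:
            continue  # unreadable sector or permission problem: skip, do not crash
        info = parse_version_dat(raw.decode("utf-8-sig", errors="replace"))
        if info:
            results.append((path, info))
    return results


def is_xcp(root):
    """True if any VERSION.DAT under root names a scheme starting with 'XCP'."""
    return any(info["scheme"].startswith("XCP") for _, info in identify_disc(root))


if __name__ == "__main__":
    # Usage: python check_disc.py D:\   (the drive letter is an example)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found = identify_disc(target)
    for path, info in found:
        print(f"{path}: scheme={info['scheme']} version={info['version']}")
    if not found:
        print("No VERSION.DAT marker found")
```

The scan only reads the disc, so it can be run from a restricted account with autorun disabled before anything on the disc is executed.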
 
I have a solution. Learn to use Linux or buy yourself a Mac. :)
 
The comment about Aries.sys and jumping into invalid memory - occurred after trying to copy music from a CD for my wife.
Restarted the system after the music was copied only to find a BSOD involving Aries.sys. Let's just say that Sony's little tricks resulted in my needing to completely reinstall windows...
 
From my point of view, Mark has done excellent work since I also do not tolerate ANY software that does not comply with the rules, publicly set by the owner of the proprietary code. This is clearly a case for the law authorities, that simply HAVE TO RESPOND in a proper manner, that is to file a lawsuit against the Sony corporation. And no, I am not exaggerating. I have also found numerous malware on my system, without taking necessary action! And ... I'm still mad about it! The goal does not devote the mean ... with no exceptions!!!
 
Re: Oasisob1
That doesn't presume that their software has to be hidden! E.g. if you uninstall it, you know for sure that something won't work! That's the way things are done in an enterprise environment. And these things are even published in a user guide. I can comply with many things, as long as I know them and as long as I can discontinue using them ... even if I have not actually read the whole EULA with assistance of my lawyer...
 
Perhaps contacting Van Zant Brothers directly to let them know how Sony are corrupting their music might help. They have no email address, but their management company can be contacted at:

Vector Management
Ken Levitan and Ross Schilling
P.O. Box 120479
Nashville, TN 37212
Phone: 615-269-6600
Fax: 615-269-6002

If they get enough disgruntled and rightly furious people ringing them up night and day, they might act themselves. It is often the case that the Artists themselves actually hate this as much as their fans do as it p*&^es people off so much that they might stop buying the band's music, blaming them for this abuse rather than their record companies.

If it's alright, I'm going to send an email concerning this blog off to 'PC Pro', a widely read PC Magazine here in the UK. I suggest that everyone who posted a comment here do the same with some of their favourite computer magazines and maybe even television shows. Perhaps then, Sony will be shamed into acting like human beings.

# posted by BadHead : 7:16 PM, November 01, 2005
 
Very interesting, thanks for sharing your insights. Your article has been mentioned in the Austrian news that's how I stumbled over it http://futurezone.orf.at/futurezone.orf?read=detail&id=276825

I hope that Sony will pay for it. This goes far beyond any reasonable copyright protection.
 
I recommend saving a copy of the EULA before they change it again.
 
I SAY BOYCOTT THE BASTARDS!!
 
Where's the script so I can run it on my computer? Once the script is written distribution pretty much happens automatically doesn't it?
Hey-hey! Now there's an idea!

mabell
 
Thank you very much for publishing this for the world. I was directed to this site through an article I read today. Although I now have a Mac, I first ran the disk on my PC and was horrified by this pathetic and frustrating program. I exchanged a series of emails and called BMG at just about every office they have to try to find out how I could get the software to let me listen to full quality audio (it only allows windows media player to play at a 128 bit rate) only to find out that the software does not allow it. And now to find that I cannot uninstall the software… On the BMG website they offer a go around for iTunes users (to burn a cd with WMP and rip that into iTunes) and also encourage iTunes users to write Apple to get them to cooperate with Sony and support the software. I wrote to do just the opposite and finding this only supports my gut suspicion of this software. There is no live support for it, at least not that I could find in my two hours on the phone. Infuriating. So I am spreading the word in an effort to start a boycott of BMG music.
 
Remind me to attach a EULA to my next root kit, that way it's all good and dandy.

/kinda sarcasm
 
Great info as always. I have passed this on to the readers over at Productivity Hacks
 
Cool, now we can all start to distribute new viruses, rootkits and spyware ourselves, knowing that they will remain hidden through Sony's assistance. Just stick em in system32, and put sys at the start of their name.

WoHoo.
 
Originally posted by: _Jon

"I recommend saving a copy of the EULA before they change it again."

I would also recommend doing that.
Sony has stepped the line...
And you must bring them back over it through some means.

Great find too.
Keep at it. We'll need the information you obtain.
 
To Oasisob1: you said Sony changed the EULA - Mark told me he compared what you posted above with the EULA he has and they are the same...

So where is the change you refer to, and when did this change occur? Do you have a before and after version we can see?
 
Wow, I just found this site thru the Inquirer, and all I gotta say is: DAMN, you're a friggin' genius, Mark...

Makes me want to sharpen up on my (feeble) skills.

Anyway, thanks for opening my eyes to the underhanded shenanigans being perpetrated by the named companies.

Sheesh... they think they can do whatever they want - and no matter how many lawmakers they "persuade" (bribe) into this bull, it doesn't make it right.
 
FYI - I have been trying to pull together information on this subject at http://bhayden.blogspot.com/, but more from a legal point of view than technical. I should note that I did include the lengthy comment by legal buff above.
 
Mark, thank you for "opening up this can of worms" especially before Christmas!
Anything that has to do with Sony and their other affiliated companies (as someone had posted earlier in this blog) certainly will not be on my Christmas shopping list!

Somehow this must get out to the mainstream media such as BBC, CNN, MSNBC, FOX etc. for the "average PC user" to HEAR on the NEWS.
 
If you plan on boycotting, let the offending company know. They need to know that they are losing customers and WHY. Perhaps other companies will get the message as well. -2 cents- :P
 
Great article. But honestly, as long as people that read this just whine around and say "I'll never buy a Sony product any more" exactly _nothing_ will change. If sales drop the music industry passes fault to p2p networks and increases DRM activity.

Don't avoid Sony CDs! Do the opposite! Buy them, and if they come with one of these DRM thingies like the one Mark discovered, then sue them! What they did with this DRM scheme is illegal in most civilized countries. The more users in different countries sue them for manipulating their computer, the sooner companies like Sony will realize that this goes too far.

Just being harassed and talking about that doesn't change anything. If You all avoid Sony products You just deliver them more arguments to justify DRM...

Just my 0,02c

Ben
 
this is now on MSNBC's tech blog: http://www.msnbc.msn.com/id/6409077/ - not quite the mainstream, but getting there. Also, check this from time to time to see who is picking it up: http://news.google.com/news?hl=en&ned=&q=Sony+Rootkit
 
the sad thing is that (i'm sure) a good number of people that DO care to do something about this are too dirty to pursue the RIAA/Sony without anything backfiring in their face, and the people that ARE clean enough to fight the RIAA could care less as they don't buy enough music for it to affect them. as usual, the consumers are the ones getting... bent over.
 
Has anyone put a review of this CD on Amazon with a link to this article???
I think someone should
 
Mark, would it be possible to detect this rootkit using BartPE?
 
Hi Mark!
Thanks for the hint!
I wanted to ask you if the "DRM packager" that used to be distributed by sony-ericson in order to add DRM tags to Mp3 ( in order to be able to use them as ringtones on sony-ericson phones ) is the same software you are referring to.
or in alternative can you give me a hint to discover the presence of the sw when no special sw is installed on the machine (I don't have filemon nor RootkitRevealer ...) ?
Thanks
Bruno
 
I love my Linux.
 
Mark, I have a rootkitrevealer feature request for you. It doesn't recognize junction points. Also try testing it on SFU. There is a number of files the rootkitrevealer considers hidden. Maybe they are junctions too, but I'm not sure.
 
Oh this is cool. Anybody put a sniffer between the pc and network connection yet? hahahahaha
 
hey there...

i've found this article over www.orf.at and found another article earlier than this about this "protection": http://futurezone.orf.at/futurezone.orf?read=detail&id=259880
 
i confirm this doesn't install with restricted accounts. I am in a corporate environment and inserting the cd that autoruns presents users with an error saying they need to see their administrator (me).
I tell them to click cancel then to open windows cd player...
Never use an admin powered account for day to day things, take linux's example!!
 
The system Sony is using appears to be the XCP Aurora system:

http://www.xcp-aurora.com/

Produced by this company:

http://www.f4i.co.uk/

Best regards
Steve
 
Ironic isn't it? In an attempt to prevent "illegal" copying of their material, Sony is willing to violate the rights of their honest paying end user!

This makes me more reluctant to buy new product than ever as I don't want crap installed on my machine, especially unauthorised stuff. As if there aren't enough problems with malware/spyware from the internet, now we have to deal with it from stable media.

Corporate terrorism at its best.
 
Has anyone found e-mail contacts within Sony? I've looked and they're not available on the public sites. A concerted effort on our part is called for. Unfortunately I think this article is too technical for the general public and media to digest, but I think we do need to raise awareness & tell these corporates that they cannot cross the boundaries whatever their size and influence.
 
I have always considered DRM to be Commercial Malware - not due to political considerations, but because practically, that is what it is. At the rockface of combat coding, intention is meaningless, actual code behavior is all.

DRM is software that hides from the user, resists user management, does things the user doesn't want, is from legitimate vendors (so av is unlikely to detect it, and scanners that do are subject to litigation), and which is "motivated" by commerce/revenue considerations.

How is the above different from 180Solutions, NewDotNet et al?

The sick joke is that criminal law (in a society conveniently polarized against privacy and civil rights by 911 etc.) may preclude you from asserting (or attempting to regain) control over your own PC.
 
What would Windows be like if every vendor did this?

If you had 50 conflicting hidden DRM schemes running in the background, wouldn't troubleshooting be fun?

Else if there's to be only 1 such scheme (Sony's), what makes Sony special that they can do it and others can't?
 
ooops

F-secure doesn't recommend using the Removal-tool - but it will at least find the Sony/BMG "virus".


From their blog:
"If you find this rootkit from your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this. However, they will install additional ActiveX components to your system while they are doing this so be advised."
 
This is bull crap. I have already worked on a computer with this crap and the registry was locked and corrupted. I was not sure what was going on till now.
Right after the stuff was installed. The customer is planning a rather large suit and he is a multi billionaire going full force.
 
"F-secure doesn't recommend using the Removal-tool"

The fact that they include a removal tool at all is dangerous and a disservice to their customers. Like I've said in all my talks and articles on rootkits, unless you have specific removal instructions or tools that target a specific rootkit from a knowledgeable source, your best bet is to reinstall. Otherwise you run the risk of leaving your system in a compromised state.
 
Great article by Mark and scandalous behavior by Sony.
 
How do we remove this shit??? Has anyone made a removal tool or will it aut. come in antivirus programs or ad-aware.....??
 
Okay I can see that F-secure has the tool. So I'm sure all the others have it too or will have it soon.
 
I think education plays a part here too - as in, educating everyone that there's NO NEED to let an audio CD install software on your computer, that the software it wants to install is ALWAYS BAD, and that they should NEVER LET IT HAPPEN. Of course, some people will be discovering this too late... :(
 
This is somewhat scary, because it shows how far companies are willing to go, even breaking laws themselves, just to make sure YOU the innocent citizen (until anything else is proven) do not break the law.

We've just denied the use of Sony CDs on all our machines as of today. It's a small measure, but you have to start somewhere.
 
Upon Reading Luke's comment and being for some time worried re the IBM sale to China:

"... this is a bit offtopic but...
have you ever heard about the palladium project? sony's DRM is just a little in front of it...
just for the ones who don't know, the control will be in hardware too, not only in software...
google for it..."

Is there a chance Lenovo might be made by the Chinese government to install into the hard disk a manipulative element governing user's writing/surfing?

I'm about to purchase a new notebook to replace the IBM T20 aged one and this is a real concern, on the personal as on the moral level. I'll appreciate your friendly response.

Luke, I was looking for your blog and all your link brought me to was an empty one.

Many thanks and much adoration to Mr. Mark Russinovich for the amazing revelations.

Corinna Hasofferett
 
Bastards!

Nice detective work!
 
Yes, I agree with Robin Monks, the discovery by Winternals shows more than one problem:

- Sony has gone too far (shame!)

- hacker protection software offers a dubious pleasure to hackers

- Microsoft (and myself: as user of Windows) has a severe security problem.
 
How would the average person check to see if they have a cloaked file installed. Malware or from DRM?

Is there a free diagnostic tool I can use, like a pest scanner or such that will find this?

Also, with the find you had on your pc, what is to stop someone from creating an active-x file that installs such hooks automatically piggy backed onto something like Macromedia Flash. There are so many sites that re-direct you to update Flash, but are they really sending you to the site to get it or can they spoof it somehow, like with a Java exploit. I have heard of people doing something similar with a Java buffer overflow, but just wanted your opinion on this.

With all the traffic you're getting, I say it's only a matter of a few days before there is a working exploit to use this in an internet worm. There needs to be a way to stop ANY file from being installed. If anyone knows of a program utility to catch silent installs like this $sys$ crap, please post it here or on my site.
 
It's like discovering that your cough medicine actually changes your DNA in irreversible ways... and nothing on the label says so. Then you find out that the reason for the DNA change was just to make you allergic to knock-off cough medicines, not to make you any healthier. In fact it could kill you.
 
Ummm, are these CDs sold in the state of Virginia? There are CRIMINAL penalties for installing this sort of unremovable malware in Virginia. They are no joke, either, it's something like 5 years in "pound you in the ass" state prison for each offense. Also, our AG is the only one who is actually prosecuting these scum.
 
Sony BMG in Norway does not know about these findings. Yet.
 
This should be reported to the FTC as well as your local FBI branch.
I think the case can easily be made that Sony's nefarious installation of rootkit software on your PC is criminal. It is especially notable that the software masquerades as a plug and play component.
 
I recently ran into this problem with the new Switchfoot CD on the Sony label. After doing some digging, I found a workaround posted on the Internet by the bass player of the band! It is important to remember that the record company is the bad guy here, not the artists. From his post:

Let me first say that as a musician AND as a music fan, I agree with the frustration that has been expressed. We were horrified when we first heard about the new copy-protection policy that is being implemented by most major labels, including Sony (ours), and immediately looked into all of our options for removing this from our new album. Unfortunately, this is the new policy for all new major releases from these record companies. It is heartbreaking to see our blood, sweat, and tears over the past 2 years blurred by the confusion and frustration surrounding this new technology. It is also unfortunate when bands such as ourselves, Foo Fighters, Coldplay, etc… (just a few of the new releases with copy protection) are the target of this criticism, when there is no possible way to avoid this new industry policy.

See the whole thing here:

http://www.actsofvolition.com/archives/2005/september/switchfoot

Someone please post an email or phone number at Sony to register our complaints to. I hope they get buried in bad press and public outrage for this type of tampering.
 
Yet another compelling reason to use a Mac.
 
So...anyone want to try this? :

http://www.theregister.co.uk/2005/11/01/sony_ships_psp_media_tool/
 
This story has been featured on Aftonbladet - the largest daily newspaper in Scandinavia.
 
The article in Aftonbladet includes a comment from Per Sundin, CEO for Sony in Sweden. He says that this kind of copy-protection is not used on the European market and that they will not use any such software until it works well for both them and the consumer...
 
Yet another compelling reason to break the law and just download your music using P2P - it's much safer on your computer.

So what if the DRM isn't in the EULA? Suing Sony for this would be like pushing your own tax reform bill through congress.
 
I'm reminded of a similar experience myself, when I installed a very highly regarded AV and to my surprise found a tool called backwater present on my system commonly used by spyware to do ET phone home stuff.

The usage of it turned out to be completely legit, as their way of automatically upgrading virus definitions, however I feel their blurb/readme should have been a bit more explicit about the fact that it used a tool that will trip most spyware-detection applications.

I know many people use this AV knowing full well what it uses and are quite happy with that situation (and it IS a good AV).

I'm assuming here the rootkit doesn't contain any nasties such as RAT, ET Phone home, etc. As much as we dislike the whole concept of DRM and the companies that choose to implement it, this does not automatically mean they are out to do nasty things, as such it's not really computer misuse under the law.

The main beef here is the security compromise, poor performance and system instability induced by installation of the software.

It would be analogous to installing a (very) poorly-written device driver from Company X (and who here has not had that happen to them).

The normal reaction here is to swear a lot, then ditch Company X and choose Company Y's product because it's got a better driver - but not to prosecute Company X for messing up your machine, think about this as a precedent. There wouldn't be many 3rd party hardware companies that couldn't be prosecuted.

That said, Sony should include in the readme prior to install that this will trip up RKR, backlight and other products and not to use these products to remove the tools they install.
 
A few years ago I had a problem with a protected cd (What's wrong with this picture by Van Morrison), it would not play in my Philips cd player. The only way I had was to convert it into mp3 in my computer and then revert it into an audio file so I could hear it. I wrote about this in amazon, but it seems that the record companies really want to destroy even those who still buy cd's because they want to support the artists. The cd said explicitly that because of this technology the cd may not play in some player. However I did not believe it would not play on a Philips that cost me 1000$ 2 or 3 years before the cd was released. Since then I don't touch any cd with protecting technology (sorry, Van Morrison). But even by these standards Sony has gone too far, and should be banned from any buyers lists. Now, if someone is sued for downloading music from the internet he may say that he does so because he likes music but he wants to save his computer from viruses. What do you say, Mr. Jones???
 
great article Mark! I only wish I'd have found it last night when I was tracking down the rootkit malware that had badly infected my laptop. In the end a system restore and several hours of re-tweaking it and the system was functional again.
 
I just made a request to The National Association of Attorneys General (http://www.naag.org/) to look into this; but not being in law, I don't know how serious they will consider my request. Perhaps more requests to them would help get the ball rolling. They have a "Contact Us" at the bottom of their web pages, but please be considerate of which contact to use. The more intelligent and educated our request, the more likely they will act (perhaps by passing it onto the states' attorneys general).
 
Obviously Mark didn't go to all this trouble to profit from his findings so stop with the lawsuit bs. It does appear that a direct violation in personal rights is violated. Should this merit a congressional hearing?
 
I wonder how many of sonys gOOns are swarming here by now.. Laugh Out Loud.. Oh by the way I build high end custom pc's for a living. DID JOO HEAR THAT SONY!!


Thanks Mark
 
EXXXXXXXXXCELLENT write up. I see that the EULA has been modified, but I have 2 larger questions that I am not sure have been asked ....
1) Has Sony modified the software to prevent its exploitation by malware?
2) Is/will Sony be liable if computer systems are compromised due to XCP's failure to secure their software?
 
If you want to uninstall the software, you have to fill out a form at the Sony Web Site:

http://cp.sonybmg.com/xcp/english/form14.html

I would try this but I don't want to get their crap software on my system
 
P.S. Small claims court might be another route to pursue this. Sue them for $1,000 of your time.
 
Sent an email earlier today to New Media Manager, Stein Vegusdal @ SonyBMG Norway. In his reply he states that Mark has violated the DMCA act when he tried to find the installed rootkit and manually removed it. As per, he states that it clearly says in the EULA that customers have to contact Sony customer service for getting removal instructions. As to try to remove it yourself, Sony seems to think of it as a breach of the DMCA act and other applicable laws around the world. Further he states that First4Internet is a Symantec-partner and that Symantec has posted it as not harmful. Seems like we can wait for forever for a Symantec removal tool against this shit then.

Further he defends the rootkit, by saying that the games industry's copy-protection schemes are not being criticized, even if they have stricter rules... As if that makes the Sony case any better...
 
Sony did not include it originally in their EULA. Furthermore, Mark's initial intent was to remove "unknown" software that had been surreptitiously installed on his system. If Sony tries to hide behind the DMCA, they are going to start a firestorm, not to mention the public outcry, damage to their "intangible goodwill" and probably the loss of a significant amount of revenue. Sony PR better get prepared because this will probably make national / international headlines.
 
Oberholzer & Strumpf published a paper in 2004 documenting that file sharing does not have an adverse impact on cd sales. See
http://www.unc.edu/~cigar/papers/FileSharing_March2004.pdf

Their Abstract:
A longstanding economic question is the appropriate level of protection for intellectual
property. The Internet has drastically lowered the cost of copying information goods and
provides a natural crucible to assess the implications of reduced protection. We consider
the specific case of file sharing and its effect on the legal sales of music. A dataset
containing 0.01% of the world’s downloads is matched to U.S. sales data for a large
number of albums. To establish causality, downloads are instrumented using technical
features related to file sharing, such as network congestion or song length, as well as
international school holidays. Downloads have an effect on sales which is statistically
indistinguishable from zero, despite rather precise estimates. Moreover, these estimates
are of moderate economic significance and are inconsistent with claims that file sharing
is the primary reason for the recent decline in music sales.
 
Just for the hell of it, I sent a removal request to Sony BMG and will post their answer when I receive it
 
Wow, I've been in this business for 30 years, and I remember very well the first commercial use of a "copy protection" scheme used on a 5-1/4" floppy put out by Lotus 123. It was a simple scheme that took all of about 6 hours to be "defeated" nationwide. And then the copy protection that Norton Utilities put on their distribution disks, the company that made the "laser hole" "unbreakable" copy protection even offered a fantastic sum of money to anyone who could break this copy protection. Within 24 hours, the company received 6 "working" copies from various hackers that had broken the protection scheme. Norton and Lotus ceased copy protecting their disks because of dropping sales revenue. What is happening here is the same thing on a different scale. This is Carnac's prediction: History will repeat itself 1) Sales will drop 2) Sony will drop "copy protection" and 3) the protection company (First 4 Internet) will go "belly up"
 
GOOD GRIEF! 8 scans every 2 seconds on our CPUs... 240/second or 14,400 per minute... This is an outright hijacking of computer resources!!
 
This is really becoming an "Epidemic", recently a friend of mine bought 6 CD's from a very reputable record club, 4 of the 6 CD's bought would not play on his or my PC unless we agreed & installed a built-in player (which we didn't). The label was Sony-BMG. Artists/Musicians etc...should be made aware of this A.S.A.P. so that they can remedy the situation, as it stands now these artists/bands etc...will lose mega $$$ by lost sales. If Sony Corporation is doing this without the artists' consent maybe the artists involved should look into this urgent matter & resolve this issue before more revenues are lost. Personally I will be much more cautious when purchasing Sony/BMG prod. in the future. This is my opinion only. Regards: dejc/aadservices
 
Thank you for the hard work, sir.

By the way, I recently bought a Sony DVD burner that came with a free copy of the Nero utility. I have virtually no computer expertise, is there an easy way for me to tell if Sony has installed this spyware on my computer?

Sony has certainly made me aware of how untrustworthy a company they are. I'm thinking about every Sony product I have, and it makes me angry to think they might have been doing this to me all along.

I think from now on, I'll just buy all my stuff through CoolWebSearch and cut out the middle man!
 
Copy protection is futile, it's easily hacked and based on the article I cited above, these copy protection schemes do not "protect" sales (profits). These programs just hog resources and make our systems unreliable.
 
Where's DVDJon when you need him?
 
Copy protection schemes depending on anything other than law, ethics, and reasonable pricing are futile and doomed to failure.
 
This makes me increasingly happy about dealing with smaller record labels directly. It's a constant pleasure to deal with the likes of Qoush, Next Generation and Essential Platinum to name but a few. Companies who value their customers and actually listen. I can, and do, purchase completely drm free high quality mp3's from these guys (as well as more traditional cd's and even 12" vinyl) at very reasonable prices.

I guess this is the way it's going, smaller companies where you know the artist is going to be (well) compensated for their work and genuine labels that charge reasonable fees for the service they provide.

As for this news, I'm shocked and appalled (yet strangely not surprised) at Sony for stooping to this level. As a consumer it's an insult :-/

I purposely stopped using Sony hardware since I bought my Hi-MD recorder a while back. The whole purpose of this was to be able to record sets from my gigs on a small portable machine, preferably with not having to change batteries half way through. The portable Hi-MD had everything, optical line in (direct from mixer) hours upon hours of recording life from a single AA batt, large capacity as reasonable bitrated and the Net-MD system to transfer it to pc for mastering. Great, an awesome piece of hardware \o/

Until I found the ugly drm restrictions (unable to copy optically recorded media back to pc etc) and massively closed, inferior buggy software.

Gobsmacked, I couldn't believe such a wonderful piece of hardware had been crippled in such a way.

Rant over! ;)
 
excellent writeup Mark, and great discussion! Wonder what this will lead to - certainly shows how uncomfortable we are with stuff we can't control ourselves.

It's why all my kids at home don't have an admin account on the PC (mind you, they also don't get to play many games - many just won't work without admin rights...).

Naturally, I'm too lazy to use an unprivileged user account myself, so I could easily be tripped into this - even though I also consider myself careful and won't install anything from an untrusted source... I'll have to rethink that now.

/Guido
 
Thank you very much for bringing to light what Sony is doing. I have purchased many thousands of dollars of their products over the years. Next year's purchases will be zero. Good luck Van-Zant or whomever chooses Sony as a partner.
 
So, in the grand scheme of things, how was the music on the Van Zant CD itself? Because I'd be really, really, mad if the music sucked AND I had to go through all of this.
 
Has anyone thought deeper to the fact that this was common practice (Hooking) early on in the Windows 95 realm? VXD hooking was common practice back then, which cascaded into Windows NT4, and Windows 2000 since they were Architected with the same 16 bit code with 32 bit emulation, and further was allowed to exist due to Windows XP being architected after its predecessors but in full 32 bit code format.

With the onset of the Windows XP 64 bit article quoted here earlier (first or second post) it mentions that Microsoft doesn't condone doing this in the 32 bit arena, but cannot programmatically stop it because of breaking compatibility...due to this being common practice.

FTR - The EULA is misleading...It isn't installing Software, it is installing a Player (software) + a service with hooks to monitor Kernel calls to both the CD, AND results of Directory indexes. The CD Hooks were common practice since 95, however the Directory / Registry index filtering is common practice too but only for Malicious Malware programs that need to be hidden.

As for the security on the ENUM key...that is default security...PNP is always executed under the system account, by default Creator owner gets full control, everyone else gets read.
 
Same thing happened when I inserted the latest Foo Fighters CD, In Your Honor, into my computer. Seems that at some point a driver was installed that enabled DRM. I do not recall consenting to any installation of this software. A Google search directed me to a solution and I was able to remove the driver and was able to copy the files from the CD.
 
Good work!

I hope that you don't mind me linking to this article in my blog.

I am currently contacting Sony and explaining to them exactly why I will not buy ANY CD that they produce until such time as they provide a written statement affirming that they have stopped the practice of installing this sort of software on the computers of their customers.

I am urging anyone who reads me to do the same.
 
Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to.
 
A marvelous piece of work! Very informative. Fortunately I stay away from DRM media, since they will not play on my Linux computers. Stories like this make me happy that I banned Windows from my systems a long time ago.
 
Thank you for your blog on this!
How can Sony do this? As consumers I hope that we all stop using all Sony products!
 
Sony sucks, I was looking forward to buying a PS3 but will instead go for the 360. I have had troubles with Sony computers and cameras, after hearing this I am through with Sony altogether. I am boycotting all Sony products for good.
 
Sony sucks, I was looking forward to buying a PS3 but will instead go for the 360. I have had troubles with Sony computers and cameras, both undependable for long term use, after hearing this I am through with Sony altogether. I am boycotting all Sony products for good, including software and music.
 
It looks like Sony/BMG has a "fix" for this situation. They now provide an update allowing removal of the software: http://cp.sonybmg.com/xcp/english/updates.html

I'm sure their player will no longer work, but at least it may clean up the mess on your computer.
 
What angers me is how much this Sony crap damages my old 750mhz laptop. After a clean OS install, this computer runs Word, Photoshop, Firefox, whatever without much problem. But once these Sony turds chew up 2% CPU, the system becomes unusable. It is absolutely infuriating that this arrogance of Sony and Symantec degrades overall window drawing & switching performance while I'm trying to get work done.

What do we do when 5 to 10 companies decide to install this stuff on my computer? My computer can't handle it.
 
If new versions of Windows 64 prevent Sony's CP software from working, does that mean that Microsoft is violating the DMCA because it has made changes to its software to prevent copyright protection from working?
 
i got two pretty neat sony products, and i was planning on purchasing vaio notebooks, but this is it. no more computer-related sony products for me. they have gone too far. i hope this will spawn a number of lawsuits and i'm glad it has gotten into the press and will get noticed even by the ordinary buyer.
 
The threats to sue Sony are hollow. No one in this discussion is going to do anything.

The threat to boycott Sony is equally worthless. You might last a week or two, but then if a music or software title comes out on Sony and you want it, you will buy it.

All the threats of "consequences" for Sony are laughable.
 
I am glad that Sony is following up its loss-making announcement with this new stuff. This will be one more nail in the coffin. Much as I like its products, I despise its arrogance and world-domineering attitude which says, "We are Sony. We make things. You have to buy them". Things like Betamax, ATRAC, Memory Stick, Blu Ray DVD, etc. I own a Sony handycam and also once bought a Vaio for work. Both of them needed repairs and in both the cases, the technicians were downright rude, to put it mildly, as if castigating me to expect Sony products to last longer then 90 days.

Thanks, Mark for this excellent piece of investigation. I am waiting for the day when Sony realises (too late) that customers are its main source of income.
 
November 2, 2005 - "This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers". Apparently this is "supposed" to work. Regards: dejc...

http://updates.xcp-aurora.com/
 
Oh man...

I just read some more of the various posts (excerpted below)... these posts scream with helpless anger & apathy. Should, Would, Could -- not one of us is going to do anything.

I was finding this cynically funny at first, but in the end, these posts are extremely depressing.

"...Musicians ...should be made aware ...they can remedy the situation......will lose mega $$$..."

"Small claims court might be another route to pursue this"

"Should this merit a congressional hearing"

"perhaps by passing it onto the states' attorneys general"

"should be banned from any buyers lists"

"This should be reported to the FTC as well as your local FBI branch"

"There are CRIMINAL penalties for installing this sort of unremovable malware in Virginia. They are no joke, either, it's something like 5 years in "pound you in the ass" state prison for each offense. Also, our AG is the only one who is actually prosecuting these scum"
 
Mark,

Your analysis indicates that they attempt to operate even in safe mode. But I'm seeing comments, here and elsewhere, that indicate that it can be seen and removed while in safe mode. I'm wondering if you had time to actually try safe mode, and see if it hides there or not.
 
It's not just Sony, either:

http://techdirt.com/articles/20051102/103241_F.shtml
 
I simply sent them an email and asked them if its true. If they respond that it is, I will easily boycott their products. Not only music and dvds but also everything else I buy and the company buys on my behalf.
 
Fortunately my grandma has the skills of a sysinternals-wizard and I expect that she will have no trouble removing such a rootkit from her system, nor should the average user have any trouble purging this malware... or maybe just a little trouble.

There's karma in business - Sony will reap what it sows for this one.

Nice work Mark!
 
Well, after supporting Vaio laptops running Linux for 4 years and other things, like those mentioned in this article, Sony, whose name used to stand for quality, is anything but! Vaio warranties, back then anyway, if not registered were only good for 90 days and if they were registered it was only 1 year. Try to order parts and they won't even tell you the part numbers, after you've navigated the call system prompts from he11. Customer service? NOT!

My last camcorder purchase went to Canon (Elura 90 for $650). My laptop of choice for work (I'm the IT guy) is now IBM (T43p $2800). Gamesystem? XBox soon to be 360.

The days of Sony quality and service are long gone. And so is my support of their brand.
 
If Sony damaged your computer, please outline the damage (ie, this article) and file a complaint with the US Department of Justice (http://www.usdoj.gov/), and your state's attorney general (CA: http://caag.state.ca.us/).

I know the California State Attorney General is very good about responding and acting on citizen complaints.

They'll want to know which laws are being broken (see the SPY ACT in this thread).


r,
-craig
 
This is scary! Who gave SONY permission to log what a person listens to?
Does this go out even through Software firewalls like Zonealarm et al?

Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to.

# posted by Matti Nikki : 12:48 PM, November 02, 2005

 
I suggest everyone who reads this article and is as outraged as I am file a complaint with the Better Business Bureau:

http://www.bbb.org/

If enough people do this, hopefully Sony will get the picture.

In the complaint filing process, searching for "Sony Music Entertainment" should yield the proper company, and I imagine its best to choose the one located in NY (550 Madison Ave.).
 
So you go to BMG's site, and click through... and...

XCP Support

ActiveX Unsupported
Sorry, your Internet Browser does not support ActiveX Controls.

Please use Microsoft Internet Explorer to continue.

Download Internet Explorer from the Microsoft website

WTF.
 
Sony's problem is not going to be any kind of a legal threat - It's going to be the massive media impact. This story was already featured on some of the major media-websites, and it's going further...
 
Well - and I say this truly - despite having broadband etc I have never yet downloaded music or other content illegally. Mostly due to laziness and disinterest, but also due to *wanting* the guys who make the stuff I like to get paid. But now I've had it. If I can't legally get products that don't mess with my machine I'm definitely not going to bother paying for them.
 
Great article.

Why must we turn this into a Linux vs Windows vs Mac fight again?

The bigger issue is DRM which many have suggested is a pointless exercise for the record companies, as the cracks for the DRM code follow soon after.

Personally, I like the philosophy of MP3tunes.com including the decent royalty payments that musicians get & the lack of DRM. All it would need is a few big artists to swap to them to make Sony & the others start to think...
 
Sony to patch copy-protected CD
Facing fears that its piracy-proofed CDs could help virus writers, record label is working closely with antivirus companies to offer patch.
Wed Nov 02 10:55:00 PST 2005 | Read Full Story http://tinyurl.com/drbeg
 
Sorry to say it, but this is likely as much Micro$oft's doing as much as it is Sony's. MS is the great champion of DRM, and it's unlikely that Sony is doing something like this without MS's knowledge and/or assistance.

Remember who you're dealing with!?! Remember Bill Gates' open letter to hobbyists? The whole Windows establishment is bringing DRM to fever pitch, and we pretend to be mad at SONY...
 
So, I called Sony's tech support at 800-222-7669 and eventually the obviously Indian rep told me to call Sony BMG at 212-833-8000.

The operator at Sony BMG in turn directed me to call the Sony tech support number. Talk about a run around.

So, I did a whois on Sony BMG's website, and called the technical contact at 212-833-7305. This resulted in me being transferred to an individual who identified himself only as Sony's internal technical support. He was very rude, said that he wasn't even supposed to be talking to me, and ultimately directed me to Mark's post and told me to download RKR to remove the DRM rootkit. I attempted to explain to him that this program only works on NT and was no help to me since I'm running Win 98. He said that he couldn't do anything else. When I said that I wanted to speak to his manager, he told me that management was unavailable, and when I said that I didn't appreciate this unauthorized and apparently illegal modification of my system, he said, "So sue us."
 
Just as a point of interest; what bearing does the ethnicity of a tech support representative have on this conversation?
 
That does it! I am never buying a Sony product again. Be it a CD or a PSP.

This has definitely gone too far. M$, Sony, Intel etc, have no right to abuse our privacy. I feel that the EULA should be null and void in case of any privacy abuse or possibility of privacy abuse. I guess protecting profits of big companies is important but equally (or even more) important is protecting the privacy of people.
 
I have been a Sony Playstation fan since the beginning. This has given me reason to change. Regardless of the technology (just thinking about saying it makes me want to barf :\ ) XBox360 may be my console of the future.
 
isn't there a law against installing software without your permission like viruses
 
Sony is so skrood up - on one hand they sell DVD writers, on the other they wish to protect their copyrighted media. Schizophrenic? I recently bought a Vaio laptop and they fill it with a bundle of garbage software (it was v. cheap and I did a hatchet job on the factory install). I really don't understand as they have the potential to be the digital media product leaders of Windows land but they just can't get the collective fingers out of the corporate sphincter and have ended up smelling rather noxious.
 
>Just as a point of interest; what bearing does the ethnicity of a tech support representative have on this conversation?<

Cut it out. I certainly wasn't slandering Indians and only noted the ethnicity of the rep because it was clear I was dealing with an outsourced foreign call center.

The guy kept asking me for the model number of the CD, fer christ's sake...
 
Mark, I'm very impressed with your Windows system knowledge and
debugging ability. Just as impressive is the concise write-up and
screenshots used -- well done.

There's been a lot of talk about "making Sony pay" for this covert
action, and I think it's appropriate. Several posters here, however,
doubt that anything can be done to exact some form of retribution from
the company. I disagree.

First, I think there are grounds for a lawsuit. The simple fact that
Sony changed their EULA once news of this mistake surfaced means someone
over there felt they weren't protected well enough. I also believe that
the company, First4Internet, was spun off from Sony in order to mitigate
legal risk as Sony executives planned to push the limits of DRM. Note
that I am not a lawyer and I could be mistaken. I just sent an email to
EFF and hopefully we'll hear something from them shortly.

Second, we can get the word out about Sony. A lot of people who have
previously had bad experiences with Sony can now add this one to their
message, and boycotting the company's products this holiday season would
send a very clear message. Simply registering www.SonyStinks.com
(available as of Nov 2 19:19:40 2005 EDT) and pointing it at this page
would make it easy to spread word of Sony's latest attack.

Third, we can help with grassroots anti-marketing. Things like: What
does S.O.N.Y. stand for? Here's a short list I came up with
off-the-cuff:

System's Ours, Not Yours!
Sony's Obnoxious, Nab a Yamaha
Sony's Out to Nail You!

As anyone who's studied marketing can tell you, negative marketing works
better than positive marketing. Best of all, it's really up to us as to
how well it works.

I haven't bought a piece of Sony equipment since 1994, when I purchased
a boom box from them for $150. Less than a year later I sold it for $50
and bought a JVC that I still use to this day (much better sound and
features). Before that, a brand new Sony SCSI Sony DAT drive I
purchased died just a few days after its warranty expired. I replaced
it with an HP C1537 that's still going strong (10+ years)!

I remember that back in the 80's, the Sony logo was gold. Their name
stood for quality. Now Sony just sucks.
 
SONY ISSUES PATCH


[QUOTE] After a chorus of criticism, Sony Corp.'s music division said Wednesday it is distributing a free software patch to reveal hidden files that automatically installed to hard drives when some of its music CDs were played on personal computers.

The offending technology was designed to thwart music piracy.

Sony BMG Music Entertainment and its partner, UK-based First 4 Internet, said they decided to offer the patch as a precaution, not because of any security vulnerability, which some critics had alleged.

"What we decided to do is take extra precautionary steps to allay any fears," said Mathew Gilliat-Smith, First 4 Internet's CEO. "There should be no concern here."[/QUOTE]

http://seattlepi.nwsource.com/business/1700AP_Sony_Copy_Protection.html
 
"Buy a Mac"? I don't think so:

"Users of Apple Inc.'s iPod -- the dominant portable media player on the market -- have no way of transferring tracks from protected Sony CDs to their device, since Apple has not yet licensed its own DRM technology for use with copy-protected discs."
--http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html
 
I understand that Philips still has say on what and what not can be called a CD.

In fact, I've heard that they say that if a CD has any kind of DRM or copy-protection, then it cannot be called a CD. I have also learned that some are trying to circumvent Philips' conditions by using a logo other than the standard 'compact disc digital audio' logo we are accustomed to seeing.

I'm not sure where to look but you may want to see if there's anything posted at Philips' website that can give us more info on the matter.
 
I Love My Linux PC I see people's point about this being mostly due to Windows' popularity but honestly there's a lot to be said for package managers like Portage, apt/synaptic, etc...

Since the application is not in control of its installation (the package manager is) anything that's installed is sandboxed and doesn't need root (a.k.a. Administrator) privileges (not to mention it's cleanly uninstalled as the package manager tracks all installed files and configuration changes on your machine). Maybe this is why Microsoft hired Daniel Robbins?
 
Steve Gibson of GRC.com has a great AUDIO file discussing over this mess now (well done MARK!) Find and listen to it here:
http://www.grc.com/securitynow.htm

Also, I guess it finally is leaking out to the MAIN STREAM media (finally) there is an article found on the Washingtonpost.com site:
http://www.washingtonpost.com/wp-dyn/content/article/2005/11/02/AR2005110202362.html?sub=new

My question is.. fine, Sony FINALLY has made available something to fix this mess that should have never been around in the first place.. but what about the average JOE BLOW that has no idea what the heck is going on with his PC -- all he did was play a CD he just bought! Further.. would if - just would if- there are people out there that DO NOT have internet connection to INSTALL the so-called FIX provided by Sony? YOU can't DOWNLOAD it from work and take it home to fix your PC.. This is all so ugly!
 
Well, many now cannot even download the fix at work because many sysadmins use web content filtering software now to not only block porn or other things like that, but also to block access to download sites as well, including even bug fix things like this.

I know for sure that Blue Coat's system has a category for downloads, and so does WebSense, and likely all the others as well.
 
Great work, Mark
You got me a bit scared now, so I dl'ed your tools and started scanning my own computer. But, no such thing to be found!
This might be because I've disabled autorun, I never use the embedded software to listen to the cds from the drive, (I've got a cd player for that), I just rip them with audiograbber and put the mp3s in my music library.
 
By official legal definition (and to prevent trademark infringement) any Compact Disc that has any form of copy protection are NOT Compact Discs and the music product can NOT carry the Compact Disc Digital Audio Logo ... no wonder AMAZON can not advertise the music product as being a Compact Disc Digital Audio, and instead is advertising it as CD as to do otherwise would be false and misleading in manner and particular. Please make sure that you only purchase and use audio music products that carry the licensed Compact Disc Digital Audio Logo.

...

Red Book is the standard for audio CDs (Compact Disc Digital Audio system, or CDDA). It is named after one of a set of colour-bound books that contain the technical specifications for all licensed CD and CD-ROM formats.

...

http://en.wikipedia.org/wiki/Red_Book_(audio_CD_standard)


...
 
I read all 67 pages of text here with great interest.

I am sad to see how people fly off the handle and talk shit about law suits, blah blah...

Boycotting should have been done years ago. A company as arrogant as Sony and their memory sticks, and insisting on separate standards for DVD -/+ R media not being able to play home burnt disc in their crappie CD/DVD players and what ever other proprietary systems they came up with should have given you reason to STOP buying from them years ago.

With that said we (as a population in whole) bring this on ourselves. Each and every one of us has the ability to call, write or personally visit a congressional representative (or other law making authority depending on where you reside) and tell them you are not happy about the DMCA and how it has taken your rights to fair use away from you. You could contact any number of consumer watch group agencies, your local newspaper news hot line, the list goes on and on...

Right now I'm as pissed as anyone, and first thing tomorrow I'm going to go about my life like nothing ever happened. Oh I'll talk some shit but it'll fade in a few days. I'm being a lot more realistic and certainly a lot more honest than most of you.

If you/we banded together we could get the results we wanted but apathy keeps us from setting the ball in motion.
 
Just found the skinny on the licensing of the term 'CD'.



http://www.licensing.philips.com/licensees/conditions/mad/
(Note: Sony is also a CD Patent & Copyright holder.)

You might dig around there, as there could be more about this, and hopefully a 'smoking gun' regarding copy-protected CDs.
 
That article at Washington post is fantastic. Balanced, yet scathing.

Naughty Sony, Naughty!

Our work system is separated from the internet by a fairly solid firewall, but we allow our staff to play their CD's (as long as they are the original) on their work PC's.... under the theory that audio CD's will not install anything malicious, (they have very limited user accounts also).

If this, or other software installs an application that we are not aware of, or that 'could' be malicious, we will have to 'ban' all audio CD's in work computers. While the analysis shows that the DRM Malware won't install without an admin account, we can't take the risk.

Perhaps our work cafeteria should start selling IPODS and have an ITunes computer set up.... because they won't be selling CD's...
 
"Users of Apple Inc.'s iPod -- the dominant portable media player on the market -- have no way of transferring tracks from protected Sony CDs to their device, since Apple has not yet licensed its own DRM technology for use with copy-protected discs."

This is false and one has nothing to do with the other: put a protected Sony CD in iTunes, rip it, transfer to iPod. Done. No DRM involved. You don't have to transform Sony's DRM into Apple's (that would be plain stupid).
 
First, excellent work there Mark!

Australian residents submit a report here: http://www.ahtcc.gov.au/crime_reporting.htm

An email I sent to F-Secure:

"Hello,

I am an IT consultant in Australia. In the course of my work I come across extensive system problems on servers and workstations that require research, resolution and often installation of software solutions to prevent recurrence. I have frequently found answers to my problems on your website, and even recommended your products to customers on numerous occasions.

However THIS[link removed] article on your website leaves me in shocked disbelief. The information presented on your website is clearly stolen from Mark’s Sysinternals blog[link removed]. I very VERY strongly suggest at the VERY least you credit Mark with finding the information you have presented as your own... and possibly go to the steps of sending him an apology for stealing his work. If you fail to do this it is my sincere hope that Mark prosecutes you for copyright infringement to every extent of the law.

I will be avoiding your website in the future, and I will no longer be recommending anything you produce to customers – quite the opposite, in fact. Poor form, F-Secure…"


I've also contacted the news teams of all the major networks in Australia - hopefully they will pick it up.
 
Well done Mr. Russinovich. I have never been so pissed as I was about Sony's underhanded ploy. I just know that there was even more devious marketing issues thought of by them and their cronies. The fear now is what unexploded mines are in unsuspecting people's systems. I fear all problems haven't surfaced yet. Reinstalling an OS is not trivial and a damn patch is unacceptable!
 
The CEO of First 4 Internet, Mathew Gilliat Smith, boasted to a European IT website -- "IT Enquirer" in July 2005, that their XCP-1 copy protection software is now in use by "most of the large record labels around the world" http://www.it-enquirer.com/main/ite/more/digital_rights_management/ . Is Sony just one of many companies that have been doing this??? It looks like maybe people who have the skills to follow Mark Russinovich's lead may need to start searching for rootkits on their machines if they have used any music CD's from any number of companies that are known to have, or might be suspected to have, copy protection.
Note that this Wired article http://www.wired.com/news/digiwood/0,1412,67696,00.html from May reported that First 4 Internet's clients include Universal Music Group, Warner Music Group and EMI, in addition to Sony/BMG.
 
This is some scary stuff. Just imagine all the corporate and government users that play CD's at work. Many have admin rights (unfortunately) and could be exposing corporate/government systems to malicious code that is sure to come up.

Think about it, what kind of virus writer wouldn't take advantage of such a juicy hole? Even antivirus software couldn't see the files! Just hide the worm/virus file and executables/registry entries using Sony's code (I'm sure it could be improved too)

I hope that major vulnerability scanning companies (Eeye, ISS etc...) get this into their vulnerability scanning products (Retina, Harris Stat, etc...) quickly and hopefully Microsoft can make some sort of patch that blocks what Sony is exploiting.

In this day and age, hackers will come up with an exploit the same day it's released to the public....look how quick worms are made the day microsoft releases security patches.....I wouldn't be surprised if it's already being exploited. Microsoft just released about 9 patches for Windows and there were viruses/worms out the same day the exploits went public exploiting the holes.

As far as Sony saying the code is not dangerous...that's a bunch of crap....Mark already proved how he can completely hide files just by renaming them with the $sys$ characters. Doesn't take a genius to realize that could be exploited with a little creativity....believe me there's some good creativity far above the idiot who wrote the code for Sony.

I hope IT security managers get this notice and ban all use of all Sony media on systems and implement controls to enforce.

As far as buying anything from Sony ever again....never. If they did it once, they'll do it again and I don't want my money paying for their malicious research. Spread the word people....tell all your friends, family and co-workers....boycott all Sony products!

One more thing...Sony can't hide behind their EULA and accuse Mark...if that was true malicious software writers could just put Eula's with all their code to cover their butts and do whatever they want....come on!

I hope Symantec names the new virus W32.Sony.mm and it gets CNN coverage!
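A defender-side check for the behaviour the comment above describes (names starting with `$sys$` vanishing from listings), added here as an example and not taken from Mark's tools or from any commenter. It assumes the cloak filters directory enumeration while leaving open-by-path working; the function names and the simulated hooked listing are constructed for illustration.

```python
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # the name prefix the thread says gets hidden


def check_prefix_cloak(directory, lister=os.listdir, prefix=CLOAK_PREFIX):
    """Drop a harmless canary file whose name starts with `prefix`, then
    compare two views of it: direct access by path versus the directory
    listing. Reachable by path but absent from the listing means something
    is filtering enumeration results for that prefix."""
    name = f"{prefix}canary_{os.getpid()}.txt"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("canary\n")
    try:
        reachable = os.path.exists(path)
        names = list(lister(directory))
        listed = any(n.lower() == name.lower() for n in names)
        # Prefixed names that ARE visible: worth reviewing after a decloak,
        # since leftover files would show up here.
        other = sorted(
            n for n in names
            if n.lower().startswith(prefix.lower()) and n.lower() != name.lower()
        )
    finally:
        os.remove(path)  # never leave the canary behind
    return {
        "reachable_by_path": reachable,
        "listed": listed,
        "cloaked": reachable and not listed,
        "other_prefixed": other,
    }


def simulated_cloaked_listing(directory):
    """Constructed stand-in for a hooked enumeration API: returns the real
    listing with every `$sys$` name stripped out."""
    return [
        n for n in os.listdir(directory)
        if not n.lower().startswith(CLOAK_PREFIX)
    ]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as scratch:
        print("normal view :", check_prefix_cloak(scratch))
        print("hooked view :", check_prefix_cloak(scratch, simulated_cloaked_listing))
```

On a machine where the listing is not being filtered, `cloaked` is `False` and any existing `$sys$` files appear under `other_prefixed`.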
 
Some people here seem to think that F-Secure stole the excellent work done by Mark. However, this information seems to be completely false:

http://www.f-secure.com/weblog/#00000694
 
And here's the gist of F-Secure's blog for those who are too lazy to click, and too happy to flame.


http://www.f-secure.com/weblog/#00000694
---
We've been getting lots of hate mail today. People are accusing us for stealing the (quite excellent) research work done by Mark Russinovich at Sysinternals relating to the "Sony rootkit" incident.

This is not the case at all.

We published our technical description and blogged about the case yesterday, several hours after Mark had broken the news in his site. So to some it looked like we were just recycling his work without credit.

In reality we started working on this case on 30th of September when a user of our F-Secure BlackLight rootkit detector started discovering these files on his system and contacted us.
 
http://poptech.blogspot.com/2005/11/block-cddvd-drm-and-rootkits-easily.html

The only solution is to disable Autoruns. So much for convenience.
 
here's a longish comment on sony and why they might be so clueless. this isn't a tech piece, but neither is why they are using rootkits - the rootkit follows from prior decisions about sony's business practice made in a business culture context.

we should remember that the company is based in a japanese cultural model. this emphasises two related workplace customs. the first is commitment to the employee, which we notice if we consider the example of the japanese salaryman with a near-guaranteed job. the second is the right of the incumbent employee to promotion over the appointment of an outsider. both of these have solid social welfare outcomes in a well managed company.

sometimes, unfortunately, these two customs also have the unfortunate side effect of ensuring that the incompetent remain within the company and rise to fill all positions of authority, with senior management unwilling to take the responsibility for firing anyone. the cronyism of the incompetent becomes possible at this point.

sony has in recent years been a victim of this effect, as witnessed by their radical (for japanese business) decision to appoint a non-japanese ceo (speculation suggested that he might have been chosen for his western approach regarding dismissing employees during restructure).

sony's success was founded on a solid understanding of the value of industrial design and the notion that a clever, simple and revolutionary object (think walkman) could be customised at minimal cost for all target markets. the focus was not on these customisations - the focus was on ensuring the core idea was a sound one. the customisation then enabled personal identification with the product across sectors. think of all the different case models for the walkman over its history and you'll see what i mean. a simple personalised solution to a unique problem.

i have recently heard some substantial design industry gossip about sony marketing practices (in this case in south east asia) that suggest regional sony divisions now approach marketing with minimal understanding of this history, as they dilute sony's message in an attempt to be literally everything at once to all possible customers in their particular country. this approach to marketing suggests a company run by idiots in damage control mode. it runs counter to sony's clarity of approach in previous decades.

we can now see why sony might play such a strategy; in damage control mode, incompetence will try anything at all, rather than simply focusing on core values of simplicity and cleverness that made success possible - especially when incompetence had nothing to do with the success in the first place.

i predict that sony will not exist as a distinct market identity in a decade's time. it will either be broken up, merged, or collapse under its own inertia. i personally will be sorry to see the radical and innovative company of the sixties, seventies and eighties collapse, but that's the evolutionary nature of the market.
 
The threats to sue Sony are hollow. No one in this discussion is going to do anything.

The threat to boycott Sony is equally worthless. You might last a week or two, but then if a music or software title comes out on Sony and you want it, you will buy it.

All the threats of "consequences" for Sony are laughable.
# posted by checkyourhead : 2:08 PM, November 02, 2005


Geez, looks like Sony has sent some of their henchmen into the wild. Or perhaps you're a complete n00b...
 
EMI does the same thing. It's little more than a nuisance, because I paint out the digital track with a felt-tip pen and rip a usable CD in the usual way as a matter of course. Trouble is, it's fiddly work to get the track without covering the audio, but a teenage shop assistant showed me the trick after my Macca CD wouldn't work on my Philips CD player.
 
BBC have picked this up now...

http://news.bbc.co.uk/1/hi/technology/4400148.stm
 
Ok, you managed to remove the software. But I don't know these tools by name! How is an average user supposed to do the same?
 
This is awful. It's hard enough to keep a Windows PC up and running without "reputable" companies adding to the misery. I will *never* buy another Sony CD music *ever ever ever* again!!!
 
did anyone try the uninstall kit / service pack Sony is offering ?

http://cp.sonybmg.com/xcp/english/updates.html

is this service pack indeed removing the rootkit or is it only making it visible / removable ?
 
Public apologies to F-Secure - looks like a lot of wires got crossed in the last few days over this issue.

Whether or not Sony accepts responsibility for it, I do believe they should be prosecuted by governments as a matter of course - you can't let a multinational get away with criminal practices just because they're a big company! Do you think courts would be lenient with virus writers if they said 'We CLEARLY mentioned in the attached text file what parts of the system were being affected while we pwn3d each user's PC. If they wanted to remove our virus, all they had to do was contact us at the listed help desk number and pay $4.30 a minute, fill out some forms and download the removal tool. Trying to remove the virus on their own was clearly not part of their licence agreement and they deserve what they got!'? I think not...
 
who is the idiot that dreamed this up? anybody any place actually taking CREDIT for this stuff?

sony, in CASE you read this.. ya won't sell me anything, or my family anything, or any of my friends that listen to my ranting anything..

ever. i don't forget.
 
From the BBC-article:
"Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG which gives consumers advice about how to remove the software."

ROFL

Henry
 
Someone should email the Van Zant's publicist ross@vectormgmt.com to let them know about all this negative publicity and that no one who goes to Amazon will ever buy this based on the negative Sony reviews. Maybe they should get a new label.
 
This is just the final nail in the coffin as far as new music. I'm going back to my collection of 33 1/3 LP's, and taping off the radio onto my old ANALOG reel-to-reel. Screw Sony and all the other record companies.
 
Gah. Scary. And they want people to buy CDs? I'm not buying any Sony CD until I'm sure they remove such crap....
 
I hate the idea of DRM so much that I *almost* didn't buy a Sony Digital camera because of the DRM on Sony's Memory Sticks until I discovered I could use Compact flash in the camera as well. I've already had strange problems with files on Sony Memory sticks with DRM. Makes me wonder if there's a Rootkit installer on these memory sticks if you even insert one on your Windows PC.
 
Quoting matti nikki:
"Btw, I checked with a sniffer. The DRM system connects to connected.sonymusic.com and www.sonymusic.com and tells them an id number, apparently identifying the album. So, sony knows your ip address and what you listen to."

This is in direct violation of their OWN EULA "Sony does not gather any information from your system"

Quoting bradb:
"It looks like Sony/BMG has a "fix" for this situation. They now provide an update allowing removal of the software: http://cp.sonybmg.com/xcp/english/updates.html

I'm sure their player will no longer work, but at least it may clean up the mess on your computer."

Should someone check this as well to see if anything becomes crippled by removing the player / DRM?

Quoting reed:
"If new versions of Windows 64 prevent Sony's CP software from working, does that mean that Microsoft is violating the DMCA because it has made changes to its software to prevent copyright protection from working."

Windows XP 64 just doesn't support the System Call Hooking like in the 32bit version. System call hooking was a band-aid for developers to bypass certain kernel calls; once you OK using the band-aid, unfortunately it becomes supported, and this was never Microsoft's intention. Read my last post on Nov 2nd @12:31PM...also pls see the link posted by mark russinovich.
 
I notice nobody mentions not purchasing a PlayStation. Why not???
 
Reply to Stephen Whetzel:

After an unrelated disagreement with Sony I used the money I had saved for a PSP to buy a new PDA.

Another question (to anyone)...

If Microsoft can get into a load of trouble for bundling a media player with its OS then can Sony get into similar trouble for not only bundling but forcing you to use their music player, if/when this type of DRM is used for all Sony releases across all their labels?
 
SONY corp invites all malware/virus writers just name your file $sys$filename.ext, guaranteed to get a few systems at least!
 
Well, this definitely makes ME want to purchase more CDs.
 
I complained on the aurora site yesterday about the Active-X removal tool they posted. I explained that I don't use Internet Explorer, and an Active-X removal tool was therefore unacceptable. I demanded a stand-alone executable which would remove their hideous program. Just checked a few minutes ago, at "http://updates.xcp-aurora.com/", and a 3.7 MB executable is posted for download. Can someone with more experience test it? I don't trust their stuff. Thanks!
 
Well SONY all this nobody will be bothered to 'sue' is about to end.

you had better watch out for the Blizzard's (World of Warcraft)Lawyers I think they'll be a callin soon.

http://www.securityfocus.com/brief/34
 
A couple of points.

In one of the 300+ posts above this, someone pointed out that the making of the root kit claimed to have most of the major record companies as customers. But in another blog yesterday, someone pointed out that the other companies, at least right now, limit their use to pre-release music - which is a big, legitimate, problem for them. Only Sony, so far, seems to be utilizing this on post-release music CDs.

The idea that you have to go to the Sony site to get the uninstall software is frankly absurd. Someone pointed out that you can't download software through a lot of firewalls. But just as importantly, legitimate products almost always include uninstall code, and essentially install it as part of their installation.

So, Sony is expecting non-computer literate people who have no idea what Sony installed on their computers, to know to go to their web site, to download the uninstall stuff, and then run it, assuming of course, that they aren't running 98, etc. And I bet it doesn't even show up in the Add/Remove Programs control panel.

I do think that it would be extremely counterproductive for Sony to sue Mark for disassembling its root kit malware. It would just turn him into a cause celeb, and garner a lot of notoriety and support.
 
Here's yet another news story someone found just this morning. I'm also quoting part of a Usenet post in an antispam newsgroup about this.

http://www.securityfocus.com/brief/34?ref=rss

"World of Warcraft hackers have confirmed that the hiding capabilities of
Sony BMG's content protection software can make tools made for cheating in
the online world impossible to detect."

Sony's anti-copy DRM rootkit vs. Blizzard's anti-cheat Warden spyware. Now
that's an *ugly* match! Pass the popcorn..
 
The only thing I have to say in all of this is that once upon a time Sony and other music labels promised that CDs would be cheaper than cassettes and LPs. I am still waiting.
 
Very nicely written Mark. Nice detective work.
 
Wow! I'm not real computer savvy, I turn it on surf the web, wade through the spam that clogs my inbox and just want to be able to use that damn thing! Now I gotta worry about the ratjapbastards trying to hijack my computer? Truly this is fucked up stuff. I read this article and not knowing a rootkit from a root canal I'm glad there are people out there keeping an eye out for us trusting dopes! Thanks for your efforts on behalf of people like me.
 
Well, Sony published a tool to make the 'protection' visible, but it won't uninstall the Sony Software

::

An offline version of this Service Pack is also available as a zip file (3.4MB) or as an exe (3.6MB).

http://cp.sonybmg.com/xcp/english/Update031105.zip on http://cp.sonybmg.com/xcp/english/updates.html

Funny thing is that when you look at the exe's properties >Version> comments : it says: "Malware Security Fix" That's the first thing they get right in a long time :)

::

It seems AnyDVD software will prevent the rootkit from installing in the first place:
http://www.cdfreaks.com/news/12624

(This "anti rootkit protection" is not a new function of AnyDVD , rather it is the nature of AnyDVD to filter all undesired stuff between a CD/DVD drive and the operating system. )
 
The absurdity of Sony's position is that frylockontop is typical of the user community. Not Mark. Not a lot of those here. But frylockontop said he didn't know the difference between a root kit and a root canal. I am sure that no one else in my family (except my ex wife) knows either.
 
I'd rather have a root canal.
 
I checked Amazon.com for mention of this DRM fiasco in the comments/reviews. At last count there were 85 comments, almost all mentioning this DRM problem, and the net rating for this album was one star. I suspect that it was rated that highly (sic) simply because Amazon's UI requires a rating.
Many comments mentioned this web site and thread. Just a suggestion, but if you are really outraged about this, you might want to email Amazon chieftain Jeff Bezos and ask him about a boycott. While it is not in his financial interest, he must see the potential for lost business, returns/refunds, and ill will. As one of the recording industry's biggest customers, it seems he could bring significant pressure to bear.
 
This is an absolute disgrace I am over the moon you have chosen to highlight this and maybe if we all express our opinion in the correct channels (unlike Sony) then we could have something done about this. Sony have a lot to answer for and the sooner they are forced to remove the Van Zant album from the shelves the better..it's utter shiznett of the highest order !!
 
Very frightening.

Is there a way to possibly block the installation of the rootkit up front, maybe through Norton Internet Security or through a utility that can block programs from running.

Or, as an alternative - if we turn off AutoPlay on the CDROM would this prevent it from being installed to begin with?
 
We have contacted suesony.com to put up a form for a class action lawsuit against this company and the company that made the DRM. Since the company who made the broken is UK based this is a direct violation of the Computer Misuse Act. We have the support of around 1500 people and it is growing daily. As mentioned earlier here are some of the laws that can be used against this type of action.

-----------------------------------

People may mention the EULA, but what I think most people are forgetting is that RIAA has already set a precedent that current LAWS OVERRIDE EULA in their case with grokster and many others.

With that precedent the presence of a EULA is a MOOT point since the laws are above it. You cannot contract murder, nor sabotage, nor any other illegal action. Since this is also an electronic form of agreement, this is arguably not even valid with current contract law which requires a SIGNATURE between 2 parties. Since electronic signatures can be forged, this is also a disputable point for EULA's.

-----------------------------------

This software will be considered spyware under the ASC definition,

The ASC's most recent definition of spyware is:

Technologies deployed without appropriate user consent and/or implemented in ways that impair user control over:

* Material changes that affect their user experience, privacy, or system security;

* Use of their system resources, including what programs are installed on their computers; and/or
* Collection, use, and distribution of their personal or other sensitive information.

-----------------------------------------------------------------------------

"The Securely Protect Yourself Against Cyber Trespass Act, or SPY ACT, makes spyware illegal, but it is unclear if the SPY ACT defines spyware the same way as the ASC....

-----------------------------------------------------------------------------

California Business & Protections Code Section 22947.3, Paragraph C:

A person or entity that is not an authorized user, as defined in Section 22947.1, shall not, with actual knowledge, with conscious avoidance of actual knowledge, or willfully, cause computer software to be copied onto the computer of a consumer in this state and use the software to do any of the following:
...
(c) Prevent, without the authorization of an authorized user, an authorized user's reasonable efforts to block the installation of, or to disable, software, by doing any of the following:
(1) Presenting the authorized user with an option to decline
installation of software with knowledge that, when the option is
selected by the authorized user, the installation nevertheless proceeds.
(2) Falsely representing that software has been disabled.

-----------------------------------------------------------------------------

Computer Misuse Act - UK

"3.-(1) A person is guilty of an offence if-
he does any act which causes an unauthorised modification of the contents of any computer; and
at the time when he does the act he has the requisite intent and the requisite knowledge.

(2) For the purposes of subsection (1)(b) above the requisite intent is an intent to cause a modification of the contents of any computer and by so doing-
to impair the operation of any computer;
to prevent or hinder access to any program or data held in any computer; or
to impair the operation of any such program or the reliability of any such data.

(3) The intent need not be directed at-
any particular computer;
any particular program or data or a program or data of any particular kind; or
any particular modification or a modification of any particular kind.

(4) For the purposes of subsection (1)(b) above the requisite knowledge is knowledge that any modification he intends to cause is unauthorised.
(5) It is immaterial for the purposes of this section whether an unauthorised modification or any intended effect of it of a kind mentioned in subsection (2) above is, or is intended to be, permanent or merely temporary.

-----------------------------------------------------------------------------

Australian Cybercrime Act

http://www.austlii.edu.au/au/legis/cth/consol_act/ca2001112/sch1.html

Section 477.2 is quite explicit:

"477.2 Unauthorised modification of data to cause impairment

(1) A person is guilty of an offence if:

(a) the person causes any unauthorised modification of data held in a computer; and
(b) the person knows the modification is unauthorised; and
(c) the person is reckless as to whether the modification impairs or will impair:
(i) access to that or any other data held in any computer; or
(ii) the reliability, security or operation, of any such data; "

-----------------------------------------------------------------------------

Lastly the infamous DMCA.

Section where it states that it is ILLEGAL to circumvent copy protection. Applied to person and business computers with antivirus and other anti virus / spyware.
 
Sony Music issues fix to anti-piracy program http://www.msnbc.msn.com/id/9911371/

You did it, Mark! You took 'em down!

Well played!
 
This scares the hell out of me. I don't understand it all, but what I do understand I don't like. I wrote to Sony and to First4Internet to ask them what was going on.

I am now scanning with the rootkit thing for the root virus or spyware or whatever this is all about. It's taking forever to scan but I'm so afraid I put one of these covert CDs into my computer a couple of weeks ago. How do I know Sony or someone isn't monitoring my musical tastes? They seem happy enough to infect my computer with hidden files, I wouldn't put it past them to spy on me.
 
sony's "fix" (i tried the zip) is merely a removal of the cloak. the patch actually reinfects your system.
 
What we need here is everyone here and across the Globe to email Sony and its partners to let them know that this will not stand. Only when enough noise is made either through the media or by any other means will they concede that it's best not to continue in the course they are currently taking.
1 Email won’t do much but thousands upon thousands will have an impact. Also as some others here suggested, "Not purchasing" any SONY product will also have an impact on their bottom line.
Let’s all Stand up and be counted.
It takes just mere seconds to email them.
 
For people who'd like to email Sony about this:

ContentProtectionHelp@info.sel.sony.com
 
Smokin article Mark. Maybe we can send the "We absolutely will not buy DRM'd music" message to ascap and bmi. Most artists signed with major labels are members of one or the other organization. I will try to get back with actual email addresses. If anyone beats me to the punch, great.

www.ascap.com
www.bmi.com
 
Mark,
now that the INQUIRER and others have raised the hue and cry, Sony has posted a "patch" that removes the cloaked software.

Any chance you have a look at how it works? Who knows what it actually does.

Here is the link to the Sony patch

http://cp.sonybmg.com/xcp/english/Update031105.zip
 
So has anyone stopped to hear this audio file yet ? (I posted this earlier.. quite good)
Steve Gibson of GRC.com (who also provides Shields Up!) has a great AUDIO file discussing over this mess now (well done MARK!) Find and listen to it here:
http://www.grc.com/securitynow.htm

@ Dustin.. you mention "sony's "fix" (i tried the zip) is merely a removal of the cloak. the patch actually reinfects your system."
Has anyone else verified this yet?? and if what Dustin says is true, THAT ALSO needs to be reported to all the mainstream media!!

And now the hacker news begins.. thank you for that article link James! (I wonder what Blizzard's response will be!! World of Warcraft is going to be overtaken by hacks now! LOL )
http://www.securityfocus.com/brief/34?ref=rss

"World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect."

SHAME ON YOU SONY!
 
Mark -- good sleuthing work. As a former NT blue screen debug tech for Microsoft, I know how convoluted these detective jobs can be and, as always, you did a brilliant job. I guess that's why even at Microsoft, we always used your tools to do our daily work.

Have you looked at Blizzard Entertainment's invasive anti-hacking measures in the "World of Warcraft" game? They do things like poke into the filesystem and enumerate *every single process* on your system to see if it matches certain fingerprints, and will ban accounts permanently based upon this information.

Of course, this is a huge, huge, huge privacy concern -- since they're looking at window titles (among other things), there could be credit card info and other personal data gathered as part of the "Warden's" data ("Warden" is what this component is called). And, of course, Blizzard claims that none of this data will ever be collected and used for anything other than anti-hacking tests. But all of us who've been in the biz for a while know just how reliable these kinds of "promises" turn out to be the first time the company making them is under any kind of financial stress...

What I'm wondering is how long it'll be before something like this (code-injection attacks, process & window scanning, etc.) is coupled with rootkit tech. to basically make the total corporate-sponsored spyware platform. And how long it'll be before some black hats take this system over to *own* hundreds of millions of computers...

I think that the core problem here is EULA's -- forcing people to agree to *legally binding contracts* that they may have never read (oh come on, how many of you thoroughly read the EULA before clicking on that annoying "I Agree" screen? who has the time??) and probably can't understand if they're not lawyers.

I think that shrink wrap licenses and the basic concept of the EULA are fundamentally broken, and incidents like this and the Blizzard situation are the *inevitable* result of corporations believing that a EULA gives them complete access to and control over what your computer does.

Bottom line is: big corporations like Sony and Blizzard are now just as suspect and dangerous as any virus/spyware writer. Perhaps more so because they have dozens or hundreds of coders working for them, and hundreds of millions of dollars to devote to outfoxing everyone else.

Thank god for hackers (and I consider you a prime example of that non-pejorative category, Mark)!

-- Tom
 
[quote]Perhaps if you kernel level developer guys were a little less friendly and helpful on your mailing lists you could prevent things like this being created.

Ceri Coburn of First4Internet.co.uk asking for help writing a cdrom filter driver[/quote]

Well here's his email address:
ceri@first4internet.co.uk

In case any of you want to ask him any questions on this rootkit virus.
 
First of all, thank you Mark for a great job and an informative article.

Hmm... Let me see... To me the name "First 4 Internet" sounds like one of those dodgy companies that installs browser hijackers to me. If I found a piece of software on my computer called "Essential System Tools" with "strange" module names from this company my first thought would be that it was a piece of scumware and I would attack it. If somebody tried to prosecute me for tampering with a DRM system they would have to prove I knew I was doing wrong. If the module data had been honest and identified the program as "Sony Digital Rights Management System" they would have much more of a case.

Our biggest problem is that the Government makes money out of Sony et al behaving like this. They see revenue out of sales and corporate taxes from each sale. Freedom makes them no money; Fair-use makes them no money; Making me buy an album again because I lost the licence when my hard drive crashed makes them $1. Granny having to pay the local repairer $50 to reinstall windows for her when it all goes wrong makes them $5 (It's far better for them than her keeping that $50 in the bank of her cookie jar) All this money increases consumer spending and makes the stock market happy.

This issue is unimportant enough to most people that it won't change the way they vote. All the time this continues our politicians are free to carry on collecting taxes and political donations from the entertainment industry safe in the knowledge that it won't cost them their jobs.

I was on a foreign trip recently. On the way to the departure gate I saw Avril Lavigne's Under My Skin on the front display of the store. It was displayed with other CDs and there was no clear indication on the front that it wasn't a regular CD. I was in a hurry (Yes, I had a plane to catch!) and in my haste to buy it _and_ catch my flight I didn't check the back of the CD for the small panel that said it was protected and wouldn't play on anything other than Windows. I am now the very resentful owner of a piece of plastic which I can't enjoy on any piece of equipment I own (I don't run Windows so I can't play it in my laptop and even if I could I wouldn't be able to transfer it to my music player). By the time I got home I was past the 28 day deadline to return the disc to the store as being faulty.

This disc is no good to me. I can't listen to it on my equipment and I'll be damned if I'm going to spend more money so I can start running Windows and buy a new music player to listen to it. Maybe Sony are assuming that my player will wear out in a few years and whatever I replace it with will have DRM; Maybe they intend to get their paid politicians to introduce a law that makes it illegal to distribute an operating system that doesn't support DRM. Bill Gates must be nearly wetting himself in anticipation of his competitors' products to be encumbered by DRM patent royalties or for them not to be able to play music any more.

The IFPI have helpfully suggested I get myself a CD player if I won't use Windows. http://www.theregister.co.uk/2005/09/23/mac_linux_users_told_to_buy_cd_players/ . Well... I travel a lot and I don't want to carry more weight or bulk around with me. I'm into excess baggage on every flight now; I added all the $/per kilo together from every excess baggage ticket I've bought in the last year and they come to about $600 per kilo. I am not going to pay $600 per year to stagger round the planet with portable CD player and a pile of CDs- That's what I bought my mp3 player in the first place to avoid. If I'm forced to drop my music player and carry say 100 CDs then that figure comes closer to $2500 per year. Get bent!

I won't die if I don't get to listen to Under My Skin. I can't be bothered to spend my time trawling the net for cracks that may contain worse malware than Sony's and will make me a criminal. As long as Sony go on producing discs I can't play, I make no apologies for the fact that I won't be buying any more. Bye Avril, it was fun whilst it lasted.

I also recently bought Janet Jackson's Damita Jo and The Scissor Sisters' first album. Both discs are unprotected; I enjoy them very much and will be buying more.

The only way this madness will stop is by commercial pressure. It needs to cost them more than it makes them. Sony will carry on with their little plan to deploy this wrecknology unless their revenues drop so far down against other companies that they cannot blame it on piracy any more. I'm sure all the other companies are watching with interest to see if this works for Sony before doing something similar.

I will not be buying any protected media. If I do buy any by accident I will return it to the store as being unfit. Furthermore I will not be buying any equipment from Sony (So far they have lost the sales of 1 pc, 2 laptops, a portable media player, a dvd recorder, 2 camcorders, 2 digital cameras, 4 cell phones and numerous PC optical drives in my household). I used to buy only Sony but now if I see their name I walk away. As a professional I am frequently asked by my friends and co-workers what they should buy; I now recommend against Sony every time. I avoid the use of their professional equipment at work as well. I intend to get an HD plasma TV (Pioneer) and a progressive-scan DVD (Denon) this year so Sony can add those to the list of lost sales too.

I avoid these products as I simply don't trust Sony not to have hidden a DRM bomb inside. Their will to do so is clear from Sony Pictures Entertainment US senior VP Steve Heckler's comments here: http://www.theregister.co.uk/2000/08/23/we_will_block_napster/ I like Sony equipment and I will come back to the fold as soon as their policy changes. Until then I won't be doing business with them or with the equipment manufacturing arm of any company that joins them.

Good luck,
Rick.
 
http://legalbuff.blogspot.com/

You'll find it interesting if nothing else :)

I normally don't write much, but this is really outrageous.
 
Four days after the discovery of the Sonygate Affair the prevailing opinion of literally ten-thousands of computer users from all around the world on Sony and DRM shifted towards bewilderment and major uncertainty.

Sony BMG music label incorporated a DRM software into their audio cds that installed clandestinely and used routines normally used by hacking tools known as rootkits.

These are commonly used for gaining stealth superuser / root access to computer systems, disregarding any security system that may be present on the system.

Obviously Sony did not install a real backdoor on millions of windows boxes but installed software that could help an armada of malware and spyware software streamline into these boxes not detectable by mainstream security software like virus scanners or spyware removal tools.

But there are some serious questions turning up.

Besides the fact that it seems grossly negligent to release software that will hit millions of pcs produced by engineers not really knowing what they do there are some other things that strain the consumers confidence in Sony BMG in the first place and globally operating companies with equal market powers at closer inspection.

These questions center about the positions of consumers and manufacturers on the one hand and ways for political intervention on the other. The key is: who can and who will be held liable if such a thing gets out of control?

Who can be called to account when for example security holes in operating systems allow script kiddies to blast windows boxes away like it happened in 2003 with the infamous Blaster Virus and its variants Lovesan and Sobig?

An 18 yr old boy from Minneapolis / USA?
A 19 yr old boy from Verden / Germany?
The Company that allowed that flaw to exist for 4 yrs before exploitation?

Starting with DRM (Digital Rights Management) it is an accepted opinion that music labels and others have the right to protect their properties.

The key sentence of Mark Russinovich on that matter, commonly echoed by global coverage of Sonygate: "While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet."

The crux of the matter is that the same laws that give pressure groups like RIAA, GEMA, et al the right to pursue copyright infringements also cover the integrity of computer systems worthy of protection against compromisation.

That includes home pcs as well as business installations. In this case Sony probably ignored the adequacy of resources in their doings.

It is conceivable that some of those that are struck by problems arising from that software will initiate legal actions against Sony BMG. The DMCA (Digital Millennium Copyright Act) and other laws give those heavy caliber ammunition for a series of lawsuits.

Another side-show could be the collaboration of Sony with First 4 Internet, the producer of the software. Questions shareholders could ask could point to the circumstances First 4 Internet got the deal to deliver that arguable piece of software. One of the directors of First 4 Internet is an ex long-time director of different Sony Corp. spin-offs.
Having the huge negative publicity impact in mind, possible claims for compensation from artists and consumers and consequential decline in sales this one could get hot for Sony.
 
@ Dustin.. YEP you are right.. read this bit from an article here:

"The funniest part is that you don't actually remove the software with this tool, only make it visible, and you are still infected up and down with DRM. Should you be lucid enough to realise that you don't want this crap within a few miles of your system, you have to go through the grilling process above. Want to make it seem even more surreal? If you remove the malware and DRM infection, you can't play the CD anymore. Nope, the money you spent on Sony products is gone. Mal-way or the highway.

If you try to remove it yourself, you risk breaking your optical discs, or it kills them for you. Mark from Sysinternals is more than smart enough to figure out how to fix this, but are you? Off the top of your head, how do you do that again, no looking it up? To make matters worse, it installs itself so it runs in safe mode, and if it conflicts with something, you are really hosed. Sony's response? "This component is not malicious and does not compromise security.". There are already exploits out there that take advantage of this.

Sony compromised your system and will not directly allow you to remove it without compromising your privacy. It also will not replace your defective CDs with non-infected ones. If you hose your computer or network with this infection, and want to play your music, do not pass go, do not collect $200. Really, it won't help customers who simply don't want this, read #3 in the FAQ. "

Link to full article here:
http://www.theinquirer.net/?article=27426
 
I have been able to find loads of other stuff on this. Googled for 'Sony DRM rootkit' and Google claims at the time I searched, 177,000 hits on this alone.

http://www.google.com/search?hl=en&q=Sony+DRM+rootkit&btnG=Google+Search

There is also stuff on the same search found in Google's news pages also, check that as well for additional stories.
 
I think if you're one of the people that are concerned about Blizzard's server being circumvented from this latest (Sony) Rootkit DRM issue then my guess is just stop paying it. I don’t play WOW (World of Warcraft) myself but I know enough that it’s a HUGE cash cow for Blizzard.

EQ (EverQuest) is owned by Sony. So if you're ranting and raving here and at the same time you're paying to play EQ, one of Sony's HUGE cash cows, then you need to rethink things.
In the end I am still confused as to how this is allowed to happen to users of MS Windows and not Users of MAC
I mean how can no one at MS have anything to say about this ?? .....is beyond me .
 
Mark, how come that I found 2 files called MGE.exe and LS.exe on my system.

properties showed them to be from Sysinternals...???

Location : Docs and Settings\username\Local Settings\Temp

The MGE.exe I found in memory (while the rootkitrevealer was active).
 
Did you see the article at http://www.securityfocus.com/brief/34 "World of Warcraft hackers using Sony BMG rootkit" about how gamers are exploiting the Sony copy protection program to hide their game cheating?
 
Here is a nice link to a forum of World Of Warcraft Hacker/cheaters already planning the next move.

I like the "Hey anyone burn an ISO of the disk so we can reduce the cost to zipola?" comment just about sums it up .

Pirating the DRM protection ...Priceless.

http://www.wowsharp.net/forums/viewtopic.php?t=7251
 
This makes me glad I:

1) Don't allow anything from Microsoft into my home,
2) Don't purchase Music CDs anymore, and
3) Stay far away from anything with DRM.

(I read the first third of the comments, skimmed the second third, and looked for keywords in the last third.)

This is a failure not only on SONY's part, but on the MicroSoft Windows OS as well. True, just telling everyone to get a Mac or switch to Linux is stupid, but this kind of thing wouldn't be such a big deal install/uninstall-wise on a nix OS. On a nix box, the OS wouldn't allow this to be installed system wide unless root authorized it. Even if it was installed on a per user basis, it would be a cinch to remove. "rm -r ~/.SONYDRM" or something. No big deal. The sheep-y argument that Windows OS is full of problems only because it has more people using it is ignorant at best. The Windows OS fails when it comes to security, plain and simple. I'll keep my thoughts on the whole anti-virus racket to myself.

B) Boycotting SONY isn't a good idea. It would be better to slap 'em up for this crap hard enough that they'll avoid it in the future, rather than driving a company with experience into the ground, only to be replaced with a newer, less experienced, dirtier one.

C) I was eagerly awaiting the PS3. I still am. I don't like Blue-ray, but I don't see the big deal if its just for games. Shouldn't a PS3 game need to be legit and only work on a PS3 console? I think so. If they incorporate anything that infringes on my privacy or ability to use my own, legit property, however, that's going too far.
 
I posted this on another site, but figured I would paste it here as well:

In the UK we have a law called the Sale of Goods and Services Act. Under that law is a requirement that the seller of a product/service gives an accurate representation of the product/service they are selling. It is also required that any faults should be disclosed as well. Now since this software introduces a security threat, in so much that malicious software can hide under the DRM's cloak, it has a fault. That fault was not disclosed by Sony to its consumers.

As a result of failing to meet the requirements of the Sale of Goods and Services Act, the EULA (which is a contract) is void, since the vendor (Sony) have failed to meet statutory requirements in presenting that contract.

Now, since the EULA is void, this leaves Sony open to charges under the Computer Misuse Act as well, as it is regarded as a criminal offense to modify someone's computer without consent. So even though they may have given/implied consent by clicking "I Agree" on the EULA, since the EULA is void and not a legal contract, charges under this law can also be applied.

There needs to be a serious review of how EULAs stand in regards to contract law. It is no secret that the majority of people who come across a EULA never read it, and Sony know this as much as everyone else, so they are trying to take advantage of the situation, which is morally and ethically wrong.

Corporations need to be held more accountable for their actions and in a time where identity theft and internet fraud are rife, a company that breaches criminal law in this fashion and leaves their consumers wide open to further criminal attacks and compromises of security, should be prosecuted.

I have already started discussion with law enforcement here in the UK regarding this matter. What makes the situation worse has been the actions of Sony in the last 24 hours.

First they release this "patch" saying it will unhide the "rootkit" then in a public statement, they claim they have found new ways to hide their software. Yet people are supposed to believe this new software is not just as bad just hidden in another way?

Secondly, they state (again as a public statement) that the CD has only been sold in the US and that there are no copy protected CD from Sony anywhere in the UK. It took me 30 seconds to find an Avril Lavigne CD in my collection which is distributed by BMG and has copy protection software on it and is in the UK. Furthermore the FAQ on their own website states that they only produce one commercial version of an album for the whole world and that they all have Sony copy protection on them. So again they have lied, and again they have violated the Sales of Goods and Services Act in the UK by publicly misrepresenting their products, as there most certainly are cds in the UK from Sony with copy protection.

They also made another public statement that the software does not add any security risks to the consumer's computer. This is another lie, as has been clearly demonstrated, any system that is running this "rootkit" is vulnerable to other malicious software cloaking itself behind it. So again, a breach of the Sales of Goods and Services Act.

Not to mention how they changed the EULA in order to try and cover themselves in light of the public outrage over this matter. What about people who do not have internet connections? How do they get the patch or view the new EULA?

I have stated elsewhere that all Sony CDs should be removed from the shelves of retailers in the UK until such time as the legal issues surrounding this scandal are clarified. Failure to do this, will leave millions of people at risk, simply through being able to buy one of the "20" titles released with this "protection" embedded.

So whether or not the US consumers have any comeback on this legally, the UK most certainly does and I will be following every avenue available to make this matter as public as possible and to ensure that Sony and First 4 Internet receive the maximum penalties under the law.
 
Having read all this with interest it reminded me that I have just bought a cd by Faithless called No Roots. When this cd was inserted into my pc I immediately received a message box on screen entitled APlayer saying "System files are Updated. System will now reboot" With a "yes" and a "no" button. But no option not to install the software! When you click "No" you get an error and a broken music player launches.

The cd is produced by Sony/BMG.

There is no EULA anywhere on the cd - either on the case or in the data on the cd itself nor any mention of DRM or other copy-protection. I too resent having my machine altered without permission and will be harassing BMG/Sony.
 
Forget about Eula. Sony misrepresented their product while somebody purchased the stuff, huh? Hey, since u get the cd via amazon and it was mailed over state boundaries, it could be federal crime, mmh?
 
In the European Community, there is such thing named the European Parliament, which has representatives of all the European citizens from the State Members.

We, European citizens, should all contact urgently our representatives in the Parliament, to put pressure to elevate this matter as high as possible. This is a World threat, nothing less than a new kind of terrorism that we, simple and honest citizens, are confronted now to live with: The terror of being infected in unimaginable ways for all kind of unbelievable abusive software technologies from big companies.

I vote that we, citizens, fight to get this kind of offense qualified as cyberterrorism, because this is exactly what it does: terrify us.
 
I agree that the sheep argument doesn't hold. In fact I think it's the opposite. If there are more users of a product I would expect more bugs to have been found and fixed and the product to be of better quality. Unfortunately this seems not to be true in certain cases.

IMHO no competent OS should allow processes or files to be hidden from the system administrator. It invites rootkit-type attacks and gives no benefit I can think of.

I think a Sony boycott is a good idea. The deployment of this technology needs to hurt them. Somebody needs to have to stand in front of Sony's board and explain why their sales are down but all the other major labels aren't. I'm not proposing a permanent boycott; I will gladly go back to them when they mend their ways and show that they value my custom.

Isn't the crime of sending mis-described items by USPS mail fraud? I'm not sure that there is much mileage in mail fraud but am I right that if somebody perpetrates more than a certain (not that large) number of counts of it that it becomes racketeering? Who would be guilty? Amazon for mailing the mis-described item (in good faith) or Sony for making it? IMHO anything that would make retailers wary of stocking these items can only be good for us though.

We just need somebody squeaky clean to take them on...

Regards,
Rick.
 
Please someone drive this nail into the heart of the industry proper. Where are all the damned lawyers?
 
This has far-reaching effects for security in the pharmaceutical industry. The company I work for sells mass spectrometers that cost between $300K to $2 million. Analyzing and operating the machine's data is very processor intensive and anything that consumes processing time can interfere with normal operation. Security is also a big issue with our customers as well. I will definitely be consulting with others within our company to determine the next course of action to protect our customer assets. We cannot afford to have a half million dollar instrument be crippled by malware such as this.
 
After all these, don't you think sony SHOULD let the removal package http://cp.sonybmg.com/xcp/english/Update031105.zip be opensource ?? :)
 
Good work on finding the rootkit.
Firstly I must emphasise that I do not mean to be cheeky in any way but, do people not realise that "copy-protection" can be overcome by simply turning off Auto-run.
I have several CD that feature "copy protection" but once I disabled auto-run prior to first putting them into my CD drive I was able to play the CDs in a music player of my choice (visualisations and all) and then make backup of the music I had purchased.
I too agree that some sort of action should be taken against Sony by those who unknowingly installed this software (as anyone who has read this blog then installs the DRM software and subsequently starts a law suit could be accused of entrapment).
 
I think I confused myself a dozen or so comments back there ^

I don't think SONY as a *whole* should be boycotted. I don't think anyone should be buying these CDs, but I don't think we should just stop buying everything that bears the SONY name.

The music division is separate from the Playstation division and the electronics division, right? So the SONY headquarters or whatever should have its hand slapped (hard) with law suits, but the other divisions shouldn't suffer, should they? If no one buys the CDs, the music division will learn a lesson, but the Playstation shouldn't suffer because of some greedy record guys. I'm not a business expert, but I think that's how it works.
 
check this cnet article out:

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

Sony noticed this blog.

"The issue came to light late on Monday, when computer developer and author Mark Russinovich published a blog entry detailing how he had found the First 4 Internet software hiding deep in his computer, after he had listened to a copy-protected CD distributed by Sony BMG."

Supposedly, they have given patches to antivirus companies to remove the rootkit. While the program will still kill your CPU's processing time, there supposedly is a fix to that too:

"The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view.

Consumers who want to remove the copy-protection software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said. "
 
Has anyone had the problem of this type of CD breaking their iTunes? After I went through the process with the new G3 Live in Tokyo album my iTunes will not acknowledge any new cd that I put in, if i put in a cd i have already ripped it sees it fine and I can play it. I even installed the supposed fix by Sony and it is still having the same problem. Has anyone else experienced this?
 
LOL wonderful sony.

Now game hackers are now using this technique based off your rootkit to make hacks for games such as WOW that check runtime files.

I don't think blizzard is going to like that little trick.

http://www.wowsharp.net/forums/viewtopic.php?t=7251
 
I have no plans to purchase this cd as I don't like this type of music.

That being said, the harder record companies make it for people to do the things they want to do with their music, i.e. listen to it on their computer, rip it to mp3, load it on their iPod/MP3 player, and make mix CD's, the more they will look for easier methods to do these things.

Doing a quick search online (spent about 3 min. of my time), I have verified this album is available via bittorrent and allofmp3.com. A quick little download, and I have full control over the content. I get what I want, and Sony gets nothing.

The average user is always going to seek out the easiest method to do what they want. Legality is very often not something people worry about.
 
- listen to it on their computer, rip it to mp3, load it on their iPod/MP3 player, and make mix CD's, the more they will look for easier methods to do these things.

OFF TOPIC- where is the best all-inclusive program for what you just described Chris?
 
Congratulations, Mark! Your story has reached the "mainstream" press with this story by the BBC:

Sony slated over anti-piracy CD

Includes a screenshot of your blog entry.
 
Great work Mark!

Yes, I had a similar problem last week after listening to the Black Rebel Motorcycle Club's CD Howl, which is a copy protected disc. The next couple of discs I tried to listen to using Sony's SonicStage software would play about 8-10 seconds and hang. I couldn't even kill the hung programs. They simply wouldn't die and every program I started after the hang also hung up. I would then take 15 minutes to shutdown...
That's when I started googling Copy Protected CDs...

I did find a work around by accident. I started up Windows Media Player and tried to play a disc and then accidentally started up SonicStage. The disc played fine in SonicStage. I tested the work around with other discs and it seems to work.

I'm not a good enough hack to figure out what exactly is going on, but it is a similar problem to the one mentioned above.

I am still very concerned about having this software on my computer and not sure what to do about it.

Hopefully the PR will get so bad for Sony that they have to fix it.

Skoegahom...
 
Just imagine if every music label installed its own spyware and its own music player on your PC. What kind of mess would that be? Well, it just wouldn't be possible to build an integrated music collection at all, and the PC would become unusable.

I've now decided to avoid ALL Sony products, both hard and soft, until they come up with a more consumer friendly attitude.
 
In Australia I have brought this to the attention of our consumer watchdog the ACCC. They are currently investigating and assure me that while they cannot force Sony from removing the software from CD's they can force them to make the installation more transparent and offer a means to remove it.
The choice is then that of the user. Refuse to install the software and not have computer access to the CD or succumb.
My choice will be to boycott all Sony music.
 
Hehe, guess the time has come for all 'media disks' to be played under a VMWARE machine :-)
 
VMWARE, yes !
 
Richard,

You can extract the CD tracks from Anvil Latrine's "Under My Skin" album {and probably everything else using CDS200 protection} using cdparanoia. This will extract a bunch of .wav files which you can encode with oggenc or lame, or listen to with sox. {These are primarily Linux programs, but they can be persuaded to compile on Macs without too much effort.}

I bought this exact disc just for the h4x0r challenge factor -- and I actually felt kind of disappointed when it turned out to be so easy to rip.
 
yep, big time media - and international, too

La Stampa, Italian daily
 
Interesting that the kit seemed so badly coded, but not surprising. Do you know any proficient coder who would lend their abilities to this kind of subterfuge?
I really do share Mark's frustration. He's long been promoting the viability of NT as a genuine alternative to *nix. While I don't happen to agree, I think it's things like this rootkit (don't tell me Microsoft aren't implicated) that undermine the good work people like Mark, and others, have been doing to make Windows' data structures more transparent.
I'm not trying to capitalise on it, though. The article shows plainly, that with enough nous, these things can be opened up to the community. I mean OSes have enough exploits without ham-fisted coders sneaking potentially vulnerable code through the cd tray.
 
This is CRAZY, I think now they have gone a little bit too far. We shouldn't support this, i.e. I will not buy any of those "protected" CDs ever...

In Finland, too, we should refrain from supporting this kind of copy protection that goes into system files. In other words, you can vote with your feet/wallet.
 
Nice work.

Sony are disgusting. And they are lying on their site when they say that this rootkit doesn't compromise your system's security.

I bet there are exploits out there now trying to create $SYS$ directories to hide stuff.



Personally I have never bought, and never will buy a product from Sony. , they
 
Mark,

If an activex component was written (a malicious one) and was named $SYS$nastyactivex or whatever. Would a system compromised with this DRM even notice the activex component being downloaded and give the usual warnings? Or would the cloak work on incoming files as well as ones already resident on the system?
 
In reference to my above comment, I am just curious if simply browsing the web and hitting a site with malicious activex using this naming convention would compromise your system. If so that makes the issue even more serious.
 
This is definitely an amazing discovery! Great job Mark!
 
Uninstalls are available through cp.sonybmg.com/xcp
 
No they are not. There is a patch which unhides the cloaked files. There is no uninstall available. If you wish to uninstall the entire thing, you have to fill in a form on their website and wait for customer services to phone you. Or at least that is how the media are reporting it.
 
Will this be of any help?:

http://updates.xcp-aurora.com/

http://cp.sonybmg.com/xcp/english/updates.html
 
As stated in my last reply (just above yours) this only unhides the software (and updates the DRM) it does not remove the software. You would seriously trust an "update" from these people? Especially since in a recent public statement to the press they said they now have different methods of hiding their DRM software?
 
This also shows that the windows system has been planned and written by Microsoft to allow this kind of installations or better said manipulations.

That makes me angry. That's exactly why i.e. the European Union didn't trust the windows system. Now here is the proof.
 
"The rootkit of all Evil!"

A new article from the BBC.

"..Fortunately, it is possible to avoid buying discs like this. Philips, who defined the CD standard and then made it widely available, has been very clear that these music delivery systems do not count as Compact Discs and cannot use the CD logo..

http://news.bbc.co.uk/2/hi/technology/4406178.stm
 
is dmg work on a linux os ??
 
I can't BELIEVE CNN has not reported on this at all! I finally see it now on www.foxnews.com reported yesterday:

http://www.foxnews.com/story/0,2933,174334,00.html
and here:
http://www.foxnews.com/story/0,2933,174452,00.html

This news of this so-called Patch released by Sony.. will NOT rid you of this problem but only unhides the hidden files - you are STILL infected with this crap.
As this article points out here:

Sony DRM is worse than you might think
.."The funniest part is that you don't actually remove the software with this tool, only make it visible, and you are still infected up and down with DRM."
Link:
http://www.theinquirer.net/?article=27426

I think the MASS media out there really needs to let people know they have to go a step further if they want to truly rid of this on their PC.
 
Good work, guys like you are the watch dog against the malicious use of technology. Corporations use it for "protecting" their cds but what next?
If they can do that for cd, another kind of business will do the same and so on.

But a question came to my mind: who wrote this software, was he an informatics wizard like you who has been hired by the company?

I know that my post is not directly on topic but it is connected to.

You guys are essentials to us to keep the balance. Again Good Work.
 
Does anyone have information about potential similar intrusion by Apple's new iTunes version?
 
@ Karsten.. someone earlier posted this bit on this blog which also concerns me:
"Has anyone had the problem of this type of CD breaking their iTunes? After I went through the process with the new G3 Live in Tokyo album my iTunes will not acknowledge any new cd that I put in, if i put in a cd i have already ripped it sees it fine and I can play it. I even installed the supposed fix by Sony and it is still having the same problem. Has anyone else experienced this?
posted by Sam R : 10:35 PM, November 03, 2005

The album he speaks of does NOT have the "Copyright Protect Enhance version" bit shown on it that CD that I could tell when I looked it up on Amazon.. however the LABEL is SONY and this CD just came available LAST month. And we all know that First4Internet has now moved on to different "technology" as reported on various news articles in defense of the mess that's been exposed. hmmmmmmmm really makes me wonder..

And I am not sure what version of iTunes Sam has on his pc...
 
This is in direct violation of Title 18 Section 1030. "Fraud and related activity in connection with computers" (aka The Computer Fraud and Abuse Act). Someone at Sony should be arrested and prosecuted for this crime. Preferably several someones.
 
Massive article points back to the research here:

DRM this, Sony!
By Molly Wood, section editor, CNET.com
Thursday, November 3, 2005

"And Mark Russinovich, who created a root-kit detection utility and was one of the first to blog about the Sony intrusion, discovered another little gem when he tried to remove the DRM drivers. It broke his computer--disabling his CD drive."

http://www.cnet.com/4520-6033_1-6376177.html?tag=nl.e501
 
yep, u're definitively a guru, mark
mrique
 
Is there a SYSINTERNALS removal tool that will safely remove it?

http://cp.sonybmg.com/xcp/english/updates.html

Is 3.4 mb ,.. my question is, HOLY cow WHAT is that thing doing to remove this monster if the REMOVAL tool is 3.4 mb ???

Can it be trusted.

Suspicious Canadian
 
Suspicious Canadian, that is NOT a removal tool. This has been stated over and over now, all that does is unhide the DRM software and update the DRM software (hence why it is so big).
 
I just reported this to the California Attorney General. I suggest everybody do the same:

http://ag.ca.gov/consumers/mailform.htm
 
Does anyone have good contact info for Sony where we can write and complain?
 
The four faces of the Sony DRM FAQ

Sony have so far had three different FAQs posted on their site here:
http://cp.sonybmg.com/xcp/english/faq.html

I have a complete summary listing of the exact wording here

http://netweb.wordpress.com/2005/11/05/sony-and-the-xpc-faq/

I have hyperlinks to the cached pages of are there also.

Interestingly in the first version I have from MSN Cache there is not a single mention in the entire site for any form of the words:-

'Update', 'Security', 'Uninstall' or 'Remove'

The main additions to the FAQ are:-

Two versions of "I heard this is malware?'
The addition of 'How can I update this software?'
The addition of 'How can I make my computer secure?'
Two versions of 'How do I uninstall the software?'

Does Sony now have sufficient wording here???

And a couple of other little things I wrote regarding Security Issues this raises.
http://netweb.wordpress.com/2005/11/04/cd-audio-standards/
http://netweb.wordpress.com/2005/11/04/why-rootkits-are-global-security-breaches/
 
When I first encountered this from Horace Silver's Silver Blue re-release, It caused numerous BSOD's until I went to Aurora to get a patch for that. Nobody could tell me how to uninstall it. I guess I'll have to follow your lead.
 
Mark,

Outstanding work. Sobresaliente.

Just a stupid question: what happens if I had a file named $sys$filesystem inside my system32 directory, before playing any protected CD?

A nice playing software would change slightly the name to use rather $sys$systeme_de_fichiers or something like that, but it does not seem to be in line with what we know of the programming style so far...

However, the alternatives are not really fun: perhaps the software will assume that if the protection is already installed; so would make a really easy way to circumvent the protection: just create a file under this name, and you are done: your i386 Windows will behave exactly as a x64 one, i.e. be immune.
Or, the software might be a bit more aggressive, for example deleting the user file to install itself at the place it expects... No need to tell the problems this kind of actions did bring to societies like Intuit/TurboTax...

Frightening.
 
@ Racerx----
Here is what I found as far as contact info to Sony BMG.
General SONY BMG: 212-833-8000
Arista Records: 646-840-5600
SONY BMG U.S. Latin: 305-695-3600
J Records: 646-840-5600
Jive Records: 212-727-0016
RCA Label Group Nashville: 615-301-4300
RCA Records: 212-930-4000
SONY BMG Corporate Press: 212-833-5047

When I checked Dun & Bradstreet it shows their HQ address as:
SONY BMG MUSIC ENTERTAINMENT
Headquarters location
550 Madison Ave
New York, NY

I also went to
NYS Department of State
Division of Corporations
Entity Information
to just verify if they are actually incorporated in NY - see this here:
http://appsext5.dos.state.ny.us/corp_public/CORPSEARCH.ENTITY_INFORMATION?p_nameid=3161101&p_corpid=3164190&p_entity_name=%53%6F%6E%79%20&p_name_type=%41&p_search_type=%42%45%47%49%4E%53&p_srch_results_page=1

Anyone got an EMAIL address for Sony BMG in the USA?
 
I don't have time to go through this list at the moment as I am about to go out for an hour, so I thought I would post it here.

Re: Emails @ Sony

http://www.google.co.uk/search?hl=en&q=mailto%3A+sonybmg.com&btnG=Search&meta=

Obviously this list will need filtering extensively to pick out one that is relevant, but there are literally hundreds of sony email addresses in that google search.

Happy phishing guys. (and gals)
 
Thanks so much Mark for your excellent analysis and documentation.

Thanks to F-Secure as well for responding to this and the rootkit issue in general.

A couple of people have already commented on "challenges" within the executive level @ SONY and how this is impacting on quality control, customer support, market research etc.

If you are curious about the context on this DRM-Katrina-Gate saga, here's something worth reading...

http://www.post-gazette.com/pg/05180/530332.stm

Meanwhile on the ground, just this last year there have been tremendous problems with SONY multi-media software bundled with portable players and laptops.

This is just the tip of the iceberg...
http://www.club-vaio.sony-europe.com/clubvaio/mvnforum/viewthread?thread=17467

And customer service? This is just one of a number of petitions that have been circulating on the net recently.

http://www.petitiononline.com/mod_perl/signed.cgi?Sonymd

So you can start to see how this is "just another day in hell" for SONY and a bloody nightmare for everyone.

Aside from PC users who might not have the expertise to deal with the very complex consequences of a possible infection as a result of installing the DRM software, I really do feel sorry for the artists involved. Making a good record often involves months of preparation and hard work.
 
fyi I've got a follow up post with More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
 
""If you have a Mac computer you can copy the songs using your iTunes Player as you would normally do."
http://bigpicture.typepad.com/comments/2005/10/drm_crippled_cd.html

I am more and more happy to be on a MacIntosh..."

It has nothing to do with a Macintosh being more secure or not. They just haven't bothered to get around to it yet. Also, it's just as easy to circumvent this type of DRM protection on any OS. With all the effort that has gone into it, the actual protection scheme used here is very poor.
 
In addition to boycotting Sony/BMG discs, I have just finished cancelling my BMG Music Club membership.
 
This makes me download from now on from p2p networks. I will never ever buy a CD again, because you don't know what you install on your computer. A p2p file can be at least checked by a virus scanner....
 
I'm happy there are people like Mark R in this world. I just finished sending out tons of emails to those involved and/or those of the press. I know it is not much but at the very least I can say that I took the time to do it.
My next step is to contact my local councillor and government and complain through the proper channels here in Canada in hopes that many, many others will do the same so as to bring enough press and awareness to what SONY is doing is just plain out being DEFIANT of any responsibility and Blame for this.

On another note, I just took my nephews' PlayStation and all the games to EBGAMES and traded them in for an XBOX. The little guys had asked me a week ago and well... now I was more than happy to make it happen. Cheers.
 
I posted this note to Sony Music at this site: http://www.sonymusic.com/about/feedback.cgi

Dear Sony Music -

In response to the rootkit software issue making its rounds on the internet this week, I'm writing to signify my intent to boycott all SONY products containing said software. When I purchase a CD to lawfully use with the software of my choosing, I do not wish other extraneous resource-hogging software installed on my system. If I did wish for such programs, I'd purchase them and install them with complete knowledge of how they would function -- very much opposed to the hidden tactics you as a company seem to be using to infect people's computers with your DRM schemes.

I was going to purchase the new Neil Diamond release, "12 Songs," as a gift this coming week but now I will not. Whenever Sony chooses to release a copy of this recording without rootkit or other software issues, then I might reconsider. It's too bad because the writeup in Rolling Stone on Rick Rubin's production seemed like another comeback akin to that of the late Johnny Cash. I was really looking forward to hearing those songs.

It's tiring that the music industry seems to be treating all of its client base as criminals. Treating legitimate customers in such a manner is reprehensible. The fact that removal of this rootkit can render one's CD-ROM drivers useless is borderline criminal.

In addition, I intend to not purchase any Sony electronics as long as Sony continues to support such deranged and fraudulent DRM schemes. While I can understand the company's desire to defect piratization, I would encourage Sony to seek out methods that do not involve the surreptitious installation of software that can do harm to a user's computer.

Yours sincerely from a disappointed customer,
 
I am an independent record label/musician, and the only DRM I would ever use is itunes and the like, because I could care less if people were to decrypt my songs. Even then, you can go to Emusic .com and get 50 free mp3's (i.e. download my album), and I would still get paid for it.
 
Do EULAs include an open slather license for software installation?
Does agreeing to install a "media player" allow the company free rein to install anything else on the system? ie a media-player converts a recorded data stream to audio-visual music it doesn't mess with CD-drivers, file hiding or OS level procedures.
 
"I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying"

Mark, you've just discovered the fat end of that wedge. There's no such thing as a copy protection mechanism that works but doesn't interfere with fair use and the user's enjoyment of their own property. Sony's malware DRM isn't wrong because it goes about things in a more obviously dangerous way than usual; it's wrong because DRM is wrong.
 
We would be interested in speaking to all U.S. residents that have experienced this problem before the EULA was changed. We have looked at many DRM cases and Sony went too far with this particular scheme. You can contact us at gw@classcounsel.com.
 
" Sony's malware DRM isn't wrong because it goes about things in a more obviously dangerous way than usual; it's wrong because DRM is wrong. "

I have to agree with you Adam. 100%

DRM is the real issue here.
As far as companies like Sony are concerned, they lost focus long ago on what is the single most important thing and is also what they exist for. That is the end user or customer. They are in the business of making products that we (well most or many of us) used to Love and recognize and affiliate the name SONY as a Brand that meant the Highest Quality above all else. Then something happened, they grew and expanded into the market and now are part of the Music industry as one of the largest (if not THE largest players). In doing so their greed has blinded them as has happened to many other corporations and they have lost focus as to what made SONY a household name that meant something. Now they are just self destructing in what appears to be the greed of making profit at whatever expense even if it means alienating the loyal fan base that was part of the Brand Name Sony. It makes me wonder what SONY Japan is thinking about all this.
I could be wrong but I think this will have repercussions for them in the long run or maybe not but I think it will.
 
I'm thinking Sony is WRONG here!

Looks like they will simplify virus makers' lives a lot. Because the ugliest viruses are distributing rootkits with their bodies (stuff like the infamous msdirectx.sys) and this stuff is caught by antiviruses quite well... Sony makes things way easier: there is no need to distribute stupid rootkits (which are detected by antiviruses aggressively) anymore - just use Sony's crap instead to hide a virus :D. That's all.

Even if Sony releases the promised patch to allow antiviruses to see hidden stuff, this WILL NOT HELP ANYWAY. Their system is a rootkit. Nothing more, nothing less.

Facts are simple: viruses are not 100.0% discovered by antivirus companies' efforts. Lots of viruses are reported by users who got some suspicious stuff and sent it to an antivirus company for further research. And of course there is no antivirus which can find unknown viruses well (an antivirus can try but anyway this will often fail). Now what can happen?

1) Someone creates a new virus using Sony's crap to hide it.
2) Users are unable to find such a virus because they are denied from seeing some objects.
3) The virus isn't reported to the antivirus company. Because a user cannot report a thing he cannot find. Simple, huh?
4) Antivirus software may be able to scan those files but as long as the virus is unknown, the antivirus will not recognize it.
5) The moron will go on, hidden and dangerous... at least until the virus has spread planet-wide so it is impossible to ignore and antivirus companies or skilled guys discover this virus.

Yes. Thanks Sony. For f...ng up users using their money. This is an incredible idea.
 
I know that probably nobody is reading by the 429'th comment, but I'm sick of people complaining that the fix doesn't fix the problem. The problem here isn't that they install software to keep you from using the CD normally... they warn you of that (hence it being copy-protected). The problem was all the cloak-and-dagger hacker methods they used to make it look like the program wasn't installed (and opened security holes). I don't like DRM's, and the software might suck, but by removing the cloaking it's no longer a security threat.
 
Of course it is still a security threat. There are probably millions of people around the world who know absolutely nothing about this threat or the patch. They are all still vulnerable. Of them some undoubtedly run no antivirus, so when the AV patch is released, they will not receive it. Then what about people who don't have internet? Malicious software does not just come from the internet. There was a situation in the UK a few years ago when malicious software was being distributed via magazine cover cds, so just because you don't have the internet it does not mean you are not at risk.
 
On spyware and this rootkit and 'phoning home'.

If you use a web content filter, some of these are adding spyware/malware to their list of categories. Gone are the days of these just blocking pornography or gambling, many companies are using them too. Mainly to block 'time-waster sites' such as sports and news sites, unless the site is needed for business purposes.

Now if this rootkit really DOES phone home, we need to submit any URLs that can be ferreted out as to where it goes to, and submit them to the content filter providers. A short list:

WebSense
Blue Coat Web Filter (formerly Cerberian Web Filter).
NetNanny
CyberPatrol.
CyberSitter.

Many other majors can be found with just a simple search in Google.

Once any URLs are found, simply email them and tell them of all of this and ask them to add 'spyware' to the categorization of the site they already have for it. Blue Coat does this along with anything else. For example, they will rate Sony as being 'arts/entertainment' and maybe a couple of other things, and also 'spyware/malware' if we let them know of specifics about the rootkit and the malware it hides.

That way, the next time the software attempts to 'phone home' after the user's database (Blue Coat does this online already) has been updated, the attempt will be blocked.

This will benefit many other users and not just those who know about the rootkit, as there are now serious privacy issues involved given the alleged report
 
I work in radio and I am also on the college radio broadcasters list serv.

It looks like word is spreading around there too and stations are starting to ban Sony CDs because of this.

Most stations run their current music rotations off hard drives with automation software, so this is a major pain in the tail for them (not to mention all the students who freely use the station computers for their personal entertainment). Bills from college administrators for damaged equipment and downtime are soon to follow. So at least Sony will get hurt on that end.

I am somewhat caught in-between on this since I am a freelance producer who is a licensed and satisfied owner/user of several excellent Sony Media Software programs.

If a music CD can send my security to hell, God knows what their pro-audio programs have done to my machine.

No more Autorun for me.

Thanks for the info Mark!
 
Mark,

Is there any way some testing can be done for the following?

1. What happens when you UPDATE this mess, and make it NOT hidden, and you do a "System Restore" when it was hidden, or you restore a backup like Ghost for an example?

2. If you completely remove it and then do a "System Restore" when it was hidden or restore a backup like Ghost for an example?

In any of these cases, is your system screwed up, and could you end up having a Hidden and Non-Hidden version?
 
Here's an interesting article, aimed at developers, about DRM ... with the message they should avoid it if they can: Digital rights management: When a standard isn't.
 
I use a Sony VAIO computer system running the media edition of Windows xp. I would not have been able to trace and expose the problem caused by simply playing a Music CD. I wonder what surprises from Sony await me on my system not related to music CD protection?

Thanks for letting me know...DJ
 
" I use a Sony VAIO computer system running the media edition of Windows xp. I would not have been able to trace and expose the problem caused by simply playing a Music CD. I wonder what suprises from Sony await me on my system not related to music CD protection?

Thanks for letting me know...DJ
# posted by edj37 : 9:18 PM, November 04, 2005 "

Well you could always sell your VAIO on EBAY :) , um though I would wait a little while, say a year or 2 *grin* just kidding.
 
[URL=http://www.cdbaby.net/articles/courtney_love.html]The real pirates.[/URL] --- by Courtney Love

This blog just demonstrates how right she is. I'll stick with Linux and ogg-vorbis I think.
 
Damn...........wrong syntax
http://www.cdbaby.net/articles/courtney_love.html
 
Ok like I posted earlier the sec hole Sony opened "$sys$" for er um...well. It works 98,2000,ME,XPSP2,WMC,W2K3...prob nothing earth shattering about that. But even nicer is that the cloak was written sooo shoddy that it is possible to intercept packets locally and append what connected.sonymusic.com is getting and the command stay alive is already there....hmmm. Disturbing is that I see only a couple culprits being named like Sony BMG and First 4 Internet. There are a few more. It will be difficult to track since they change names like my friend "Crazy Mexican"....weekly.
 
It's the end of the world - serious multibillion dollar company is making computer viruses.
 
Jo-Pete Nelson said:
"I'm sick of people complaining that the fix doesn't fix the problem. The problem here isn't that they install software to keep you from using the CD normally... they warn you of that (hence it being copy-protected). The problem was all the cloak-and-dagger hacker methods they used to make it look like the program wasn't installed (and openned security holes)."

but what about:
a) Not giving a proper indication in the EULA or elsewhere of what exactly is being installed.
b) The program constantly using CPU time even when no Sony protected CD is inserted.
c) Continuing to deny that there ever was a Security issue.
d) Still trying to force users to use an adware-type uninstall procedure.
 
PC games publishers thank Sony and EA for your losses, because from now on I will not buy any PC game because it can have Rootkit DRM or any other viral program. If Sony can install Rootkits then everybody is capable of doing this.
 
The Sony feedback URL is:

http://www.sonymusic.com/about/feedback.cgi

I would suggest that everyone who has posted here should also post a short pointed letter of protest on to the Sony site (simultaneously if possible).
 
They have really gone too far. Rootkit technology? My god! Class-action lawsuit, please!!
 
Great investigation... things seem to be spreading; I read a related article in one of the major German papers with the link to your page.

Just tell me what happens to the article once you load the entire page with all the comments. The lines starting from second paragraph get inverted (eg. detrevni). Is this caused by one of the posts?
 
In case anyone is still reading, especially Alexander Hanff:

I checked out the Van Zants "CD" at amazon.co.uk and the description does not even mention that this is a copy protected disc. I wonder if the copy protection notice is only given at amazon.com and whether this opens up amazon as a potential legal target as they are, potentially, misrepresenting a product they know to be copy protected. They should certainly know by now that this disc is bugged.

http://www.amazon.co.uk/exec/obidos/ASIN/B00092ZM02/qid=1131230743/sr=2-2/ref=sr_2_11_2/202-9386257-9648655
 
We Need a NEW Law that says:

("Any Software or Hardware, that attempts and/or succeeds to hide itself, its files, or parts thereof, from ANY operating system function, process or program, which would otherwise be capable to find it, shall be deemed malicious, by default").

Gives a whole NEW meaning to "You Can Run But You Can't Hide!" ;-)
 
A followup to cindyrilla's comment re: CNN's apparent lack of coverage:

If you search CNN.com for "Sony DRM" you don't find the story but in the results of a Google search I noticed a link to a story I had noticed on CNN.com a month ago about artists telling consumers how to get around record companies DRM and the Sony stuff was mentioned there (though not the rootkit and the recent concerns). The link is dead now so they've removed it BUT wonderful thing that Google is, their cache of the page is here:
http://72.14.203.104/search?q=cache:XEBgyZq7-WIJ:www.cnn.com/2005/TECH/ptech/10/04/music.copy.reut/+what+cd%27s+have+sony+drm&hl=en

Here is a TinyURL to it in case that is too long:
http://tinyurl.com/74loh

The story itself isn't as damning as the newer revelations but the fact they've removed the story altogether speaks volumes... Seems that news providers' parent companies may be more than willing to tweak the news to fit their shareholders concerns.
 
How about some prison time for the dummy who signed the papers to put this software online? At least 2-3 months of community time would be nice.

After all, this software looks like spyware, acts like spyware and is almost virus-like in behaviour. Why would we make an exception because it's a big corporation?
 
I'm a PC enthusiast and as such I'm by far and above the average user. My system contains only the finest components and has been painstakingly tweaked for security and performance. Fortunately I've never let anything install on my system that's tried to if I've not needed it, as I see it as nothing but useless shit I'll never use anyway. Being an admin at Maxitmag.co.uk I find this extra interesting and will no doubt be contacting Sony in an official capacity to see what they have to say for themselves. In the meantime I'd say don't just boycott Sony, but contact every record artist you can think of and make them aware also. I don't take kindly to a lowly harmless junk file being on my system, let alone this.
 
Mark et al,
Came across this story some time back when a local journo (Garry Barker) emailed to ask if the Sony DRM issue affected Macs, his "beat" and my preferred OS.

Did some research and ended up here.

There is a SonyBMG FAQ re getting music to the iPod, and of course how to write to Apple to complain about ITS DRM.

In the FAQ, you can message SonyBMG about a specific album, where you bought it and your country. I used a Diana Krall album I listened to last night at friends'.

A few minutes after posting to SonyBMG, an email arrived:

"From: ContentProtectionHelp@info.sel.sony.com

Thank you for contacting Sony BMG Online.


We appreciate your purchase of our CD and apologize for any inconvenience. Please follow the instructions below in order to move your content into iTunes and onto an iPod.

[Macintosh]
If you have a Macintosh computer you can copy the songs using your iTunes Player as you would normally do.

[Windows]
If you have a PC place the CD into your computer and allow the Sony BMG audio player on the CD to automatically start. If the player software does not automatically start, open your Windows Explorer. Locate and select the drive letter for your CD drive. On the disc you will find either a file named LaunchCD.exe or Autorun.exe. Double-click this file to manually start the player.

TIP: If your CD does not contain either the LaunchCD.exe or
Autorun.exe files, it may not be compatible with this iPod
solution. Please reply to this letter for more information.

Once the Sony BMG player application has been launched and the End User License Agreement has been accepted, you can click the Copy Songs button on the top menu.

Follow the instructions to copy the secure Windows Media Files (WMA) to your PC. Make a note of where you are copying the songs to, you will need to get to these secure Windows Media Files in the next steps.

Once the WMA files are on your PC you can open and listen to the songs with Windows Media Player 9.0 or higher (or another fully compatible player that can playback secure WMA files, such as MusicMatch, RealPlayer, and Winamp). You can then burn the songs to a standard Audio CD. Please note that in order to burn the files, you will need to upgrade to, or already have, Windows Media Player 9 or 10.

Once the standard Audio CD has been created, place this copied CD back into your computer and open iTunes. iTunes can now rip the songs as you would any normal audio CD.

Please note an easier and more acceptable solution requires cooperation from Apple, who we have already reached out to in hopes of addressing this issue. To help speed this effort, we ask that you use the following link to contact Apple and ask them to provide a solution that would easily allow you to move content from protected CDs into iTunes or onto your iPod rather than having to go through the additional steps above:

http://www.apple.com/feedback/ipod.html

Thank you for the opportunity to be of assistance.

The Sony BMG Online Support Team
CCKM


This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.

Original Message Follows:
------------------------
Email Address: lesposen@mac.com

Case ID :
Packet :

Artist Name : Dianna Krall
Disk Title : The Girl In The Other Room
Store Name : Australia
Country : Other
Language :

Problem Type : IPOD
Device Type : iPod

Manufacturer :
PC Brand :
Model : iPod
OS :

Auto Mfg :
Auto Model :
Auto Year :

Message : iPod

(email ends)
 
Complain to the FTC at http://www.ftc.gov/

and post any response you get here!

See "File a complaint" at the top of their web page.

Also - - Let your Member of Congress know that these are important issues. They may have additional suggestions in the course of representing the public.
 
Wow, what a great display of how to use your software. They probably wish it hadn't gotten on your computer now. The copy protection needs to stay on the CD not the users system. The upsetting part is the resources being used and the fact that you can't remove it. I sometimes wonder why it seems like my system is bogged down even after killing unwanted processes. I guess I'll be running RKR right about now. Awesome article!
 
You know what the worst thing about this is? Sony will insist that they're doing nothing wrong with this crap. Makes me want to go out of my way to download their stuff, just on principle.
 
Just out of curiosity I just filled out the uninstall form (http://cp.sonybmg.com/xcp/english/form14.html) using one of my "trash" email accounts and received the following response:

Thank you for contacting Sony BMG Online.

Sony BMG and First 4 Internet have released a Service Pack update that
removes the rootkit style cloaking technology that has been discussed
in various articles recently published regarding the XCP technology used on our DRM content protected CDs. To alleviate any concerns you may have about potential security vulnerabilities, please visit the update site below to download and install Service Pack 2:

http://updates.xcp-aurora.com

If you wish to completely uninstall all of our DRM software, visit the
form below using the computer where the software is currently installed. After submission you will be emailed a custom uninstall link within 1 business day (M-F).

http://cp.sonybmg.com/xcp/english/form9.html

Your "Case ID" is: *******.

TIP: The uninstall request form will require an ActiveX plug-in.
You may also need to temporarily turn off your pop-up blocker.

TIP: A non-ActiveX uninstall process is in development. However, until it is released, our online process is the only removal tool available. If you prefer, or require a non-ActiveX solution, an offline uninstaller is due to be released later this month at:
http://cp.sonybmg.com/xcp/english/updates.html

Thank you for the opportunity to be of assistance.

The Sony BMG Online Support Team
CCKM


This message and any attachments are solely for the use of intended
recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly
prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.
 
awesome info man!
OK, so here's a thought. I'm not sure if it was very touched on among the 300+ posts, but what if Sony DVD burners are tripped to let Sony know, data-miner style, when a Sony DVD is being copied/ripped/etc., or if a basic log is kept in a hard-to-find area... This could really cause some issue when you try to go up on them, as they can return the favor with the info, even though the EULA said they're not looking at your info. We are also told that fluoride is good in the water supply.... Just a thought.
--
 
I don't (and until they mend their ways won't) own a Sony CD or DVD writer. I know people who do however and their experiences have been that Sony drives are about the only ones that won't read protected discs using some of the cleverer audio extraction tools. I take this as clear collusion between Sony's music arm and their hardware manufacturing division. There is clear corporate will here so I consider a boycott of all of Sony fair game.

I wonder if Sony's obsession with anti-copy technology comes from staff they took on when they bought CBS Records. I remember CBS stuff always having the "Home taping is killing music" symbol on it. I also remember the Copycode fiasco about 20 years ago when they tried to introduce a frequency notch in vinyl records that was supposed to be detected by cassette machines to prevent recordings. They pushed and pushed this thing saying it had no adverse effects and was perfect. When they put on a demo at Abbey Road Studios the hi-fi magazines were horrified about what it did to the sound of the Abbey Road grand piano. Suddenly CBS back-tracked, said that they'd never said the system was inaudible and it was never heard of again. They seem not to have learned from history and to be busy repeating it.

Now the movie industry are talking about "fingerprinting" the audio of cinema prints of movies and forcing manufacturers to include a detector in Blu-Ray DVD players to stop playback if the owner tries to play a pirate DVD from a cinema recording. I don't buy these kinds of recordings: they are generally so poor they annoy me. From the ones I have seen the sound is usually terrible which would mean that the "fingerprint" is going to have to be really deep to get recorded and be detected by the player. Tell me that's not going to spoil the quality of the sound in the theater. History repeating itself?

@ajs> Thank you for your help. It was very nice of you. My point is that Sony have made a statement that they don't want me to listen to what they are offering on the equipment I own. Why should I waste my time and money and become a criminal by buying and finding out how to crack something they have said they don't want me to have? I will respect their wishes and buy somebody else's product.

Best regards,
Rick.
 
@ andyn2112 Thank you for that bit regarding CNN - I am very disappointed in them. And I don't care if they are "sleeping" with the enemy - they have a RESPONSIBILITY to report the NEWS.

Are any of you reading Mark's continuing story on this? Please check it out here:
"More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home"

Link:
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
 
Now that I know that Sony is apparently employing hackers and virus-writers I don't see how I can trust *anything* they sell that might be connected to a computer. Here's hoping I don't own any Sony stock!
 
Mark;
I just ran RootKitRevealer and got 38000+ entries. Must be me I guess.
Too many sites via StumbleUpon.
 
That is why I don't buy CDs anymore. I think the last one I bought was about 5 years ago.
 
In regard to the question about blu-ray doing this kind of thing, I heard that the idea is that the new DRM protection system works by running code in the drive itself.
Not that Windows Vista and other DRM doesn't run a lot of DRM code in Windows of course, but that's the concept of the HD DVD players, to make protection more robust by actually putting code dynamically on the hardware of the players to enable them to beat hackers by updating protection as it is hacked.
(they hope)
 
NEW ROOTKIT FOUND??? !!!

This CD installed a rootkit. I don't know if
it's the same as the one in the news.
It BSOD'd the PC a while after installing and playing, I think without EULA.

JOHN MAYER-HEAVIER THINGS
CD EXTRA
Put CD in drive for access to unreleased...

Branding:
THE COURTS+MEDIA WILL LOVE THIS:
"Specific Harm Music (ASCAP)"
Sony, Columbia, AWARE...

Uh-Oh...I've got a "bug" on my cursor.
 
I have recently posted this information to my political party's mailing lists which includes many government members of parliaments and local authorities around the UK.
 
Listen to this, Mark:
http://www.npr.org/templates/story/story.php?storyId=4989260

There it also reaffirms what you said about the Sony execs blatantly denying that anything gets sent out.

As well as this little comment
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
-Thomas Hesse (President of Sony BMG's global digital business)
 
SPECIFIC HARM MUSIC

Its rootkit was first detected as a keylogger by Zonealarm and then it went nuts, and all of a sudden many random
programs wanted to use the internet.
It installed AOL messenger...
It made a fake MSN messenger that demanded to be upgraded...
It gave all the stupid programs internet access after figuring out the passwords...
MSPAINT is trying to use the internet
NOTEPAD.EXE ...the internet
ICON IMAGE ISTALLER is trying...internet
IOMEGA ZIP DRIVE... use the internet...
FIREWALL PREVENTED SPYBOTS&D
SPYBOTS&D tried to change firewall...

SPECIFIC HARM! in fine print.
more than once too.

Imagine if Sony had a band called "Breaking Windows"?
(With a rootkit) ha! wow!

DIE piRIAAtes DIE!

Let's sing THEM a SONG!

Specific Harm Music
It's time to face your music
Your boat hit the MS Titanic
Lets laugh instead of panic.

No one ordered DRM
Would you like some Tea
Ship it to Lake New Orlean
Time for another Tea Party

I don't want my HDTV
Specific Harm ASCAP hack
For the greatest HARMmony
The analog hole you'll Pack

When the fart goes bang,
We'll sing and sing and sing
It's over when the fat lady sings,
and when she stops, she sang

So then the song is sung,
The genie's popped his bottle
And it cannot be undone
What wares you sell are peddled.

We see you sunk in the sea
You no longer sue baby dog and me
Your loot floats to the top
Your noise of terror stopped

So remember DRM
So remember the evil disease
So remember what they did
So remember,they killed our cat!
(poor little Napster!)

Now that they are gone
Ring a bell and bang a gong
Volume 12, guitar on
bang the drum and sing a song!

This awful song and all others are
brought to you by the Public Domain
all-music source known as the
Champernowne Constant!
 
Whatta Buncha Bast***s! Maybe Sony's customers should develop a virus that will spoil any DVD containing the virus. This should hit them in the pocketbook, as the virus spreads around the world. At least, it'll drive the rats out from under the slimy rock where they lurk and expose them to the light of day.
 
....first of all, thanks for sharing....second, get a lawyer and start a class action suit!!!
 
TWO CLASS ACTION LAWSUITS HAVE BEEN FILED AGAINST SONY BMG MUSIC ENTERTAINMENT

The first, filed in state court in California, alleges:

1. Violations of the Consumer Legal Remedies Act (Cal Civil Code Section 1750 et seq.);
2. Violations of the Consumer Protection against Computer Spyware Act (Business and Professions Code Section 22947-22947.6); and
3. Violations of the California Unfair Competition law (Business and Professions Code section 17200 et seq.)

The second, filed in the Southern District of New York, alleges:

1. Computer fraud under 18 USC 1030;
2. Deceptive Business Practices under New York Law (Sections 349/350 of the GBL); and
3. Common law fraud.

For information on how to join in these Class Action lawsuits:
Consumerlaw1@earthlink.net
 
Computer Associates has declared Sony's DRM Rootkit as spyware.

http://www3.ca.com/securityadvisor/pest/collateral.aspx?cid=76345
====
XCP.Sony.Rootkit

The following are the Spyware Encyclopedia pages for the pests which relate to Sony BMG's rootkit-based Digital Rights Management software, which is being distributed on audio CDs.

XCP.Sony.Rootkit

Music Player

XCP.Sony.Rootkit.Patch

XCP.Sony.SP2
=======
 
I wonder what national $sys$security issues crop up, with all those Sony-installed $sys$ files just waiting to be hijacked ($sys$rundll.sys anyone)? Personally, I've sent Sony an email that I won't be buying ANY of their products this holiday season. Guess I'll just catch the new Santana on radio.
 
Something you need to think about is that Sony has many subsidiaries. For instance, BMG, EMI, Arista, and Epic are all subsidiaries that I have CDs with the copy protection logo. There may be more as I am an audiophile and it will take me some time to go through all the CDs I've purchased in the past year or so...

BTW, the Sarah McLachlan afterglow live CD/DVD has a sticker on the front of it that states:

The CD in the release is protected against unauthorized duplication. It is designed to play on standard playback devices and appropriately configured computers (see system requirements on the back). If you experience playback problems, please go to www.sunncomm.com/support/bmg.

The system requirements on the back require a magnifying glass to read them. Certainly not something you will happen to have with you in the CD store...

I have been following this blog and researching copy protected CDs for a couple of weeks now. Some interesting websites that you may want to take a look at are:

http://ukcdr.org/issues/cd/bad/

http://www.fatchuck.com/z3.html

http://www.emimusic.info/us_EN/

I highly encourage everyone to go to Sony's website and post intelligent protests to Sony's malfeasance.

http://cp.sonybmg.com/xcp/english/form1.html

Maybe, if they get enough bad press, they will admit their mistake and fix the software...
 
Great work Mark! I too will be joining the list of people who will not purchase anything Sony related.

Speaking of which, here's an interesting read for those of you with Sony Vaio laptops.

Hidden accounts on Sony Vaio laptops

http://www.securityfocus.com/archive/1/415971/30/0/threaded
 
Am I right in assuming that the protection software only gets installed if the CD is allowed to auto-start? On my system I don't let any CDs auto-start so I should be able to play said protected CD with my CD playing software - not media-player - just like any normal audio CD, or have I missed something somewhere?
 
Taking a cue from Musical_One, I sent the following email to Jeff Bezos of Amazon.com:

"Sir:
I am very upset by recent information that has surfaced regarding the illegal installation of software on end-user computers by Sony in the name of copy protection (link removed). I have 2 teenage children. I have tried to teach them that downloading music illegally is morally reprehensible and ethically wrong. I have encouraged them to BUY all their music, whether from Amazon, local retailers, or from download sites. Over the years, my kids and I have encouraged their friends to see how damaging stealing music can be.

Having SONY or any other company install software without our permission from a CD we BOUGHT(!!) is completely unacceptable!

I believe you can do something about this. I have purchased through Amazon for years, and really like this company. I will not purchase any music from any artist which includes the words COPY-PROTECTED CD in the title. I will ask my children to refrain from such purchases, and to warn all their friends that the very people who are trying to support copyright protection (by BUYING music) are being targeted by manufacturers and retailers. I hope you will bring pressure to bear in any way you can to stop these practices."

Hope it helps...
 
Mark, great work ... unfortunately it was mostly over my head but interesting nonetheless.

Ok I must be paranoid now. An earlier post asked the question if other Sony software was installing rootkits ... beginning to wonder. I got a Sony PSYC mp3 player a few weeks back, installed sonic 3.0, upgraded it to 3.2, then also downloaded from Sony, the suggested Moodlogic, which was supposed to “improve” on the idiosyncrasies of Sonic. Loved the hardware but all of the software completely sucked. Uninstalled everything and sold the unit last week (before “rootkit-gate”).

Surprisingly, when installing the software for my new IRIVER, up pops a window asking if I want to allow Moodlogic to install (was it the new Microsoft Spyware checker that asked? I think so). Anyway I was confused, I didn’t remember any mention of Moodlogic in the IRIVER manual, or their web site!!! Then it dawned on me it was the “uninstalled” Sony Moodlogic ….. now being aware of “rootkit-gate” I denied it install privileges (I had a few days before run Mark's rootkit detector ... no ‘$sys$’ was found).

You will not believe what happened next ... no CD drive present!!!! Ok, before you guys go haywire it came back after a reboot ... freaking upset at the time though. I honestly don’t know what exactly I did and I’ll be damned if I’m going to try and recreate the whole process to test case it.

Big Sony fan before this (got a Sony MasterCard for points, etc.), not so big now – will never buy Sony ‘anything’ ever again.

KC.
 
I haven't seen any postings in this blog that point to Sony's comments...

http://cp.sonybmg.com/xcp/english/updates.html
 
http://www.eweek.com/article2/0,1895,1881592,00.asp
 
Online Petition -

http://www.petitiononline.com/sonydrm/
 
Brilliant work Mark, I'd thought so from the start, but only finally got a Blogger account so I could post this, as I haven't spotted it elsewhere yet:

BBC article, 'rootkit of all evil'

Excellent article, no pussyfooting about, or ponying up to the large corporation. Sony have done MASSIVELY wrong, and they publicly call them out on it. I was getting worried no mainstream news service was going to do this.

"The executives who signed up to use the Force 4 Internet software probably did not realise that they were unleashing a public relations disaster of biblical proportions, but my pity will not help them."

"If I was a PC user faced with a disc that insisted on using some non-standard player to let me listen to the music I had just paid for I would have no compunction at all about heading off to the nearest peer-to-peer site to download clean, high-quality copies of the songs I wanted."

There are Sony products I adore, Vaio, PS2, PSP, probably the PS3, but this DRM rubbish hurts none but the legitimate consumer (and Sony's bank balance paying for this inane, utterly ineffective software).
 
Holy crap! This stuff goes way too far. (I have just now joined Blogger.com so that I could respond to this). Can you say CLASS ACTION FREAKIN' LAWSUIT? Guys (and girls, but I meant 'guys' unisexually), we really need to get on this stuff. I agree with the general sentiment here: I outright refuse to buy anything Sony forever. I was about to purchase some nice new A/V equipment too. Sucks for them, but not me. There are plenty of great companies out there who will now be getting my money. I agree with another comment I read, which basically stated that if a company is nice to us, we'll buy their stuff. Once we're shafted, they can kiss our asses. Kudos Mark on some fantastic work (albeit very disappointing, frightening, and outright angering).
 
According to this blog post over at Washingtonpost.com's Security Fix, a class action suit targeting California victims of Sony's DRM technology has already been filed, and a second nationwide class action is expected to be filed on Wed in New York.
 
I find Sony's hypocrisy astounding. This is the same company which makes $$$millions in profit every year from sales of cd/dvd writers and blank media. What on earth do they think these devices are used for? Time they were brought down a peg or two!
 
I refrain from any Sony products afap.
There is a rumour that Sony minidisc
(mini-disk?) will only allow 3 copies, even if you recorded yourself on a banjo. Is this rumour correct?
 
I think someone should bite Sony in the rear the way they bit us.
It would be interesting if someone installed an unwanted malware on Sony's computers without notifying them.
How fitting it would be, just as they did to us mortals.
 
Great. I will stop using Sony CDs for my daily backup routine now coz I don't know what might be on them. I plan to buy a cell phone which obviously won't be one made by Sony coz I don't know what software might be installed on it. My plan of buying a laptop will end with a company that will not engage in EULA manipulation [ read this as any company but Sony ]. And yea, I don't plan to work for any DRM firm [ usually loaded with pathetic programmers with no sense of ethics].
 
After unwittingly inserting a Columbia (Sony) CD, I noticed afterwards that I was not able to digitally play a completely different CD from 1991! (I was able to rip from the 'protected' CD without any problems - go figure?). In fact, every time I tried to access the music data from the 1991 CD, it would lock up the entire system (which can only happen if a driver behaves badly) forcing me to hit the big switch to hard-boot. Very ugly.

After weeding out all these $sys$FOO's from my system, I am now able to read and play tracks from this old CD without losing all my current work and potentially hosing up the entire PC by being forced to pull the plug to reboot.

Forcibly and stealthily installing software that can bring one's entire system down surely can't be legal.

XCP CD: Emma Roberts, Unfabulous and more, CK-93950
1991 CD: Terri Nunn, Moment of Truth DGCD-24451
 
Game developers have been doing this for ages. But now they are getting real "generous".
Starforce... if you install a game protected by the latest version of Starforce, you actually install a file decryption program at driver level. If you're done playing, and you want to remove this "tool" from your system, chances are you will be left with a corrupted OS.
Even after uninstallation you find problematic "trash" left by this program.
Strange thing: this copy protection is only used for European game releases. The releases for the US, Australia,... are less aggressively protected. Anyway: I don't buy Starforce-protected games because it gives me more trouble than fun, and no confidence in the game publisher. Even for a "must have played" game.
 
Great Work. I'm glad there are such knowledgeable people around. Your reward should be huge compensation from Sony. Theirs will be no more sales to me. I now need to hunt for a list of the brands and labels that Sony own.
 
Sign it and send it on to whomever you please

http://new.petitiononline.com/sonydrm/petition-sign.html
 
Quite simple, stop buying CDs

The price is wrong for a start.
The fact they are putting so much effort into stop you playing it on a CD player makes the whole exercise stupid.

Yeah lots of people have PCs, which will take over your life, stop you going to work, stop you earning money, stop you buying things.
I tell you computers are taking over, we are all doomed, doomed I tell you.
 
A link to an Australian newspaper

http://theage.com.au/articles/2005/11/03/1130823323159.html

Part of what they said

Sony BMG Music Entertainment and its partner, UK-based First 4 Internet, said they decided to offer the patch as a precaution, not because of any security vulnerability, which some critics had alleged.
 
In a fit of anger over the Sony fiasco, I registered FairUseLaw.com and it is now live. The purpose of this site is to monitor all erosions of our fair use rights. Please visit and help me make this site worthy...
 
My name is Eugene Lee and I'm an attorney in Los Angeles, California. I'm investigating bringing a class action lawsuit against Sony and First 4 Internet. If you have purchased Sony music CDs and run into the problems Mr. Russinovich has mentioned, please contact me at eleeAT1to1lawDOTcom.
 
EFF.org now has a statement on this:

Uproot Sony-BMG's Invasion of Your Privacy and Your Computer
 
Sorry, this got cut off from my previous post.

The foregoing is an ADVERTISEMENT.

Eugene D. Lee
 
I am a Mac man who knows nothing about all this code, but that was an excellent story. Orwell would be happy with the validation of his prediction of the future.

How about an A/D converter. Out from your standard cd player and into your machine. Sounds like it's time for some listening parties. Real time recording--remember records.

Thanks for the buzz!
 
We don't buy Sony in this house anymore. The last Sony product I bought was a Vaio notebook advertised to run 3-4 hours on battery. That was in 1999. I later learned of desktop processors being installed in notebooks when processors were in tight supply. My Vaio ran 1 hour 45 minutes at best when it was brand new. Apples were running four hours and more. Sony's answer was the specification said "typical". When questioned about an intermittent mouse button on this brand new computer their solution was for me to ship it to California and wait a month or two for repairs. They have no product support on the East coast. None in Washington DC.

A friend had a Sony Cassette recorder that he dropped. It was a $200 unit and he liked it a lot. He brought it to the Sony service center who shipped it off. They charged him $39.95 and didn't repair it. They told him they had a flat rate for repairs and this one was too expensive to fix. He told them he was willing to spend what it cost. They told him that policy was to fix it for the flat rate and if they could not fix it at a profit for the flat rate, it would not be repaired at any price.

The computer monitor I bought from Sony is coated with an antiglare coating. It is peeling off.

Their camcorder died after less than ten hours of recording.

Their high end VCR costing $400 had binding in the capstan motor. The picture jumped every few seconds.

The Sony 27" TV blew out the Red CRT gun.

There is nothing made by Sony working in this house anymore. I replaced all of it with other brands. We don't buy Sony in this household and I discourage my friends from making that purchase mistake as well.

Concerning this malware, I am surprised that it has not hit the cable news channels. It's pretty obnoxious conduct. I hope the trial lawyers make hay with this. Really, the answer is to avoid Sony products. Then you won't be disappointed.
 
Okay, the only real effective punishments are economic. Are there ways we can convince:

1. Direct holders of Sony stock to dump it?
The bad publicity is bound to start it falling anyway, and IMHO an investor should never put too much in any one stock anyway...

2. Mutual funds holding Sony stock to dump it? I could imagine this would be easy for "socially responsible funds"?
Of course the "vice funds" now have a new one to pick up...just peachy...
 
Sony hit with DRM lawsuit
Correspondents in Los Angeles
NOVEMBER 10, 2005

RECORD company Sony BMG has been hit with a class-action lawsuit by
consumers claiming their computers have been harmed by anti-piracy software
on music CDs.

The claim states that Sony BMG failed to disclose the true nature of the
digital rights management system it uses on its CDs and thousands of
computer users have unknowingly infected their computers, according to court
documents.
The suit, filed November 1 in Los Angeles Superior Court asks the court to
stop Sony BMG from selling additional CDs protected by the anti-piracy
software and seeks monetary damages for California consumers who purchased
them.
A spokesman for Sony BMG declined to comment.
Sony BMG is a joint venture of Sony Corp and Bertelsmann.
The lawsuit claims that around June 2005, Sony BMG began to issue some CDs
that install digital rights management software that continuously monitor
for rights problems, depleting a computer's available resources. The suit
says the technology cannot be removed without damage to the system and that
Sony BMG does not advise consumers of the existence or true nature of the
program.
Reuters
 
Let's all contact CNN

http://edition.cnn.com/feedback/forms/form11.html?1

And help them out with this news story about Sony's rootkit.
 
Mark, thanks for revealing this intrusion.
I have a question: Roxio is able to copy the CD. Does this mean that the rootkit has been installed even though the CD has not been played with the included player software?
 
Despite my username --- I generally do not subscribe to Conspiracy Theories. But when I look at this blog and step back and look at the broader picture I have a different concern.


First, let me say that I do not know if you currently are or have in the past been in the employ of Microsoft. A quick review of the Blog and a Google search reveal some contact with the company and its management.

"…...A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon."
"Mark E. Russinovich is the author of the Sysinternals Web site (www.sysinternals.com) and cofounder and chief software architect of Winternals Software (www.winternals.com), specializing in advanced systems tools for Windows 2000. He writes the “Internals” column in Windows 2000 Magazine. Formerly at IBM Research, Mark holds a Ph.D. in computer engineering from Carnegie Mellon University."


Next let's look at the history of key events leading up to this point:

*October 2002 - Microsoft releases the Media Center Edition of Windows XP.


*May 2005 - Microsoft Announces the Next Generation X-Box will incorporate a Mediacenter extender. (MTV Premiere)
http://www.engadget.com/entry/1234000617043196/

*Sony announces that the Blu-Ray Disc will incorporate new DRM technology.
(In a heated battle against HD-DVD Sony agreed to add the DRM protection to convince 20th Century Fox to back the technology)
http://www.businessweek.com/technology/content/oct2005/tc2005106_9074_tc024.htm

*Bill Gates gets into a heated argument about the adoption of this technology.
(A significant blow against MS if users can be prevented from streaming/downloading data to the PC significant damage could be done to both the X-Box market and the Media Center Edition of XP.)
http://www.microsoft.com/presspass/press/2005/may05/05-17mcee32005pr.mspx
http://www.businessweek.com/technology/content/oct2005/tc2005106_9074_tc024.htm

*October 2005 - The "Sysinternal Blog" publishes detail that could prove legally damaging to Sony's DRM Strategy.
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

One begins to wonder if these events are all unrelated……….

Or just merely coincidence…….

The impact will have far reaching consequences well beyond copyprotection………

Will a positive move for consumer copy protection rights be a financial coup for Microsoft?

Better yet would a setback in the DRM strategy for Sony change the playing field for the HD-DVD campaign?

Would this setback help to promote future X-Box sales over the Next Generation Playstation?



Just Curious -----

I haven't heard of this Music Group --- 'Van Zant' (CD Title "Get Right")
Perhaps they are in the top 20, just not in my genre. Supposedly there were 20 artists that have their CDs protected by this technology.
Does anyone know who they are or if a better known/charted title is affected?
Again --- this may not be my Genre of music and Van Zant may be very popular…….
 
You can find the list of artists here:

http://slashdot.org/~xtracto/journal/121088
 
As a public service, and dedicated to Remembrance Day, I've created a little program called SonyDRMxcpRootkitRevealer.exe which you can download from http://downloads.technutopia.com/antivirus/SonyDRMxcpRootkitRevealer.exe

This program is based on the detailed information found in this excellent blog.

Basically it issues a 'net stop "Network Control Manager"' command, issues a 'sc delete $sys$aries' command to remove the service from the registry, checks for the existence of the aries.sys driver in the \$sys$filesystem\ folder and deletes if found, checks for existence of the $sys$filesystem folder and reports if found, checks for the registry entry "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries" and reports if found, and advises of the presence of the \MediaJam\Unicows.dll file in the Program Files folder.

Visit the forums at http://www.technutopia.com/forum/showthread.php?t=1321 for more discussion.

Mark - kudos to you for the excellent ground work to expose this dastardly piece of litterware.
 
Just as I was reading the article "Sony Test Technology to Limit CD Burning" at http://news.cnet.co.uk/digitalmusic/0,39029666,39189658,00.htm, there was a section on the page called More News. The first article in that list is Sony: Who cares about rootkits.

The comments from Thomas Hesse, president of SonyBMG Global Digital Business Division had this to say: "Most people don't even know what a rootkit is, so why should they care about it?"

Mark, please send him a copy of your article with pictures so he can understand how dangerous the system they are using really is. I hope that he is smart enough to retract those comments.

Also, there is an article for EMI stating they don't use rootkits.
 
Well....this all makes me want to get rid of all my file sharing programs and go out and buy a bunch of CD's.

I think Sony just gave the world the finger.
 
Sony has taken a lot of heat in the press over this, rightfully so. Nobody wants this garbage on their computer.

What about Microsoft? These disks play on Linux and Macintosh's. There is apparently something in windows preventing these disks from just playing.

If it's a bug, one can hope for a fix from Microsoft and solve this whole problem.

- or -

The conspiracy theorists amongst us might think that Microsoft deliberately designed the CD-ROM driver stack to allow the creation of audio CD's that cannot be played.

Which is it? A bug or a feature in Windows?
 
this is f****** gay/stupid/really stupid/somewhat scary.
 
Mark, u r a real genius pal, the way u have explained even a newbie like me can get a PhD in Windows internals. Seriously, u shud take a lead in the case against Sony BMG filed in California. JayD
 
First off, yes there are now a couple of big class action suits in the works, I'll get the link to the article later, it's on the BBC news site.

But something even more damning: it has been found that spammers are beginning to use this rootkit to hide their tracks, and so have virus creators, as feared. Expect even more spam now. From a Usenet post in an antispam newsgroup, includes link:


"A computer security firm said on Thursday it had discovered the first virus
that uses music publisher Sony BMG's controversial CD copy-protection
software to hide on PCs and wreak havoc. "

http://news.yahoo.com/s/nm/20051110/wr_nm/sony_hack_dc
 
Found the BBC news page link about the class action lawsuits being filed against Sony.

http://news.bbc.co.uk/1/hi/technology/4424254.stm
 
Sony is probably going to face worse charges in court now that virus writers have exploited this crappy DRM software of theirs to compromise systems that would have otherwise been safe.
 
I just want to say, Mark... you're my hero. Thanks dude!

They should put the people that did this in jail, not let them off with a fine - a couple of million is a slap on the wrist to SONY - do you think that'll stop them?
 
My letter to SonyBMG
--------------------------------
This may not be the best point of contact about this issue. If not, please advise me.

I have recently found that my work laptop has been infected by a rootkit (computer malware) which Sony are apparently bundling with audio CDs to snoop on computers and enforce intellectual property rights. Can you point me to an uninstaller ? The laptop no longer functions correctly.

Also, since this software is almost certainly in contravention of the UK Computer Misuse Act (and I have raised this issue with the Home Office, Scotland Yard computer crimes division, and my local Member of Parliament) could you provide me with uninstallers for all versions of this software, both those delivered by audio disk and those delivered by DVD? Actually I insist you do.

As a result of this incident my workplace now has banned the use of any Sony/BMG audio CDs onsite - since they now consider them an IT risk. It may well spread to an outright ban on audio CDs from any label.

Currently, anyone found onsite with an infected audio CD will be summarily dismissed under the security provisions in their contract, whether it has been used on a computer or not.


I really do hope that the class action suits against you (despite your probable US government protection) open your eyes to growing public opinion... just as it has recently opened mine to the validity of fileshare MP3s as an alternative to wicked, deceptive and plain illegal corporate practices.

I certainly shall not be purchasing any more Sony products (and that includes the Vaio I was considering buying my daughter for UNI) or those of its music/video partners. From discussing this matter online I now know many others feel the same. I shall continue to be vocal about this issue until Sony publicly apologise for their actions and start showing that their customers (and the music) matter more than squeezing every last cent by any means necessary.


I'm not a very political person, neither have I ever been interested in filesharing networks - however, I now see fileshare as an alternative, and am joining a group lobbying government for reform against restrictive and intrusive DRM.

Please provide me with...

- Uninstallers for *ALL* computer based DRM software distributed on Sony audio/video media.
- A complaint contact for this issue
- A contact for your press and legal office

Many thanks for the music you have given me over the years. I look forward to a day when we can do business again.

Regards,
-Monica
 
If one tells the truth one is sure, sooner or later, to be found
out.
 
I use Sony Media software products (Vegas, SoundForge, Acid) for video and audio editing. They contain lots of DRM support. God knows how far Sony has taken this across their software products. I am still waiting for a statement from Sony Media tech support on what might be installed on my system.
 
I would suggest that ALL people in the US who read this, take the opportunity to visit:

http://www.ala.org/al_onlineTemplate.cfm?Section=alonline&template=/ContentManagement/ContentDisplay.cfm&ContentID=108214

This month, the public are able to post comments which will be considered in the review of DMCA next month. Everyone should take the opportunity to post protest about DRM techniques being used. Judging by the amount of noise this Sony rootkit issue has raised, I expect if enough people post to the comments section below:

http://www.copyright.gov/1201/comment_forms/index.html

They will be forced to listen and act on consumer concerns.
 
The irony of all of this - Last summer a friend made a copy of Horace Silver's excellent CD "A Song For My Father". I had never listened to his music at that point. Since then, I have purchased all of his currently available CD's, with the exception of the "Best of..." CD's. Plus I have purchased half a dozen CD's that are out of print.
 
CONGRATS! YOU TOOK 'EM DOWN! SONY HAS STOPPED THE PRESSES ON ALL CD'S WITH XCP TECHNOLOGY!!

http://today.reuters.co.uk/news/newsArticle.aspx?type=technologyNews&storyID=2005-11-11T183106Z_01_MOL166114_RTRIDST_0_TECH-SONY-COPYPROTECTION-DC.XML&archived=False

Now it's just a matter of how bad are they going to get hit with all of the pending lawsuits.
 
According to MacInTouch news for Thursday, November 10, 2005

http://www.macintouch.com/

the rootkit installs on the Macintosh:

Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

"I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.
  Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site."
 
This reply is for MICHALE MOORE. I loved your work on Fahrenheit 9/11, if you are the same Moore. There are lots of other artists that have been affected. Switchfoot is a very well heard of band on X96 here in Ogden, Utah. That is how I came to have this crap installed on 2 of my home network computers before realizing what was going on. I suppose that anyone could look at any string of events and find a way to relate and question them. The important thing here is that the MASSIVE SECURITY RISK was brought to the public's attention by Mark. Imagine if you will for a moment how all this would have looked 1 year from now if he had not discovered and/or mentioned anything about it. I would be willing to bet that at least over half the computers in the USA would be infected and VIRUSES would be wreaking havoc all over the US and WORLD!!! VIRUS writers and hackers have already started to exploit this NASTY security risk/threat... I promise you one thing hackers love to do is HACK, and when they can't get the CD to RIP or BURN and COPY on their computer, they dig real deep and start to become consumed with a godlike sense of motivation to beat the copy protection...

I know this because I spent 4 days trying to bypass the DRM copy encryption, using every resource and software I can find on the internet. Now I just want the crap off my computer, and the damage reversed!

Professional hackers and virus writers would have exploited this and caused MASSIVE damage like one can not imagine, if this had been overlooked and unnoticed for much longer... A million thanks to Mark, U the MAN!
 
Mark... Now that I have this DRM crap on my main computer and my laptop, how safe is it for me to connect to the internet with those computers? I have high-speed cable internet, does that compromise my computer or my personal info?

I also have over 10,000 MP3 files on my hard drive. Can Sony's DRM program detect my MP3 stash and report it to Sony? They are legally obtained. I just don't want to end up on the record industry's hitlist and flagged!

Oh ya I am behind a router, does that help keep me safe if I connect to the internet?
 
Open a PayPal account and a lawsuit... I'll donate today.
 
Really, I don't think I'll ever actually buy a CD again before all this DRM stuff blows over.
I was buying lots of CDs before the copy protections entered the market. Nowadays, you don't really know what you get, and if it's even playable. And now, this about rootkits installed by Sony on people's personal computers, where they have their important files, work, entertainment... is just it.
No more CDs for me.
 
This Sony issue causing you probs like it is us? Email Andrew Lack!!
http://www.sonybmg.com/mgmt_andrewlack.html

andrew.lack@sonybmg.com
 
Folks, I just filed a complaint to the attorney general of California, my state. I believe you should do the same.
Also, here is the contact info of those folks in the UK who created that sneaky piece software.
http://www.first4internet.com/contact.aspx
I'm going to send a comment to the CEO and his VPs to tell them what people think of their technology.

Bottom line is, consumers got to do something to stop this creepy wave of DRM laws, technologies, and lobbying -- and finally this.

I personally believe that Sony BMG are scum bags for doing what they did, and those who provide them with such software are no better.
I like to think that I OWN my PC, that I paid for with my hard earned dollar, and similarly, I OWN my music -- can convert it to MP3s or whatever. No one has the right to install anything on my PC without my permission, nor can they ever claim that I'm purchasing the right to listen to music. If that's the way it's going to be, they can keep their SH**, I can live without it anyway!!!
Thanks to Mark for bringing this out in the open, and thanks to many bloggers here for their thoughtful comments.
 
Here is a list of Sony BMG employees worldwide. I think everyone should write them to let them Sony BMG. Be polite and educate them on THEIR customers:

 
Here's another story. Got it off podcastingnews.com.

http://www.sophos.com/pressoffice/news/articles/2005/11/stinxe.html

Has some information about the TroyStinks-E trojan that takes advantage of the rootkit's cloaking technology to hide itself in spam, and the article has samples of spam to watch out for that deliver the nasty payload.
 
Well, Microsoft has now said they've determined that the Sony DRM software is malware and they are developing detection and removal tools to be released in December. Is it possible to actually say yay for Bill Gates?

http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx
 
Thanks so much for the hard work you put into making this public. And, good job listing email addresses etc for the people that knowingly harmed potentially millions of peoples' computers. I don't think I'll ever buy anything with "sony" on it again....I would encourage everyone to do the same, and let the people at ALL branches of Sony's empire. I don't know how to dig up email addresses for the people that run the show on the corporate level, but I'd love to send them the same email I sent all the folks at the music label. Maybe they don't understand that this won't just influence the music business....I doubt I'm the only person that will think of this every time I see "Sony" on a TV, DVD player, or any one of the other thousands of products they make. It's just a bad business decision all around. They should be ashamed.
 
Hello - Do you know if there is anything similar put on a user's computer after installing Sony Acid Pro 5.0 trial edition? Since I installed this I am getting random reboots and computer is acting strange.
 
The only thing worse than purchasing a Sony-BMG CD and not having the ability to transfer the already 'paid-for' content to iTunes, is breaking your Sony VAIO in the process!

I have been a long-time customer and advocate of Sony products, including hardware, software and music for decades. But that does it!

I own not one, but 2 Sony VAIO laptop PCs, 2 Clie brand PDAs, a Cyber-shot digital camera, a top-of-the line CD Walkman, a half-dozen memory sticks, as well as an arsenal of various other Sony audio/video products including a drawer full of Columbia, Epic, and other Sony label CDs... oh yeah and only one [1], count it, just one, Apple device... an iPod.

So while the powers-that-be at Sony may think they have simply prevented me from transferring Sony-BMG-licensed music to my iPod (thereby somehow bullying me into purchasing the inferior 'Walkman' brand digital music player), they have not! What they have done, is managed to alienate a loyal customer to the core.

That being said, thanks so much for making my future buying decisions much easier and clearer. Instead of purchasing the new VAIO FJ-series notebook for my wife this Christmas, I will be heading to the Apple store for a new iBook instead.

P.S.
The CD drive on my $2,000 notebook still doesn't play correctly, and Sony has yet to resolve the issue after multiple phone calls. Their latest recommendation? Uninstall iTunes and try again. Well, I've done that, and it still doesn't work. Ironically enough, the problems started around the time I attempted to cancel the installation of player software bundled on the copy-protected re-issue of Teena Marie's Robbery CD. Go figure.
 
Yes, it is OK to say "yay" for Bill Gates. Seeing all the negative Microsoft/Bill Gates comments which are so often posted, either contextually out of place, or lacking substance, or both is becoming so very pedantic, if not downright silly. Gee, I look cool using a US dollar symbol for the "S" in the abbreviation for Microsoft. This is about Mark's stunning discovery about Sony's actions. To paraphrase from Steve Gibson (as I do not remember the quote exactly): "It's MY computer."
 
Sony should not forget that if they continue to piss off their customers... Their customers are the ones that hold the ultimate power to put them out of business! If their customers decide to gang up on Sony and play unfair like Sony has just done then Sony is History!!!
 
I read your article which discussed Sony's DRM issue. I had purchased a Sony Ericsson phone about a year ago and it came with software to connect to the computer. In the install directory there is another directory called XCPC_setup. Do you think this is the same technology that is in the DRM CDs? The CD jacket mentions that the CD contains copyrighted material not developed by Sony.

Oh, as a side note I have an external CD and an internal CD drive, but my internal CD drive has not worked for quite a while.

jbus
 
nerverasp, if you read my post all the way through I provided a link to the info that Microsoft is providing about what they will do to fix this problem. That's why I brought up Microsoft, not to specifically diss Mr. Gates, although I certainly DO personally know enough "of substance" that I would feel comfortable doing so - but obviously, this is not the place for that discussion. I'm just really pleased that Microsoft has jumped on it so quickly and wanted to share the info and the link.
 
Ok what is wrong with this picture? Sony has installed software on user’s machines for what purpose? Has anyone gotten an answer from Sony asking them what the hell they are using the software for? Are they sending an inventory of user’s software back to Sony? What the hell is it that they need this damn software on our machines so bad? I bought the new Switchfoot CD and noticed this crap was installed on my machine. I noticed it after seeing a crap load of services running that weren’t there before. My second question is why in the hell is Microsoft waiting till fricking December to give us a patch? I want this god damn software off my machine NOWWWWWWWWWWWWWWW??? I hope the hell that Sony gets their asses sued to hell and back on this one. This is an invasion of privacy beyond belief......
 
Mark - really good job describing this process you had to go through to remove their code. But did you stop to consider you committed a felony crime? It is breaking the law to remove copyright protection and now Sony can ask the Feds to come after you.
 
But did you stop to consider you committed a felony crime?

First of all, that's questionable.

Since the Sony/F4I trojan was a) concealed and b) had its files named in an intentionally misleading fashion, it's arguable that he wasn't quite aware what he was doing until it was already done. And aside from that, the malicious software was put on his computer under false pretenses, and proved to be causing a detrimental effect to the performance of his computer.

And aside from that, I don't think Sony really wants anyone to see a headline that reads: Sony Retaliates Against Whistleblower
 
Now I prefer to continue buying pirate CDs and downloading illegal MP3s rather than buy much more expensive audio CDs with such awful contents.
 
I just tried the uninstall link on the Sony page. But I won't run their ActiveX after I've read it transmits encrypted information, so here's what I emailed them:

I have lost confidence in your company when you breached my trust by adding this spyware to a CD I purchased.

So I will not run your Active X control. I do not know what it does and I am concerned that it will transmit information to you that I don't want you to receive.

So I will not perform an online uninstallation of the Sony spyware. Please send me a link to a standalone removal tool that will remove the software without transmitting any information to Sony.

If you fail to comply, I will have the software manually removed by a consultant engineer and forward the cost to you, reclaiming it through the courts if need be.

Best regards,
Alanah
 
I read just now that Microsoft have deemed it Spyware and will develop detection and removal tools for its Anti-Spyware program.

Blog entry from the anti-malware team at Microsoft: http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx
 
I made an official report to the Australian High Tech Crime Centre (the department of the AFP devoted to computer crime) and this was their response:

"The Australian High Tech Crime Centre (AHTCC) has reviewed your complaint, and on the information provided there does not appear to be any criminal conduct disclosed. As such the AHTCC is not able to take any action regarding this matter.

If you are unhappy with a Sony Music product you should complain to the company in the first instance. If the matter cannot be resolved to your satisfaction you may wish to refer the matter to your state/territory office for consumer affairs and fair trading or to the Australian Competition and Consumer Commission.


Regards,

Operations Monitoring Centre
Australian High Tech Crime Centre

Phone: +61 2 6246 2101
Fax: +61 2 6246 2121
Web: www.ahtcc.gov.au
Email: onlinereport@ahtcc.gov.au

GPO Box 401, Canberra, ACT, 2601"

Obviously being a multinational corporation means that when you break the law you're not REALLY breaking the law, because it clearly doesn't apply to Extremely Large Corporations in the same way it applies to the rest of us... *rolls eyes in disgust*

I did send them a reply pointing out specifics of which laws were broken and how, but they haven't gotten back to me. Probably running an investigation to see if there's a way they can lock me up for a Very Long Time :-/
 
HAHAHAHA, here's me laughing at SONY/BMG in particular and the whole 'legal' music industry in particular!!!!

I haven't paid a nickel for music in over 10 years and I'm sure glad I haven't now.

Shame on SONY for trying to pull such a dirty, rotten, sneaky trick on its customers, and my condolences to the people who actually **paid money** to have to put up with such a hassle.
 
Hey, you're the best. Between this malware and the color laser printers that leave hidden dots identifying the user, you can't trust anything anymore... keep it up!
 
Hi, you're a genius, keep it up so we can kick those Sony people, who well deserve it...
 
I congratulate you on a truly brilliant deduction & investigation. I wonder if in the Sony executive collective mind the realization that this was a really big mistake is beginning to settle in & also wonder if others in the entertainment industry are taking very careful note of all this...I hope so!...I've nothing against 'piracy' of anyone's work being punished under the law but to view & punish everyone by assuming they're a 'pirate' at the point of sale of your wares is simply unacceptable & although as yet unaffected by this by living in the U.K. I am annoyed that this is now how the corporate mind views 'we the public'...I've loved telling people about this for the last week or so & every time I do they are as outraged as me on the issue...Sony have certainly tainted their reputation with this action!...It requires a top level apology to rebuild some trust & fix it too!...Thanks Mark for outstanding stuff, absolutely brilliant!
 
can you guys tell me if this looks like a rootkit?

HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\SpeakerConfig:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\Fx1Select:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\Fx2Select:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\SpeakerConfig:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\Fx1Select:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
HKLM\SYSTEM\ControlSet002\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\Fx2Select:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
:
Description: Hidden from Windows API.
Date:
Size: 0 bytes
\$Tops:$T:
Description: Hidden from Windows API.
Date: 10/22/2005 7:56 AM
Size: 1.00 MB
\$Txf:
Description: Hidden from Windows API.
Date: 10/22/2005 7:56 AM
Size: 0 bytes
\$TxfLog:
Description: Hidden from Windows API.
Date: 10/21/2005 11:54 PM
Size: 0 bytes
C:\$Extend\$RmMetadata\$Tops:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 7:56 AM
Size: 0 bytes
C:\$Extend\$RmMetadata\$Txf:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 7:56 AM
Size: 0 bytes
C:\$Extend\$RmMetadata\$TxfLog:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/21/2005 11:54 PM
Size: 0 bytes
C:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 8:05 AM
Size: 128.00 KB
C:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000001:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 8:05 AM
Size: 10.00 MB
C:\$Extend\$RmMetadata\$TxfLog\$TxfLogContainer00000000000000000002:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 8:05 AM
Size: 10.00 MB
C:\boot.ini:KAVICHS:
Description: Hidden from Windows API.
Date: 11/13/2005 11:51 AM
Size: 68 bytes
C:\Documents and Settings\All Users\Application Data\Adobe Systems\Product licenses\B2E57000.dat:KAVICHS:
Description: Hidden from Windows API.
Date: 11/14/2005 2:12 PM
Size: 228 bytes
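
A triage sketch for a report like the one posted above, added here as an example and not part of the comment or of RootkitRevealer: it parses the text layout and separates names carrying the `$sys$` prefix that the Sony/XCP driver cloaks from entries that have a common benign explanation. The allowlist (Transactional NTFS metadata names, Kaspersky's `KAVICHS` streams), the verdict labels and the last three sample entries are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Sample in RootkitRevealer's text layout. The first four entries are copied
# from the report posted above; the last three are constructed for the example.
SAMPLE_REPORT = r"""
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E96C-E325-11CE-BFC1-08002BE10318}\0030\Config\Mixer\SpeakerConfig:
Description: Data mismatch between Windows API and raw hive data.
Date: 11/13/2005 5:28 PM
Size: 39 bytes
\$Txf:
Description: Hidden from Windows API.
Date: 10/22/2005 7:56 AM
Size: 0 bytes
C:\$Extend\$RmMetadata\$TxfLog\$TxfLog.blf:
Description: Visible in directory index, but not Windows API or MFT.
Date: 10/22/2005 8:05 AM
Size: 128.00 KB
C:\boot.ini:KAVICHS:
Description: Hidden from Windows API.
Date: 11/13/2005 11:51 AM
Size: 68 bytes
HKLM\System\CurrentControlSet\Services\$sys$aries:
Description: Hidden from Windows API.
Date: 11/13/2005 5:30 PM
Size: 0 bytes
C:\WINDOWS\system32\$sys$filesystem\aries.sys:
Description: Hidden from Windows API.
Date: 11/13/2005 5:30 PM
Size: 8.00 KB
C:\Temp\report.doc:
Description: Hidden from Windows API.
Date: 11/13/2005 5:31 PM
Size: 12.00 KB
"""

FIELDS = ("Description:", "Date:", "Size:")

# A path component or stream name that begins with $sys$.
XCP_NAME = re.compile(r"(?:^|[\\:])\$sys\$", re.IGNORECASE)
# Assumed allowlist: NTFS metadata names seen in the posted report.
NTFS_METADATA = re.compile(r"(?:^|\\)\$(?:Extend|Tops|Txf|TxfLog)(?:\\|:|$)",
                           re.IGNORECASE)
# Assumed allowlist: alternate data stream written by Kaspersky Anti-Virus.
KAV_STREAM = re.compile(r":KAVICHS$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    description: str = ""
    date: str = ""
    size: str = ""


def parse_rkr(text):
    """Turn the report text into Finding records.

    An entry starts with a line ending in ':' that is not one of the three
    field lines; the fields that follow belong to that entry.
    """
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        field = next((f for f in FIELDS if line.startswith(f)), None)
        if field:
            if current is not None:
                setattr(current, field[:-1].lower(), line[len(field):].strip())
        elif line.endswith(":"):
            current = Finding(path=line[:-1])
            findings.append(current)
    return findings


def classify(finding):
    """Return a verdict; the $sys$ check runs first so it is never allowlisted."""
    path = finding.path
    if XCP_NAME.search(path):
        return "xcp-indicator"
    if not path:
        return "review"
    if KAV_STREAM.search(path) or NTFS_METADATA.search(path):
        return "known-benign"
    if finding.description.startswith("Data mismatch"):
        # Typically a value rewritten while the scan ran; scan again to confirm.
        return "rescan"
    return "review"


def triage(text):
    return [(f.path, classify(f)) for f in parse_rkr(text)]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT):
        print(f"{verdict:14} {path}")
```

An allowlisted name only means there is a plausible benign owner; a stream or file with that name can still hold anything, so confirm the owning product is actually installed before dismissing the entry.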
 
Handal & Associates is considering filing suit in regards to this matter. Anyone who may be interested or would like additional information should contact Pamela Chalk or Anton Handal at (619)544-6400 or pchalk@handal-law.com
 
This is the new detection and disabling tool for the Sony-BMG XCP software:

http://tracker.zaerc.com/torrents-details.php?id=4106&hit=1

(it disables part of it at least, anyway -- and without adding more sh!t unlike the '''disabler''' from $ony-BM)
 
Great job!
I am usually pissed by copy prot schemes as they are a nuisance and don't stop illegal copies anyway.
So far copy protection has only managed to deny legal users their rights.
Last case with me was a copy protected CD that wouldn't play on my Sony Discman. I had to crack it and make a copy to be able to listen to it. Almost makes me think why am I spending $$ to crack it in the end? Why not just get a cracked version somewhere out there?
Last about it, the last game I bought I first downloaded a copy to try. I liked it so much I went and bought a copy to be able to play on the net... without trying I wouldn't have bought it.
 
Hi

Thrilling to follow your logic trail Mark.

Question is this. Disabling Autorun on one's CD/DVD ROMs is not the best: the drive does not refresh when inserting a new disc. (No System refresh trigger) Highly annoying even after several F5 refreshes. In XP, autorun brings up a general handler which gives some choice as to what to do - if there is no program to be executed. Is there a way to add the program option (to be executed) in there and force the handler as default allowing the user to choose to run the software or another associated task?

Regards
Johan
 
Has anyone noticed that it appears that Wal-Mart photo CDs also seem to want to call home when placed in a Windows machine? My Windows 98 setup alerted me when I put a Wal-Mart photo CD in that it wanted to connect to the internet. Just curious. Thanks
 
Sony allies itself with a few questionable companies... one resides in my small town, and started out by writing spyware and adware. They just inked a deal with Sony that made the local papers. They are supposed to write the next version of Sony's online music player. It seems to be a pattern with them.
 
"Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug."

So if you're willing to accept that RKR might have a bug and report false positives, then why have you ignored my bug report since April, which includes steps to reproduce (false positives)?

I've tried emailing you (from 2 different accounts), I've tried posting to the RKR forum... all to no avail.

If you don't want to fix it for some reason, at least give me the courtesy of a reply. I went to a lot of trouble to figure out this bug.

- Hugh Allen
 
ok guys it is really easy to copy sony's music to an mp3 ..... use their own program to rip them and there is nothing they can do to stop it...... yes it is true ... most of you probably don't know but sony owns the rights to a program called sound forge all you need to do is place one of those pesky copyrighted disks into a cd player and go get a cable from radio shack and hook it up between the phone out on the cd player and the line in on your computer use sony's own program to defeat their own copyright software that they probably spent a nice bit of chump change on. wa-la no more copyright from sony.

i am sorry but sometimes when you try to get too technical simplicity rulz.


ohh and by the way you can download sound forge from sony and then find a crack so you don't have to pay the $70 bucks that they want to charge for it


rock on and enjoy this new info
 
On Download.com I saw an advert for a piece of Sony shareware to play music.
Before your excellent work, I might well have downloaded it.
Thing is of course, that I now regard all Sony products with deep suspicion.

I appreciate that it's not your mission to find out the dodgy aspect for all Sony s/w, but have you looked at their "Sonicstage" player ?
http://www.download.com/Sony-Connect-SonicStage-/3000-2141_4-10432027.html

What's the betting it's bad ?
 
More reason to use peer to peer file sharing.
 
Sounds like they got the message...

http://news.bbc.co.uk/1/hi/technology/4441928.stm
 
> I appreciate that it's not your mission to find out the dodgy aspect for all Sony s/w, but have you looked at their "Sonicstage" player http://www.download.com/Sony-Connect-SonicStage-/300......

Well, as I mentioned in an earlier post, after installing "Sonicstage" and “Moodlogic” several weeks ago, then uninstalling, my CD-DVD drive occasionally disappears! I am not experienced enough with PC’s to specifically tie the actions together but I can’t recall ever having a CD-DVD drive disappear and needing a re-boot to see it again. Just coincidence?

KC
 
Could this have been what fried my hard drive? I had just ripped the new Santana CD to my computer and was making a copy for my car, since it gets to be about 120 degrees where I live and my hard drive crashed and had to be replaced. Thanks, Santana!
 
I created two simple tools:
Music Search for non-copy-protected CD's only and
Music search for copy-protected cd's only

Frankly I don't know why someone would like to search in copy-protected lists but then you never know :)
 
> Could this have been what fried my hard drive? I had just ripped the new Santana CD to my computer and was making a copy for my car, since it gets to be about 120 degrees where I live and my hard drive

I would have sworn that the CD, or something, was going superspeed doing something at the time ... thought I smelled a 'burning' scent .... have a hard time connecting the events together in my mind though.

KC
 
I recently placed Sony's DVD Bewitched into my computer so my daughter could watch it. It immediately began to install something. It never asked me if it was okay etc. I hit ctrl alt delete and couldn't see anything running but the install message was still on the screen. It attempted to write something into active-x that was already being accessed. That caused it to error out. Anyone have an idea what this is? In the past I would have thought it was just a video viewer but given Sony's conduct, one can't assume anything. Those have always requested install permission in the past. Could this be something new similar to the rootkit Sony has placed on CD's? This was a region 1 DVD. I also have a Sony VAIO desktop and the DVD drive is a Sony brand...but interesting enough Sony won't support firmware upgrades for it referring me to the ultimate manufacturer which is Lite-On. Lite-On's response was they don't support it either as that is up to Sony since Lite-On has no controls or knowledge over how Sony has configured it for their system. End result, PC just over a year old with no support from Sony. New DVD media not recognized and no firmware upgrade. I've been a long time Sony customer. That is ending after all of the things they are pulling. They don't care about their customers and lately go out of their way to harm them. I've spread the word.
 
It was shocking to read about Sony's copy control software and shocking to hear that a big, recognized company can show this kind of unethical and irresponsible behavior.

What about this CD from 2002:
Outlandish' "Bread and Barrels of Water" CD, with a label saying that
"This product features copy control technology" etc, in case of problems please contact your dealer or www.bmg-copycontrol.info
The CD is meant for standard home Audio CD players and may not play on other devices, especially computer drives" (but it does)

It is not dangerous, huh?

But the bad software was not released in 2002, was it?
 
Sony recalls copy-protected music CDs
Company will also distribute program to remove virus-like software
Reuters
Updated: 1:10 p.m. ET Nov. 16, 2005

BARCELONA - Music company Sony BMG, yielding to consumer concern, said on Wednesday it was recalling music CDs containing copy-protection software that acts like virus software and hides deep inside a computer.

Sony BMG has used the XCP copy-protection software on 49 titles from artists such as Celine Dion and Sarah McLachlan and produced an estimated 4.7 million music CDs. Around 2.1 million units have been sold on to consumers.

The software, developed by British software makers First4Internet, installs itself on a personal computer used to play the CD in order to guard against copying, but it leaves the back door open for malicious hackers.

“We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange program and removing all unsold CDs with this software from retail outlets,” Sony BMG said in a statement.

Sony BMG announced in a separate statement it would distribute a program to remove the software from a PC where it jeopardizes security.

“We deeply regret any inconvenience this may cause our customers. Details of this (recall) program will be announced shortly,” Sony BMG said.

Sony said it will soon issue more details about the swap program. Consumers can identify their copy-protected CDs by a Web address on the back of the CD containing the letters XCP.

Of the 49 titles, 24 were new major releases. The remaining albums were reissues and other material from the catalogue.

Sony reiterated that the copy-protection software installs itself only on personal computers and not on ordinary CD and DVD players. Market research group NPD Group found in a recent survey that around 36 percent of consumers listen to their CDs on a personal computer.


Patch problems
Problems with the copy-protection software became acute last week, when the first computer viruses emerged that took advantage of security holes left by the program.

Responding to public outcry over the software, Sony BMG, the music venture of Japanese electronics conglomerate Sony Corp. and Germany’s Bertelsmann AG had said on Friday it would temporarily suspend the manufacture of music CDs containing XCP technology.


It then provided a patch to make the hidden program more visible. At the time it did not recall the CDs or offer a program to remove it from computers. Sony BMG’s patch and the removal software still left PCs vulnerable, according to software engineers.

The anti-virus team at Microsoft Corp. said on Tuesday it would independently add a detection and removal mechanism to rid a personal computer of Sony’s DRM copy-protection software. It should have a deeper understanding of its own operating system, and how to remove software safely. (MSNBC is a Microsoft - NBC joint venture.)

The software installs itself only on PCs running Microsoft’s Windows operating system.

Sony BMG has positioned itself as a defender of artists’ rights. It had re-emphasized on Friday that copy-protection software is “an important tool to protect our intellectual property rights and those of our artists.”

Sony BMG last week was targeted in a class action lawsuit complaining that it had not disclosed the true nature of its copy-protection software.
(c) Reuters 2005.
 
that's a serious scary thought.. i know sony wants to stop this but come on stuffing around with people's computers is going way too far man... i think they shouldn't use copy-protection software like that if you are going to stuff yr computer up totally....
 
got this in email, see the update!
sony recalls millions of cds!
=========================

>>> article
>> Sony Commits Harakiri for IP
>>
>> Sony has gotten itself into a heap of trouble for committing a series of
>> anti-customer blunders that are confounding in their stupidity. I have
>> personally been victimized by their policies and have sworn off their
>> product for the foreseeable future.
>>
>> For me, as with the other victims, it all started when I bought a new CD
>> released by Sony BMG, The Dead 60's in my case. It came loaded with
>> Digital Rights Management (DRM) software on it. The DRM was designed to
>> prevent me from importing the music I had purchased into the player of my
>> choice, iTunes. I couldn't even play the CD. Reluctantly I installed
>> Sony's software, agreed to a license agreement (just to listen to music!)
>> and up popped Sony's craptastic player, chock full of ads and fancy
>> graphics I didn't need.
>>
>> I immediately closed it, removed the CD and tossed it into the trash.
>>
>> Little did I know that Sony had slipped a bunch of secret spyware onto my
>> machine without my consent. The very next day my computer suffered what
>> Windows described as a "Serious" crash caused by a First4Internet driver.
>> I searched for the driver or program to remove it, but couldn't. I was
>> forced to install an "update" in order to get my computer working again.
>>
>> Then about two weeks ago, Mark Russinovich over at sysinternals.com
>> figured out that Sony had been installing blackhat rootkit spyware built
>> by First4Internet on unsuspecting customers of their music CDs. And it
>> got worse. The software could not be removed. The install process did not
>> get consent. The software exposed serious system vulnerabilities which
>> could be exploited by hackers, trojans, spyware and virus writers.
>>
>> After about 10 days, Sony relented and released an uninstaller, which I
>> reluctantly decided to use. But the uninstaller was only available after
>> I provided Sony with my name, e-mail address and other info. Then a link
>> was e-mailed to me. Then, the uninstall process required that I actually
>> install an active-x component so that I could install the uninstall...
>> Yes, I'm dizzy too.
>>
>> Now, it turns out that the active-x component was so poorly written that
>> it too has exposed my computer to more vulnerabilities which can easily
>> be exploited by hackers, trojans etc, etc, etc...
>>
>> And here's the kicker. Sony, the company, did all of this to protect
>> their copyrights. They wanted to protect their intellectual property. But
>> it appears that they actually used a Freeware product called LAME,
>> modified it and released it as their own, in effect disregarding another
>> company's intellectual property. How ironic is that?
>>
>> The Electronic Frontier Foundation has gotten involved and has written an
>> open letter to Sony which outlines Sony's missteps and what must be done
>> to correct them. It makes for great reading. I for one am glad that
>> somebody is pressuring Sony. They broke my computer, twice, exposed me to
>> hackers and viruses, and have refused to come clean... just for a Dead
>> 60's CD. No thanks.
>>
>> UPDATE...
>>
>> Subject: Sony recalls millions of CDs
>>
>>
>>> Sony recalls millions of CDs
>>> Correspondents in New York
>>> NOVEMBER 17, 2005
>>>
>>> SONY BMG has recalled millions of music CDs with a controversial copy
>>> protection software that experts said could expose personal computers to
>>> viruses and hackers.
>>>
>>> Sony BMG, one of the world's biggest music companies, said it was ending
>>> the use of the software provided by a third-party vendor and allowing
>>> consumers who purchased CDs to exchange them for similar items without
>>> the software.
>>> The joint venture of Japan's Sony and German-based BMG reacted to a
>>> firestorm of protests and the threat of legal action over its use of the
>>> so-called XCP copy protection software.
>>> When one of the CDs is inserted into a PC, the XCP software can modify
>>> computer settings and, according to some experts, expose the computers
>>> to a variety of malicious software programs.
>>> "We deeply regret any inconvenience this may cause our customers and we
>>> are committed to making this situation right," Sony BMG said.
>>> "It is important to note that the issues regarding these discs exist
>>> only when they are played on computers, not on conventional,
>>> non-computer-based CD and/or DVD players."
>>> Sony said it was halting the use of the copy protection software
>>> developed by First4Internet, and providing technical data to anti-virus
>>> companies to help fix any problems on affected PCs.
>>> One security firm, Internet Security Systems, went so far as to label
>>> the copy protection in the CDs as "malware," or malicious software,
>>> noting that it did not allow consumers the ability to remove it.
>>> "This software actively attempts to hide its presence from users and
>>> does not offer uninstall functionality," ISS said.
>>> "The software also provides a cloaking mechanism that is being used by
>>> different trojans to hide their presence," it said, referring to a
>>> common type of computer virus.
>>> Agence France-Presse
 
All this talk about CDs. What about DVDs? Just a day ago I had my first experience with this Sony business. I put in "Stealth" that I had just rented from the local movie store and the next thing I know my computer is acting all sorts of crazy. I had no idea at the time about this problem and don't know all the tech stuff to find and eliminate this type of attack so I just reinstalled Windows. What a F**king pain. Coming from a once loyal Sony consumer I will be thinking more than twice about anything Sony. I hope they get theirs.
 
They wanted to protect their intellectual property. But
>> it appears that they actually used a Freeware product called LAME,
>> modified it and released it as their own, in effect disregarding another
>> company's intellectual property. How ironic is that?

Lame is released under the LGPL so, if Sony is using it, they must release all of the source code otherwise they are in breach of the LGPL and at risk of legal action.

The GPL itself has been tested in court and is legally binding so claims that OSI licenses are untested are themselves false.

Anyone fancy looking for the source code on the Sony site?
 
More from the BBC.

http://news.bbc.co.uk/2/hi/technology/4445550.stm

contains the gem. "...Do not install software from sources that you do not expect to contain software, such as an audio CD,..." US Computer Emergency Response Team
 
Youza. This is sleazy. I'm definitely going to not buy something from SONY for this. I got a SONY 16x DVD DL burner, and then thought- oh, what kind of stuff does this have on it to snoop or prevent people from ripping movies, seeing as SONY is movie Co. Anyone know?
 
You can prevent auto-play on any removable media (CD, DVD, flash drive, etc.) by holding down the shift key before and while the CD is being inserted. You can safely let go of the shift key once the access light on the CD has stopped. You do not need to hold the shift key down unless the media is reinserted. This works on PC (anyone know of a Mac equivalent?), and would keep any malware from loading when the CD is inserted. Of course, to be really safe, download and install Microsoft's TweakUI and turn off AutoPlay entirely.
 
This virusware is included in more Sony products than just music CDs. Do you have a digital camera? Do you have a Sony laptop? Do you have Sony USB drivers for your memory sticks? You should be very careful purchasing any Sony electronic products because vendors are refusing to remove affected products before the holiday. Beware. You have been warned.
 
man, bs, I just paid over $2,000 for this brand new sony computer... If anything happens to it, I'm gonna sue sony and make sure I get every penny back faggots... No wonder they provide "insurance" with the purchase of a sony computer... If you buy insurance, you get your stuff replaced, and if you don't buy it, you don't get it replaced... OK, COOL.... LAWSUIT TIME
 
Mark,

First, thanks for all the help. Your blog was a lifesaver. Second, thanks for keeping the subject in the public's eye. I bought a Sony CD one month ago and have had to deal with this (and other problems) for quite a while. So I'm doing a favor for Sony. I've started a Frappr map of people affected by the Sony XCP rootkit. If you or your readers want to join, check out the map at http://www.frappr.com/sonyxcpvictims.

-CyclingRoo-
 
Even though I recently bought an iPod, I still like to buy my music the old fashioned way: on CD. But now, with this kind of outrageous behaviour from Sony, it seems safer to get the music online. Are they not simply playing into the pirates' hands by doing this?

Is there an easy way to check a CD for this kind of protection before purchasing?
 
It's time to openly boycott Sony products and let them know why. This is a violation of our rights to privacy.
Everyone should write Sony and state they will no longer buy Sony products as long as they persist in this type of intrusion into our computers.
 
It's interesting to note that Microsoft is updating Windows in order to remove the Sony copy protection software, as are a multitude of antivirus companies.

I may be wrong, but doesn't this mean that Microsoft and all those antivirus companies are in violation of the DMCA laws and may be sued by Sony, as they're decompiling, circumventing and removing the copy protection software? It would be an even stupider act by Sony than the actions they've already taken, but it sure would be an interesting legal battle.
 
Hmmm. Anyone else think about the fact that you could conceivably run this on a computer that you allow to be infected, then jack the resulting analog stream with a program such as Audacity, available for free in both Windows and Linux. You need libmp3lame.so for Linux or libmp3lame.dll to export to mp3 with Windows, but I recommend exporting to ogg-vorbis format, since it's open-source and way cooler. You won't be able to play the ogg exports on your iPod or Rio, but that's only because Apple and Microsoft don't want to support open source technology.

You could always just go and find indy music labels you like. Support the actual artists, rather than the fat corp-whores that ride the artists like broken horses 'till their careers are finally over and they can be disposed of in proper pop-fad form.
 
Nice Detective Work. No Surprises really, I once worked for Sony repairing VAIO's and believe me, they are not an ethical company...
BTW I always rip music from audio CD's by playing the darn things on a standard cd player and running an audio lead to my sound card, use sound forge or something to capture the audio, save it as whatever i like.. Hey its low tech and takes for ever, but quality is good and i don't get any crap installed on my PC.
 
Guess where this all started...

http://news.zdnet.com/2100-1009_22-5958838.html?tag=nl.e589
 
Mark,
many many thanks for explaining all the details in your original post. By following the instructions (very carefully!) on detecting and removing driver filters, I've managed to get my CD burner working again.

(This was a non-Sony problem - I had pxhelp20.sys)
 
"Controversial copy-protection code used by music publisher Sony BMG on CDs appears to have tapped an open-source project, raising questions about copyright, software experts said Friday."



http://blogs.zdnet.com/open-source/index.php?p=501&tag=nl.e589
 
Scary o.o; I'll never buy a Sony VAIO that's for sure >.>;; I build my own computers anyway so I guess that doesn't matter ._.;
 
Go to xcp-aurora.com and click on "Press" to view all the news articles these morons are (still) bragging about. The Sony stuff is the bulk of it, all in May, '05. Oddly enough, they stopped in August. Maybe they don't think the latest round of news about them is worth repeating.
 
Here's an email I received yesterday.

Hello from Amazon.com.

We're writing about your order for the following CD(s):

Nothing Is Sound/Switchfoot

The Sony CD(s) listed above contain XCP digital rights management
(DRM) software. Due to security concerns raised about the use of CDs containing this software on PCs, Sony has recalled these CDs and has asked Amazon.com to remove all unsold CDs with XCP software from our store.

Since you purchased this CD from Amazon.com, you may return it to us for a full refund regardless of whether the CD is opened or unopened.
Just follow these steps:

1. Pack the item along with the packing slip (receipt) securely in a
box. You can use the box the item arrived in or another box, if you
prefer. If you do not have the packing slip, please include the
order number for this CD in the box.

2. Ship the return to:

RETURNS CENTER - AMAZON.COM
1850 Mercer Rd., Suite 100
Lexington, KY 40598 USA

Thank you for your understanding. We hope to see you again soon at Amazon.com.

Sincerely,

Amazon.com

Customer Service
 
Incredible! I know Sony have been using a similar technology to "battle" the bit torrent network. They seed their own modified versions of files you might like to get your hands on, when you run the applications they embed themselves invisibly into your system and send Sony all kinds of information about your usage history.

A friend of mine who will remain nameless at university received a letter one week from Sony telling him to delete all the illegal content on his hard drive otherwise they would take legal action. The content referred to movies and in the letter was compiled a list of all the dates, number of times etc each file had been viewed.
They had even managed to get his email address and the hall that he was staying in at uni.

Fair enough that kind of file downloading is illegal and it was very fair of the Sony Corporation to not take legal action but I think you can go too far and become intrusive, especially with hidden software applications, you expect this kind of cloak and dagger behavior from disreputable sources and you take your chance, but I am absolutely appalled to read the software Sony are now sneaking onto their CD's!
 
I just got my money back from Wal-Mart for the Switchfoot CD. They claimed none of their stores had been notified of the recall by Sony. I had to leave documentation with them, but the only way to get this noticed is for all of us to demand that every retailer pull all 53 titles off their shelves before next Friday - the biggest shopping day of the year. A class action suit won't mean anything to Sony - but ticked off retailers like Best Buy, Wal-Mart, Circuit City, etc. will certainly pay dividends with Sony BMG
 
Your comments and findings are more than fascinating. I'm wondering if Arista is doing the same or using the same type of software. I got the same "blue screen" after I attempted to play the latest Santana CD, "All that I am". I made a mistake not writing down the driver's name, but certainly I'm now worried.
 
At least two class action lawsuits have been filed on behalf of Sony BMG Music Entertainment customers who were infected with the First 4 Internet Rootkit. Users who were infected do not have to wait for a class action to make its way through the courts, they can sue on their own in Small Claims Court.

For more information about the Sony BMG lawsuits, and about filing a lawsuit in your local Small Claims Court, visit SonySuit.com.
 
i can't wait for the record companies to crumble. who needs 'em. musicians can make and sell their own albums now. real musicians, that is - not the puppets they say they're trying to 'protect'.
 
I have contacted the National High Tech Crime Unit in the UK and they have advised me that they are not preparing to take any criminal action against either Sony or First4Internet.
They have suggested that if I believe a criminal act has taken place then I need to contact my local police station. They will take down the particulars and make any investigation required. To be honest I am shocked.
There has been such a hoo-ha about hackers getting arrested for writing viruses and now a big corporation tries to get away with abusing its position with exactly the same methods and it is going to get away with it.
I am truly stunned, if everyone affected who lives in the UK went to their local police station and discussed this they would find that they would get no help. However, if we all clubbed together and posted the crime number that was given to us we could raise this with the NHTCU as they would have sufficient witnesses and victims of this crime to make it worthwhile investigating.
Ah well... if anyone wants to start up a blog or forum specifically about this then let me know... I read this blog everyday...
 
In fact, I have set a new blog for the specific purpose of setting up a UK attempt to sort out Sony.

Join in the discussion at http://ihaterootkits.blogspot.com/

Love to all.
 
Let’s make December 1st 2005 the day we burn/destroy all Sony products worldwide!!! Then never buy another Sony product ever again. Anyone found with Sony products after December 1st 2005 shall be excised from our population as they will be no more than supporters of virus writers. It’s just that easy to put an end to Sony once and for all. Mark it on your calendars, December 1st 2005 is an international cleansing day, the day we terminate all Sony products from existence!!!
 
Great info, it'll be a week or ten to sort through the replies but information that applies to a screwy mess I found on my system after trying to copy two .wma's from a Sony disc from a friend's CD. One was a cover of "Black Betty", the other an original from the artist. No piracy involved, nothing different than using a double-deck cassette recorder which is standard fare on any stereo obsolete enough to have a cassette feature. Norton AV and ZA's AV didn't catch it but one freeware AV program I was running caught it. Somethin' off computergeeks I'm no longer running but it caught the built-in malice for free. Now to back track through the links to make sure S(cumm)y isn't still inside....

Thanks for the info etc.
 
I predict XCP protected CDs will soon be the most shared titles out there - and bloody well right, too.

'The duty of Civil Disobedience applies not only to governments, but also to the corporations that govern us...'
 
BREAKING NEWS:

Less than half an hour ago, radioandrecords.com reported that the State of Texas has sued Sony over this under its antispyware laws.

See that website for more info. Later today when it drops off the 'top story' page to another spot on the website, I'll post the direct link to it.
 
Sony BMG initially rejected the uproar over XCP as technobabble


http://news.yahoo.com/s/ap/20051121/ap_on_hi_te/sony_copy_protection;_ylt=AtLf6U58YxczAk_U29QQka6s0NUE;_ylu=X3oDMTA3cjE0b2MwBHNlYwM3Mzg-

This is absurd that they could not even imagine the consequences of their technology - is the company so large and so divided that there are a group that just does what it wants and gives the right answers to the executives and lawyers (who are NOT I.T. savvy - and just surround themselves by "yes" men, who would see it as harmful to their careers to criticize)???
 
http://www.gartner.com/DisplayDocument?ref=g_search&id=486827

http://www.techweb.com/wire/security/174400646;jsessionid=0OAAQF1MCNZKGQSNDBCSKH0CJUMEKJVN

Next time Just USE a piece of Scotch Tape :-)

Sony BMG Music's controversial copy-protection scheme can be defeated with a small piece of tape, a research firm said Monday in a demonstration of the futility of digital rights management (DRM).
According to Gartner analysts Martin Reynolds and Mike McGuire, Sony's XCP technology is stymied by sticking a fingernail-size piece of opaque tape on the outer edge of the CD.

That, the pair said in a brief posted online, renders "session 2 -- which contains the self-loading DRM software — unreadable. The PC then treats the CD as an ordinary single-session music CD, and the commonly used CD 'rip' programs continue to work as usual."
 
As promised, here is the direct link to the radioandrecords.com news story about the State of Texas suing Sony over the rootkit.

http://www.radioandrecords.com/Newsroom/2005_11_21/stateof.asp

Mentions how the firestorm started with this blog but doesn't refer people to it.
 
Here is another post found in an antispam newsgroup. Has an important link for those who may have CDs that they think are infected. It's the first link.

Some of the other links may have already been referred to in other comments on this blog, including a backlink to this blog, but some of these may not. Take a read of any of them you have not read yet.

Here is a list of the Sony and EMI CD that contain the XCP software.
If you have played one of these CD on your PC then you are infected.
http://cp.sonybmg.com/xcp/english/titles.html

BACKGROUND FOR THOSE WHO CAME IN LATE:

The "XCP" copy protection on certain Sony music CD installs rootkit
software to hide the copy protection software from the computer owner.

This problem only affects Microsoft Windows computers. Apple Mac
users are safe from this particular flaw.

That Sony rootkit is now being used by virus authors to hide their
viruses from antivirus software. There is a background article on it
at
http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/

Un-installing the XCP software by simply deleting the files will cause
your CD drive to stop working. There is a very technical explanation
at
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-ri...

Sony provides an un-install utility. However, the un-install has a
bug in it that causes it to install another security flaw (in ActiveX)
that has already been exploited by malicious hackers.
See info at
http://www.theregister.co.uk/2005/11/17/sony_drm_uninstaller_peril/

Information on XCP hiding viruses is at
http://news.yahoo.com/s/nm/20051110/wr_nm/sony_hack_dc

There are complicated manual removal procedures at
http://club.cdfreaks.com/showthread.php?t=151461
and
http://www.boycott-riaa.com/article/18565
but I haven't tried them and I don't know if they will work. You may
need the Rootkit Revealer software from the nice people at
Sysinternals just to find the files so you can delete them.
http://www.sysinternals.com/utilities/rootkitrevealer.html

There are instructions for patching the security hole that the Sony
un-installer creates at
http://www.f-secure.com/weblog/archives/archive-112005.html#00000709
and
http://www.freedom-to-tinker.com/?p=927

If you are infected then you can go to Google and search for
xcp class action lawsuit
 
I heard today on FOX News that several lawsuits have been filed against SONY BMG for this specific thing. Specifically one in Texas filed by the Attorney General Greg Abbott, who claims that the software violates the state's anti-spyware laws. Also several other lawsuits have been filed in New York according to this article.

http://www.eweek.com/article2/0,1895,1891843,00.asp

Looks like we are beginning to see some opposition to this DRM and Copyright Protection crap. YEA!!!
 
Can anyone verify if this will work? I can't test it as I don't have an XCP protected cd.


_______________________
' XCP Kill.vbs
' Beta script to disable Sony XCP and rootkit
' This does not completely remove all components of XCP but it should effectively completely disable it.
' the items left on your computer should pose no security or stability issues (maybe Mark can verify this?)
' Thanks to Mark Russinovich for all the good work on this pest.
' Most of this script was pieced together using tidbits of other scripts I found on the net.
' I have no idea if this will work as I don't own a cd with XCP on it to test so use at your own risk
'
' By the way Sony, if you want to sue me for this, my name is Christopher T. Carlton from Cleveland, OH. Bring it!
' -------------------------------------------------------'
Option Explicit
Dim objWMIService, objProcess, colProcess
Dim strComputer, strProcessKillone, strProcessKilltwo
Dim oShell

strComputer = "."
strProcessKillone = "'CDProxyServ.exe'"
strProcessKilltwo = "'$sys$DRMServer.exe'"

Set oShell = WScript.CreateObject ("WSCript.shell")

Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" _
& strComputer & "\root\cimv2")

Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = " & strProcessKillone )
For Each objProcess in colProcess
objProcess.Terminate()
Next

WScript.Sleep 4000

Set colProcess = objWMIService.ExecQuery _
("Select * from Win32_Process Where Name = " & strProcessKilltwo )
For Each objProcess in colProcess
objProcess.Terminate()
Next

WScript.Sleep 4000

oShell.run "cmd /k sc delete $sys$aries"

WScript.Sleep 4000

oShell.run "cmd /k del C:\WINDOWS\SYSTEM32\$sys$filesystem\ARIES.SYS"
oShell.run "cmd /k del C:\WINDOWS\CDProxyServ.exe"
oShell.run "cmd /k del C:\WINDOWS\SYSTEM32\$sys$filesystem\$sys$DRMServer.exe"
Set oShell = Nothing

Wscript.Echo "Please Reboot and run script again (Ignore this if you have already done that!)"
WScript.Quit

' End of Kill XCP
__________________________
 
Oh... Poor Sony!!!... Don't be too hard on them, after all they have instigated the Sony BMG XCP exchange program. And it only takes a mere 3 to SIX weeks to get your cd back - naturally when they have verified your purchase and that the cd is genuine etc. Such a shame that we can't just TRUST poor ole Sony and send our errant cds to them. After all why wouldn't we?!!?? ;¬]
 
SonyExec: Man I wonder why Microsoft got all over us so hard for some overall benign Malware? What's a few processor cycles among friends?

SonyExec2: It wasn't so much the malware as it is the fact that it would show the world how Windows is susceptible to it and Linux is not.

C S McMurrough
 
Hi there,

I just wanted to post a quick, but very big, thank you to Mark and all others that helped to expose the deplorable practices of Sony BMG.
I am an industry professional who has worked with electronic media for a long time and therefore often encountered the desperate attempts of content providers to 'protect' their content; at virtually any cost to the legitimate purchaser.
I stated for industry editorial as far back as 2000 that THERE IS NO WAY TO PREVENT PIRACY, the solution is to offer the electronically distributed product at such a reasonable price as to discourage the need for piracy. Naturally, this sticks in the craw of content owners that have been used to milking the public for such a long time.
Thank you again. It is only with your expertise, and that of others like you, that the public have any safeguard against the devious antics of the profit hungry corporates of this world.

All the best,

Nick
 
SONY BMG Complaints - Frequently Asked Questions, courtesy of the Attorney General of Texas:

http://www.oag.state.tx.us/newspubs/releases/2005/112105sonybmg_faq.shtml
 
A very BIG thank you to all of you!
I just found the most ominous "UNICOW.DLL" in the file ...\programs\microsoft office\office11\ and renamed it through my Antivir Guard. Afterwards I prohibited all connections from this DLL to and from the Internet with my Norman Personal Firewall...
For some unknowing User as I am this might be the only thing I can do so far...
Interesting fact is that you can't delete the DLL but rename it...
So far I can't do anything else than hope Sony and other companies won't control my PC from 'outer space'...;)
I'll be back on this Blog to see if any news comes up...:) so long... Live hard and DIE HAPPY...;)

www.die-happy.de
 
Just spent the last few hours reading all the postings - followed by 2 very powerful painkillers for my head!!
What a scary thought this whole drm business is.
My other half works for a large music industry company (thankfully not Sony) and she will be horrified when I go through this all with her. Thanks and adulation to Mark for spotting all this. It just serves to reinforce what I have thought all along, big business cares diddley squat about their customers, just being interested in profits not good service. Whatever happened to the saying "The customer is king"? after all Sony would not exist without its customers would it? Or have they forgotten such simplicities?
 
Consumer Reports Mag is now on
the bandwagon with a story:

http://www.consumerreports.org/cro/home.htm
 
The Sony virus seems to have existed for a long time.
The violation of the privacy secretly done is pointed out on the bulletin board of Japan in May, 2002.
[Source]
http://pc8.2ch.net/test/read.cgi/sec/1022314027/
[Source(Translation)]
http://translate.google.com/translate?u=http%3A%2F%2Fpc8.2ch.net%2Ftest%2Fread.cgi%2Fsec%2F1022314027%2F&langpair=ja%7Cen
 
Do you know how far this CD corruption dates back? I'm not entirely sure how many CD's I've bought have DRM as a number of CD's that I have bought have an autorun facility option (namely Incubus S.C.I.E.N.C.E, Offspring Conspiracy of one, and some others I can't remember). These cd's are not on Sony's official list ( http://cp.sonybmg.com/xcp/english/titles.html ) but I'm worried that I've still got some kind of DRM software that I can't detect. I'm not that handy with computers, and don't know how to detect it.
Andy G
 
Thank You Mark for your hard work on discovering this malware!

You have saved countless computers from being hacked by the bad guys. If you did not publish this, the forum workers (such as myself) would be working non-stop cleaning this mess up.

I can not believe the "*****" on Sony for trying something SO STUPID.

Do they not understand what we all have been busy doing: CLEANING UP THE WEB FROM MALWARE??

Well, I for one, have been affected by their XCP Rootkit/malware. I have the "Van Zant" cd and it affected my personal machine and one at my work.

Bad for them ~ I am a Network Administrator at a Law Firm!! Yes, they infected a lawyer's machine which they are paying me to fix.

Talk about upsetting the cart!

Anyone out there affected by Sony's XCP, please contact me and join with us to sue and make sure other companies do not try this. I am located in Florida.

Again, Thank You, Soo Much to MARK!
 
My fifteen year old son has his computer disconnected from the internet and has installed no programs on it for more than a year. Additionally I do pc repair and frequently remove spyware and malware from machines--often those that have had no firewall or filter programs in place during their use. I am not a "pro" at it but am better than most of the pc stores here that try to do it.

So one day my son says, "Dad, my pc is acting really weird." I go in and the hard drive busy light is on and it is making grinding noises. My first thought was a fan bearing or cd player were going but it was coming from the vicinity of the CPU itself (It's an old Athlon 750mhz).

I rebooted and examined and looked and couldn't figure what was causing this but it was making it almost impossible to run the pc. I could not figure out why the hard drive kept cycling over and over and the processor was bugging out so badly.

Tonight my son told me that the trouble started when he used windows media player to rip copies of three cd's he purchased from Best Buy to his hard drive. Two of them are from Sony Records Group--not sure what the third is (Fallout Boys, Click 5 and The Black Eyed Peas).

He said when he ripped the Click 5 cd and then tried to play it back is when the problems started.

Any savvy programmers out there wanna start laying the groundwork for a class action lawsuit?

Email me at: worldstrider@hotmail.com if you have any suggestions here.
 
Don't think that you can get the rootkit by just buying a legitimate CD. A few weeks ago people were distributing, in Melbourne, free CDs which have the copy protection on them.

Although the CDs were clearly labelled that the copy protection limited the number of copies which can be made, there was no indication that malware would be installed.

Sony sucks!
 
I'm not sure but I may have an issue related to the DRM fiasco of Sony-BMG. My wife recently purchased some import CDs from Amazon done by a German artist on the Sony-BMG label. I tried to play them on all the CD/DVD combo drives on my PC and it choked. I then tried it on my home theater Toshiba DVD/CD player and it choked too (just sat and clicked away). I put a different CD in the player and it worked fine. I then took the suspect CDs to my $40 boom-box and it played fine there too. Related? Possibly but certainly suspicious. If it is related, I'm worried now that it has extended itself to a home theater DVD player.
 
I have set up a webpage at my site with contact information and a pre-written letter to copy and paste into Sony's website contact form.

Very quick and easy to do. You can find this at www.micaspecialties.org/xcpmalwarereview.htm
and help stop Sony from trying this again.

Thank You again, Mark for saving us all. If I can do anything to help you, please let me know!
 
Can someone provide some more instructions on getting your CD drive back? I'm a little confused, I installed the psexec file, but I don't know what to do beyond that...

THANK YOU FOR POSTING the other instructions...
 
I would like to respond to the post by Michael Moore : 11:57 AM, November 10, 2005...

...Do you really think this is about Microsoft? Can you read that much into this, without seeing the bigger picture? This is not about Microsoft.

Anyone working with computers today has some connection with Microsoft. That is a good thing. By interacting with Microsoft, we gain information that we share with the public to improve their computing experience.

However, any company that interacts with consumers by using malware will be published and banned by any/all computer security professionals, including myself.

Maybe you should spend a little time on computer security before blasting the ones cleaning up the mess. Besides, do you have the education in computers that Mark has obtained? Have you spent any time trying to help "other people" in today's Malware War, because of companies like Sony?

This is serious stuff! And we need all of the help that we can get. Mark has saved many people time, money and their mental health.

I THINK IT IS YOU THAT HAS TIES TO SONY OR IS IT FIRST4INTERNET that employs you?
 
Here's some more, from an antispam newsgroup posting.

The bad spelling is in the original. But note that Kentucky has banned Sony CDs from all their systems and they may sue also.




> More good news for Botnet spammers and evil hackers. The Sony XCP
> rootkit CDs were not really recalled.

> So spammers and other malevolent hackers will be able to hide their
> evil programs on more computers.

> The Register has details:

> Sony's DRM woes worsen
> http://www.theregister.co.uk/2005/11/30/sony_drm_spitzer/

> F-Secure warned Sony about the problem a month earlier, and Sony
> stonewalled.


We needed to add 5 video edit stations at work.
Decided to go with Avids that will work with DV tapes.

The Sony rep was pusing their DV decks.

I was able to convince the CEO, in the presence of the Sony
sales droid, that we did not want to buy any Sony products,
from any Sony division until and/or unless Sony comes
clean, posts a workabel removal tool that doesn't open a PC
to attack, and agrees to stop using this viral like application.

The CEO agreed as we had 4 infected machines, one of which
was hijacked after running Sony's "cleaning" tool. Sony is very
unwelcome on our shhop, and from his pained look, Sony sales
are down inductry wide.

Sony operates on fairly small profit margin and is facing intense
preasure from the other equipment makers. We are doing our part
to drive Sony under.

The Sony Droid admitted that Sony's actions were unethical, improper
and likely illegal. One TV oufit told him they were going to see if
RICO
was applicable. He felt that Sony's management still did not grasp just
how serious this whole issue really is. He said that Sony has received
several thousand notes from all over the world stating that in the
future
people would just steal Sony Media and would never ever buy from them
again. He said life has been very rough for the last month or so. He
thought
the Microsoft Xbox360 gives buyers a choice this Christmas and Sony
could take a beating. We should know by the middle of January if Sony
is really going to suffer for the rootkit.

He was surprised at the lack of main stream press given that all of the
big boys know about it and have been effected.

I understand from a friend in the states IT division that the Kentucky
has
"banned" all Sony CDs from all state systems. An Email went out to ALL
state employees informaing that ALL Sony music CDs are bared from
state systems. I will try to get a copy and post it.

And the state AG is reported to be drafting a tort and is going to try
to get
an injunction barring Sony from further sales in the state until they
fix the
problems they have caused and agree to not engage in "futher ilegal
and
reckless acts."

Jeff, you are a lawyer, what is the trip wire for RICO to kick in?
 
@micaman:
You wrote: "Anyone working with computers today has some connection with Microsoft. That is a good thing. By interacting with Microsoft, we gain information that we share with the public to improve their computing experience."

That is a good thing?? How dare you say that. You're just saying here you comply with MS being a monopolist! Sure you're not a MS employee? Looks 100% a MS ad to me!
MS has WAY too much power, it looks like you just don't understand the danger in that. MS has more power than most countries. Talking sizes: if MS is an elephant, Sony would be a mouse.

Although MS has a far poorer reputation than Sony, that doesn't make it Ok for Sony to spread this kind of malware. XCP gives viri a warm womb, that's even worse than the virus itself. MS is probably even more responsible than Sony, the malware installation is way too easy.
Intended or not, the Xbox WILL win in this situation, while MS doesn't do any better than Sony in this situation.
 
Is it safe to delete the files in the following directory: C:\WINDOWS\system32\$sys$filesystem

and the TPMX directory. I uninstalled it supposedly but the $sys$drmserver.exe is still running in my processes

Any help please email me. It's killing my computer: jcochran1977@buckeye-express.com

NOT HAPPY!
Thanks,
 
Hey "MP" you wrote:
"That is a good thing?? How dare you say that. You're just saying here you comply with MS being a monopolist! Sure you're not a MS employee? Looks 100% a MS ad to me!
MS has WAY too much power, it looks like you just don't understand the danger in that. MS has more power than most countries. Talking sizes: if MS is an elephant, Sony would be a mouse."


Do you really think that by interacting with the maker of a product that it endorses everything they do? Would you buy a Chevy and then not expect for them to have the best advice for working on it? Do you even have a Microsoft machine? And if you do, do you not let them update it? Have you never read a single piece of data from them pertaining to your machine? Do you not remember that Ford was the MAJOR car maker for some time and then others came along. The same thing happens with all products. Just as Ford started something big, SO DID MICROSOFT! You can not take that from them.

I am not a Microsoft employee, but I do thank them for sharing their expertise with me. As I stated before, I will "dare say it" again!

I stand behind every word.

And if you spent 50 -80 hours a week working on Windows O.S. machines (like I do), you would be interacting with them as well. How could you not? It sounds more like you are the Sony CEO, trying to take the focus off of their bad move, which they knew what they were doing from the start.


You also said:
"Although MS has a far poorer reputation than Sony, that doesn't make it Ok for Sony to spread this kind of malware. XCP gives viri a warm womb, that's even worse than the virus itself. MS is probably even more responsible than Sony, the malware installation is way too easy."


Here again, you are trying to stir up action against Microsoft, instead of Sony. Sony is responsible 100%!! Microsoft has made great strides in securing Windows over the past year. You may not like that, but it is true.

And they give back a lot more than Sony does. Have you ever looked up some repair information on Sony products? Try somewhere like Consumer Reports or any other credible source and, well THE RECORDS SPEAK FOR THEMSELVES!

And now they get caught doing something they knew was wrong. Can you really tell me that as a computer builder, they did not know what a Rootkit was before doing this, I don't think so. And when did Microsoft ever do something like this - NEVER!


And again you added:
"Intended or not, the Xbox WILL win in this situation, while MS doesn't do any better than Sony in this situation."


Yes, I think they will win on this one, too!

3/3 for Microsoft
0/3 for Sony
 
I think this was planned by Sony to be in place for Holiday shoppers. The information they would obtain by spying on us, would be priceless - or so they thought!

They spent a lot of time testing this Rootkit before installing it onto cd's, they had to know what it was about. They thought everyone forgot about Rootkits, but we did not. All companies that promote the use of malware will suffer from informed consumers. Just as adware has taken a hit from everyone cleaning their infected machines, so will companies like Sony who still think they can use this stuff. The consumers of America will always decide where they will spend their HARD EARNED MONEY, and it won't be with companies like this!

And why have they not contacted everyone they have sent this product to? Why did they still send me an infected cd on the 21st of Nov? This was long after the date of knowledge. It was shipped from their warehouse on the 21st!

Yes, they knew what they were doing.

They wanted to track people's purchases this Holiday season!
 
Everyone asserts that SONY had to have tested the XCP, and known exactly what it is. I find it telling that the EULA prohibited using this media on a business computer. This is prima facie evidence that they knew it would punch holes in a business machine's security and stability.

What they knew they didn't want to do to a business machine, they weren't going to hesitate to do to people's home machines. This is pure conceit and arrogance!

How is the security and stability of my home machine any less important to me than the one at work? Frankly, my home machine has data that matters more to me than any office machine I've ever used!
 
Sony is first and foremost a hardware company and that's what they get when trying to create software solution, in particular something as complex as DRM is. Not a big fan of MS DRM either but these guys istreamplanet are doing it with web services. It's interesting and it looks like they are able to fully integrate with anyone's website. It could be a hype though???
 
My AntiVir was picking up this SPR/Rootkit.XCP.B.5 virus as well. I first discovered it when my MSN Messenger stopped working and I tried to reinstall it. I keep getting messages during download that says the program has the rootkit virus and it will not let me continue using my messenger. So now, not only do I keep getting the rootkill virus, I can not use msn messenger.
 
I don't buy CDs much anymore. I use Napster. Come to think of it, I still have my account on bmgmusic.com but I don't think I will be using it much longer lol. I think Sony is going to get enough lawsuits to make them stop this.
 
spooky - John Perry Barlow predicted this and some other weird stuff in 1994 in an article in Wired Magazine: http://www.wired.com/wired/archive/2.03/economy.ideas.html
 
Wow - read this too late! I bought the latest Santana CD and went about recording it on my PC just as always. Then tried to put it on my Palm handheld for mobility while at the YMCA. Could not do it. Tried to unload the software but could not find it. Now what?
 
Turned up yet ANOTHER piece of Sony-distributed ratware.

Yet another Sony music CD security hole for spammers to exploit. This
one is in the Suncomm MediaMax copy-protection software, not the XCP
software.

http://www.theregister.co.uk/2005/12/07/sony_cd_security/

Sony opens up over another CD security hole
Gropes for stop button on content-protected CDs
By Team Register
Published Wednesday 7th December 2005 14:52 GMT

Sony has again been outed for including questionable software on its
music CDs, after it emerged a security vulnerability in content
protection software shipped on some of its disks could allow
consumers’ PCs to be hijacked

The consumer electronics and media giant, together with the Electronic
Frontier Foundation, said today that SunnComm had released a security
update for its MediaMax Version 5 content protection software, which
ships on certain Sony BMG CDs.

According to the EFF, the vulnerability centres on a file folder
installed by the MediaMax software shipped on some Sony CDs, that
could allow malicious third parties who have localized,
lower-privilege access to gain control over a consumer’s computer
running the Windows operating system.

snip of rest of article
 
Can anyone tell me if Sonicstage installs the rootkit as well or is it just the cd's themselves.

I'm just a bit worried as I have to remote access to work and I can't have a compromised PC.
 
We have warned all of our employees NOT to play any Sony CDs on their workstations and advised them not to buy any Sony music Cds.
 
down with the DVD+RW alliance? can't bring myself to trust anything which Sony is involved in right now.
 
Being somewhat of a criminal analyst.....

I think this is a perfect excuse for Legitimate users to backpedal and to open Limewire and rob Sony again.
Many people started to move away from downloading illegally, I'm sure they remember how to download, and would wager there's gonna be a tidy rise in that again.

This will not bode well for Sales I'm sure.

Nice going Sony! Next time, why not put Coolwebsearch onto the disk....
 
Great work again.
So what about Symantec's root kit
that's been around for 5-6 years.

What are your thoughts on that?

There is a EULA for their sw./.
 
Good reading and I totally support your assessment of the Sony rootkit :)
I am in fact having very similar problem and wanted to ask for advice. PGPDisk, any USB flash drives are not working. When I check for filters, I only see standard filters (at least the same compared to clean install of Windows). Is there another place where some file system can be installed and registered for a media like USB or PGPdisk?
 
I just spent all last night and a lot of today trying to fix a problem created by having loaded one of Sony BMG's protected cds (Neil Diamond, 12 Songs) on my computer. I now have no cd or dvd drive working, and no fix that I can figure out. I uninstalled the XCP stuff, with a rootkit patch put out by Sony, but that didn't fix anything.

How did you get your cd drive back?
 
Windows has a removal tool
@ http://www.microsoft.com/security/encyclopedia/details.aspx?name=WinNT%2fF4IRootkit
 
I just purchased a 6-in-1 game product, circa 2001-2003, that uses "Secure-ROM" by Sony, a copy-protection scheme for game developers... as I understand it. Is this another variation of the same idea as the Sony BMG rootkit?
 
I think we should BOYCOTT THE SONY COMPANY until they stop this crap.
 
First, it is not Sony’s intellectual property that they are protecting. The property belongs to the artists of the music. Sony is only providing the technology to make it available to many to hear. Even if what you all contest was true about Sony it does not give them the right to destroy people's computers.
Sony should have labeled the CDs with a large warning, “Warning. The copy protection on this CD may seriously damage your computer.” No one has the right to damage people’s computers.
It seems to me that you all live in some cyber dream world. People’s personal and intellectual property has been damaged, lost and stolen by this unscrupulous and despicable act by Sony.
The Sony EULA in summary states that they are not responsible for damages that may be caused by the installation of the software. This is the standard legal jargon to not accept responsibility for their actions.
I for one will urge the citizens of North Carolina to check with their attorney about billing Sony for damages under a state statute. NORTH CAROLINA GENERAL STATUTES
SECTION 14-453
As amended by Session Laws 1999-2 12, Senate Bill No. 288
(Approved by Governor June 25. 1999; effective December 1, 1999)
 
okay, this means no need to write rootkits. they're already written by sony, so all i need to do is add $sys$ to each file as a prefix and i can hide a keylogger on your desktop.

thank god i'm a linux user and don't need to bother with the big brother companies the same way as windows users.

as some people said before me, using kazaa is safer than buying products from sony.
if you use kazaa or maybe a torrent you have a bigger chance of not getting a rootkit than if you are a customer of sony products.

now i should not really need to write what i prefer in this matter, except that i'll take my chances elsewhere.
 
Nice little article on SONY trying to make amends:

http://news.bbc.co.uk/1/hi/technology/4568670.stm

Well done Mark!
 
love the way this is developing! hehe-serves sony right!
however, just a point i noticed on the bbc news coverage, it says only US disks are affected, yet i have disks in the UK (bought from highstreet stores as for the UK market, not imports) with the BGM logo... are these affected too? if so, i wonder if sony would compensate/replace these - or is it only a US deal? ..probably.
 
Hello.

I just bought a Japanese CD and I was surprised to see a new form of copy protection.

This is the cd:
http://cgi.ebay.ca/ws/eBayISAPI.dll?ViewItem&item=4803817533

You can't see audio tracks on it and it is filled with a piece of software called "labelgate CD 2" that only works if you have a Japanese version of Windows and it brings me to this webpage:
http://www.sonymusic.co.jp/cccd/lgcd2/help/foreign.html

The cd contains files similar to .WAV audio tracks, but it seems to be encrypted.

There are other CDs like this one on sale on eBay, you can get one if you are curious.

:-)

Marc Chabot
 
Sony is not the only one. For all of you AOL users, look in your files for a program called viewpoint media player and/or viewpoint toolbar. Whereas these files are not hidden, they are installed without consent, and if you uninstall the program it will only stay gone until the next time you launch AOL. At which point it will reinstall itself once again. And of course you'll never see a thing. AOL claims it is not spyware and is necessary for some of their apps. As for me, any software forced on me or installed without consent using my storage and resources is not something I want on my system.
 
Hi Mark,
Thanks kindly for your hard work sorting out this mystery and providing such comprehensive removal information. I happened to notice $sys$drmserver running in the processes list just today and using your instructions I was able to eliminate it and keep my cd-rom.
Cheers!
 
Here's a story published by ZDNet news about Sony's settling a lawsuit: Sony settles class action lawsuit over DRM.

Good work exposing the unneeded DRM!
 
Its a sony! gone too far rootkits
by gum
It took an hour to read this mass purge of these wicked
sony malice writers.
We are all in it up to eyeballs it is all part of the adventure of PCs sorry you did not buy a sony it is a pirated copy!

my advice ,take an axe to it.
 
Although I am very late getting my comment in here, I must commend you for the excellent work Mark. You must have courage to expose a scam perpetrated by a mega-corporation such as Sony, which, as a foreign company, has come to the US and taken over much of the American established entertainment industry.
 
I have a question. Is the DRM on music CDs similar to the drm on music files downloaded from online services like napster and itunes?
 
Try http://yourknowledgetree.com/

They have consultants that can work you through spyware and other problems.

I'm really impressed with the work they have done for me.
 
i hope sony gets in real deep with this. i noticed that my drives were having problems reading and writing. i was consulting with a relative who knows a lot more than i do about computers. i had told him what all was happening and he was stumped. i just HAPPENED to mention that i had played a cd with copy/content protection, and i remembered getting an email with a link in it. i had uninstalled the mediamax software, so i thought i didn't need the patch. then all the crap happened. if i had failed to mention this to him, the next step was likely to reformat windows. shame on sony...that is pathetic.
 
holy shiznit!!! almost all my things I currently have are like sony or somethin. I'm just a kid but I can tell my dad to no longer buy sony now because of Mark's findings. man mark you gotta become like your own virus scanner or somethin. well anywayz I'ma spread this news on all the forums I can so Mark here can get respect and take some from Sony. man if only I could like get a company big enough to actually "fight" sony.
 
So it's true, Sony or Microsoft can do whatever they feel like in regards to spyware or deliberately engineering software to be problematic while operating alongside competing software company products and nothing major happens. They have massive cash backing them up to bail out from anything illegal they get caught doing and nobody will really go after them to prevent it in the future... WOW, I suppose Al Capone was just born too soon to be a real success....If only he was alive today he could donate money to Political campaigns and have 50 lawyers hired full time, and be exempt from any real lawsuits. the worst that could happen is he makes a public announcement apologising for anything illegal he gets caught doing, and all is forgiven by the Government.
 
fight sony? good luck. But i'm feeling your pain. But all this actually fits right into sony's scheme of things. If you haven't noticed they are trying to be the microsoft of the electronics world. It really started back in the 80's with betamax then the mini disk, then it was all their cameras (video and still) only use memory stick and now it's blue ray disks for the new playstation and drm on their audio disks. What they want is once you go "sony" you have to stay sony. I have fallen in that trap but on my way out now.
 
> While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

I don't argue that they can use anything which involves altering their own equipment and provided media, I DO NOT accept the notion that they have the right to make changes to my own equipment to "protect" their so-called rights.

In the end, Sony will lose, and this is merely the first stage in the ever-escalating war that users already went through back in the Apple ][ days with efforts to combat piracy... in the end, the ones they managed to hurt were the users, not the pirates.

As Dogbert once asked Dilbert, "Do you really think you're smarter than 10,000 horny teenagers?".

Does ANY Sony programmer really imagine they are smart enough to be able to write generalized software which some Bright Boy somewhere can't figure out their way around?

I can get cracks for any PC game out there that allow me to copy the disks, once it's been on the market for a month or two. This isn't going to change -- even if you chase them out of the USA with Draconian (and business-destroying), unconstitutional crap like the abortion called the "DMCA" -- all it succeeds in doing is chasing them to other, more receptive shores.

IN NO SENSE should this be construed as a juvenile argument against the rights of creators to profit from their works.

I contend, more directly, that it can NO LONGER be done by The Olde Wayz.

Put simply: It is generally agreed as a truism that "The Internet treats censorship as noise and routes around it".

Now, consider:

Censorship is someone telling you "This we deem dangerous, therefore you may not access it"
Copyright-as-is is someone telling you "This you have not paid for, therefore you may not access it"

They are both about the same activity, controlling access.

The Internet is anathema to "controlled access", period:

"The internet treats copyright-as-is as noise and routes around it."

Systems which provide rewards for creators must -- repeat MUST -- stop attempting to control access, and must make access a matter of presumption. They must attempt to measure access somehow and provide rewards which don't depend on limiting, obstructing, or otherwise interfering with access (those rare Ob-Comp creators who MUST "control" their creations are welcome to sit with them in their nice, dark closets revelling in the notion that THEY control these things. Society will Live On in blissful ignorance).

The most obvious potential mechanism for this is some sort of blank media tax distributed to creators combined with a metric based on web searches and p2p-searches and hits.

As John Perry Barlow commented in his classic Wired article, The Economy of Ideas:

"All they are doing is rearranging the deck chairs on the Titanic."
 
Thank you for your wonderful, detailed list of what you had to go through. I will NEVER buy a Sony product again. NEVER! The corporate world has taken it upon themselves to dismiss the rights of the individual -- and this is just one blatant example. My voice will be heard at Sony by NOT buying their products.
 
I've always had my suspicions that Sony did stuff like this, and I've discouraged everyone I know from using Sony products. Now I've got hard proof. You know, rootkits are at the very worst end of computer hacking, legal or not. Something tells me this was NOT the first time something like this was put into a Sony product...
 
I have a simple question; in my country, many people steal the technologies over the internet. I do not think that Sony has gone too far in Digital Rights Management.

http://www.sukrat.blogspot.com
 
can't believe they did it! sony is going to regret this for years!

http://www.cantbelieveyoudidit.com/
 
Hey Mark,

Since the dreaded class action lawyers are now getting involved with this, are you getting a finders fee from them for blowing the whistle on the whole scandal? If not, you should be. After all, they're getting compensated for findings.

jb
 
very cool dude! nice move!

i've used several sysint tools for years

you're right! the biggest crime is against people like me who would be clueless about it
and put me out of commission indefinitely...what a riot
 
Mark I came across your article out of frustration. Problem is when I tried to burn a copy of a Stevie Ray Vaughan (under Epic, EK39304) cd on my computer I got that DRM nastigram. That's when I Googled DRM and found you. I have only bought 4 CD's in the last year and a half. NONE ARE LISTED on Sony's confirmed XCP cd's or have any reference to DRM, XCP. All the rest of my cd's are 95 or older. No Kazaa or P2p programs on my computer. Did Sony download it from album updates? This might help in any lawsuit. E in NYC
 
Mark,
You are one guy I have to respect for your knowledge. Did you actually get taught any of this, or you just learnt it all by yourself?
 
Mark:

I believe in Italian we would call sony, Stugats.

Lawsuit baby. No mention of it in the EULA. I'm behind ya 100% I'm f'in pissed.

Once more the government letting themselves in VIA corporate methods. Who's listening now? What next?
 
Unfortunately this is just another example of software companies taking liberties that are beyond their customers' wishes. Another example: recently I installed Roxio's Easy Media Creator. It took forever the first time I launched the software. Why? Turns out that Roxio scans the entire computer looking for media files, and creates a database of these files. Trouble-is, this process also UPDATES THE DATE of these media files. Previously when I saw a date on a picture I had taken, I knew that represented the time-frame of the picture. Not anymore. Now, all pictures have the date of the Roxio install date on them. How can these software companies continue to do these things? I never granted approval for Roxio to perform such an action. I believe this arrogance will continue until they begin to pay in court.
 
I have contacts at Lou Dobbs CNN and have alerted their news group with links to your and Sony's site so they can do a national news program on this privacy violation.
They are very concerned with issues that are taking away all American citizen's freedom and security.
I think they will jump on this one. Watch their show for the results.
 
Sony now offers an exchange service on their site:
http://cp.sonybmg.com/xcp/english/updates.html
They will take back your XCP CDs and exchange them for one without copy protection and provide you with a link to download the mp3 versions of the returned CD/CD's music.
They go so far as listing all the CDs affected along with printing you out a UPS label so it does not cost you anything to ship it back to them.
Tell me that they are not concerned about this security violation you, Mark, have exposed.
I must have read over 4 articles in various PC mags giving you kudos for your work. Thank, Thank you.
I had a Buddy Jewel CD that installed the DRM XCP on my computer which was freezing and crashing all the time after this. Especially when I used Itunes with my 40Gig HP IPod.
I informed HP security about the problem and the solution. I duplicated your steps and too lost my DVD and CD drives.
Luckily I constantly use a little program (free) called ERUNT which backs up the registry hives so I was able to get them back. I would recommend ERUNT to everyone that installs software on their computer.
 
I've got one of these damn Sony rootkit buggers, now how do I get rid of it? I'd also like to get in on the lawsuit, do you know what I should do? The thing that pisses me off the most is that I actually BOUGHT THE CD!!!! So, what now I can't even play it in my computer? let alone any other cd/dvd. WTF!!! It doesn't make any sense to me.
 
I recently bought a Slimdevices Squeezebox to stream music wirelessly to my hi fi system. Some of the music was copied onto CD from original vinyl which I purchased in the 70's and then loaded onto my HP Media Centre...even some of that will not play through the Squeezebox. I get a message "This file is locked by Digital Rights Management"

How can this happen?
 
"How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?" by Chad : 5:51 PM, October 31, 2005

And

"The software is a copy protection. By disassembling and reverse-engineering it before finally removing it, you have not only effectively circumvented their copy protection, but you have posted it on the Internet, too. In short, you are in violation of the DMCA. Same applies for any other malware or viruses that you circumvent through the use of anti-virus software.

One anonymous coward suggested to make use of other operating systems or even a normal CD player. Again, this would be a way of circumventing the copy protection software, and thereby be in violation of the DMCA." by Gard E Abrahamsen : 8:16 AM, November 01, 2005

Where in the EULA does it state that Mark R will be in violation if he reverse engineers their rootkit software?

Mark responded to abnormal behaviour of his computer system, he then determined that the culprit was the DRM software, after understanding how it makes his computer misbehave he removed it from his computer. Mark has told us of his misbehaving computer, the cause of it and how he made his computer work correctly again. Where is the offence? What part of the EULA did he violate?
The copy protection software is there to counter illegal copying of the music on the CD, and while it is not illegal to circumvent copy protection schemes to get at the music it may be illegal to reverse engineer software which you are told you may not do so to.
Mark's intention was not to circumvent the copy protection software to make illegal copies but to make his system work.
I do not see which leg Sony and First 4 Internet will stand on in a court of law. Sony Music has a EULA, the First 4 Internet software did not present Mark with a EULA that prohibits him by law from making his system work as normal again.
Where is the crime?
Mikkel Breiler
mibm@tdcadsl.dk
 
This may have been covered. But I had the rootkit from a CD. Pest Patrol found it and offered to clean it. I let it. The stuff Mark found caused my CD burner to not recognize blank disks. As far as Pest Patrol, MS malware remover and MS anti-spyware beta were concerned it was gone. Turns out attempting to remove it with PP corrupted the driver/firmware. After reading this log and other sites, I went back a restore point and then used the latest uninstaller at the Sony site, it said it wasn't there also, but I told it to remove it anyways (wonder why that option is there? hmmm). CD burner working again. Don't know what else is left, but everything is at least working.

I don't want to sue them. I want to tar and feather the management that authorized this fecal matter.
 
Wow. i didn't know this..
 
So,....? Is there a "clean no problem fix" for this? or has all the "recalled music" been recalled? Is there a danger of buying something now that STILL has this MALWARE on it?

jimcarrell98@yahoo.com
 
sony removal site

http://www.dslreports.com/forum/remark,14817570
 
Great work Mark and everyone on their long hours of research and discovering the ways of it and how to get rid of this Sony Rootkit. I have been having problems ever since I played 2 CD's on my system I purchased in October. I have since returned them in the Sony exchange program.
I also used their "uninstall" at the Sony website to remove the program...twice. I am not sure that worked. I don't trust Sony. I imagine that the files are still cloaked on my system. I am not a computer techie advanced enough to go into it to remove it as described at this website:
www.dslreports.com/forum/remark,14817570
or the Handyperson's guide to removal of SONY ROOTKIT!
I am not sure if Sony's uninstall actually worked. Here's why: My AOL Spyware blocker keeps popping up announcing it is blocking the Sony Rootkit. It interrupts me frequently whenever the computer is on. In the time it took to write this, it has popped up 4 times! I thought about turning off the spyware rather than block it but I am so very distrusting of Sony at this point that I won't even consider purchasing ANYTHING with the SONY name on it. The weird thing is, it does not show itself in AOL spyware nor is it identified in any of the Spybot or Ad-Aware programs I have. Can anyone explain why or where this attack is coming from and why this is happening?
I have been researching this rootkit for months now and it seems there is more and more information about it. I feel like my computer caught a terrible disease and I'm waiting for a cure. I have brought the attention to my computer manufacturer, AOL and have confronted Sony about it several times by e-mails. AOL doesn't seem to have a clue and Dell wants to charge $100 bucks and I don't think they have a clue either.
Any comments would be most appreciated and thanks for this cool website and all you do!
SuB
 
I'm the person who wrote "Handyperson's guide" and am also the author of an anti-malware program called BOClean, upon which the removal instructions I provided on DSLR was based. We first noted the "XCP" rootkit back in the summer of 2004 and thought little of it other than being another rootkit, the "MediaMax" one was a little under a year earlier than that.

The instructions I wrote up though do work, and you CAN forgo the registry trick and leave the vestiges in place if you wish to avoid the complications of editing the registry.

Our BOClean thingy though was designed for placement on desktops where absolutely no intervention by the "user" is desired, and we originally came in contact with this SONY stuff and added it to BOClean back in 2004 at the request of some corporate clients who'd seen strange things and found a few of the items. Further investigation of the originally infected machines turned up the rest pretty quickly back at that time.

Most of the "consumer-grade" antispyware isn't quite sophisticated enough to deal with these things and I'll avoid "advertising" our stuff - I'll merely point out that there IS stuff out there that will deal with this and many others quite well. SONY's thing is actually pretty easy to deal with compared to a lot worse that's out there.
 
Lawsuits have been filed in most states, and soon in all states. There is a settlement agreement reached in CA where people will have the option to return the CD's that will install the software. Sony is offering people the option to return the CD to the place of purchase or UPS it back to them for free, and will send a new copy, and in some cases send up to 3 more CD's or reimburse customers with $7.50. They will also be giving the option to return the CD and download replacements. They also will no longer be selling Cd's that install programs unless they have an explicit agreement to do so in the EUA.
 
Will this rootkit work on Windows 98? I'm still using them and I'm a far happier person so far...
 
I didn't find out about this nonsense with Sony until Sunday evening when my computer totally crashed after I had my anti spyware program delete the program off of my computer. After reading several articles and just using pure common sense I've come to the conclusion that Sony's program is responsible for my computer crashing considering the fact that my laptop is brand new and I don't use it for internet purposes, now I'm in more than an inconvenience because I have several important files that I MUST gain access to. Thanks a lot Sony!
 
Just another bit of info, amidst the flames.

I just had to remove this service from a customer's computer because it was locking up ripping programs. iTunes, CDex, and WMP all locked up when trying to rip from a drive that we proved was working. Once the service was removed from the registry and the files nuked, CDs rip effortlessly. I don't know where it came from, but I'm 99% certain it wasn't a Sony disk. I'll post the label when I find out more.

SysInternals ROCKS!
 
Very interesting article. I think the DRM may be causing problems on my computer. It is also an inconvenience not being able to convert your format from WMA. Is there any way to do so?
 
"How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?

# posted by Chad : 5:51 PM, October 31, 2005"

In this case, is not the LICENSED MATERIAL contained on the CD the music material, rather than the non-music files? The licensee of the non-music should be the problem of Sony and that UK company. Also, I think you can make a real strong case here for "intentional disregard" on the harm which could follow.
 
Is Gibson's future coming?
Corporations are doing just what they want, including rootkitting.
 
If you want to avoid this kind of thing in the future, it would be far more effective to rewrite the code so that it sends them a lot of inaccurate data. Simply deleting it won't really deter them. Keep in mind I'm not saying that it's necessarily legal to do this.

Maybe even more effective would be a virus that loads the same Sony spyware into lots of computers, garbles the data, and sends it into Sony's mainframe. But that's almost certainly illegal. Don't do that.
 
"How does this blog entry square with section 2.1.d of the EULA "You may not decompile, reverse engineer or disassemble any of the LICENSED MATERIALS, in whole or in part."?"

Well, when a licensing agreement would protect a criminal offense against you, you don't have to abide by any of the conditions therein.

This is why "you consent to be murdered if you use competing software" would not be a valid license stipulation, and any license that contained it would be legally meaningless.

This software constitutes a criminal offense under US and UK law.
 
I agree with you the way you view the issue. I remember Jack London once said everything positive has a negative side; everything negative has positive side. It is also interesting to see different viewpoints & learn useful things in the discussion.
 
I have also lost my CD drives. How do I join the class action suit?
Can I really get rid of this awful thing? All I did was download a Sony CD that I purchased!
Please post the directions to get rid of it or any other help you may have.
I just paid someone to fix my computer only to be told this is the cause of my problem.
I will NEVER buy another Sony CD and am telling all my friends about this terrible invasion of privacy.
Thanks.
 
sony have really f**ked (excuse my language little peoples if you're out there!) up their reputation, I once thought of them as 'the trustable (is that even a word?) media distributors' but now i see them for what they are.

---------------------
"message sig.s are so old school"
 
you can check out microsoft's spyware tool http://www.microsoft.com/err/athome/security/spyware/product/default which has been very helpful with some of SONY's activities.

Sony have an arrogance towards its 'customers' that I have not seen before. If you have ever been victim to their software such as SONIC STAGE and discovered just what damage that does to your PC you will wonder how they can get away with it. I bought a MiniDisk recorder to record talks and with the notion of a 32x upload speed I thought ideal. But in fact it is useless for personal recording, it is only a container for its products. It does not have a copy function just a Checkin and Checkout function (move and delete). SONY seem all too precious about its projects. It views all consumers as criminals. You also notice that when it comes to other products such as the hand held PS2 the UK was one of the last countries to get the latest version. SONY went after the grey imports so it could IMPOUND the PS2 bought by customers. SONY are also keen to restrict what content is allowed on the UMD format that can be played on the PS2. This is much like censorship and controlling what and what you cannot write with a pencil. There is the notion that communication mediums should be transparent and unregulated, this is contrary to SONY's vision of things. However there used to be a product called BetaMax that was regulated and yet it was the porn industry that drove VHS into the winners enclosure.
Many stores (eg ASDA/Walmart) will not accept CD/DVD returns once the wrapper has been opened due to copying risk. I am also really offended by the patronising Piracy information on the front of DVDs and CD - and I love buying versus downloading. There will be a point when the price of the abuse by SONY is too high and the brand "SONY" is synonymous with that of a Snake Oil Salesman.
 
I am happy there are people like Mark R in this world. I just finished sending out tons of emails to those involved and/or those of the press. I know it is not much but at the very least I can say that I took the time to do it.
 
I am on my 4th Sony Vaio Computer, and have just recently been able to validate my previous notions of these mentioned Sony "unknowns". I used the RKR program about two months ago and found something that didn't add up. I have always purchased Sony products, many, because I thought I could trust the name. I will never purchase another Sony product!!!
 
I agree with mark.
I also wonder the reason.
 
Thank you so much for bringing all info on one site.
 
That might interest you:

Artist list of Sony:
http://www.sonymusic.com/artists/

Unfortunately I have to complete it
by a band:
Tool is said to be on its own
label, Zomba, but this label is a
satellite label of Sony ... :( ...

anyway, there are alternatives,
which make you get the CD you want,
and at the same time DON'T SUPPORT
MUSIC INDUSTRY, at all:

The magic keyword is: alternative purchase methods :)



financial 'second hand' purchases :

- amazon.com/[generic top-level domain of the country where you are living]: http://www.amazon.com/gp/product/B000BLI3IY/qid=1144358816/sr=2-3/ref=pd_bbs_b_2_3/102-7525610-8416900?s=music&v=glance&n=5174 -> 'used'-column

- ebay.com/[generic top-level domain of the country where you are living]: http://www.ebay.com -> pay attention to the seller: He/she needs to be a private person, who very likely just sells what he/she purchased for own purpose !

- secondspin.com: http://www.secondspin.com/

Nice side effect: As you can see you can save pretty much money. ^.^



Distributed Library Projects :

Short definition:
Quoted from wiki.org:

> A distributed library is a collection of materials available for borrowing by members of a group, yet not maintained or owned by a single entity. The library catalog is maintained on a database that is made accessible to users through the Internet. An early example of this style of library (if not the first of its type) is the Distributed Library Project of the San Francisco Bay Area.
>
> This style of library is still in its infancy. While libraries are being established in several cities worldwide, the San Francisco Bay Area library still only has a few hundred members. Administrative software continues to be developed and distributed.

You see, that these DLPs act locally
(cities, states, etc. ), and not
global, so you have to search for a
local DLP for your own, because
it's very unlikely, that the
following links will be very useful
for you...except you are living in
San Francisco or Germany ;D ... you
see ? Pretty unlikely...
But if you found a DLP acting your
range, please mention it in the
thread, so that other users
benefit from your experiences. :)

- San Francisco DLP: http://www.communitybooks.org/
- German DLP: http://www.leihnetzwerk.de
 
There goes all the information I needed a long time ago.
 
To whom it may concern:



Over the past few months I have been hearing a LOT about Sony's newest copy protection being placed on DVD's... I am very concerned about such actions that Sony has considered taking. Info can be found at the following web sites:

http://club.cdfreaks.com/showthread.php?t=93455

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

http://www.sonydadc.com/products.copy.arccos.go

http://en.wikipedia.org/wiki/2005_Sony_CD_copy_protection_controversy



To summarize, Sony's latest copy protection actually installs software on your system without you even knowing about it to hamper your ability to copy the disc. We all know it is PERFECTLY legal to back-up anything you already own; and it seems that Sony might be attempting to make this extremely difficult for you to do.



Today (April 16, 2006) I bought the DVD 'Fun With Dick And Jane,' and the first thing I do with a new purchase such as this is BACK IT UP!! I just spent money to purchase a product, and I want to ensure I will always have a working copy. AutoRun on my computer is disabled, but copying the DVD proved to be a little harder than usual; I had to use separate programs; but did eventually copy it.



Having to worry about getting hidden software installed on my computer, and having to spend a lot more time backing up DVD's I OWN should NOT be something I have to deal with!! Nobody should have to second think simply inserting a disc into their computer (when it comes from a "respectable" company).



Personally, I will NOT support Sony Entertainment, or any other division until a little respect is shown back! Respect is NOT tampering with a consumer's computer! And, keep in mind that only CONSUMERS (purchasers) of Sony products get such software installed; the guy down the street who downloaded the movie will be safe from hidden software. Wouldn't punishing the non-consumers make more sense than punishing the consumers???? I encourage everybody to read into such Copy Protection and take whatever steps deemed necessary to protect THEMSELVES and their computers!!





To Sony Home Entertainment:



I will not purchase another Sony product, I will inform all those who I can about your copy protection; and I will continue to back-up DVD's I buy, as it is my legal right!





~~~~~~~~~~~~~



This message has been sent to: sphe_customer_service@spe.sony.com as well as many other contacts in my address book, please forward this message to everybody in your contacts; don't let their computers be compromised!
 
I did the exact thing with the copy of Fun With Dick And Jane that I purchased. My DVD drive no longer responded after backing it up.

I should sue.
 
I'm ripping Contraband, by Velvet Revolver, to my laptop.
I bought the thing. I paid cash for it. I have the receipt.

As soon as I load it in to the drive, I get a message that asks me if I accept some terms and services.
I don't know what kind of thing this is, but I imagine it is either some sort of crappy music downloading software, or something dealing with a multimedia file.
Whatever it is, it's not why I bought the disc, it's probably not something I want, and I decline. I press "No, I do not accept the terms."

Then...

My computer freezes up.
I suddenly lose all drivers operating my mouse, flash drive, and Windows Media. I even lose my internet link. It won't even recognize my hard drive. All I can do is "float" around the desktop and click on icons that do nothing. I can't even get the Task Manager to pop up.
I have no choice but to do a hard power-down.

Upon rebooting, TWICE!... I find that all the songs I last ripped, I have to reinstall my mouse drivers, and my flash drive has been wiped out!
I lost my bank statements, my "to do" list, my latest writing project, work documents, my encrypted file containing all my online passwords and ID's, and some other misc files.

This is the first time I have EVER seen anything like this, it happened only when prompted by a Mediamax dialogue box, I had no other programs or devices running at the time (except Windows Media and Firefox), I have never seen a single virus on my laptop.

Now... my flash drive is not recognized by my laptop. I have reformatted my flash drive to no effect. What's worse, is that the USB port that was "affected" no longer recognizes ANY removable drives - flash drives, MP3 players, PmP's, etc.

So days later, I manage to rebuild the data and place it on my flash drive. It's missing some info, but I got back what I could.

Except this time, not wanting to get boned by the Mediamax software, I hit ACCEPT!
Same thing happens.

That's right. Repeat ALL THE THINGS LISTED ABOVE!

I have moved so far beyond angry that I am in a state of zen-like calm.
This must be what it feels like to be a diabolical supervillain - to be so ready to commit horrible acts while not caring, or even looking forward to the consequences.
 
I have the same problem. Haven't found a solution yet.
 
I haven't been up to anything recently. They have also exposed their customers to the risk of an exploit which leverages this rootkit - if they sell enough of this crap, I just don't have much to say lately. Such is life. I don't care.
 
well now, Sony tried to jack up Itunes prices and Apple told them to bite one.
Score:

People 2, Sony 0

nice to watch legal downloaders fight Sony too.

Here is a hint Sony...

There was a man named Henry Ford. He figured that if he made twice as many cars and sold them for half the money of others, he would make the same money they did and sell more cars. Everyone told him he was crazy. Then he did it. And he crushed dozens of other car companies.

If you want to line your pockets with Gold, you don't have to STEAL it, you just have to MAKE it. When you try to extort unreasonable amounts of money for simple things, people will steal them. If Music was a solid item, the Mafia would be robbing it by the truckload and selling it on the streets of Queens.
 
I am not great with computers; I stumbled across this site by accident. I am appalled that Sony and other companies are getting away with this and will not ever again place my personal information on a computer. I just hope there are more people like you to help us to combat these companies. At least when Hitler tried to take over the world he blew things up and killed people and we noticed and knew about this; what Sony and other companies are doing is trying to monopolize and take over the world under the table. There needs to be some sort of hacking revolution of Sony, maybe this is going too far but I say fight fire with fire. Hit the bas**rds with their own medicine.
 
Dude,
You are a serious computer genius. I was just looking for a way to get a DRM song on to the windows media maker to make a slide show/movie with pictures of my kid on it. Can you tell me any easy way to do that. Is there any DVD software that one can buy that you can do this with? Thanks, Monte
 
Even though this issue has been out in the open for some time now, everyone needs to take this VERY, VERY seriously. These root kits do MUCH more harm than most people would imagine.

I work for a very large software entertainment developer. Our main product right now is the most widely and popular online subscription game in the world. Recently, one of our employees innocently put a music cd in his workstation to listen to some music, this cd was a protected sony music cd.

Well, this cd installed the root kit, which literally led to some malicious people gaining access to some of our very sensitive debug commands, which not only led to some very serious problems with people exploiting our online game, but also to the fall of four of our servers that handle our online game. These four servers (out of our hundreds) caused over 12000 people to be unable to play their game for nearly five days. This is all behind some of the most sophisticated and up-to-date firewalls and security programs on the planet.

Malicious users can take over your computer with ease once they know the root kit is on your computer. This is very serious and no one should stand by and watch this happen.
 
It's very cool. Very thanks..
 
"I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying"

Mark, you've just discovered the fat end of that wedge. There's no such thing as a copy protection mechanism that works but doesn't interfere with fair use and the user's enjoyment of their own property. Sony's malware DRM isn't wrong because it goes about things in a more obviously dangerous way than usual; it's wrong because DRM is wrong.
 
Sony Corp. never used copy protection until Sony Music merged with Bertelsmann Music Group (BMG) in 2004; before then you could hardly find a Sony product with copy protection. Sony should split from BMG; that would solve a lot of problems.
 
ok sony did this rootkit but guys how can we be sure that other big companies are not doing the same.

>>I personally think that other worldwide businesses, I won't mention names but you know who/s I am talking about, is/are actually doing it but we don't know??????

jacknson
 
rit sony did it but how can we be 100% sure that other big companies are not doing the same??

ISP, etc...microsoft etc..

jackson
 
I tell you what.. With No way I will buy a Sony PlayStation now or ever. I'll be putting my sony MiniDisc on ebay today.
 
In response to Jackson's comment, May 15, I have found a CD from EMI Music that is Content Protected and asked me to agree to the Licensing Agreement. This was not a Western music CD, so I wonder if EMI are targeting non-English-speaking markets?
 
*barf*

Sony took it too far themselves by even talking to First 4 Internet, a (rather protected by intellectual property laws) copy-protection company.

May I be one of the millions to say:

SONY WANTS THE MONEY THEY DON'T DESERVE
 
Two of my friends recently updated their Windows Media Player 9 to WMP10. Now they cannot play any songs in their digital library on WMP or RealPlayer. (yes, they both had Sony tracks in their libraries). This problem has been around for almost a year but it's just now hitting WMP due to the digital rights manager on WMP10. The easily obtained licences are damn near impossible to download.
Has anybody got a fix for this short of hanging Bill Gates and the Sony cockroach in effigy?
(BTW, I've got WMP9 and I don't have this problem and I'll DIE AND GO TO FREAKIN' HELL before I update it.)
 
This is an immoral act on Sony's part. However, you have also failed to see another thing. If Sony can do this, how about Microsoft and any other company?

Microsoft has full access to the PC systems and monopolizes most PC systems with Windows. They could easily allow you to install an update without your warning and attach a file which would record whatever you do.

No matter what, you can't be safe from these acts. Microsoft is just as big of a threat as Sony. And plus... PS3 is a gaming unit using the Blu-ray discs. How the hell would you be able to catch a virus from that, when there's no Blu-ray drive or burner available for the public?

I seriously disagree with those who believe this could affect the outcome of the battle between PS3 and Xbox 360.
IMO PS3 will still win the battle. Xbox 360 isn't as superior to the PS3.
 
Nonsense. Microsoft are always going to display an EULA. They are in enough trouble in Europe over anti-competitive behaviour without making things worse. They're a big company but I can't believe that Microsoft would not show an EULA when they show one on everything else they make. MS champion the discovery of malware and the like by designing stuff like Windows Defender. So it doesn't follow that they would design s/w to self-install by stealth - that's a conflict of interest. And you say they are capable of secretively installing Rootkits??...Oh Purlease...
(Off-Topic) how can you make a statement that the PS3 is better than an Xbox 360, when Sony can't make a PS3 yet, and no-one has one. They are nowhere near production. Sorry that's just a load of tosh.
Sony have been kicked in the nuts and rightly so. Woe betide any other company doing the same when we have decent individuals like Mark Russinovich around. Jolly Well Done Sir. Greeting from the UK
 
Sony BMG rootkit settlement finalized

The agreement covers anyone who bought, received or used CDs with flawed digital rights management software after August 1, 2003.

They can file a claim and receive: a non-protected replacement CD, free downloads of music from that CD or money.

 
There is a MUCH easier way of bypassing Sony's "security" features. This also applies to ANY software you want to try or temporarily use, but don't want mucking up the registry. I personally use Virtual PC for ALL temp software installs. I mean think about it - you can install all the software in the world with malware, adware, rootkits, or whatever! When you are finished using it, you turn off Virtual PC and delete the changes.

What I would have done in Mark's case would be to install the Sony software in Virtual PC, make my music copies, then transfer those copies into the host. If Sony comes up with a way to imbed trackers or audio garbage into the songs by using their copy software, I would start recording playback using audio editing software (I use Adobe Audition), transfer the wav files into my host, then turn off the Virtual PC instance. It's annoying to do, but you get your music without any Sony rootkits or audio trackers, and you get unlimited copies, which is the way CD's are meant to be used anyway! Unless Sony comes up with some way of disrupting wav recording capabilities while in CD playback, their "copy prevention" software is totally moot.

I use the aforementioned method of getting themes from themexp.org. I have tons of themes and guess what? NO ADWARE! I've disabled my internet connection in Virtual PC while I install their adware for different themes and nothing is able to cry out for help by using my internet connection.

My personal belief is that the virtual domain should be used to install ANY suspicious or unwanted software and try it out first before doing the real thing on your own machine. Also, I keep a backup of my virtual hard drive in case I get my virtual OS messed up with adware, spyware, rootkits or whatever.
 
If you check this site: http://tweakers.net/nieuws/43117/Oude-versies-software-erger-dan-malware.html you can see that the uninstaller delivered by Sony also has vulnerabilities and/or malware in it. And it is so terribly bad that they made the top 15 vulnerable applications list!!!!
 
"While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far."

Yep, no kidding. Though it was the hard way for everyone, at least they learned that transparency, and at the least HONESTY is necessary in all business relationships, even in such "small" ones as client/company or customer/corporation.
 
Has anyone confirmed Virgin Records' use of similar tactics on their content protected CD's? It seems that after agreeing to the EULA on "Thirty Seconds to Mars" processor use spikes to 100% randomly. I've run the Rootkit Revealer and come up with nothing, but I am fairly positive that this problem is a direct result of something on this CD.
 
I just downloaded that entire CD on Limewire. It's free of malicious code and chock full of chewy goodness! Thanks Sony!
 