Mark's Sysinternals Blog

[hkspike]

The one thing I'm missing is a sure-fire way of knowing if any of this stuff has been installed on your PC. I have the Switchfoot CD; sure enough it autoran - that was well before this story broke - but I declined the offer to install Sony BMG's stuff. What I don't know is if the autorun installed anything before the splash screen with the EULA/etc.Ideas?AndyPS Anybody want a copy? Nah, just joking!

[Webb]

Get the Rootkit Revealer program, run it and see if there are any rootkits installed. The help file says pretty much the same thing that the installation article does so you can tell which rootkits are acceptable.

[hkspike]

Unmask it:http://updates.xcp-aurora.com/Uninstall it:http://cp.sonybmg.com/xcp/english/form1.html

[zlim]

hkspike, read this http://www.sysinternals.com/Blog/before you decide to run the Sony uninstaller.

[Guest LilBambi]

hkspike, read this http://www.sysinternals.com/Blog/before you decide to run the Sony uninstaller.

hkspike, I agree with Liz ... definitely check out Mark's blog again. He posted about the uninstaller.For those who may want the information after Mark has added additional postings to his blog, here is the permalink for this particular posting:Sony: You don’t reeeeaaaally want to uninstall, do you?The way in which they are doing this 'uninstaller' is disturbing at best.I think that if you have ever played the CD using their builtin 'required' player (that uses autorun to launch either by directly autorunning or by double clicking on the CD drive), it would be wise to assume that you may be infected. Edited November 12, 2005 by LilBambi

[epp_b]

If you ever had this junkware on your system, it would be best to just wipe your hard drive, then re-install your OS and software.

[rolanaj]

http://www.realtechnews.com/posts/2122

Not sure about this site but am curious if anyone else has heard of this affecting a mac?

[epp_b]

No, this is Windows-only software, which it is why it is such a joke. Load the disc into any other OS -- be it Mac or some flavor of Linux -- and rip the songs of as much as you like.

[Guest LilBambi]

hkspike,Apparently Sony has finally made their remover available by direct download, and an offline uninstaller is apparently available in a zip file on their site here:http://cp.sonybmg.com/xcp/english/updates.html

SOFTWARE UPDATES/ PLUG-INSNovember 8, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.Please note, Service Pack 2a is a maintenance release designed to reduce the file size of Service Pack 2. It includes all previous fixes found in Service Pack 1 and Service Pack 2.http://updates.xcp-aurora.com/An offline version of Service Pack 2 is also available as a zip file (1.4MB) or as an exe (1.5MB).

Someone who actually has the CD would have to verify whether this actually works offline as they say.

[zlim]

See what songs had this rootkit onhttp://www.eff.org/deeplinks/archives/004144.php

[Webb]

Why would anyone want to copy protect Dion, The Essential Dion (Columbia Legacy)?

[hkspike]

Thanks for your thoughts. Although I have seen advice to disable a CD drive's autoplay function, nobody has yet clearly stated that the autorun function actual does any damage. It launches the splash screen, so what? As a default, I decline all offers. I declined the offer with Switchfoot's CD. Then ripped it with MusicMatch. I've yet to see any genuinely odd behaviour but maybe there's a surprise waiting for me.So does that initial autorun actually load anything?I think epp_b's comment that you then rebuild your HD just because you legally bought a CD is a tad over the top. But then maybe Sony should be made aware of the damage they have done.As for Webb's comment about Dion, clearly it is vital that Dion be protected. CDs like this should be difficult to rip thus protecting the rest of us from the sonic assault. This stuff could have been used at the end of "Mars Attacks" instead of Slim Whitman.Will have a look at that german CD ripper, later.Where's Scot? Changing diapers?

[Webb]

Yes, the world must be protected from any further propagation of Dion songs. If DRM spyware is the only way to do it then I may have to reconsider my position as to whether all DRM spyware is bad.On a more serious note I already suggested downloading and running the free Rootkit Revealer program. If nothing evil shows up you don't have to worry further.

[hkspike]

Ran RootkitRevealer - wow that took a long time and got this:

C:\System Volume Information\catalog.wci\00010013.ci 11/13/2005 16:38 12.00 KB Hidden from Windows API.C:\System Volume Information\catalog.wci\00010013.dir 11/13/2005 16:38 344 bytes Hidden from Windows API.C:\System Volume Information\catalog.wci\00010014.ci 11/13/2005 16:56 4.00 KB Hidden from Windows API.C:\System Volume Information\catalog.wci\00010014.dir 11/13/2005 16:56 348 bytes Hidden from Windows API.C:\System Volume Information\catalog.wci\00010015.ci 11/13/2005 17:11 4.00 KB Hidden from Windows API.C:\System Volume Information\catalog.wci\00010015.dir 11/13/2005 17:11 348 bytes Hidden from Windows API.C:\System Volume Information\catalog.wci\CiFLfffc.000 11/13/2005 16:56 240 bytes Visible in Windows API, but not in MFT or directory index.C:\System Volume Information\catalog.wci\CiFLfffc.001 11/13/2005 16:56 384.00 KB Visible in Windows API, but not in MFT or directory index.C:\System Volume Information\catalog.wci\CiFLfffc.002 11/13/2005 16:56 384.00 KB Visible in Windows API, but not in MFT or directory index.C:\System Volume Information\catalog.wci\CiFLfffd.000 11/13/2005 17:11 240 bytes Hidden from Windows API.C:\System Volume Information\catalog.wci\CiFLfffd.001 11/13/2005 17:11 384.00 KB Hidden from Windows API.C:\System Volume Information\catalog.wci\CiFLfffd.002 11/13/2005 17:11 384.00 KB Hidden from Windows API.C:\WINDOWS\SYSTEM32\spool\PRINTERS\FP00002.SHD 11/13/2005 17:21 0 bytes Hidden from Windows API.C:\WINDOWS\SYSTEM32\spool\PRINTERS\FP00002.SPL 11/13/2005 17:21 0 bytes Hidden from Windows API.

Now I'd be the first to say that I don't really understand all that but there doesn't appear to be much odd there! Most of it appears to be indexing service backup files.Perhaps the advice to disable Autorun is a bit harsh. The Autorun just takes you to the Sony BMG splash screen. It's accepting their EULA and running their software that does the damage.Now where was that Dion CD......?Andy

[Marsden11]

This goes beyond windows...

This is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

[sunrat]

One question begs asking - why would an operating system allow a program to install files that are so completely hidden as these without triggering a security alert? And why is there a mechanism in the OS that allows this to be done in the first place?I guess we can't trust anyone to really give us "trusted computing"The morons at sony who came up with this should be busted down to the mail room, after they get out of jail for crippling their customers computers and unleashing a safe haven for trojans and game cheats.

[Eric Legge]

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.

Edited November 14, 2005 by Eric Legge

[lewmur]

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.

This is a good step. But it is still "too little, too late." And I'm not saying M$ is alone in having this problem. But, IMHO, *no* OS should allow *anything* to be written to the "system" files without *explicit* permission of the computer owner. And then only after a *full disclosure* of the *abilities* (not the intended purpose) of the code, and the ability to remove the code with a couple of "mouse clicks."

[Guest LilBambi]

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.

Actually, from my reading, it will only decloak, like Sony's original SP2.Check this topic under Security and Networking here on the forums.

Microsoft said Saturday that it is updating its anti-spyware software (now called "Windows Defender") to detect and remove the file-hiding capabilities of the anti-piracy software installed by some Sony BMG music CDs.

Microsoft: Sony Anti-Piracy Software Is SpywareIf you want it totally removed, it looks like you will have to go elsewhere?Unless now they will be giving the removal information to them.However, Symantec apparently has a removal tool, or at least they are calling it a removal tool here.Sophos, and Computer Associates also have classified it as spyware. McAfee with the latest dat file, will detect, remove and prevent reinstallation of the rootkit according to this BetaNews article.Although the article says that Symantec was going to send folks to Sony for the removal if it was detected, they have since come up with their own removal tool.I believe most antivirus software is going to take care of this for customers in no time. Edited November 14, 2005 by LilBambi

[Guest LilBambi]

Well, the plot sickens...again...

Spyware Sony seems to breach copyrightPosted on Thursday, November 10 @ 11:44:47 CET by brennoThe spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.This article is a translation of this article I wrote for Webwereld.It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.This software is licensed under the so called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in between form between source code and executable code, the so called objectfiles, with which others can make comparable software.

More in the article. I put this on my blog early yesterday when I did a search on Google and found it directly, and today I found a reference to it from BoingBoing too...we must have been posting about it around the same time yesterday morning!

The evidence against Sony is compelling, and this further reveals the hypocrisy of Sony's actions. Sony claims that it needs to install dangerous, malicious, underhanded software on its customers' computers to protect its copyrights, but in order to write this malware, it has no compunction about infringing on the copyrights of public-spirited software authors who make their works available under free software licenses like the GPL.

Go Cory!

[Marsden11]

The MS Malicious Software Removal Tool will ship with a removal signature for the Sony DRM rootkit on the next path Tuesday.The removal tool will remove bad software. It would be useless to just "de-cloak" offending software.That means it will be offered two ways.1- Through the monthly update of the Malicious Software Removal Tool via Windows Update2- As an addition to the MS Defender product line now in beta release.This is from: According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out at Windows users through the anti-spyware application's weekly signature update process.

[Guest LilBambi]

I am not trying to start an argument on this. I just want to clarify, Microsoft's Anti-Malware Engineering Team page (that Marsden11 posted in this topic states and I copied and quoted from the page:

We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users.

(bold emphasis mine)That tells me that it will not be removing the entire XCP software.Am I missing something here? Edited November 15, 2005 by LilBambi

[Marsden11]

Removal signature means removal from your system. If Sony's DRM installed something on your system it will be removed.Why do you think it will not be removed?

[patio]

They are now pulling product according to USA Today:Sony to pull controversial CDs, offer swapBy Jefferson Graham, USA TODAYLOS ANGELES — Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC."Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience," the company said. Sony says more than 20 titles have been released with the XCP copy-protection software, and of those CDs, over 4 million have been manufactured, and 2.1 million sold.Details about how long it will take to replace the XCP CDs and about its consumer exchange program will come later in the week, Sony said.For now, pulling the CDs off shelves "could go a long way toward making a consumer feel comfortable that the CD they just purchased isn't going to mess up their computer," says record store owner John Kunz of Waterloo Records in Austin.Country-rockers Van Zant's Get Right with the Man kicked off the firestorm when a blogger traced a hidden, spyware-type file on his computer to the CD. Other XCP copy-protected CDs include new releases by Neil Diamond, Celine Dion, Cyndi Lauper and Burt Bacharach.Before Sony's announcement, Van Zant manager Ross Schilling urged the label to recall all the CDs. "I said we've got to be proactive, or it could destroy the business model," Schilling says. "Sony should be in the artist business, promoting and selling records. This type of issue sheds a negative light on their ability to do that."Sony began adding copy-protection to its CDs in June 2004 with the release of a record by the band Velvet Revolver, saying it was taking a step against unauthorized online file-sharing and CD burning.The label says it will issue all major releases with copy-protection in 2006, as will rival label EMI. The other major labels, Universal Music and Warner, have yet to release copy-protected CDs.Sony also issues copy-protected CDs using software from digital rights management company SunnComm. But those, which include releases by the Foo Fighters and the Dave Matthews Band, haven't come under the same kind of attack.However, many artists have spoken out about all forms of copy-protected CDs, including Matthews, the Foo Fighters and Christian rock band Switchfoot. Bela Fleck and the Flecktones are set to release a new album on Sony in January, and it will not be copy protected, says Fleck's manager, David Bendett.Frustrated when he bought a copy-protected Dave Matthews release and couldn't copy it to his Apple iPod, Fleck insisted that Sony not release his new album with such restrictions, Bendett says.Sony says its copy-protected CDs are clearly marked, but the front labels don't identify whether they use the XCP software. That information is included in small print on the back of the CD, which reads "?cp.sonybmg.com/xcp".patio.

[epp_b]

I doubt there is any way to truely remove every bit (pun intended) of this software barring a complete reformat & reinstall.

[Guest LilBambi]

Well, thank you patio! Your posting about the USAToday story, got me searching the web this morning...and there is quite a collection today on my blog entitled: Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com) - More Sony Problems to Be Revealed. That is just the beginning of where we go on this posting.

Several groups of privacy and security experts are expected to release research later today that points to multiple, serious security flaws present in “XCP,” the anti-piracy software used on an undisclosed number of Sony BMG music CDs. (For the record, Security Fix observed that experts were busily searching for such flaws shortly after this whole fiasco began). According to details provided by prominent security researcher Dan Kaminsky, the resulting public outcry could make Sony feel like the last two weeks of consumer backlash were a walk in the park.

One of the other articles I found was from The Big Picture: DRM Crippled CD: A bizarre tale in 4 parts which is an amazing story!

DOWN THE RABBIT HOLE: Ever come across something that only gets stranger and stranger the deeper you delve into it? That was my experience when I almost purchased a new CD -- a DRM crippled CD -- this weekend. This tale is part of a larger struggle within the recording and digital download industry -- not of P2P or piracy -- but one of innovation and competition. As you follow this odd story (broken into 4 increasingly strange parts), you will note that as it gets weirder, Artists and Consumers are the collateral damage. It makes one wonder just what the **** the Recording Industry is thinking about these days:

The rest of the story at the Big Picture link above and it is mind boggling. And don't stop at the end ... the update on October 31 leads to another big story on this whole DRM thing:Burning the Faithful - New copy-protected CDs screw over the only honest customers the music industry has left. By Eli Messinger

While lawsuits against Internet file-sharing outposts like Grokster (and a few shots at individual Napster users) have grabbed headlines, major record labels have quietly shifted their target to casual CD copying between friends and family members. This, they now claim, is the real scourge behind the industry's prolonged slump. In contrast to pay-for-play download sites, physical CDs have always been wide open, and consumers now expect that they can play the discs in standard CD players, rip the audio files to their computers for desk-side listening, download the tracks into a portable music player, burn a compilation of favorite tunes, and make a physical backup copy for safe keeping, all easily and cheaply.

Believe it or not, these are only a few of the links I posted about this morning from my Google search and postings at BBR (which by the way has some great comments and discoveries as well from it's posters.) Edited November 15, 2005 by LilBambi

[hkspike]

http://news.bbc.co.uk/1/hi/technology/4441928.stmLilBambi - Understand your skepticism but this Beeb article suggests that Sony will offer a tool to remove the program.

Sony is also providing software to make it easy to remove the controversial program from Windows computers.

"Remove" - quote/unquote!We'll see.....

[Guest LilBambi]

Not so fast hkspike! There's more to that story too. Sony has removed the link to their uninstaller temporarily.The reason is at Freedom to Tinker's site:

Update: Sony Uninstaller Hole Stays OpenTuesday November 15, 2005 by J. Alex HaldermanEarlier today Ed Felten and I reported a serious security hole opened by the uninstaller that Sony provides to users who want to remove the First4Internet copy protection software. Further testing has confirmed that computers remain vulnerable even after the uninstall process is complete.Sony’s web-based uninstaller is a three step process: 1. You fill out an uninstall request on Sony’s web site. 2. Sony sends you an email with a link to a second request form. When you follow this link, Sony’s site automatically installs a piece of software–an ActiveX control created by First4Internet–called CodeSupport. 3. After delay, Sony sends another email with a link to a third web page that removes the copy protection software. However, the CodeSupport component remains on your computer indefinitely.Due to a serious design flaw, the CodeSupport component allows any web site you visit to download and run software on your computer. A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously performed at least step 2 of Sony’s uninstall process, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.You can tell whether you are vulnerable by visiting our CodeSupport detector page.If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.

What a fiasco.More info in the articles at Freedom to Tinker. Edited November 16, 2005 by LilBambi

[epp_b]

Sony must die!!!

[Cluttermagnet]

The SonyBMG spyware rootkit story was just hitting our local 6PM TV media outlets last night (Wed 16 Nov 2005). This gives some idea how much time it takes to have a fairly 'major' story on the internet filter down to the popular media. They had it partly wrong, not having a firm grasp as to what the rootkit means technically, but they did get it right about Sony having to do a massive recall of the CDs in question. They did show a clear camera shot of the spine area of the CD case with the copy protection notation. I have absolutely no pity for Sony. Needless to say, my boycott of all Sony products is now all the more resolute. A shame, as they were once a technically excellent company with some good hardware products. But they have lost their hardware edge anyway, ceding leadership to others, and this blatant, in your face attitude about DRM etc. was the last straw for me. Have any heads rolled at Sony yet? I haven't been following this the past couple days. I'll bet that not one single person at Sony has lost their job over this- yet.