

Mark's Sysinternals Blog



#26 LilBambi

Posted 11 November 2005 - 07:54 PM

Here's another one on BetaNews: Sony BMG Pulling Controversial DRM

Quote

For its part, Sony says it has been responsive to the situation by posting removal instructions. But Russinovich disagrees, saying, "Without exaggeration I can say that I've analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall."
Comment section had this comment:

Quote

By Jedite

To add to this... The Department of Homeland Security made an indirect mention of this situation, and what can only be categorized as a warning directed at Sony.

Stewart Baker, newly appointed Assistant Secretary for Policy for the DHS, had this to say:

"I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples' [and] businesses' computers are secure. ... There's been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples' computers that even the system administrators can't find."

In a remark clearly aimed directly at Sony and other labels, Stewart continued: "It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.

"If we have an avian flu outbreak here and it is even half as bad as the 1918 flu epidemic, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is a matter of life and death and we take it very seriously."

Credit goes to Brian Krebs from the Washington Post and his blog that has a bit more on this: http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html

Edited by LilBambi, 11 November 2005 - 07:57 PM.

Bambi
AKA Fran

My Public Key for Email :: BambisMusings Blog :: Fran's Computer Services Blog :: MyPassionIsBooks Blog :: 5BuckReview :: CNIRadio
"The Net interprets censorship as damage and routes around it." ~John Gilmore (Time Magazine, Dec 6, 1993)

#27 epp_b

Posted 11 November 2005 - 08:01 PM

Hey...Sony's evil dealings earned an article in today's local paper out here in Canada!

Edited by epp_b, 11 November 2005 - 08:02 PM.


#28 LilBambi

Posted 11 November 2005 - 08:23 PM

Yes, news this bad travels very quickly and very far. ;)

#29 rolanaj

Posted 11 November 2005 - 08:29 PM

Quote

"It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.
I think a lot of people, companies, etc. ought to remember this.

Edited by rolanaj, 11 November 2005 - 08:32 PM.

Registered Linux User #554733

#30 LilBambi

Posted 11 November 2005 - 08:47 PM

rolanaj, on Nov 11 2005, 07:29 PM, said:

I think a lot of people, companies, etc. ought to remember this.
Yes, yes they should.

#31 hkspike

Posted 11 November 2005 - 10:36 PM

The one thing I'm missing is a sure-fire way of knowing if any of this stuff has been installed on your PC. I have the Switchfoot CD; sure enough it autoran - that was well before this story broke - but I declined the offer to install Sony BMG's stuff. What I don't know is if the autorun installed anything before the splash screen with the EULA/etc.

Ideas?

Andy

PS Anybody want a copy? Nah, just joking!
If you try and take a cat apart to see how it works, the first thing you have on your hands is a non-working cat.

#32 Webb

Posted 11 November 2005 - 11:27 PM

Get the Rootkit Revealer program, run it and see if there are any rootkits installed.  The help file says pretty much the same thing that the installation article does so you can tell which rootkits are acceptable.
The 9000 series is the most reliable computer ever made. No 9000 computer has ever made a mistake or distorted information. We are all, by any practical definition of the words, foolproof and incapable of error. - HAL-9000

You know, this used to be a helluva good country. I don't understand what's gone wrong with it.  - George Hanson, 1969

A bad day at golf is better than a good day at work.


Jim

#33 hkspike

Posted 12 November 2005 - 07:27 AM

Unmask it: http://updates.xcp-aurora.com/
Uninstall it: http://cp.sonybmg.co...lish/form1.html

#34 zlim

Posted 12 November 2005 - 12:42 PM

hkspike, read this http://www.sysinternals.com/Blog/ before you decide to run the Sony uninstaller.
Liz
Registered Linux User # 401459

#35 LilBambi

Posted 12 November 2005 - 01:58 PM

zlim, on Nov 12 2005, 11:42 AM, said:

hkspike, read this http://www.sysinternals.com/Blog/ before you decide to run the Sony uninstaller.
hkspike, I agree with Liz ... definitely check out Mark's blog again. He posted about the uninstaller.

For those who may want the information after Mark has added additional postings to his blog, here is the permalink for this particular posting: Sony: You don't reeeeaaaally want to uninstall, do you?

The way in which they are doing this 'uninstaller' is disturbing at best.

I think that if you have ever played the CD using their built-in 'required' player (that uses autorun to launch either by directly autorunning or by double clicking on the CD drive), it would be wise to assume that you may be infected.

Edited by LilBambi, 12 November 2005 - 02:18 PM.


#36 epp_b

Posted 12 November 2005 - 05:01 PM

If you ever had this junkware on your system, it would be best to just wipe your hard drive, then re-install your OS and software.

#37 rolanaj

Posted 12 November 2005 - 06:23 PM

Quote

Not sure about this site but am curious if anyone else has heard of this affecting a mac?

#38 epp_b

Posted 12 November 2005 - 06:59 PM

No, this is Windows-only software, which is why it is such a joke. Load the disc into any other OS -- be it Mac or some flavor of Linux -- and rip the songs off as much as you like.

#39 LilBambi

Posted 12 November 2005 - 07:16 PM

hkspike,

Apparently Sony has finally made their remover available by direct download, and an offline uninstaller is apparently available in a zip file on their site here: http://cp.sonybmg.co...sh/updates.html

Quote

SOFTWARE UPDATES/ PLUG-INS

November 8, 2005 - This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

Please note, Service Pack 2a is a maintenance release designed to reduce the file size of Service Pack 2. It includes all previous fixes found in Service Pack 1 and Service Pack 2.

http://updates.xcp-aurora.com/

An offline version of Service Pack 2 is also available as a zip file (1.4MB) or as an exe (1.5MB).
Someone who actually has the CD would have to verify whether this actually works offline as they say.

#40 zlim

Posted 12 November 2005 - 10:52 PM

See what songs had this rootkit on: http://www.eff.org/d...ives/004144.php

#41 Webb

Posted 12 November 2005 - 11:39 PM

Why would anyone want to copy protect Dion, The Essential Dion (Columbia Legacy)?

#42 hkspike

Posted 13 November 2005 - 01:21 AM

Thanks for your thoughts. Although I have seen advice to disable a CD drive's autoplay function, nobody has yet clearly stated that the autorun function actually does any damage. It launches the splash screen, so what? As a default, I decline all offers. I declined the offer with Switchfoot's CD. Then ripped it with MusicMatch. I've yet to see any genuinely odd behaviour but maybe there's a surprise waiting for me.

So does that initial autorun actually load anything?

I think epp_b's comment that you then rebuild your HD just because you legally bought a CD is a tad over the top. But then maybe Sony should be made aware of the damage they have done.

As for Webb's comment about Dion, clearly it is vital that Dion be protected. CDs like this should be difficult to rip, thus protecting the rest of us from the sonic assault. This stuff could have been used at the end of "Mars Attacks" instead of Slim Whitman.

Will have a look at that German CD ripper later.

Where's Scot? Changing diapers?
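The question in the post above, whether the autorun step by itself runs anything, comes down to what Explorer does with the disc's autorun.inf when AutoRun is enabled for CD-ROM drives: the `open=` or `shellexecute=` entry names a program that Windows launches on insertion, so the splash screen the thread describes is already the disc's own program executing, before any EULA has been accepted. The script below is an added example and is not code from the original post, from Sony BMG or from Microsoft. It reads an autorun.inf the way Explorer does and evaluates the `NoDriveTypeAutoRun` policy bits; the autorun.inf text is constructed, and the Windows XP default value of 0x91 is an assumption stated in the code (the bit layout itself is Microsoft's documented one).

```python
"""Does inserting the disc run anything? Read the disc's autorun.inf and the
NoDriveTypeAutoRun policy the way Explorer does.

Added example for this thread; not code from any post, from Sony BMG or
from Microsoft. The autorun.inf text below is constructed.
"""

# Bits of the NoDriveTypeAutoRun REG_DWORD under
# HKLM (or HKCU)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
# A SET bit disables AutoRun for that drive type.
DRIVE_BITS = {
    "unknown": 0x01,
    "removable": 0x04,
    "fixed": 0x08,
    "network": 0x10,
    "cdrom": 0x20,
    "ramdisk": 0x40,
    "reserved": 0x80,
}
XP_DEFAULT = 0x91    # ASSUMED Windows XP default: CD-ROM bit clear, so AutoRun is on
DISABLE_ALL = 0xFF   # hardening value; on the host itself:
# reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
#     /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f


def autorun_enabled(policy_value, drive_type="cdrom"):
    """True when the policy leaves AutoRun on for this drive type."""
    return not (policy_value & DRIVE_BITS[drive_type])


def parse_autorun_inf(text):
    """Return the [autorun] section as a lower-cased key -> value dict.
    Section and key names are case-insensitive; ';' starts a comment."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_entries(entries):
    """The entries that make Explorer start something on insertion:
    'open' runs a command line, 'shellexecute' hands a file to ShellExecute."""
    return {k: entries[k] for k in ("open", "shellexecute") if entries.get(k)}


def assess(inf_text, policy_value=XP_DEFAULT):
    """Combine the disc's wishes with the host policy into one verdict."""
    entries = parse_autorun_inf(inf_text)
    launch = launch_entries(entries)
    cd_autorun = autorun_enabled(policy_value, "cdrom")
    return {
        "launch": launch,
        "label": entries.get("label"),
        "autorun_on_cd": cd_autorun,
        "would_run_on_insert": bool(launch) and cd_autorun,
    }


# Constructed autorun.inf, not copied from any real disc.
SAMPLE_INF = """\
; constructed example
[AutoRun]
open=launcher.exe /autorun
icon=disc.ico
label=Example Album
"""

if __name__ == "__main__":
    for name, policy in (("XP default", XP_DEFAULT), ("0xFF hardened", DISABLE_ALL)):
        print(name, assess(SAMPLE_INF, policy))
```

With the assumed default the constructed disc's `launcher.exe /autorun` runs as soon as the disc is inserted; with the CD-ROM bit set (0xFF covers every drive type) nothing is launched and only the icon and label are applied. The check does not cover the drive's double-click action that the thread also mentions; that path is outside this example.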

#43 Webb

Posted 13 November 2005 - 03:49 AM

Yes, the world must be protected from any further propagation of Dion songs. If DRM spyware is the only way to do it then I may have to reconsider my position as to whether all DRM spyware is bad.

On a more serious note, I already suggested downloading and running the free Rootkit Revealer program. If nothing evil shows up you don't have to worry further.

#44 hkspike

Posted 13 November 2005 - 06:00 AM

Ran RootkitRevealer - wow that took a long time and got this:

Quote

C:\System Volume Information\catalog.wci\00010013.ci 11/13/2005 16:38 12.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010013.dir 11/13/2005 16:38 344 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010014.ci 11/13/2005 16:56 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010014.dir 11/13/2005 16:56 348 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010015.ci 11/13/2005 17:11 4.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010015.dir 11/13/2005 17:11 348 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 11/13/2005 16:56 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 11/13/2005 16:56 384.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 11/13/2005 16:56 384.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 11/13/2005 17:11 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 11/13/2005 17:11 384.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 11/13/2005 17:11 384.00 KB Hidden from Windows API.
C:\WINDOWS\SYSTEM32\spool\PRINTERS\FP00002.SHD 11/13/2005 17:21 0 bytes Hidden from Windows API.
C:\WINDOWS\SYSTEM32\spool\PRINTERS\FP00002.SPL 11/13/2005 17:21 0 bytes Hidden from Windows API.
Now I'd be the first to say that I don't really understand all that but there doesn't appear to be much odd there! Most of it appears to be indexing service backup files.

Perhaps the advice to disable Autorun is a bit harsh. The Autorun just takes you to the Sony BMG splash screen. It's accepting their EULA and running their software that does the damage.

Now where was that Dion CD......?

Andy
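Webb's suggestion (run RootkitRevealer, then decide which discrepancies are acceptable) and hkspike's hand triage of the listing above can be mechanised. RootkitRevealer works by cross-view comparison: it walks the file system and registry once through the Windows API and once from the raw on-disk structures, and reports every object the two views disagree on, so its output is a list of leads to triage rather than a verdict. The script below is an added example, not a Sysinternals tool and not code from any post here. It parses output lines of the shape hkspike pasted and sorts each one into "expected" (transient discrepancies from the Indexing Service catalog and the print spooler, the two sources in that listing) or "investigate". The two benign patterns are assumptions for this example and should be tuned per host; the `$sys$` name prefix is the cloaking marker reported in Russinovich's published analysis of the XCP driver, and the last sample line is constructed to show a hit.

```python
"""Triage of RootkitRevealer discrepancy output.

Added example for this thread; not a Sysinternals tool and not code from
any post here. It parses the text lines RootkitRevealer prints
(<path> <M/D/YYYY HH:MM> <size> <description>) and labels each one.
"""
import re
from dataclasses import dataclass

# One output line: path, timestamp, size, then the discrepancy description.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2})\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\s*$"
)

# Locations whose discrepancies are expected because the files are being
# rewritten while the scan runs. ASSUMPTION for this example: tune per host.
EXPECTED = [
    (re.compile(r"\\System Volume Information\\catalog\.wci\\", re.I),
     "Indexing Service catalog rewritten during the scan"),
    (re.compile(r"\\spool\\PRINTERS\\[^\\]+\.(?:shd|spl)$", re.I),
     "print spooler job files"),
]

# Name prefix the XCP driver cloaks, per Russinovich's published analysis.
XCP_MARKER = "$sys$"


@dataclass
class Finding:
    path: str
    description: str
    verdict: str   # "expected" or "investigate"
    reason: str


def parse_line(line):
    """Split one RootkitRevealer line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    return None if m is None else (m.group("path"), m.group("desc"))


def triage(line):
    """Label one line, or return None if it is not a RootkitRevealer line."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    path, desc = parsed
    if XCP_MARKER in path.lower():
        return Finding(path, desc, "investigate",
                       "name carries the $sys$ cloaking prefix")
    for pattern, why in EXPECTED:
        if pattern.search(path):
            return Finding(path, desc, "expected", why)
    # Anything else the two views disagree on deserves a look, whether the
    # object is hidden from the API or present only in the API view.
    return Finding(path, desc, "investigate",
                   "view mismatch outside known transient locations")


def triage_report(text):
    """Triage every parseable line of a RootkitRevealer dump, in order."""
    return [f for f in map(triage, text.splitlines()) if f is not None]


def summarize(findings):
    """Count verdicts so a clean scan is one glance: all 'expected'."""
    counts = {"expected": 0, "investigate": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


# Constructed sample: three lines in the shape hkspike posted, plus one
# constructed line carrying the XCP marker (not from any real listing).
SAMPLE = r"""
C:\System Volume Information\catalog.wci\00010013.ci 11/13/2005 16:38 12.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.001 11/13/2005 16:56 384.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SYSTEM32\spool\PRINTERS\FP00002.SHD 11/13/2005 17:21 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\$sys$example\$sys$driver.sys 11/1/2005 9:12 10.00 KB Hidden from Windows API.
"""

if __name__ == "__main__":
    findings = triage_report(SAMPLE)
    for f in findings:
        print(f"{f.verdict:11} {f.path}  ({f.reason})")
    print(summarize(findings))
```

Run against hkspike's full listing every line lands in "expected", which matches his reading of it; the point of keeping an explicit allow-list rather than ignoring "Hidden from Windows API" wholesale is that a cloaked driver under system32 produces exactly the same description text as a spooler temp file, and only the location and name tell them apart.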

#45 Marsden11

Posted 13 November 2005 - 08:36 AM

This goes beyond Windows...

Quote

This is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.


#46 sunrat

Posted 14 November 2005 - 05:02 AM

One question begs asking - why would an operating system allow a program to install files that are so completely hidden as these without triggering a security alert? And why is there a mechanism in the OS that allows this to be done in the first place?

I guess we can't trust anyone to really give us "trusted computing".

The morons at Sony who came up with this should be busted down to the mail room, after they get out of jail for crippling their customers' computers and unleashing a safe haven for trojans and game cheats. :) :)
registered Linux user number 324659  ||    The importance of Reading The *Fine* Manual! :D
For the things we have to learn before we can do them, we learn by doing them.

#47 Eric Legge

Posted 14 November 2005 - 11:47 AM

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.

Edited by Eric Legge, 14 November 2005 - 11:50 AM.


#48 lewmur

Posted 14 November 2005 - 01:34 PM

Eric Legge, on Nov 14 2005, 12:47 PM, said:

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.
This is a good step.  But it is still "too little, too late."  And I'm not saying M$ is alone in having this problem.  But, IMHO, *no* OS should allow *anything* to be written to the "system" files without *explicit* permission of the computer owner.  And then only after a *full disclosure* of the *abilities* (not the intended purpose) of the code, and the ability to remove the code with a couple of "mouse clicks."

#49 LilBambi

Posted 14 November 2005 - 07:21 PM

Eric Legge, on Nov 14 2005, 10:47 AM, said:

Microsoft's AntiSpyware utility, the new name of which is going to be Windows Defender, will soon be able to remove the Rootkit software that Sony CDs install on the PCs that play them. The Rootkit software has been vehemently and universally condemned. Jason Garms, chief executive of Microsoft's Anti-Malware Technology Team said that Microsoft regards the Sony DRM as malicious code and plans to treat it as such. Microsoft will also make the December monthly update to the Malicious Software Removal Tool and the online scanner on Windows Live Safety Centre able to recognise and remove the offending code.
Actually, from my reading, it will only decloak, like Sony's original SP2.

Check this topic under Security and Networking here on the forums.

Quote

Microsoft said Saturday that it is updating its anti-spyware software (now called "Windows Defender") to detect and remove the file-hiding capabilities of the anti-piracy software installed by some Sony BMG music CDs.
Microsoft: Sony Anti-Piracy Software Is Spyware

If you want it totally removed, it looks like you will have to go elsewhere? Unless now they will be giving the removal information to them.

However, Symantec apparently has a removal tool, or at least they are calling it a removal tool here.

Sophos and Computer Associates also have classified it as spyware. McAfee, with the latest dat file, will detect, remove and prevent reinstallation of the rootkit according to this BetaNews article.

Although the article says that Symantec was going to send folks to Sony for the removal if it was detected, they have since come up with their own removal tool.

I believe most antivirus software is going to take care of this for customers in no time.

Edited by LilBambi, 14 November 2005 - 07:41 PM.


#50 LilBambi

Posted 14 November 2005 - 07:47 PM

Well, the plot sickens...again...

Quote

Spyware Sony seems to breach copyright
Posted on Thursday, November 10 @ 11:44:47 CET by brenno

The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

This article is a translation of this article I wrote for Webwereld.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3-encoder, and thereby breach the license.

This software is licensed under the so-called Lesser Gnu Public License (LGPL). According to this license Sony must comply with a couple of demands. Amongst others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code to the open-source libraries or otherwise make these available. And finally, they must deliver or otherwise make available the in-between form between source code and executable code, the so-called object files, with which others can make comparable software.
More in the article. I put this on my blog early yesterday when I did a search on Google and found it directly, and today I found a reference to it from BoingBoing too...we must have been posting about it around the same time yesterday morning!

Quote

The evidence against Sony is compelling, and this further reveals the hypocrisy of Sony's actions. Sony claims that it needs to install dangerous, malicious, underhanded software on its customers' computers to protect its copyrights, but in order to write this malware, it has no compunction about infringing on the copyrights of public-spirited software authors who make their works available under free software licenses like the GPL.
Go Cory! :)



