Wednesday, November 16, 2005

Sony vs. piracy: Sony disqualified

At the end of October, a nice article by Mark Russinovich of SysInternals caught my eye on Mark's blog: it revealed that a rootkit was present on his system, as shown by RootkitRevealer. After some digging with a few of SysInternals' excellent tools, it turned out that the rootkit was actually a DRM protection scheme called XCP from First 4 Internet, installed by a CD that Mark had bought from Amazon. The DRM system that Sony was using on that CD installed an application on the (Windows) system that protected both the CD itself and the software player included on it. This 'application' really was a rootkit, and a very poorly written one at that: it was pretty trivial to crash the system with the rootkit installed, there was no uninstall option, and Sony's EULA made no mention of it.

Barely a week after Mark posted this on his blog, it generated an outcry that the mainstream media picked up on. Subsequently, Sony released a 'removal tool' for the rootkit, along with a message that claimed the rootkit wasn't really dangerous to your system and did not create any security issues when it was installed. Besides the fact that this was complete bullshit (having something hide every file, folder, registry key and process whose name starts with '$sys$' is not dangerous? hah!), their 'patch' was really only a decloaking patch: it updated most of the DRM software already present and unloaded the rootkit driver improperly, possibly leading to system crashes. Also, the music player on the Sony CDs was phoning home to its server, which is not in the EULA either. Sony denied this.

So a few days later, Sony released the uninstaller, but announced it to the press only. Most customers still had no idea there was a rootkit on the Sony CDs, and even if they did know, it was pretty hard to get the uninstaller at all: it required two confirmation emails, installing an unsafe ActiveX control (CodeSupport), and a download link that is unique to your system.

This complete saga has led to quite a few results, among which:

And finally, today Sony published a public message on their Sony BMG website about the 'XCP content protection technology', providing a direct link to the patch that uninstalls the rootkit. And leaves the CodeSupport ActiveX control behind, which stays scriptable from any web page you visit and has some pretty devastating code in it.

While they originally refused to recall any of the CDs with the XCP rootkit, they have now turned around and are recalling the CDs, offering rootkit-free swaps. They also decided to stop making any new CDs with the XCP rootkit.

For your reading enjoyment, here are the excellent posts Mark has written on his blog:
  1. Oct 31: Sony, Rootkits and Digital Rights Management Gone Too Far
  2. Nov 04: More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
  3. Nov 06: Sony’s Rootkit: First 4 Internet Responds
  4. Nov 09: Sony: You don’t reeeeaaaally want to uninstall, do you?
  5. Nov 14: Sony: No More Rootkit - For Now
  6. Nov 16: Victory!

Oh, and on a final note, here are the one-line commands to disable the rootkit and remove the ActiveX control. You can enter them in the Run dialog (Start > Run); the first one only marks the $sys$aries service for deletion, so the driver stays loaded until you reboot:

cmd /k sc delete $sys$aries (followed by a reboot)
cmd /k del "%windir%\downloaded program files\codesupport.*"
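As an added illustration (not part of the original post, nor anything from Sony or First 4 Internet), here is a small Python script that checks for the three indicators the commands above deal with, so you can run it before and after them: the $sys$ cloaking test (create a file whose name starts with '$sys$' and see whether it still shows up in a directory listing), the $sys$aries service, and leftover CodeSupport files. The cloaking test runs anywhere; the service and folder checks only do real work on Windows. The service name, prefix and file names come from the commands above; the function names, and the sample folder it builds to show what a positive result looks like, are my own.

```python
"""Checks for the XCP rootkit indicators discussed above (added example, not Sony's code).

Each check is its own function and returns a value rather than only printing,
so it can be run before and after the 'sc delete' / 'del' commands.
"""
import os
import subprocess
import sys
import tempfile

CLOAK_PREFIX = "$sys$"            # name prefix the XCP driver hides from listings
XCP_SERVICE = "$sys$aries"        # service that 'sc delete $sys$aries' removes
ACTIVEX_PREFIX = "codesupport."   # leftover CodeSupport.* files (case-insensitive)


def is_prefix_cloaked(directory=None, prefix=CLOAK_PREFIX):
    """Create a file with the cloaked prefix and report whether it vanishes from os.listdir().

    On a clean machine the file is listed and this returns False; with the XCP
    driver loaded the name is filtered out of directory enumeration and this
    returns True. The file is still reachable by name, so it is removed afterwards.
    """
    directory = directory or tempfile.mkdtemp()
    name = prefix + "cloaktest.txt"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("cloak test\n")
    try:
        return name not in os.listdir(directory)
    finally:
        try:
            os.remove(path)
        except OSError:
            pass


def xcp_service_present(service=XCP_SERVICE):
    """Windows only: True if 'sc query' knows the service, False if not, None elsewhere."""
    if sys.platform != "win32":
        return None
    result = subprocess.run(["sc", "query", service], capture_output=True, text=True)
    # sc.exe prints a SERVICE_NAME line for an existing service and fails with
    # ERROR_SERVICE_DOES_NOT_EXIST otherwise
    return result.returncode == 0 and "SERVICE_NAME" in result.stdout


def leftover_activex_files(folder=None):
    """Return CodeSupport.* names in the given folder (default: %windir%\\downloaded program files)."""
    if folder is None:
        windir = os.environ.get("windir")
        if not windir:
            return []
        folder = os.path.join(windir, "downloaded program files")
    try:
        return sorted(f for f in os.listdir(folder) if f.lower().startswith(ACTIVEX_PREFIX))
    except OSError:
        return []


def make_sample_folder():
    """Build a throwaway folder with constructed leftovers, to show a positive result.

    The files are empty placeholders created here; they are not real control files.
    """
    folder = tempfile.mkdtemp()
    for name in ("CodeSupport.ocx", "CodeSupport.inf", "unrelated.txt"):
        with open(os.path.join(folder, name), "w") as fh:
            fh.write("constructed sample, not real content\n")
    return folder


def report():
    """Run all checks against this machine and return them as a dict."""
    return {
        "cloaking_active": is_prefix_cloaked(),
        "xcp_service": xcp_service_present(),
        "leftover_activex": leftover_activex_files(),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    print("sample positive:", leftover_activex_files(make_sample_folder()))
```

The cloaking test is the cheapest check: it needs no tools and no admin rights, and a file that disappears from a plain listing right after you created it is about as clear a sign of a filter driver as you can get.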

And remember: the SHIFT key is your best friend! (Though I won't directly say for what it can be used. Might get sued for that.)
