Sony Rootkit Phones Home

Posted by Hemos on Mon Nov 07, 2005 09:10 AM
from the the-on-going-saga dept.
strider44 writes "Mark from Sysinternals has dug a little deeper into the Sony DRM and discovered it Phones Home with an ID for the CD being listened to. XCP Support claims that "The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities." Also on this topic, Matt Nikki in the comments section discovered that the DRM can be bypassed simply by renaming your favourite ripping program with "$sys$" at the start of the filename and ripping the CD using this file, which is now undetectable even by the Sony DRM. You can use the Sony rootkit itself to bypass their own DRM!"

Update: 11/07 14:21 GMT by H : Attentive reader Matteo G.P. Flora also notes that an Italian lawyer has filed suit against Sony on behalf of the Italian equivalent of the EFF. Translation available through the hive mind.

Update: 11/07 15:18 GMT by H : It does appear that in fact Sony does see through the $sys$ - see Muzzy's comment for more details.
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Ha Ha! (Score:5, Funny)

    by turnipsatemybaby (648996) on Monday November 07 2005, @09:12AM (#13969054)
    Somewhere in the distance, I hear Nelson shouting, "Ha ha!"
  • Uh Oh (Score:5, Funny)

    by Honig the Apothecary (515163) on Monday November 07 2005, @09:13AM (#13969058)
    I smell a DMCA violation on the /. front page! Cue the Sony lawyers in 4..3..2....
    • Re:Uh Oh (Score:5, Informative)

      by SatanicPuppy (611928) <[moc.liamg] [ta] [yppupcinataS]> on Monday November 07 2005, @09:21AM (#13969098) Journal
      Heh. But you're circumventing their copy protection using their invasive DRM package. So aren't they to blame for the circumvention? They wrote the code, after all, and adding "$sys$" to a filename is as trivial as holding down the shift key, and the shift key lawsuit was thrown out of court. If only someone else could sue them...

      I think Blizzard in particular has a good case against them, since their crazy DRM is being used to circumvent some of Blizz' anti-cheating measures.
  • by Anonymous Coward on Monday November 07 2005, @09:13AM (#13969059)
    CDex 1.51 had no issues ripping this CD.
    • by meringuoid (568297) on Monday November 07 2005, @09:28AM (#13969153)
      I've never met anything that cdparanoia couldn't handle, unless it was scratched to death; IIRC, CDex uses cdparanoia as its ripping engine, so it should have the same uber ripping powers.

      AFAIK, the rootkit is the only protection on this CD. As they admit, it looks like a normal CD to an Apple computer - and, of course, to a Linux computer. And, for that matter, to a Windows computer with Autorun disabled... I do enjoy a truly pathetic copyrestriction system, don't you?

      • by ModernGeek (601932) on Monday November 07 2005, @09:40AM (#13969238) Homepage
        If it installs this rootkit through autorun when you put the CD into your Windows machine, how is this any different from a worm? Just because it isn't spread through the internet doesn't change the fact that it is a virus.
        • by meringuoid (568297) on Monday November 07 2005, @09:44AM (#13969268)
          If it installs this rootkit through autorun when you put the CD into your Windows machine, how is this any different from a worm? Just because it isn't spread through the internet doesn't change the fact that it is a virus.

          It doesn't automatically self-propagate, so it isn't a worm. Nor does it infect files and piggyback on them to infect other machines; it isn't a virus. This particular piece of malware comes attached to something the user wants (i.e. a music CD) without his knowledge, and proceeds to infect his machine, but makes no attempts to spread itself to other machines. That makes it a trojan.

          • by ModernGeek (601932) on Monday November 07 2005, @09:55AM (#13969324) Homepage
            The way I heard it, it sounded like it was copying itself from the CD to the machine without the user's consent. I assumed this would be called a virus as it is replicating itself. Maybe Trend Micro's quiz didn't educate me very well.

            After finding more information about it, it sounds as if it blocks programs from accessing the CD drive that are in Sony's list.

            Step 1: Rename your Windows Server App to ITUNES3.EXE
            Step 2: Put all the config files for that server app on a CD
            Step 3: Insert Sony music CD into secondary drive
            Step 4: The DRM that installed itself without your consent crashed your mission critical server. Sony is liable!
            Step 5: ???
            Step 6: Profit!
          • by meringuoid (568297) on Monday November 07 2005, @09:48AM (#13969288)
            It is illegal in this case, because you are bypassing Sony's DRM.

            Ah, but you didn't say illegal, you said wrong. The equation of the two is perhaps the greatest threat to liberty in the modern world.

              • by meringuoid (568297) on Monday November 07 2005, @11:05AM (#13969848)
                Nice pull of the 'liberty' strings there, you got your mod points, but you are still incorrect. Ripping this CD is both illegal and wrong; if you bought this CD, you entered into a contract with Sony, and by ripping it, you are breaking your side of the contract, which is wrong in every sense.

                No I didn't. I entered into a contract for sale of goods with the record store, the terms of which were that I handed over some cash and they handed over a CD. That contract was fulfilled to the satisfaction of both sides. I have no other contractual obligations of any kind.

              • by stephenslashdot (661755) on Monday November 07 2005, @11:05AM (#13969853)
                Now, I didn't buy that CD (or any others in the last five or six years) but if I had, I'd like to see where the terms and conditions of the contract that I SIGNED AND AGREED to are. If they are available for viewing BEFORE I make the purchase AND they explicitly indicate everything that Sony is allowed to do to my computer if I choose to put it in my computer, then you have a point. If not, then it is nothing more than a con, equivalent to me mailing you a letter that you open to see "the act of opening this letter means you agree to give me all your worldly assets, and none of your debts". If you feel Sony isn't WRONG, then you'd better fork over everything you own when you get that letter, because it's the same thing. Now, if I posted "the act of opening this letter means you agree to give me all your worldly assets, and none of your debts" and you open it, well, that's fair game because you had the option, and if you weren't a dumbass, you wouldn't open it. That's the difference. Sony is not providing OUTSIDE of the purchase the terms and conditions that you are claiming binds the purchaser, and Sony is NOT refunding your money if you disagree with what you find inside.
  • No information (Score:5, Insightful)

    by Threni (635302) on Monday November 07 2005, @09:14AM (#13969064)
    "No information is ever fed back or collected about the consumer or their activities."

    Other than your IP address, date and time it's connected to the net, the CD you're listening to, how often you listen to it...
  • by PhotoBoy (684898) on Monday November 07 2005, @09:14AM (#13969065)
    Is it the game of working out ways to piss off Sony by circumventing their crappy DRM?
  • by Bananatree3 (872975) * on Monday November 07 2005, @09:15AM (#13969070)
    Mark has also just posted how First 4 Internet, the creators of the rootkit, have made a rebuttal on Mark's claims: http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html [sysinternals.com]
  • by w.timmeh (906406) on Monday November 07 2005, @09:15AM (#13969072)
    DRM software bypasses... itself?! Wait...
  • by RandoX (828285) on Monday November 07 2005, @09:18AM (#13969085)
    I don't have (and don't plan to buy) one of these CDs, but I would think that any external communication or use of your net connection would have to be disclosed in the EULA. It could be covered in some legalese catch-all such as "as necessary to provide enhanced services", etc. This is the kind of reason I'm immediately suspicious of anything that begins, "For your convenience"... It rarely is.
  • LGPL violation? (Score:5, Interesting)

    by Anonymous Coward on Monday November 07 2005, @09:20AM (#13969095)
    comment posted by Matti Nikki :
    Also, go check Contents\GO.EXE in the cd and search for string "LAME". This is possible LGPL violation, since LAME mp3 library has been statically linked against the executable. You can see that version.c has been compiled in since it generates those version strings, and I found tables.c as well. Didn't locate any code though, apparently removed by optimizing compiler due to being unreferenced, but I couldn't test for all LAME code as I don't have proper tools available (such as sabre-security bindiff)
      • by muzzy (164903) on Monday November 07 2005, @10:08AM (#13969409) Homepage Journal
        Go and check it yourself, and compare to lame sources. The data from tables.c is included in the executable in identical form (several large tables), also all the version strings are included, which the DRM system doesn't check.

        The data is there, the big question is if it was linked accidentally, or if it actually uses LAME code as well.
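An added example (not part of the comments above and not muzzy's tooling): one way to run the check the two comments describe, looking in an executable image for a library's version strings and for its constant tables in packed form. The sample image, the version string and the table values are constructed placeholders, not data from GO.EXE or from LAME's tables.c.

```python
"""Look for traces of a statically linked library inside an executable image."""
import re
import struct


def printable_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for each run of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def marker_strings(blob: bytes, marker: str):
    """Strings that mention the library name (weak evidence: easy to strip)."""
    return [(off, s) for off, s in printable_strings(blob) if marker in s]


def find_table(blob: bytes, values, fmt: str = "<i"):
    """Offsets where `values`, packed element by element with `fmt`, appear
    contiguously. A full-table match is stronger evidence than a string,
    because data tables stay in the image even when unreferenced code is
    dropped by the linker or optimizer."""
    needle = b"".join(struct.pack(fmt, v) for v in values)
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits


def scan(blob: bytes, marker: str, tables: dict):
    """tables maps a label to (values, struct format)."""
    return {
        "strings": marker_strings(blob, marker),
        "tables": {name: find_table(blob, vals, fmt)
                   for name, (vals, fmt) in tables.items()},
    }


# Constructed reference data: placeholder constants, NOT values from tables.c.
REFERENCE_TABLES = {
    "demo_int_table": ([0, 4, 8, 12, 16, 20, 24, 30, 36, 44, 54, 66], "<i"),
    "demo_float_table": ([0.5, 0.25, 0.125, 0.0625], "<f"),
}


def build_sample_image(with_strings: bool = True) -> bytes:
    """Constructed stand-in for an executable: header, optional version
    string, padding, then the reference tables in little-endian form."""
    parts = [b"MZ" + b"\x00" * 62]
    if with_strings:
        parts.append(b"LAME version 0.00 (constructed sample)\x00")
    parts.append(b"\x90" * 16)
    for vals, fmt in REFERENCE_TABLES.values():
        parts.append(b"".join(struct.pack(fmt, v) for v in vals))
        parts.append(b"\xcc" * 8)
    return b"".join(parts)


if __name__ == "__main__":
    for label, image in (("with strings", build_sample_image(True)),
                         ("strings stripped", build_sample_image(False))):
        print(label, scan(image, "LAME", REFERENCE_TABLES))
```

To use it on a real file, read the file as bytes and pass tables taken from the source release being compared against.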
  • by Slashdiddly (917720) on Monday November 07 2005, @09:25AM (#13969126)
    I have to hand it to Sony marketing execs. Ordinarily they would be hard-pressed to sell even a few dozen copies of that CD. Throw in some DRM and now you have millions of geeks buying the CD trying to break it (or verify somebody else's claims of having broken it). That stuff is so good you can't even torrent it.
  • What if. . . (Score:5, Interesting)

    by smooth wombat (796938) on Monday November 07 2005, @09:25AM (#13969130) Homepage Journal
    you're not connected to the net? I know, horrible thought to comprehend but there are those of us who aren't plugged in 24/7.

    What happens then? Do you get an error message? Does the CD not play? What if you block the ad retrieval via your firewall?

    What if I turn off the monitor and walk away while the CD plays? Am I stealing ala Jack Valenti and not watching commercials on tv?
  • Utterly Laughable (Score:5, Insightful)

    by yakumo.unr (833476) on Monday November 07 2005, @09:25AM (#13969132) Homepage
    These copy protection schemes are NEVER going to work as long as the content is still available to play on regular cd players. Even if it's not, it will be hacked as long as some hacker thinks it might be an amusing way to spend an afternoon.

    Why are Sony SO unbelievably stupid as to think otherwise? They must be wasting hundreds of thousands of pounds on this utterly useless rubbish, that even the least technical of people can bypass.

    These things are so childish no hacker would even bother with them, as stated this one even defeats itself!
    It only takes one breach to distribute a copy, why piss off thousands of genuine paying clients?

    The mind boggles, the only people winning are the copy protection companies living happy lives doing nothing but ripping Sony off.

    Aren't they supposed to do marketing studies on things before release?
    Maybe employ a 16 year old to independently test the schemes for them rather than taking the word of the people selling them this rubbish
    (I'd have said 10 year old but it wouldn't be legal)

    revenue lost to purchasing clients who will have to return product as it won't run. $X,0000
    revenue lost to potential clients who will be scared off buying in the first place. $Y,0000
    estimated reputation damage to company. priceless.

    estimate of no. of pirated copies prevented. ZERO.
  • great... (Score:5, Insightful)

    by archen (447353) on Monday November 07 2005, @09:26AM (#13969135)
    So you can use their own rootkit to bypass their own DRM. And exactly what level of control do you even have at the point where you are screwing with a rootkit to rip CD's on your own computer?

    I hope Microsoft is paying attention here, because this could set an EXTREMELY bad trend here. Why do we have these "certified" drivers? Because a lot of them were crap. Now we have software injecting stuff directly into the OS. I can't say this is going to help MS in the security and stability department.
  • by muzzy (164903) on Monday November 07 2005, @09:26AM (#13969137) Homepage Journal

    Just my luck, when I make it to slashdot it's something I've analyzed wrong. I tested to rename my ripping software to begin with $sys$ and it ripped it fine, but apparently something else was the deciding factor. I can't reproduce that effect!

    There's definitely something fishy going on, however, with two magic lists in the DRM system (one in installer, one in $sys$DRMServer.exe), and the drmserver scans running processes and open windows, testing them against those lists. So far I haven't figured what it does when it finds a match. The code is written in C++ and although I've found the function call, it's virtual and I need to figure which vtable is being used and it's bitchy without a debugger. I'm not going to run this crap on my development systems, and my test machine doesn't even have net access, too much work to setup debuggers on it just yet :(

    Anyway, the lists for everyone to see:
    http://hack.fi/~muzzy/sony-drm-magic-list.txt [hack.fi]
    http://hack.fi/~muzzy/sony-drm-magic-list-2.txt [hack.fi]
    The first one is from installer, the second from drmserver

    • by muzzy (164903) on Monday November 07 2005, @10:28AM (#13969559) Homepage Journal
      Btw, Since distracting CD-ROM functionality by randomizing the signal a little seems to be "OK", you can expect the record companies to target P2P apps with future DRM systems. If it's OK to screw your system and ripping software, it's going to be ok to screw your p2p if they think you're sharing their stuff. This kind of malware along with DRM is a slippery slope, and you'll never know where it ends if you tolerate it even a little.
    • iTunes Pro (Score:5, Interesting)

      by CODiNE (27417) on Monday November 07 2005, @01:01PM (#13971113) Homepage
      The installer list has iTunes Pro on it, that comes as a bit of a surprise to me. iTunes Pro is the app used by Apple to add music to the iTMS. Sony wants to prevent consumers from running this app or to prevent Apple from adding those CD's to the iTMS? What would the point of this be?

      Weird.
  • by tradjik (862898) on Monday November 07 2005, @09:27AM (#13969146)
    As posted previously on another SONY DRM/rootkit article, here is a google search through Amazon listing the DRM'ed CDs:
    http://www.google.com/search?q=sony+site:amazon.com+intitle:%22%5BCONTENT/COPY-PROTECTED+CD%5D%22&num=100/ [google.com]
  • by xtracto (837672) on Monday November 07 2005, @09:28AM (#13969152) Journal
    SysInternal's Mark Russinovich has posted a new entry about Sony's XCP DRM technology. [sysinternals.com]

    According to his post, it seems Sony's fix "patch" makes a little "contact home" contacting Sony servers. This even when Sony claims that their software didn't make contact with them.

    Slashdot covered previously [slashdot.org] the initial XCP rootkit story.

    The Inquirer [theinquirer.net] has an interesting article on the Sony DRM technology overall.

    And it seems the community has found several alternate uses for the XCP technology, which include hiding game cheating software [theregister.co.uk] and even bypassing DRM technology [sysinternals.com]
  • by Biotech9 (704202) on Monday November 07 2005, @09:39AM (#13969226) Homepage
    Matt Nikki in the comments section discovered that the DRM can be bypassed simply by renaming your favourite ripping program with "$sys$" at the start of the filename and ripping the CD using this file, which is now undetectable even by the Sony DRM. You can use the Sony rootkit itself to bypass their own DRM!"

    All I've seen from people on this issue are ways to get around the DRM. Yes, there are MANY ways to get around it, audio line-out to a DAT or an iPod, using linux, a mac, CDex, Audiograbber, Audiohijack-pro...

    But that is all just retarded, if you're buying this CD and you use it as Sony want you to use it, it is NO different than if you buy the CD and rip it with some workaround. Sony don't SEE a difference. The MP3s will be on DC++ anyway, it's not like they will lose sales to people ripping it for their iPods or whatever.

    And if you do buy the CD, (regardless of whether you rip it or not) you have just voted. Corporations are the Governments of today and with your purchase you vote. And buying any content protected CD regardless of what you do with it is a VOTE to Sony that DRM is acceptable to you. And that means next time it won't be some crappy nobody C&W CD that is taking over your PC, it'll be the big Sony acts. And then the big EMI acts and WB acts and so on.

    Vote with your cash, buy non-DRM encumbered CDs or else just steal it. I'd prefer to take the moral issues and risk of stealing rather than just be Sony's bitch and install their shitty rootkit on my computer.
  • I'm no copyfighting warrior. I buy all my music because I enjoy supporting the industry that makes it available to me. That said, it sure seems to me that all Sony are doing here is removing the incentive to purchase their CDs. Not only do you face the possibility of not being able to rip as you please, but you face the possibility of screwing up your system by buying Sony CDs.

    What's the goal here? To stop the people who buy CDs and rip copies for a few friends... by driving everybody to rely on safer online distribution exclusively?

  • by keraneuology (760918) on Monday November 07 2005, @09:50AM (#13969293) Journal
    Anybody who buys any CD or DVD from Sony before a VP at Sony is fired over this bears direct responsibility for this. The ONLY thing that Sony will understand is a loss of business. Losing a lawsuit just won't cut it because their insurance company will bear the brunt of the loss.

    If you care about this, then don't buy Sony games, music or movies. If you don't care about DRM and spyware issues then by all means go out and buy more product from them.

    Is sending a clear message that you will not tolerate corporate abuses worth going a few months without shelling out $18 for a CD that has two decent tracks on it?

    Accept nothing less - the public firing of the VP who oversaw the department that gave the green light to this - or no purchase of any Sony game, music or movie.

    Personally I don't think enough people value unhacked systems enough to make the sacrifice. My prediction is that Sony will essentially get away with it, may have their insurance company pay a few settlement checks, and make a better attempt next time around. Or simply write enough checks to MS to ensure that the DRM is included in the Colonel (weak joke about a police state... sorry). And write enough checks to Motorola and Intel to make sure that DRM is included at the chip level. And write enough checks to US Senators to make sure that the law will back them up next time.

    Again, the only recourse is to refuse to buy Sony products until a VP is fired. Nothing else will work.

  • by Vo0k (760020) on Monday November 07 2005, @10:50AM (#13969729) Journal
    to see the kit added to major antivirus detection list.

    Trojan detected: WIN32.DrmSony.SPY@mm - Threat: medium; class: Spyware, Rootkit, OS-damage.
    Known to cause CD drive malfunction, secretly uploads third party data, prevents certain userspace programs from running, hides from the OS, installs itself without user consent.
    OS infection prevented.
    Warning: E:\ Volume is Read-Only. The virus cannot be removed (cause: Data written to non-erasable CD.)
    Recommendation: Back up all non-infected data from the medium by re-burning it to a new blank CD, destroy infected disk.
    • by Anonymous Coward on Monday November 07 2005, @09:17AM (#13969079)
      Most Sony customers care little for this Sony solution. My 12 year old sister doesn't seem to care one bit. Sony has the "right" to provide this feature as you're not being forced to buy it.

      You're responsible for checking out a product before buying it. I won't buy any music ROM disc that doesn't have the "CD" certification logo, unless it is from an indie band. I still rip every CD from a CD player with an optical out into my PC. Safety first.


      You obviously never read the original article. Sony didn't advertise in any way shape or form that this was on the CD, so even you wouldn't have been able to "check out" the product before buying it!
      • by jacksonj04 (800021) <nick@tn-uk.net> on Monday November 07 2005, @10:00AM (#13969364) Homepage
        But the fact still remains, CDs which have the "Compact Disc Digital Audio" mark on them cannot include DRM as it is against the CD spec. I agree that not showing software may be installed is a bad idea if not actually illegal (I haven't seen a CD in question so I don't know if it has a "This CD may install software" notice), but if you buy a "Compact Disc Digital Audio" marked CD which then installs something it is in fact false advertising, and IIRC the CD mark is quite strictly enforced.
        • by muzzy (164903) on Monday November 07 2005, @10:43AM (#13969670) Homepage Journal
          Sorry, no bonus. The Van Zant CD with the rootkit has a CDDA logo. It's a multisession CD with real audio tracks with malware on a data track. Plus apparently one extra data track without filesystem, no idea what that is, shows up in my ripper.

          In the front cover, no notice of protection. On the side, no notice. On the back, facing towards front, on left side of the cover (you know), there's "Content enhanced & Protected" text. On the reverse side, it says "Certain computers may not be able to access the digital file portion of this disc. Use subject to applicable end user license agreement". It says it needs a mac or PC with windows, pentium II, IE5, DirectX 9, 128M ram. Says that ripping with windows media player 9.0 works, and is compatible with Windows Media portable devices and Sony Walkmans.

          So, yea, it pretends to be a CD. I don't know the standards to know if this is really a valid audio cd since it's multisession. It's definitely about trying to screw the consumer, though, since it tries to break the cd playback ability of the computer with the malware it ships with, under guise of "DRM".
    • by phil reed (626) on Monday November 07 2005, @09:18AM (#13969086) Homepage
      Of course, this presumes that the product and the producer don't take active steps to deceive the consumer, and presumes a technically-sophisticated consumer capable of analyzing the technology involved. Your idealistic scenario kind of falls flat when it runs into the real world.
    • by Vokkyt (739289) on Monday November 07 2005, @09:22AM (#13969107)
      Well, even though it IS possible to just not buy the stupid Sony CDs, the issue is that there is no denying that Sony is a major market force, and as a major market force, it is going to serve as a template to other companies. Yeah, others probably will copy this and that is the issue.

      If others are apathetic about it, then that's fine, but they shouldn't complain when people who do care want to take issue with Sony's actions. If enough consumers take issue with it now, the message will become clear enough in the baby-stages of the new CD DRM that at least some companies will refrain from doing this. The idea isn't to just complain over a little thing, but to stop something that people do not want to happen. I don't see an issue with that.

      And it's not necessarily that anyone denies Sony's rights to provide this either; people simply do not want it, or are indifferent to it. Those who are indifferent shouldn't care either way, and those who don't want it shouldn't have to have it, and as a corporation, Sony should listen to the consumers a little and realize this is technology that people do not want.

      Of course, this leads a lot into the discussion of wanted technology vs unwanted technology and how a lot of the larger corporations nowadays just put enough money into things so that they live long enough to be considered common place, and hence gain acceptance, which is altogether a frustrating business model which made me stop watching television long ago...but yeah...different topic.
    • by stinerman (812158) <nathan.stineNO@SPAMgmail.com> on Monday November 07 2005, @09:23AM (#13969109) Homepage
      Stop voting in the booth, vote in the checkout aisle.

      You know as well as I do that if you don't do the bidding of the right people, you won't find yourself with any "shelf space". It's white bread or wheat bread, anything else is illegal. Feel free to vote in the checkout aisle, just don't complain to anyone when your rye bread is nowhere to be found.
    • by leuk_he (194174) on Monday November 07 2005, @09:26AM (#13969140) Homepage
      Yes, that is what the Sony reaction looks like. They just behave as if this is a non-issue.

      But, by not adding an uninstaller, not putting in the EULA what it is doing and playing the blame game with Apple*, their software is not better than the worst spyware. They think they can install anything on a user's PC, but this might be plain illegal.

      If you do not care about spyware and viri, please let it pass, but if you care for your privacy and/or your pc you should not "vote with your wallet", but name it what it really is.

      *(their FAQ keeps babbling that you cannot transfer it to iTunes because Apple did something to make their API incompatible, instead of watching their DRM solution)
    • by karmawarrior (311177) on Monday November 07 2005, @09:47AM (#13969282) Journal
      I have to say I generally agree. There is a fundamental problem though in that most people lack the knowledge to realise that simply because something is sold as a CD, in with all the other CDs, looking identical to all the other CDs, with little or no warning on the packaging that it's not a CD save, in a minority of cases, for text that looks more like legalese worded to appear to be suggesting extra benefits of the package rather than to actually suggest the package is crippled, doesn't mean that, in fact, they are getting a standard "red book" CD. The fact that such widespread ignorance exists means that any content producer that wants to can actually remove their products from the market, as far as those who prefer open formats are concerned, and can only sell non-CDs, and all the incentives exist to actually encourage content publishers to do this.

      If something isn't done about this soon, clearly network effects will result in pretty much every "CD" being DRM-encumbered, containing, as Sony did, software that actively damages the configuration of the systems the CD is meant to play upon. However, it would be entirely wrong to hold companies like Sony to account for this. They, after all, are merely trying to make money. It is entirely right that they should do so by taking advantage of ignorance to encourage people to do things that are entirely not in their best interest. If businesses were not able to do this, if businesses had incentives to make money when honest, then freedom itself would be at risk. Liberty would be in peril.

      What kind of "choice" is it where you do not need to be a technology geek to decide whether or not to buy a "CD" of music? What kind of "freedom" does one have if every vendor of cellular service is telling the truth about their talk plan prices? How are we free if we do not, in practice even if we rarely do, have to hire a lawyer before taking a job or even installing software? Can we be described as supportive of liberty when a shop cannot put a price label on an item that actually reflects the retail price minus some "mail in rebate" the customer might not even qualify for, and if they do, might not get anyway?

      Those who defend the intervention of government into these matters ignore market forces. Just as, say, if people like purple cars, the market will eventually end up producing purple cars, so it follows that what we're seeing here is market forces. People, through their unwillingness to spend every waking moment researching every aspect of the products they buy before they buy them, refusing to visit factories to determine environmental and employment issues, refusing to educate themselves about 14 bit 44.1KHz encoding, refusing to examine the contracts of the artists who produced the works, refusing to understand the lower level Win32 APIs and the registry, refusing to even design proxy-device drivers to understand these basic concepts, demonstrate that they want ignorance, and they consider being taken advantage of, being fooled, as actually a thing of value. We cannot have honesty in business when the market wants dishonesty.

      But, no, there are those who want to smother consumers in regulation and red-tape. They want to prevent consumers from getting the products and services they deserve. And why? Because the more dishonest the market becomes, the more they scream and think something needs to be done.

      This quagmire of people complaining about the market when the market is actually providing them with what they asked for will not disappear by itself. Resources need to be devoted, and unless people are prepared to actually act, not just talk about it on Slashdot, nothing will ever get done. Apathy is not an option.

      You can help by getting off your rear and writing to your congressman [house.gov] or senator [senate.gov]. Tell them that the market is important to you. Tell them that you appreciate the work being done by Sony, Steam, Kevin Jones Staples and Off

    • by nick8325 (825464) on Monday November 07 2005, @10:20AM (#13969502)
      The rootkit installs a driver. In Windows (as in Linux and Mac OS X), lots of drivers (but not all) run in kernel mode. In particular, this one does. There is nothing to stop code running in kernel mode from doing anything it likes with the machine - it is running with the highest possible privileges.

      In this case, the rootkit patches the system call table, so that calls to functions to look at directory contents are intercepted by the driver, which just pretends that no files starting with $sys$ exist.

      There is nothing that Windows can do to stop drivers from doing this while they run in kernel mode. It can make it harder to do, though - I think the 64-bit versions of Windows check the system call table and blue screen if they find it's been changed. To get around that, the driver would either have to take over from Windows completely (not too practical) or find the code that checked the system call table and patch it.

      Of course, you do need to have the right privileges to install a driver in order to install this rootkit. Usually, that means being an administrator.
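An added example (not part of nick8325's comment): a user-space Python model of the two checks that follow from the description above, comparing a dispatch table against a trusted snapshot and diffing a trusted directory view against what the patched entry returns. `DispatchTable`, `cloaked_listdir` and the file names other than `$sys$DRMServer.exe` are hypothetical; a real check would take its trusted view from a raw filesystem parse, not from `os.listdir`.

```python
"""Model of a patched call table and two ways to notice it (user space only)."""
import os
import tempfile

HIDE_PREFIX = "$sys$"  # prefix named in the comment above


def real_listdir(path):
    """Unfiltered directory view; stands in for a raw on-disk parse."""
    return sorted(os.listdir(path))


def cloaked_listdir(path):
    """Model of the intercepted call: same result minus cloaked names."""
    return [n for n in real_listdir(path) if not n.startswith(HIDE_PREFIX)]


class DispatchTable:
    """Maps call names to handlers and keeps a snapshot from a trusted state."""

    def __init__(self, handlers):
        self.handlers = dict(handlers)
        self.baseline = dict(handlers)  # taken before anything else is loaded

    def patch(self, name, handler):
        self.handlers[name] = handler

    def call(self, name, *args):
        return self.handlers[name](*args)

    def modified_entries(self):
        """Integrity check: entries that no longer point at the baseline."""
        return sorted(n for n, h in self.handlers.items()
                      if self.baseline.get(n) is not h)


def cross_view_hidden(table, path, trusted_view):
    """Names the trusted view sees but the table's directory call omits."""
    return sorted(set(trusted_view(path)) - set(table.call("list_directory", path)))


def demo():
    """Run both checks before and after the table entry is replaced."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample directory.
        for name in ("track01.wav", "$sys$DRMServer.exe", "$sys$notes.txt"):
            open(os.path.join(d, name), "w").close()
        table = DispatchTable({"list_directory": real_listdir, "open_file": open})
        before = {"modified": table.modified_entries(),
                  "hidden": cross_view_hidden(table, d, real_listdir)}
        table.patch("list_directory", cloaked_listdir)
        after = {"modified": table.modified_entries(),
                 "hidden": cross_view_hidden(table, d, real_listdir)}
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```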