
Sony Rootkit Phones Home 494

strider44 writes "Mark from Sysinternals has dug a little deeper into the Sony DRM and discovered it phones home with an ID for the CD being listened to. XCP Support claims that 'The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.' Also on this topic, Matt Nikki in the comments section discovered that the DRM can be bypassed simply by renaming your favourite ripping program with "$sys$" at the start of the filename and ripping the CD using this file, which is now undetectable even by the Sony DRM. You can use the Sony rootkit itself to bypass their own DRM!" Update: 11/07 14:21 GMT by H: Attentive reader Matteo G.P. Flora also notes that an Italian lawyer has filed suit against Sony on behalf of the Italian equivalent of the EFF. Translation available through the hive mind. Update: 11/07 15:18 GMT by H: It does appear that in fact Sony does see through the $sys$ - see Muzzy's comment for more details.
  • by Anonymous Coward on Monday November 07, 2005 @10:13AM (#13969059)
    CDex 1.51 had no issues ripping this CD.
  • by slashnutt ( 807047 ) on Monday November 07, 2005 @10:15AM (#13969068) Journal
    The Register [theregister.co.uk]
    World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect.

    ----
    Did you like the placement of the comma?
  • by Bananatree3 ( 872975 ) * on Monday November 07, 2005 @10:15AM (#13969070)
    Mark has also just posted how First 4 Internet, the creators of the rootkit, have made a rebuttal to Mark's claims: http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html [sysinternals.com]
  • Re:Uh Oh (Score:5, Informative)

    by SatanicPuppy ( 611928 ) <Satanicpuppy@gma ... minus herbivore> on Monday November 07, 2005 @10:21AM (#13969098) Journal
    Heh. But you're circumventing their copy protection using their invasive DRM package. So aren't they to blame for the circumvention? They wrote the code, after all, and adding "$sys$" to a filename is as trivial as holding down the shift key, and the shift key lawsuit was thrown out of court. If only someone else could sue them...

    I think Blizzard in particular has a good case against them, since their crazy DRM is being used to circumvent some of Blizz' anti-cheating measures.
  • by muzzy ( 164903 ) on Monday November 07, 2005 @10:26AM (#13969137) Homepage Journal

    Just my luck, when I make it to Slashdot it's something I've analyzed wrong. I tested renaming my ripping software to begin with $sys$ and it ripped it fine, but apparently something else was the deciding factor. I can't reproduce that effect!

    There's definitely something fishy going on, however, with two magic lists in the DRM system (one in installer, one in $sys$DRMServer.exe), and the drmserver scans running processes and open windows, testing them against those lists. So far I haven't figured what it does when it finds a match. The code is written in C++ and although I've found the function call, it's virtual and I need to figure which vtable is being used and it's bitchy without a debugger. I'm not going to run this crap on my development systems, and my test machine doesn't even have net access, too much work to setup debuggers on it just yet :(

    Anyway, the lists for everyone to see:
    http://hack.fi/~muzzy/sony-drm-magic-list.txt [hack.fi]
    http://hack.fi/~muzzy/sony-drm-magic-list-2.txt [hack.fi]
    The first one is from installer, the second from drmserver

  • by tradjik ( 862898 ) on Monday November 07, 2005 @10:27AM (#13969146)
    As posted previously on another SONY DRM/rootkit article, here is a google search through Amazon listing the DRM'ed CDs:
    http://www.google.com/search?q=sony+site:amazon.com+intitle:%22%5BCONTENT/COPY-PROTECTED+CD%5D%22&num=100/ [google.com]
  • by xtracto ( 837672 ) on Monday November 07, 2005 @10:28AM (#13969152) Journal
    SysInternal's Mark Russinovich has posted a new entry about Sony's XCP DRM technology. [sysinternals.com]

    According to his post, it seems Sony's fix "patch" makes a little "contact home", contacting Sony servers. This even though Sony claims that their software didn't make contact with them.

    Slashdot covered previously [slashdot.org] the initial XCP rootkit story.

    The inquirer [theinquirer.net] has an interesting article on the Sony DRM technology overall.

    And it seems the community has found several alternate uses for the XCP technology, which include hiding game cheating software [theregister.co.uk] and even bypassing DRM technology [sysinternals.com]
  • by Frankie70 ( 803801 ) on Monday November 07, 2005 @10:37AM (#13969209)

    I've always been under the impression that Japanese companies (or those largely held by) were a bit more ethical than their American counterparts. Sony has proven to me that my impression was completely in error.


    http://www.sonybmg.com/management.html [sonybmg.com]

    2 Americans, 1 Australian & 1 European.
  • Re:NO you are WRONG (Score:1, Informative)

    by Anonymous Coward on Monday November 07, 2005 @10:38AM (#13969220)
    What DRM? No autoplay, no EULA, no DRM.
  • by meringuoid ( 568297 ) on Monday November 07, 2005 @10:44AM (#13969268)
    If it installs this rootkit through autorun when you put the CD into your Windows machine, how is this any different from a worm? Just because it isn't spread through the internet doesn't change the fact that it is a virus.

    It doesn't automatically self-propagate, so it isn't a worm. Nor does it infect files and piggyback on them to infect other machines; it isn't a virus. This particular piece of malware comes attached to something the user wants (i.e. a music CD) without his knowledge, and proceeds to infect his machine, but makes no attempts to spread itself to other machines. That makes it a trojan.

  • by Anonymous Coward on Monday November 07, 2005 @10:56AM (#13969328)
    Don't get your panties in a wad, genius. The LAME string exists because that is one of the pirate programs that the DRM software specifically looks for. Simply having the string in your program doesn't make it a LGPL violation. That would be LAME.

    Duh.
  • by RandoX ( 828285 ) on Monday November 07, 2005 @10:57AM (#13969340)
    I did some looking and found the EULA [sysinternals.com] online. To answer my own question, it doesn't seem to mention the "phoning home".
  • by muzzy ( 164903 ) on Monday November 07, 2005 @10:58AM (#13969343) Homepage Journal
    It would've indeed been super funny. However, the rootkit is made so that processes starting with $sys$ can see all files and processes that begin with $sys$ ... Try it with task manager, command prompt, or even explorer.exe (just kill the already running instance first)

    Something else let me rip the track the first time, so the DRM system probably bugs. Every other time I tried, that trick didn't work. I'll know more when I've finished analyzing the rootkit, but it's taking time...
  • by jacksonj04 ( 800021 ) <nick@nickjackson.me> on Monday November 07, 2005 @11:00AM (#13969364) Homepage
    But the fact still remains, CDs which have the "Compact Disc Digital Audio" mark on them cannot include DRM as it is against the CD spec. I agree that not showing software may be installed is a bad idea if not actually illegal (I haven't seen a CD in question so I don't know if it has a "This CD may install software" notice), but if you buy a "Compact Disc Digital Audio" marked CD which then installs something it is in fact false advertising, and IIRC the CD mark is quite strictly enforced.
  • by muzzy ( 164903 ) on Monday November 07, 2005 @11:08AM (#13969409) Homepage Journal
    Go and check it yourself, and compare to lame sources. The data from tables.c is included in the executable in identical form (several large tables), also all the version strings are included, which the DRM system doesn't check.

    The data is there, the big question is if it was linked accidentally, or if it actually uses LAME code as well.
  • by zootm ( 850416 ) on Monday November 07, 2005 @11:17AM (#13969484)

    The way I heard it, it sounded like it was copying itself from the CD to the machine without the user's consent. I assumed this would be called a virus as it is replicating itself. Maybe Trend Micro's quiz didn't educate me very well

    Nah, viruses copy themselves, this one is installed by another part of the software when the CD is inserted, then does not copy itself. The difference is subtle, though. "Trojan" is very accurate.

  • by nick8325 ( 825464 ) on Monday November 07, 2005 @11:20AM (#13969502)
    The rootkit installs a driver. In Windows (as in Linux and Mac OS X), lots of drivers (but not all) run in kernel mode. In particular, this one does. There is nothing to stop code running in kernel mode from doing anything it likes with the machine - it is running with the highest possible privileges.

    In this case, the rootkit patches the system call table, so that calls to functions to look at directory contents are intercepted by the driver, which just pretends that no files starting with $sys$ exist.

    There is nothing that Windows can do to stop drivers from doing this while they run in kernel mode. It can make it harder to do, though - I think the 64-bit versions of Windows check the system call table and blue screen if they find it's been changed. To get around that, the driver would either have to take over from Windows completely (not too practical) or find the code that checked the system call table and patch it.

    Of course, you do need to have the right privileges to install a driver in order to install this rootkit. Usually, that means being an administrator.
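The two comments above (muzzy's note that "$sys$" processes are exempt from the cloaking, and nick8325's description of the hooked directory enumeration) describe one filter rule. The following is an added example, not code from the thread, from Sysinternals or from First 4 Internet: it models that rule in Python and runs the cross-view check a rootkit detector performs, comparing what the hooked API returns against an unfiltered view. The file and process names (other than $sys$DRMServer.exe, which the thread mentions) are constructed sample data, and the unfiltered lists stand in for a raw view that on a real machine would have to come from a source the hook cannot filter, such as reading the volume from another OS. Case-insensitive prefix matching is an assumption made because Windows file names are case-insensitive.

```python
"""Model of the "$sys$" cloaking rule and a cross-view check against it.

Added example, not code from the thread or from any vendor.  It models the
behaviour the comments describe: a kernel hook filters directory listings
and process lists, dropping every name that starts with "$sys$" unless the
calling process is itself named "$sys$...".  The "raw" lists are constructed
sample data standing in for an unfiltered view of the disk.
"""
from __future__ import annotations

CLOAK_PREFIX = "$sys$"

# Constructed sample data (not captured from a real system).  The only name
# taken from the thread is $sys$DRMServer.exe; the others are made up.
RAW_FILES = ["notepad.exe", "$sys$DRMServer.exe", "$sys$cache.bin", "readme.txt"]
RAW_PROCESSES = ["explorer.exe", "taskmgr.exe", "$sys$DRMServer.exe", "$sys$cdex.exe"]


def is_cloaked_name(name: str) -> bool:
    """True if the hook would hide this name from an ordinary process.

    Case-insensitive matching is an assumption of this model.
    """
    return name.casefold().startswith(CLOAK_PREFIX)


def hooked_view(entries: list[str], caller_image: str) -> list[str]:
    """What the hooked enumeration API returns to a process named caller_image.

    A caller whose own image name starts with "$sys$" is exempt from the
    filter, which is why the DRM's own processes still see each other.
    """
    if is_cloaked_name(caller_image):
        return list(entries)
    return [e for e in entries if not is_cloaked_name(e)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Cross-view detection: names in the raw view that the API view lacks.

    Anything listed here is being hidden from the caller by something between
    the API and the disk; on a clean system the difference is empty.
    """
    api_names = {e.casefold() for e in api_view}
    return sorted(e for e in raw_view if e.casefold() not in api_names)


def can_see(observer_image: str, target_name: str) -> bool:
    """Whether a process named observer_image sees target_name in a listing."""
    return target_name in hooked_view([target_name], observer_image)


def rename_trick_hides_from_drm(ripper_image: str,
                                drm_image: str = "$sys$DRMServer.exe") -> bool:
    """The "$sys$" rename trick from the story, checked against the model.

    Renaming the ripper hides it from Task Manager, but the DRM server is
    itself a "$sys$" process and so is exempt from the filter.  Returns True
    only if the DRM process would lose sight of the renamed ripper.
    """
    return not can_see(drm_image, ripper_image)


if __name__ == "__main__":
    user_view = hooked_view(RAW_FILES, "explorer.exe")
    print("explorer.exe sees:", user_view)
    print("hidden from explorer.exe:", cross_view_diff(user_view, RAW_FILES))
    print("taskmgr.exe sees $sys$cdex.exe:", can_see("taskmgr.exe", "$sys$cdex.exe"))
    print("$sys$DRMServer.exe sees $sys$cdex.exe:",
          can_see("$sys$DRMServer.exe", "$sys$cdex.exe"))
    print("rename trick hides ripper from DRM:", rename_trick_hides_from_drm("$sys$cdex.exe"))
```

The last line of output is the point of the second story update: a "$sys$cdex.exe" disappears from Task Manager, but the process that scans for rippers is itself a "$sys$" process, so the filter never applied to it.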
  • by cortana ( 588495 ) <sam@robo t s .org.uk> on Monday November 07, 2005 @11:34AM (#13969604) Homepage
    The fix is to upgrade to amd64. I believe Windows on amd64 does not allow patching of the kernel function call table (#include correct technobabble here).
  • by hey! ( 33014 ) on Monday November 07, 2005 @11:42AM (#13969664) Homepage Journal
    Well, this is the same argument SCO made about, was it errnos.h or some such?

    Copyright covers expression, not data or collections of data.
  • by muzzy ( 164903 ) on Monday November 07, 2005 @11:43AM (#13969670) Homepage Journal
    Sorry, no bonus. The Van Zant CD with the rootkit has a CDDA logo. It's a multisession CD with real audio tracks with malware on a data track. Plus apparently one extra data track without filesystem, no idea what that is, shows up in my ripper.

    On the front cover, no notice of protection. On the side, no notice. On the back, facing towards front, on left side of the cover (you know), there's "Content enhanced & Protected" text. On the reverse side, it says "Certain computers may not be able to access the digital file portion of this disc. Use subject to applicable end user license agreement". It says it needs a Mac or PC with Windows, Pentium II, IE5, DirectX 9, 128M RAM. Says that ripping with Windows Media Player 9.0 works, and is compatible with Windows Media portable devices and Sony Walkmans.

    So, yea, it pretends to be a CD. I don't know the standards to know if this is really a valid audio cd since it's multisession. It's definitely about trying to screw the consumer, though, since it tries to break the cd playback ability of the computer with the malware it ships with, under guise of "DRM".
  • by Richard_J_N ( 631241 ) on Monday November 07, 2005 @11:48AM (#13969706)
    An alternative to VMWARE is the excellent, and free QEMU.
  • purchase != contract (Score:4, Informative)

    by Anonymous Coward on Monday November 07, 2005 @12:07PM (#13969867)
    Ripping this CD is both illegal and wrong; if you bought this CD, you entered into a contract with Sony

    Breaching a contract may be illegal, but buying a product is not the same thing as entering into a contract. Not even implicitly. It never has been.

    The whole EULA thing has thrown some mud into the water, but the distinction remains...you don't enter into the contract until you click "accept"...simply buying the product does not automatically accept the EULA.

    With CD's, there isn't even an EULA, hence no contract. Their content is protected under copyright law alone...which is quite a different thing from a contract (and includes clauses which may allow for personal backups).

    Also, whether or not ripping it is wrong is not so finally decided. Morality tends to be a bit relative, and obviously some people have different opinions on the matter than you do.

  • by paulthomas ( 685756 ) on Monday November 07, 2005 @12:12PM (#13969895) Journal
    I purchased the 2 Fast, 2 Furious soundtrack from Barnes & Noble several years ago to see what the Digital Restrictions were like.

    If it were only the sound that offended me, I would have simply thrown away the disc after my experiment (and trust me, this is by far the worst movie soundtrack I've ever encountered). However, I had problems actually listening to the disc.

    I took the CD back to Barnes & Noble and explained the problem. They offered to exchange my opened disc for the same title. I then proceeded to explain that all discs in the lot were defective and that it was intentionally crippled by BMI (if I recall correctly). After less than 7 minutes talking to management, I left the store with cash in hand for my returned, defective disc.

    Sometimes returning things is not easy, but if you can make the case that you were sold defective goods, any sane manager will accept the return. Your assertion is only true if you take the initial answer they give you.
  • by MemeRot ( 80975 ) on Monday November 07, 2005 @12:21PM (#13969977) Homepage Journal
    Why don't you people bother to read the article? It's a very interesting article and goes into a lot of detail both on what the technical side is, as well as frustration with Sony's poor support. From TFA:

    There's more to the story than rootkits, however, and that's where I think Sony is missing the point. As I've pointed out in press interviews related to the post, the EULA does not disclose the software's use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.

    The EULA also makes no reference to any "phone home" behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony's site and sends the site an ID associated with the CD.


    See? Not advertised in the EULA. So how are you supposed to know about it? It's one thing when it's hidden at the bottom of the EULA in small type - it's something else when it is omitted from the EULA altogether. The comments in the article also detail problems several people had with the software - like a gamer with a 64-bit system who had his CD/DVD drive 'disappear' after installing this software - a piece of software with NO uninstall utility. All you get from Sony is a patch that removes the hiding of $sys$ files - they so far have refused to provide an uninstall utility for the software itself.
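The quoted passage turns on a factual question: does the player's "banner" request carry anything that identifies the disc? The added example below (not code from the thread, from Sysinternals or from Sony) shows the check a practitioner would run to settle it: capture the outbound HTTP request while playing two different discs and report every query parameter or header whose value changes with the disc. A field that tracks the disc is an identifier being sent, whatever the direction of the connection. The host, path, parameter names and request text are all constructed for the example; the page does not give the real URL.

```python
"""Differential check of a player's outbound requests across two discs.

Added example, not from the thread or from any vendor.  Two constructed
HTTP requests stand in for captures taken while playing two different CDs;
the code reports which parts of the request vary with the disc.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlsplit

# Constructed captures: hypothetical host, path and parameter names.
CAPTURED_REQUESTS = {
    "disc A": (
        "GET /banner.cgi?cd=1234567890&player=1.0 HTTP/1.1\r\n"
        "Host: connected.example.com\r\n"
        "User-Agent: ExamplePlayer/1.0\r\n"
        "\r\n"
    ),
    "disc B": (
        "GET /banner.cgi?cd=0987654321&player=1.0 HTTP/1.1\r\n"
        "Host: connected.example.com\r\n"
        "User-Agent: ExamplePlayer/1.0\r\n"
        "\r\n"
    ),
}


def parse_http_request(raw: str) -> dict:
    """Parse the request line and headers of a plain-text HTTP/1.x request.

    Returns method, path, query parameters, lower-cased header names and any
    body.  Accepts CRLF or LF line endings.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "body": body,
    }


def fields_varying_with_disc(requests_by_disc: dict[str, str]) -> dict[str, dict[str, str]]:
    """Query parameters and headers whose value differs between discs.

    Maps "query:<name>" or "header:<name>" to {disc: value}.  Fields that are
    constant across discs (player version, Host, User-Agent) are dropped,
    since a constant cannot identify the disc.  A field present in only some
    requests is reported too, because its presence itself varies.
    """
    parsed = {disc: parse_http_request(raw) for disc, raw in requests_by_disc.items()}
    observed: dict[str, dict[str, str]] = {}
    for disc, req in parsed.items():
        for name, value in req["query"].items():
            observed.setdefault(f"query:{name}", {})[disc] = value
        for name, value in req["headers"].items():
            observed.setdefault(f"header:{name}", {})[disc] = value
    return {
        field: values
        for field, values in observed.items()
        if len(set(values.values())) > 1 or len(values) < len(parsed)
    }


def sends_disc_identifier(requests_by_disc: dict[str, str]) -> bool:
    """True if any part of the request changes with the disc being played."""
    return bool(fields_varying_with_disc(requests_by_disc))


if __name__ == "__main__":
    for field, values in fields_varying_with_disc(CAPTURED_REQUESTS).items():
        print(f"{field} varies with disc: {values}")
    print("sends a disc identifier:", sends_disc_identifier(CAPTURED_REQUESTS))
```

With real captures the same comparison extends to more discs and to the request body; the claim "no information is fed back" only holds if the output is empty.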
  • by Anonymous Coward on Monday November 07, 2005 @12:24PM (#13970000)
    I think it would be great to see something like this.

    I was running Symantec Antivirus 10.0 Corporate and had the client installed on my gaming box. Afterwards I tried to load up both GameSpy3D and GameSpy Arcade. Of course the antivirus software detects both of them as adware, and removes the entire program. OK, I think, maybe I will try to add it to my ignore list. So I do this, and with GameSpy3D it still completely removes the program, and with Arcade it keeps removing my profile. I have no idea why it detects these programs as adware.. granted they can have ads, but I have the registered copy which has ads disabled. Nevertheless, I quickly reverted back to Symantec 9.0.

    If you see crap like this in spyware definitions, there is no reason why Sony's rootkit shouldn't be in there either.
  • by jtev ( 133871 ) on Monday November 07, 2005 @12:26PM (#13970025) Journal
    It's called Red Book. It's a different "file" system than ISO 9660. It is standard, but it's not rippable as an ISO image.
  • by muzzy ( 164903 ) on Monday November 07, 2005 @12:48PM (#13970183) Homepage Journal
    Heh, it's OK. I should've nuked the first comment the very moment I realized it was wrong, not after getting submitted to slashdot. I didn't realize I could do that since I only created blogger.com account to post to Mark's blog and was totally unaware of any features it had :o

    Oh well, all publicity is good publicity, even if it makes me look like a jerk for a day :)
  • by MemeRot ( 80975 ) on Monday November 07, 2005 @12:51PM (#13970208) Homepage Journal
    One of the comments on the sysinternals story was from someone with a 64-bit system. He said the next time he rebooted, after installing this program his cd and dvd drives were not visible in Windows. He did admit that it was very effective copy protection, but wasn't very pleased that his gaming system had no usable optical drives.

    NOT GOOD FOR 64bit USERS, October 9, 2005
    Reviewer: tvideo (NJ, USA) - See all my reviews
    Since, I don't care about stealing any music, the "Copy Protected" warning didn't bother me in the least. I am a Hardcore gamer I have a high end 64bit PC running Windows XP Pro. The CD claims it is compatible with Windows XP, it does NOT specify which versions so I assumed I was OK.

    I installed this CD and I was forced to accept some agreement and then it installed some lousy music player. Everything seemed fine until next time I rebooted my PC both my DVD and CD drives had literally disappeared! That's right this so-called copy protection destroyed access to my drives!!! The copy protection REALLY works great they just disable all your CD/DVD drives so you can't use them with ANY discs anymore - UNBELIEVABLE!!!
  • Re:I wonder...NOT (Score:3, Informative)

    by TheRaven64 ( 641858 ) on Monday November 07, 2005 @02:31PM (#13971465) Journal
    It is possible to create a kernel module that intercepts system calls on OS X. Any admin user can install a kernel module - and most users are accustomed to entering their password when installing.

    Another approach would be to install hooks into the API functions for playing a CD and browsing the filesystem above the kernel level. This would be easier to detect (simply invoke the system calls directly, rather than via a userspace API), but probably as effective.

    You could probably persuade users to run the software by putting an HFS+ session on the disk first so iTunes wouldn't see it as an audio CD, and putting the application on this session with the same icon as Finder uses for CDDA tracks - or simply use the auto-install feature (which would prompt the user for confirmation, but how many people would click no?)

  • by Anonymous Coward on Monday November 07, 2005 @03:39PM (#13972258)
    It is rip-able (see cdrdao), but it isn't a file system. It's a standard for laying out audio tracks on a CD. It encapsulates a single session, with up to 99 audio tracks, no data tracks and a table of contents at the end. No CD-TEXT or weird stuff in the subchannels, no track start/stop times that overlap, and no hidden data in the lead-in.

    In any case, the CDs are not Red Book. They are Yellow Book (data track + audio tracks).

    And for the record:
    Red = Audio Only
    Yellow = Data + Audio tracks (data tracks are specifically covered by ISO 9660)
    Orange = Yellow book with CD-R and CD-RW provisions (this is the format of most burned CDs)
    Blue = CD-G/Enhanced CD. Multisession with audio in one session and data in the second session. Appears as strict Red Book to audio-only players, and as strict Yellow Book to computers that can't understand multiple sessions.
    Green/White book = CD-i and video CD (XA mode 2 with MPEG-1 encoded in raw sectors on the CD). Precursor to DVD-Video.
    Beige = Kodak Photo CD (!)
  • Tell Sony here .. (Score:2, Informative)

    by AceyMan ( 199978 ) on Monday November 07, 2005 @03:54PM (#13972415)
    Web-form for comments to Sony Music is here ->

    http://www.sonymusic.com/about/feedback.cgi [sonymusic.com]

    Also the snail mail address is given as well:

    Sony Music Online Services
    550 Madison Ave, 24th Fl
    New York, NY 10022-3211

    Let's put the /. effect to good use!
  • Re:No information (Score:2, Informative)

    by sqlrob ( 173498 ) on Monday November 07, 2005 @03:55PM (#13972423)
    Because it sends the identifier of the CD in the HTTP request. RTFA

  • by droptone ( 798379 ) <droptone@@@gmail...com> on Monday November 07, 2005 @05:32PM (#13973438)
    A collected listing from that link (If you see a band/group/artist you like, be sure to try to contact them and inform them of what is going on with THEIR music!):

    A Static Lullaby - Faso Latido
    Acceptance - Phantoms
    Amerie - Touch
    Bob Brookmeyer - Bob Brookmeyer & Friends [Remastered]
    Buddy Jewell - Times Like These
    Celine Dion - On Ne Change Pas
    Chayanne - Cautivo
    Chris Botti - To Love Again
    David Gray - Life In Slow Motion
    Dexter Gordon - Manhattan Symphonie
    Dion - The Essential Dion
    Elkland - Golden
    Emma Roberts - Unfabulous And More: Emma Roberts
    George Jones - My Very Special Guests
    Gerry Mulligan - Jeru
    Goapele - Change It All
    Horace Silver - Silver's Blue
    Kasabian - Kasabian
    Kings of Leon - Aha Shake Heartbreak
    Life of Agony - Broken Valley
    My Morning Jacket - Z
    Natasha Bedingfield - Unwritten
    Neil Diamond - 12 Songs
    Our Lady Peace - Healthy In Paranoid Times
    Pete Seeger - The Essential Pete Seeger
    Ricky Martin - Life
    Sarah McLachlan - Bloom Remix Album
    Shelly Fairchild - Ride
    Susie Suh - Susie Suh
    Switchfoot - Nothing Is Sound
    The Bad Plus - Suspicious Activity
    The Coral - The Invisible Invasion
    The Dead 60s - The Dead 60s
    VA - Elizabethtown OST
    Van Zant - Get Right with the Man
  • Re:NO you are WRONG (Score:3, Informative)

    by Simon Garlick ( 104721 ) on Monday November 07, 2005 @07:14PM (#13974558)
    I believe you meant "using Itunes to copy a CD is technically illegal in Australia". Murder is illegal in Australia, but that doesn't mean knives are illegal.
