
BioShock Installs a Rootkit

An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"
  • Demos and protection (Score:5, Informative)

    by arth1 ( 260657 ) on Friday August 24, 2007 @08:39PM (#20349765) Homepage Journal
    Demos require protection since the day that someone found out that if they hacked the demo and compared it to the original, they could simply replace some parts of the original from the same parts of the demo and have a free-for-all.

    (That doesn't mean that I endorse Sony's approach here -- far from it)

    HTH, HAND
  • Not QUITE a rootkit (Score:5, Informative)

    by Robotech_Master ( 14247 ) on Friday August 24, 2007 @08:42PM (#20349791) Homepage Journal
    If you RTFA, or specifically its comments, you find that it's not technically a rootkit that it installs, it's just a registry directory that contains a * and so a rootkit detector tags it. It's just a very hard to remove registry directory, and not necessarily an actual rootkit qua rootkit.
  • Re:Yet another game (Score:5, Informative)

    by sodul ( 833177 ) on Friday August 24, 2007 @08:42PM (#20349797) Homepage

    So does that mean I'll have to get the cracked version from BitTorrent in order to NOT infect my machine ?

    It is very sad that the underground world is nicer than the official one. It's Demolition Man [wikipedia.org] all over again.

  • Re:Oh great (Score:5, Informative)

    by click2005 ( 921437 ) on Friday August 24, 2007 @08:42PM (#20349799)
    From the author's comments...

    I don't care if it is one or not. My point of this article is that the SecuROM service doesn't need to be included in the demo if we don't have to activate it.

    Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google.
  • by g051051 ( 71145 ) on Friday August 24, 2007 @08:44PM (#20349813)
    The article author seemed to base his conclusion on the fact that the SecureROM software installs a registry key that can't be deleted by normal means. This pops up on the Microsoft Rootkit Revealer (since that's a technique used by rootkits as well.) That's like saying that because rootkits use Windows APIs, any program that uses a Windows API is a rootkit.

    As for why it's in the demo, modern copy protection is embedded throughout games. It's too difficult to remove the protection just for a demo that contains so much of the full game engine.
  • by darkhitman ( 939662 ) on Friday August 24, 2007 @08:45PM (#20349831)
    Pretty sure it's a common slang phrase -- the situation is just 'begging' for a question to be asked - in this case "Since when did demos need copy protection?".
  • Not a real rootkit (Score:3, Informative)

    by jfroot ( 455025 ) <darmok@tanagra.ca> on Friday August 24, 2007 @08:46PM (#20349835) Homepage
    The author himself has said that he is only calling it a rootkit for SEO reasons.

    From the comments:

    "Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google."

    Although I believe this is nastyware.. It surely does not meet the definition of rootkit [wikipedia.org].
  • Not a rootkit (Score:5, Informative)

    by Torodung ( 31985 ) on Friday August 24, 2007 @08:58PM (#20349927) Journal
    The reason for the !CAUTION! key is to keep an ignorant user from wiping out his key tokens in the SecuROM subkey. That's why there's an "!" at the beginning; it sorts first in the subkey. So if a user stupidly tries to delete the entire SecuROM key (not realizing that it's his DRM) while his game is installed, or even after he's uninstalled, the first subkey it attempts to delete will be the !CAUTION! key and Windows will abort.

    Thus it is a poor way to keep stupid users from trashing their DRM, not a rootkit.

    The reason it shows up in "Rootkit Revealer" is because true rootkits use the embedded null tactic to keep users from deleting keys registering malware dll's, startup settings, etc. That way, the user has no way to deregister the malware or stop its launch.

    However, the Rootkit Revealer does not simply point out rootkits. It's not that simple. RR points out suspicious methods and/or hidden files, and requires the user to analyze whether those methods and files indicate an actual piece of malware.

    Clearly, a key that simply warns you not to delete other keys is not malware.

    It is annoying, however, and the only way to get rid of a key with embedded nulls is with DelRegNull. I didn't like that one bit.

    My key was added with the install of Neverwinter Nights 2, however, which also uses SecuROM. This key has been around for a while, folks. Someone is crying "rootkit," when really all it is is a sloppy hack to keep users from eliminating their SecuROM keys.

    What's really annoying about this method is that the malformed key is not removed when you uninstall the software that requires it. SecuROM also drops a few malformed files in the directory %userprofile%\Application Data\SecuROM\UserData. They won't delete either, because they are key files which the folks at Sony have deemed MUST NEVER be deleted. Great. The only way I could manage to clean out those was by mounting the partition with NTFS-3g and issuing an rm *.*. Otherwise, another hack keeps Windows from moving the key files, probably because if you could copy them, you could run a game on any machine with the keys.

    This is definitely more arrogance, and completely annoying, but certainly not a rootkit. I would love to hear what the suits at Sony have to say about their crapware. I expect nothing less than a true SecuROM removal kit, since it doesn't get removed on uninstall.

    --
    Toro
  • Re:Yet another game (Score:5, Informative)

    by stg ( 43177 ) on Friday August 24, 2007 @08:59PM (#20349931) Homepage
    AFAIK, the Steam version really comes with Securom. I bought and pre-loaded it as a pre-release, and after the regular Steam decryption (and also regular re-downloading of content - EVERY single game I pre-loaded through Steam always had to download more stuff on release!), it needs to activate. The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.

    BTW, the graphics are very impressive and the atmosphere too, but from the first few levels it seemed good but not all that revolutionary as I kept hearing it was...

    As others mention and the FA clearly says, it's not a rootkit, just a regular service. This is a case where I wouldn't mind someone being sued for libel - they really deserve it.
  • by Saint Stephen ( 19450 ) on Friday August 24, 2007 @09:01PM (#20349955) Homepage Journal
    I have a laptop with a 7900gs, the thing burns disks. Thank god securerom doesn't think my machine is evil enough to install the DRM service. I don't mind having the unremovable keys and files on my PC as long as i'm playing the game.

    By the way, there's an easier way to delete the files under appdata.

    Type "at /next 9:02pm c:\windows\system32\cmd.exe /interactive" after looking at the clock and seeing it's 9:01am. Wait until 9:02 and you'll get a dos prompt running as the machine account. Go delete your files.
  • by Anonymous Coward on Friday August 24, 2007 @09:09PM (#20350023)
    to --> too
  • Re:True Story... (Score:2, Informative)

    by ZiakII ( 829432 ) on Friday August 24, 2007 @09:12PM (#20350039)
    Then you can relax, because it doesn't install a rootkit - the story is false.

    That's not my only reason; you're forgetting the limit on installs. Every time you install the game it sends a message to a server; after 2 of these notices the game doesn't run unless you uninstall it from a computer you had it installed on (this is also in the Steam version). Now that doesn't seem bad at all except, let's say, your hard drive crashes, laptop gets stolen or you just say eh screw it I'm reformatting my computer. Now that is one install (out of 2) completely gone. People are already posting responses from both of the companies handling it. 2k tells you to contact Securom, and Securom tells you to contact 2k. The fact that if I get another computer or my hard drive crashes I have to put up with this is ridiculous. Now what happens if 2k games goes under and the server is no longer there to activate it? They haven't made a comment yet about that either.
  • by Anonymous Coward on Friday August 24, 2007 @09:23PM (#20350137)
    That begs the question, when will language nazis learn that their little standards and rulebooks are fairly meaningless when it comes to the evolution of language?

    We, the people, control the future of our language; not a bunch of nerds who thought English was an easy degree to take in college. I caution Slashdotters not to go down that slippery slope of rote book fascism.

    It's a damned shame, then, that these people get their panties in such a knot over phrases that everyone understands.
  • Re:Oh great (Score:4, Informative)

    by sanosuke76 ( 887630 ) on Friday August 24, 2007 @09:30PM (#20350181) Homepage
    Ok, reading the early comments on this article made me laugh my rear off with how quickly the anti-Sony-fanboys jump to conclusions.

    You guys do realize that Bioshock is NOT a Sony game, right? It's been stated that it won't appear on the PS3 (some .ini files have made folks question this, however the publisher officially denies it... no telling what the reality is, but it's at the bare minimum a timed exclusive for the PC and X360).

    If it's not a Sony game, and it's not even going to be AVAILABLE for the PS3, then who do you think decided to use a rootkit-ish (even if it's not a rootkit) technology? Hint: it wouldn't have been Sony.

    If Sony came up with the technology, and then the other guys decided to license it and use it, does this mean Sony had much to do with it? Nope.

    I am still laughing at how easily the anti-Sony-fanboy types disengage their brains when reading articles, on totally non-Sony, not-even-Sony-friendly titles. At the very most, if Sony's the one that the technology was licensed from, one could complain that Sony is still providing it. But the folks who decided to USE it, i.e. the Bioshock publishers, are the folks you ought to be mad at.
  • by Torodung ( 31985 ) on Friday August 24, 2007 @09:34PM (#20350195) Journal

    Type "at /next 9:02pm c:\windows\system32\cmd.exe /interactive" after looking at the clock and seeing it's 9:01am. Wait until 9:02 and you'll get a dos prompt running as the machine account. Go delete your files.
    Cool, but the correct syntax is:

    at 9:02pm /interactive %systemroot%\system32\cmd.exe
    If running as SYSTEM will delete these files, it is a lot easier than mounting with NTFS-3g. I couldn't test this method because the files are already gone. Thanks for the tip!

    --
    Toro
  • by c0d3g33k ( 102699 ) on Friday August 24, 2007 @09:36PM (#20350213)
    I've been following this matter on the web since the Bioshock release and monitoring Slashdot's Firehose as the story submissions popped in. This particular story submission was one of the worst of the bunch. There are genuine issues with Bioshock's DRM decision to use Securom which will unfortunately be dismissed due to the poor choice of article. Whether or not this is a rootkit, the fact that the game won't run unless a user completely disables or uninstalls legitimate utilities such as antivirus programs or process monitors is enough to make a security conscious user worry.

    References:

    http://consumerist.com/consumer/punishing--the-ones-that-don.t-steal/bioshock-comes-with-nasty-drm-that-sets-off-anti+virus-software-ruins-everyones-day-292841.php [consumerist.com]
    http://forum.sysinternals.com/forum_posts.asp?TID=11000 [sysinternals.com]
  • by AusIV ( 950840 ) on Friday August 24, 2007 @09:36PM (#20350217)
    I agree. This may not have been the original intent that spawned the phrase, but you can't say that people are wrong to put words together in an order that makes sense because those words in that order have been defined to have a different meaning.


    The word "begs" has a definition of "to make a humble or urgent plea." If one is to make a humble or urgent plea for a question, they are begging a question - no matter what other definition people try to claim "begging the question" has.

    If I were to claim "going to the store" had a definition relatively unrelated to that combination of words, it might be acceptable to use that definition, but it's absurd to suggest that people should stop using the phrase "going to the store" in relation to running over to the supermarket.

  • Re:True Story... (Score:5, Informative)

    by Chandon Seldon ( 43083 ) on Friday August 24, 2007 @09:39PM (#20350225) Homepage

    Then you can relax, because it doesn't install a rootkit - the story is false.

    No, it just installs a tool that's specifically intended to subvert an OS security mechanism (non-Admin user accounts). That's not a root kit, but it has a lot of the same security issues.

  • Re:True Story... (Score:5, Informative)

    by XenoPhage ( 242134 ) on Friday August 24, 2007 @09:53PM (#20350289) Homepage
    Ah, interesting.. An article on Blues News [bluesnews.com] refers to this interview [joystiq.com] over at Joystiq where this is stated:

    Given the internets and what they are -- with their tubes and all -- I want to sort of talk about the concerns people have. We take the concerns people have very seriously. There's been some concern like, "What happens if it's three years from now, or ten years from now, when I want to play this game. And, you know, Irrational Games has been hit by a meteor?" We will unset the online activation at some point in the future -- we're not talking about when. If people have concern about that they shouldn't be worried about that. This activation is for the early period of the game when it's really hot and there are people really trying to find ways to play the game without buying it. Of course, there are a lot of people who are legitimately trying to play it. We're not trying to be Draconian, we're trying to find a balance.

    Well, perhaps I will buy the game.. After I see this activation thing being disabled...
  • by Anonymous Coward on Friday August 24, 2007 @10:00PM (#20350331)
    Turns out, there is no Rootkit after all. Trash the article, update, whatever, but this is FUD and I smell lawsuit.
  • by Mr2001 ( 90979 ) on Friday August 24, 2007 @10:18PM (#20350437) Homepage Journal
    If you consider this a privilege-escalation bug, then I assume you've already deleted such programs as "passwd", "chfn", and "man" from your Linux system, right? After all, they run setuid root in order to let non-root users do things that normally only root can do (e.g. writing to the man page cache or the password file).

    Just because you don't have access to the SecuROM source code doesn't mean it necessarily contains any exploitable bugs. It just means you can't be sure. It might very well be as safe as passwd and man.
  • by CryoPenguin ( 242131 ) on Friday August 24, 2007 @10:39PM (#20350553)
    I haven't ever tried to crack copy protection by inserting code from a demo, but I have cracked copy protection without it, and from that experience I don't think having an unprotected demo would help.

    Once you get to the point where you can modify the exe, the hard part of the crack is over. Whatever the protection checks, whether it's some data on the CD or a registry key or some more complex signature of your machine, it's just a branch instruction somewhere and can be NOPed out. Finding the branch is easy too, since you can just run the game with and without whatever it checks for, and see where the execution paths diverge.
    The (marginally) effective part of a copy protection scheme like SecuROM is use of encryption, compression, and self-modifying code, which make it hard to examine or modify the exe. If you have an unprotected demo exe and a protected retail exe, you can't even compare them until after breaking the protection.

    Sure there's the extreme case where the demo and the final version are exactly the same code and differ only in data files, then dropping the whole demo exe into the retail installation would crack it. But as the sibling posters explained, that's rare.
  • by g051051 ( 71145 ) on Friday August 24, 2007 @10:45PM (#20350593)
    The Windows registry allows creating keys that have nulls in them, but the standard tools (such as RegEdit) don't have a way of entering a "binary" value for the name of a key, and the selection mechanism doesn't propagate the nulls to the delete code when you try to remove it. That's why the article references some special software that allows these to be deleted.

    As far as not being able to delete stuff without going into the registry, that's not strictly true. The registry contains pointers and configuration information, not executable code. The trick to removing something is that in addition to deleting the physical files, you also want to remove the associated registry stuff. That's because if something is running, it may not be possible to kill the process it runs in or delete the code. If something is configured in the registry, it can start at boot time before the user gets control (including in safe mode). So, malware can protect itself from removal by making the registry key impossible to delete under normal circumstances.
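The two comments above (Torodung's and g051051's) describe why a key name with an embedded null defeats RegEdit and trips Rootkit Revealer: the kernel treats key names as counted strings, while the Win32 API passes them null-terminated. The script below is an added example, not code from the thread, from Sysinternals or from SecuROM; it parses the KEY_BASIC_INFORMATION record that NtEnumerateKey returns (constructed sample record included), shows what the Win32 layer sees of such a name, and, on Windows only, enumerates an assumed scan root read-only to flag subkeys with embedded nulls.

```python
import ctypes
import struct

# KEY_BASIC_INFORMATION: LastWriteTime (8) | TitleIndex (4) | NameLength (4, bytes) | WCHAR Name[]
NAME_OFFSET = 16
KEY_BASIC_INFORMATION = 0            # KEY_INFORMATION_CLASS value
KEY_READ = 0x20019
OBJ_CASE_INSENSITIVE = 0x40
STATUS_NO_MORE_ENTRIES = 0x8000001A

def parse_key_basic_information(buf: bytes) -> str:
    """Decode the subkey name from a KEY_BASIC_INFORMATION record. The kernel uses counted
    strings, so an embedded U+0000 is preserved here as an ordinary character."""
    if len(buf) < NAME_OFFSET:
        raise ValueError("record shorter than the fixed header")
    name_len = struct.unpack_from("<I", buf, 12)[0]
    raw = buf[NAME_OFFSET:NAME_OFFSET + name_len]
    if len(raw) != name_len:
        raise ValueError("record truncated")
    return raw.decode("utf-16-le")

def build_key_basic_information(name: str) -> bytes:
    """Constructed record (not captured from a real hive) so the parser can be exercised offline."""
    encoded = name.encode("utf-16-le")
    return struct.pack("<qII", 0, 0, len(encoded)) + encoded

def win32_visible_name(name: str) -> str:
    """Win32 registry calls (what RegEdit and reg.exe use) take null-terminated names, so the
    part after the first U+0000 is dropped and a delete aimed at the key never matches it."""
    return name.split("\x00", 1)[0]

def has_embedded_null(name: str) -> bool:
    return "\x00" in name

class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]

class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong), ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)), ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p), ("SecurityQualityOfService", ctypes.c_void_p)]

def scan_subkeys(nt_path: str) -> list:
    """Windows only. List the direct subkeys of an NT-namespace key (e.g. \\Registry\\Machine\\SOFTWARE)
    via NtEnumerateKey and return (name, has_embedded_null) pairs. Read-only: it deletes nothing."""
    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtOpenKey.restype = ntdll.NtEnumerateKey.restype = ctypes.c_long   # NTSTATUS
    name = UNICODE_STRING(len(nt_path) * 2, len(nt_path) * 2 + 2, nt_path)
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                              OBJ_CASE_INSENSITIVE, None, None)
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenKey(ctypes.byref(handle), KEY_READ, ctypes.byref(attrs))
    if status < 0:
        raise OSError(f"NtOpenKey failed: 0x{status & 0xFFFFFFFF:08X}")
    buf, out_len, found, index = ctypes.create_string_buffer(4096), ctypes.c_ulong(), [], 0
    try:
        while True:
            status = ntdll.NtEnumerateKey(handle, index, KEY_BASIC_INFORMATION, buf, len(buf),
                                          ctypes.byref(out_len))
            if (status & 0xFFFFFFFF) == STATUS_NO_MORE_ENTRIES:
                break
            if status < 0:
                raise OSError(f"NtEnumerateKey failed: 0x{status & 0xFFFFFFFF:08X}")
            subkey = parse_key_basic_information(buf.raw[:out_len.value])
            found.append((subkey, has_embedded_null(subkey)))
            index += 1
    finally:
        ntdll.NtClose(handle)
    return found

if __name__ == "__main__":
    # Constructed name in the spirit of the thread's "!CAUTION!" key: a null sits inside the name.
    demo = parse_key_basic_information(build_key_basic_information("!CAUTION!\x00DO NOT DELETE"))
    print(repr(demo), "-> Win32 sees:", repr(win32_visible_name(demo)))
    if hasattr(ctypes, "WinDLL"):
        # Assumed scan root; point it at the hive or subkey you want to audit.
        for subkey, flagged in scan_subkeys(r"\Registry\Machine\SOFTWARE"):
            if flagged:
                print("subkey name with embedded null:", repr(subkey))
```

A flagged name is a finding to investigate, not proof of malware; as the thread notes, a DRM vendor's marker key and a rootkit's persistence key use the same trick.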
  • Re:Oh great (Score:1, Informative)

    by Cornelius the Great ( 555189 ) on Friday August 24, 2007 @10:54PM (#20350645)
    Wow, that's some rant there.

    Anyway, if you even bothered to read the first seven words of the summary, you'd notice that Sony owns SecuROM, the copy protection software that Bioshock uses.
  • Re:Yet another game (Score:0, Informative)

    by MadnessASAP ( 1052274 ) <madnessasap@gmail.com> on Friday August 24, 2007 @11:19PM (#20350817)
    I personally quite like steam, I have a notorious habit of losing install CDs and their related CD keys and steam happily takes care of all of that. Furthermore these other programs that supposedly check and validate games usually do so by installing hidden drivers or disabling all SCSI drives which can cause far more damage than a system that just encrypts the files and won't let you at them unless you can provide it with a password which many people do to their hard drives anyways.

    As for data collection, the only data steam collects is the hardware installed and the games you've purchased which I am just fine with them having, I figure that the worst that could happen is that companies realize that not everyone has $1000 graphic cards in their system and the latest quad-core hyper nano zeon processor and therefore stop making games that rely solely on graphics to sell themselves. The same goes for the purchase information, if it helps them make games that I'm more interested in I'm all for it.

  • More bad news (Score:3, Informative)

    by sqrt(2) ( 786011 ) on Saturday August 25, 2007 @12:02AM (#20351057) Journal
    This "rootkit" stuff--and I know it's not a true rootkit, just some overzealous DRM, it's still bad--isn't the only thing that might put some people off from buying Bioshock. The game requires a video card that supports PS3.0, so that means there's a lot of gamers out there that simply won't be able to run the game, DRM or not. Over 40% of Steam users from Valve's hardware survey are not capable of running Bioshock. This article from arstechnica explains [arstechnica.com], it's mostly the ATI x800/850 users who are being kept from playing. There is a project in development to port Bioshock to work on the older cards, so we'll see how that pans out. This whole thing reminds me of a similar situation with BF2 requiring PS2.0 support, plenty of older cards that could run the game fine otherwise were incompatible because EA didn't include an alternate rendering path for cards that didn't include the new PS standard.
  • Re:Yet another game (Score:3, Informative)

    by DAtkins ( 768457 ) on Saturday August 25, 2007 @12:14AM (#20351125) Homepage
    You should check to see if your credit card company offers limited accounts. All of mine will let me set up a temporary account number with a withdrawal cap applied to it. Get one of those, change your card info, don't forget that you have to update that account's limit if you choose to buy something else.

    Clears that problem right up :)
  • Re:Yet another game (Score:3, Informative)

    by silverkniveshotmail. ( 713965 ) on Saturday August 25, 2007 @12:56AM (#20351337) Journal

    Actually yes it is. I have a library of well over 100 games all legally purchased out of which less than 20% still run on my current hardware mostly because of silly DRMs. Yes now I download and I have downloaded games I have purchased that run on current systems when my "legal" copy does not.


    Good for you. Since that's the reason that you do it, and your ethics keep you from ever downloading something that you didn't purchase first that must be how everyone does it, and no one downloads a game as an alternative to paying.
  • Re:Oh great (Score:2, Informative)

    by mariushm ( 1022195 ) on Saturday August 25, 2007 @06:01AM (#20352543)
    The Securom protection in the executable of the DEMO is needed because the game makers were probably too lazy to compile a different version of the executable for the DEMO, with fewer functions.

    Some crackers would take the executables from a DEMO and the content from a game CD and thus would have nothing to crack.

    While the protection is removed anyway in less than a week after the game is released, it is often pushed by the people in the distribution chain and by the people that finance the development of the game.

    It's just to slow down the piracy of the game in the few days after the game is released in retail stores, when the hype is at its maximum.

    Combined with the online activation I believe it has, it's good enough.

  • by KingSkippus ( 799657 ) * on Saturday August 25, 2007 @06:03AM (#20352549) Homepage Journal

    (from above post...)

    A 2K Games forums administrator, "2K Elizabeth," posted this message [2kgames.com] when a brouhaha started erupting:

    there is no securom on the demo.

    This is patently false, as pointed out by several users' follow-up posts. One even took a nice screenshot [trickingq3.com] that shows that this is at best a pretty hideous example of an administrator not knowing what the hell she's talking about, at worst another outright lie that attempts to appease people who don't know better and can't actually check the veracity of what's being said.

  • by Anonymous Coward on Saturday August 25, 2007 @08:23AM (#20353015)

    They did it with ShadowRun...
    Exactly, only a development company owned by MS would be stupid enough to make that kind of blunder this early in Vista's lifecycle.
  • Re:Oh great (Score:4, Informative)

    by shadowkin ( 863961 ) on Saturday August 25, 2007 @09:21AM (#20353247)
    Try again.

    The plumber installs one toilet. The bathroom is now only authorized for use by one person. If anyone other than that one person asks to use the bathroom, it requires reauthorization. If your toilet ever leaks, you can only repair it once, unless you've de-authorized the toilet before the leak started. Otherwise, you're required to purchase a new toilet before using it in that bathroom again.

    If you move, the next person to use your house has to pay for authorization to use that toilet.

    In the end, it all winds up a steaming pile of crap in one way or another.
  • "Reasonable" my ass. (Score:4, Informative)

    by SanityInAnarchy ( 655584 ) <ninja@slaphack.com> on Saturday August 25, 2007 @07:38PM (#20357471) Journal

    Expecting to be paid for your software is reasonable.

    Taking tactics which can actually damage your customers' computers is not.

    In fact, copy protection is entirely unnecessary to be paid for your work. Just look at record sales -- people do, in fact, still buy CDs, even though most have no copy protection at all. They even buy DVDs, even though the protection there has been so thoroughly cracked that there are one-click programs to rip a DVD and put it on your video iPod. Plenty of people still subscribe to Cable TV, even though most shows are available within a few hours on BitTorrent.

    Oh, and by the way, before you mention it -- a pirated copy is not a lost sale. A pirated copy is not a lost sale. A pirated copy is not a lost sale. Repeat this until you understand it, and then take another look at the statistics -- the RIAA/MPAA are still insanely rich, as are the better artists, musicians, directors, and so on. There is simply not significant evidence, anywhere, that they have lost money due to piracy.

    I know it's comforting when you can believe the world is black and white, but it isn't.
