Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security PC Games (Games) Your Rights Online

BioShock Installs a Rootkit 529

An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"
This discussion has been archived. No new comments can be posted.

BioShock Installs a Rootkit

Comments Filter:
  • Here we go again. *sigh*
    • Re:Oh great (Score:5, Informative)

      by click2005 ( 921437 ) on Friday August 24, 2007 @08:42PM (#20349799)
      From the author's comments...

      I don't care if it is one or not. My point of this article is that the SecuROM service doesn't need to be included in the demo if we don't have to activate it.

      Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google.
    • by Crazy Taco ( 1083423 ) on Friday August 24, 2007 @09:12PM (#20350043)

      Good for certain uses anyway. I've participated in Iowa State University's Cyber Defense competitions as a red team hacker, and I've found they really help to take out the defending teams. Every team is required to run a regular Windows desktop that any user can access (the teams often play the part of universities or other facilities trying to secure a public lab), and it's fun to just walk up like a normal user, put in a "normal" music CD or game (courtesy of Sony), and then BOOM, rootkited. From there on, of course, things get easier... it's hard to remove malicious files when the OS won't let you know they are there :D.

      • by bluefoxlucid ( 723572 ) on Saturday August 25, 2007 @12:39AM (#20351259) Homepage Journal
        Sweet. I've played Blue Team on the Mid-Atlantic Regional CyberDefense Competition run by CyberWATCH on the east coast with the team from CCBC for the first 2 years; but I'm out now, because I'm a security professional. Third year I'll be running red team; I've gotten permission, and I'm a student of Offensive Security (Offsec 101, going to go into Wifu and B2M when they're out too) NOW so the competition in March will let me put my studies to the test and get some experience (good arrangement!).
    • Re:Oh great (Score:5, Insightful)

      by CastrTroy ( 595695 ) on Friday August 24, 2007 @09:24PM (#20350147)
      I'm not sure of the specifics of how these rootkits work, but if every piece of software we buy starts installing a rootkit, What is the probably they will conflict with each other and make the system less stable, and/or break the system completely? What kind of support or compensation is available once this starts happening. I find it very disturbing that they will install rootkits, or use non-standard CDs that don't work in a lot of CD drives (which used to happen a lot), making a terrible experience for the end users, while the pirates just modify the machine code, so it doesn't do any checks, and use the software without paying.
      • Re:Oh great (Score:5, Funny)

        by Beardo the Bearded ( 321478 ) on Friday August 24, 2007 @09:40PM (#20350229)
        Hey, consumer.

        You'll buy what we fucking TELL you to buy. If it crashes your system, then your system requires more RAM.

        It's situation fucking normal for a game.

        If you don't like it, then millions of idiots will just buy it and install it on their parents' computer anyway. After all, kids are the only ones who play games.

        (Not previewing after 5 on a Friday.)
        • Re:Oh great (Score:5, Interesting)

          by arkhan_jg ( 618674 ) on Saturday August 25, 2007 @03:55AM (#20352097)
          The frustrating thing is, this rootkit worry isn't the biggest problem (it's a bit of a stretch). It's that when the game shipped, you only got 2 activations. Yes, you could only install it twice. Ever. Using another user account or install of windows requires another activation. Wipe windows, and try to install a third time? Activation denied. They then proceeded to flat out lie and say uninstalling the game from windows before formatting would give you an activation 'credit' back. It didn't, and according to SecuROM never could.

          The outrage over this on the 2K forums [2kgames.com] made them raise the limit to 5 installs on a given copy of windows, and up to 5 installs on different machines. Ever. Problem solved, right? I mean, who ever installs software they buy more than 5 times, right? Must be pirates. They want to carry on playing in a couple of years, they can go buy a new copy.

          Oh, and they'll release a utility at some point in the future that when run, will supposedly uninstall the game and 'deregister' your install with the online securom database, thus giving you the privilege of reinstalling your own game on your own computer one more time. Just hope windows doesn't go belly up before you get to unregister. And I can't wait for the day all games do this, and I have to run round manually deregistering all of them prior to a reinstall with different tools. Then calling support when it doesn't work and won't let me reinstall.

          • by KingSkippus ( 799657 ) * on Saturday August 25, 2007 @05:55AM (#20352519) Homepage Journal

            First of all, your link to the forums goes to a thread about achievement points on the Xbox version of the game. This thread [2kgames.com] is much more relevant; it's about the rootkit.

            Second of all, I, like many other people, was looking forward to Bioshock's release. I, like I hope many other people will do, refuse to buy it now.

            Whether people thing of this as FUD or not, the simple matter of the fact is that:

            • Bioshock installs software that allows the administrative privilege system of your computer to be subverted. They claim that it's a benefit and they have only good intentions. Maybe, but we all know what the road to hell is paved with. Just because 2K doesn't use their installed software for evil purposes doesn't mean that another hacker's software can't use it to take over a system using privileges that it shouldn't have. When Sony's rootkit distributed on CDs got out into the wild, it didn't take long for other more dangerous software to take advantage of the security hole it created.
            • The aforementioned software hides itself from detection and cannot be removed via normal means. This is a massive breach of trust for a software company to a user.

            2K Games has A FAQ about SecuROM [2kgames.com] that is, at best, contradictory in several places. They say:

            A "rootkit" can be described as software or a set of software tools intended to conceal running processes, files or system data from the operating system and which can open ports to allow remote access to the system...

            SecuROM DOES NOT USE any root kit technology in its implementation. [Their emphasis, not mine.]

            However, Sysinternals' RootkitRevealer software [photobucket.com] begs to differ. Who am I going to trust, a game company that is practicing Defective by Design [wikipedia.org] tactics, or Mark Russinovich [wikipedia.org], a software engineer who's proven time and again that he is the guru of this stuff, the guy who discovered the infamous Sony rootkit, the guy who knew Windows better than even the Windows people knew Windows, so well that Microsoft bought his company and hired him? I'll gladly cast my lot with Mark any day, even if he does work for Microsoft now.

            2K Games also says in its FAQ:

            SecuROM does not fingerprint the hardware [of the computer running Bioshock].

            They then go on to say:

            The only data collected is the serial being used for activation, the IP address used for activation, an identifier for the software being activated, and the hash of the machine ID...

            You won't have to reactivate unless you change several pieces of hardware and this will count as one of your 5 allowed computers, if reactivation is required.

            Um... If SecuROM doesn't fingerprint my hardware, what is the "machine ID" that a hash is taken of and sent to their servers? And how the hell is it possible that changing several pieces of hardware might result in a required reactivation? The simple answer is, of course, that SecuROM does fingerprint your hardware, and 2K Games lied to our faces in the hopes that computer users who aren't as savvy as us won't get bogged down with the technical details and just read the part where they say that it doesn't fingerprint the hardware.

            This is totally inexcusable, and I won't have anything to do with this company. Will the game be cool? Maybe, but nothing is cool enough to install this crap on my computer for. As far as I'm concerned, 2K Games has destroyed its credibility, and they can go to hell for it.

          • (from above post...)

            A 2K Games forums administrator, "2K Elizabeth," posted this message [2kgames.com] when a brouhaha started erupting:

            there is no securom on the demo.

            This is patently false, as pointed out by several users' follow-up posts. One even took a nice screenshot [trickingq3.com] that shows that this is at best a pretty hideous example of an administrator not knowing what the hell she's talking about, at worst another outright lie that attempts to appease people who don't know better and can't actually check the veracity

    • Re:Oh great (Score:4, Informative)

      by sanosuke76 ( 887630 ) on Friday August 24, 2007 @09:30PM (#20350181) Homepage
      Ok, reading the early comments on this article made me laugh my rear off with how quickly the anti-Sony-fanboys jump to conclusions.

      You guys do realize that Bioshock is NOT a Sony game, right? It's been stated that it won't appear on the PS3 (some .ini files have made folks question this, however the publisher officially denies it... no telling what the reality is, but it's at the bare minimum a timed exclusive for the PC and X360).

      If it's not a Sony game, and it's not even going to be AVAILABLE for the PS3, then who do you think decided to use a rootkit-ish (even if it's not a rootkit) technology? Hint: it wouldn't have been Sony.

      If Sony came up with the technology, and then the other guys decided to license it and use it, does this mean Sony had much to do with it? Nope.

      I am still laughing at how easily the anti-Sony-fanboy types disengage their brains when reading articles, on totally non-Sony, not-even-Sony-friendly titles. At the very most, if Sony's the one that the technology was licensed from, one could complain that Sony is still providing it. But the folks who decided to USE it, i.e. the Bioshock publishers, are the folks you ought to be mad at.
      • by KingSkippus ( 799657 ) * on Saturday August 25, 2007 @07:00AM (#20352721) Homepage Journal

        How the HELL did this get modded informative!!?

        The summary never says that Bioshock is a Sony game. In fact, Bioshock isn't even mentioned until well into the summary, and it's clear that they licensed the software from Sony. The summary makes it crystal clear that Sony is the owner of SecuROM copy protection, the copy protection that Bioshock installs.

        If Sony came up with the technology, and then the other guys decided to license it and use it, does this mean Sony had much to do with it? Nope.

        Are you on drugs? I mean, seriously, are you on drugs!? That's the only way I can think of to explain how stupid that sentence is. If Sony came up with the technology, and then the other guys decided to license it and use it, does this mean Sony had much to do with it? Hell yes, because they wrote it!!! Plus, there's also the little fact that they've done this exact same thing before that you're totally ignoring. Once is a lapse in judgement. Twice is a pattern. I wasn't what you call and anti-Sony-fanboy before all of this rootkit fiasco, but I sure as hell am now. If not wanting rootkits installed on my computer makes me a anti-Sony-fanboy, then I suppose I'm proud to call myself one, and for the mere sake of computer security, I highly recommend to everyone I know that they immediately become anti-Sony-fanboys too.

        If I steal your credit card numbers, and then other guys decided to buy them and use them, does this mean that I had much to do with it?

        Damn, there's dense, and then there's dense. You, sir, are the latter kind. By all means, feel free to riddle your computer with rootkits for the sake of playing a stupid game, and be happy that at least you know that you're selling your soul to the devil, unlike most of the non-computer-savvy users who will probably buy and play this game that are none the wiser.

    • Re:Oh great (Score:4, Funny)

      by Short Circuit ( 52384 ) <mikemol@gmail.com> on Friday August 24, 2007 @09:53PM (#20350291) Homepage Journal

      Here we go again. *sigh*
      What, Sony and their rootkits, or the "Begs the question" abuse that seems to get on everyone's nerves?
  • Yet another game (Score:3, Insightful)

    by PhrostyMcByte ( 589271 ) <phrosty@gmail.com> on Friday August 24, 2007 @08:38PM (#20349763) Homepage
    I won't be buying. I was looking forward to this one, too.
    • Re:Yet another game (Score:5, Informative)

      by sodul ( 833177 ) on Friday August 24, 2007 @08:42PM (#20349797) Homepage

      So does that mean I'll have to get the cracked version from BittTorrent in order to NOT infect my machine ?

      It is very sad that the underground world is nicer than the official one. It's Demolition Man [wikipedia.org] all over again.

      • Re:Yet another game (Score:5, Interesting)

        by Headcase88 ( 828620 ) on Saturday August 25, 2007 @03:53AM (#20352087) Journal
        Not to mention that you'll have to download that movie to avoid the inconvenient FBI Warnings / anti-downloading PSAs.

        In the PS1's case (and probably newer consoles), anti-piracy technology made new games not work on chipped consoles. Oh, unless they were burned.

        Maybe these companies should give up on anti-piracy. It seems that most people are decent enough to pay for something that's worth the price of admission. I can't imagine that all of these measures have made enough money from would-be pirates to justify money lost from would-be consumers turned off by DRM, etc. Not to mention the money they had to spend to set up all that shit. I mean, correct me if I'm wrong, but it seems that they'd make more money and have a better brand image from simply chilling out and trying to sell worthy products.
    • Re:Yet another game (Score:5, Interesting)

      by arth1 ( 260657 ) on Friday August 24, 2007 @08:42PM (#20349803) Homepage Journal
      I was about to buy it through Steam. I only waited because I had next to no disk space left on the partition that the Steam games are on, and Steam is too brain dead to let you use more than one partition. I was going to delete some other game and then download Steam, but now I think I'll wait. Especially since judging by Steam's web site, even the non-CD downloadable version comes with Securom (why??).

      • Re:Yet another game (Score:5, Informative)

        by stg ( 43177 ) on Friday August 24, 2007 @08:59PM (#20349931) Homepage
        AFAIK, the Steam version really comes with Securom. I bought and pre-loaded it as a pre-release, and after the regular Steam decryption (and also regular re-downloading of content - EVERY single game I pre-loaded through Steam always had to download more stuff on release!), it needs to activate. The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.

        BTW, the graphics are very impressive and the atmosphere too, but from the first few levels it seemed good but not all that revolutionary as I kept hearing it was...

        As others mention and the FA clearly says, it's not a rootkit, just a regular service. This is a case where I wouldn't mind someone being sued for libel - they really deserve it.
        • by nmb3000 ( 741169 ) on Friday August 24, 2007 @09:07PM (#20349999) Journal
          The first time I tried it failed (for obvious reasons - the server should be overloaded as it was 2-3 hours after the release), but after that it worked fine.

          Somewhat off-topic, but if this isn't a sign of the times I don't know what is. You shelled out $50-60 of hard-earned money to buy a game immediately after it's released and what's your reward? You sit and wait for hours while the moron publisher's servers get overloaded with "activation" requests. And here in this comment, instead of showing irritation or annoyance, you just accept this as normal (not saying you weren't pissed then of course :)

          Funny, I remember when you would buy a game and could take it home and play it right away. Of course technology has progressed since then - now companies can alienate honest customers while adding a few hours to the time it takes to crack the copy protection. Steam is one of the worst things to happen to computer gaming in a long time.

          If that's not progress, I don't know what is.
          • Re: (Score:3, Insightful)

            by moo083 ( 716213 )
            I think your forgetting the time it took to get the game shipped to stores, find a store that has it, and then buy it, and drive home. Thats measured in days, not hours, like steam.
          • Re:Yet another game (Score:5, Interesting)

            by stg ( 43177 ) on Friday August 24, 2007 @09:27PM (#20350165) Homepage
            I wouldn't be okay with it, except for the detail that 30 seconds after my first attempt on activation I ran it again and it went through fine.

            I was really ready to get angry (I had pre-loaded days before and it had the gall to make me wait another 2 hours since download speeds were awful - but that isn't activation related, AFAIK), but it's hard to make much of an issue of a 30 seconds delay.

            Also, I live in Brazil. Sometimes games would take months, sometimes years and on occasion, they would never be available here in a legal form. Buying from the USA is of course possible, but even then it would something like US$20+80% customs taxes. And sometimes it would be translated (poorly) - argh! Prices are about the same as the US, sometimes a bit higher, sometimes a bit lower.

            So I consider being able to download major releases (instead of just indie games) and play at the same time as anyone else major progress.

            Steam could improve their download client a lot, though. I get 460K/s routinely on Getright with multiple connections, but sub-100K/s is the norm on Steam.
            • Re: (Score:3, Interesting)

              by dr_d_19 ( 206418 )
              Steam and Valve (and now 2kgames) thrive on the fact that most of their customers are 14 years old and really don't care. They'll spam the forums at every game release saying that "steam SUCKS!!!" when they can't activate their games for two days but then they'll start playing the their usual concentration rush sets in and they will forget about it.

              When BioShock couldn't activate I used TCPView and nmap to figure out why it couldn't activate (because the "failed to contact key server" game instantly). Turns
          • by Afecks ( 899057 ) on Friday August 24, 2007 @10:02PM (#20350345)
            That settles it, I will never buy this game again.
      • Re:Yet another game (Score:5, Interesting)

        by ludomancer ( 921940 ) on Friday August 24, 2007 @10:18PM (#20350439)
        It's ironic to me that you are comfortable using Steam, which opens much of your PC to the Valve network (sharing information about your computer, sends marketting statistics, etc), but don't want secureROM installed on your PC.

        In my opinion, Steam is far worse than any regular DRM, because instead of simply installing software that checks and validates your game, you're allowing a company access via network to your game where they can outright regulate whatever you do with it.

        I never installed Steam for that reason. It freaks me out. I don't want anyone on my machine other than myself, and I don't feel companies have a right to regulation on that level.
        Even though this Bioshock thing turns out not to be a true Rootkit, it's a game I was going to buy, but now that I see they install this additional mess, I will be passing it up.

        I will be happy if a piracy group supplies with me a DRM free version. But I truly LIKE to give my money to teams that deserve it, and I feel the inclusion of secureROM in this game may be robbing a very deserving team of it's sales.

        In the end, if the publisher feels they need to install anything that is not necessary to the game itself, they will not get my money.
    • by kjart ( 941720 )

      It's a ridiculously good game (I have the Xbox version), so this kind of news saddens me. I hate seeing masterpiece level games brought down by details like this (albeit pretty major, horrible details).

      In any case, if you have a Xbox 360 or have thought about getting one, this game is well worth it (imho, though there are plenty of supporting reviews out there).

  • Demos and protection (Score:5, Informative)

    by arth1 ( 260657 ) on Friday August 24, 2007 @08:39PM (#20349765) Homepage Journal
    Demos require protection since the day that someone found out that if they hacked the demo and compared it to the original, they could simply replace some parts of the original from the same parts of the demo and have a free-for-all.

    (That doesn't mean that I endorse Sony's approach here -- far from it)

    HTH, HAND
    • That trick doesn't really work on the big titles anymore. Usually they release a different build of the game as the demo with most of the game stripped. I mean with the Battle Field 2 demo you could unlock the extra weapons but you couldn't unlock extra maps because they simply didn't put the other maps in the demo.
    • by CryoPenguin ( 242131 ) on Friday August 24, 2007 @10:39PM (#20350553)
      I haven't ever tried to crack copy protection by inserting code from a demo, but I have cracked copy protection without it, and from that experience I don't think having an unprotected demo would help.

      Once you get to the point where you can modify the exe, the hard part of the crack is over. Whatever the protection checks, whether it's some data on the CD or a registry key or some more complex signature of your machine, it's just a branch instruction somewhere and can be NOPed out. Finding the branch is easy too, since you can just run the game with and without whatever it checks for, and see where the execution paths diverge.
      The (marginally) effective part of a copy protection scheme like SecuROM is use of encryption, compression, and self-modifying code, which make it hard to examine or modify the exe. If you have an unprotected demo exe and a protected retail exe, you can't even compare them until after breaking the protection.

      Sure there's the extreme case where the demo and the final version are exactly the same code and differ only in data files, then dropping the whole demo exe into the retail installation would crack it. But as the sibling posters explained, that's rare.
  • It does not (Score:5, Insightful)

    by Anonymous Coward on Friday August 24, 2007 @08:40PM (#20349777)
    The author even admits that he's just trying to get search engine traffic in the comments. It uses SecureROM, which regardless of your feelings on it, is mis-detected by Microsoft's Rootkit detection program. He even says in the main article it's not malware.
    • Re: (Score:3, Insightful)

      by NickFortune ( 613926 )

      The author even admits that he's just trying to get search engine traffic in the comments.

      At the time of writing, there's only one comment from the author that mentions "search engines". So I assume your are refering to this paragraph:

      I installed RootkitRevealer, and discovered it on my computer after installing the demo. I then found a fix to remove it on the 2K forums. In order for others to learn about this I used the word "rootkit", because it is what would naturally be typed in to search engine

  • Not that I would play this game, but it would be nice to have some links to detectors and removal of this type program.
  • Not QUITE a rootkit (Score:5, Informative)

    by Robotech_Master ( 14247 ) on Friday August 24, 2007 @08:42PM (#20349791) Homepage Journal
    If you RTFA, or specifically its comments, you find that it's not technically a rootkit that it installs, it's just a registry directory that contains a * and so a rootkit detector tags it. It's just a very hard to remove registry directory, and not necessarily an actual rootkit qua rootkit.
    • by Anonymous Coward on Friday August 24, 2007 @08:47PM (#20349841)

      This is pure FUD. The twat who wrote it even admits it in the comments:

      Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google.
      • Indeed. To boot the story was submitted anonymously.

        If I was a betting man, I'd bet even money that the blogger himself submitted the story to make a few bucks.
      • Re: (Score:3, Interesting)

        by MikeBabcock ( 65886 )
        Articles like this should have their link removed from the Slashdot summary to punish the author.
    • by arth1 ( 260657 )

      If you RTFA, or specifically its comments, you find that it's not technically a rootkit that it installs, it's just a registry directory that contains a * and so a rootkit detector tags it. It's just a very hard to remove registry directory, and not necessarily an actual rootkit qua rootkit.


      if (compare(&securom,&duck,LOCOMOTION)
      || compare(&securom,&duck,DIALOGUE)) then { ...
      }

      • Re: (Score:2, Insightful)

        Thing is, that if statement is false. As one of the other commenters put it more eloquently than I, the fellow's just claiming it's a "rootkit" to bring in traffic. There's no evidence it demonstrates any rootkitlike behavior, other than being detected by a detector that also detects rootkits.
  • by g051051 ( 71145 ) on Friday August 24, 2007 @08:44PM (#20349813)
    The article author seemed to base his conclusion on the fact that the SecureROM software installs a registry key that can't be deleted by normal means. This pops up on the Microsoft Rootkit Revealer (since that's a technique used by rootkits as well.) That's like saying that because rootkits use Windows APIs, any program that uses a Windows API is a rootkit.

    As for why it's in the demo, modern copy protection is embedded throughout games. It's too difficult to remove the protection just for a demo that contains so much of the full game engine.
  • by BertieBaggio ( 944287 ) * <bob@nOsPam.manics.eu> on Friday August 24, 2007 @08:45PM (#20349825) Homepage

    Okay, I was getting myself good and riled up over this piece of news. I was even ready to return the game first thing tomorrow despite it being a lot of fun. Then I did the unthinkable - I RTFA.

    Seems this is a big load of nothing. SecureROM installs a service to let those running without admin privileges run the SecureROM stuff. This is kinda bitterweet - yes, SecureROM is bad etc but running as a restricted user is good. This is assuming you trust SecureROM's website which says (from TFA):

    SecuROM(TM) will install a Windows(TM) service module called "User Access Service" (UAService) on your system. This is a standard interface commonly used by several other applications as well. It is no spyware or rootkit at all. This module has been developed to enable users without Windows(TM) administrator rights the ability to access all SecuROM(TM) features. Please be assured that this service is installed only for security and convenience purposes. Since it is a standard Windows(TM) service, you can stop and delete this service, like any other Windows(TM) service. If deleted, the access for non-administrator users to SecuROM(TM) protected applications will be affected.
    As opposed to TFA which makes it sound something sinister. However, I don't trust GamingBOB due to his own admission:

    Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google.
    I would add my own emphasis, but I don't think it needs it. Someone finds out a service is installed along with a game and demo and calls it a rootkit to gain traffic / links / ad revenue. Slashdot should not link to crap like this. It would be newsworthy if it were true: I think many people here - myself included - would return the game if it had a true rootkit installed along with it. But this...?

    I don't see the issue here.

    • Comment removed based on user account deletion
    • This is a standard interface commonly used by several other applications as well. It is no spyware or rootkit at all. This module has been developed to enable users without Windows(TM) administrator rights the ability to access all SecuROM(TM) features.

      I don't care if it's a rootkit or not, this quote is absolutely obnoxious. I have a return quote.

      "this (car boot) is a standard interface commonly used by several other parking proprietors as well, there is no impediment to the vehicle at all. This module h

    • My biggest problem is the draconian copy protection though. First it downloads and updates SecureRom. Then it Authenticates with an internet server. So this means you can't even PLAY the damn thing without internet access. Then I heard a roomer that you could only register the software twice, THEN have to call this number to get a new key.

      Sadly, I agree with these draconian systems. So far the game hasn't been cracked (or atleast a crack posted on the torrent sites) in the all important week of relea
    • by c0d3g33k ( 102699 ) on Friday August 24, 2007 @09:36PM (#20350213)
      I've been following this matter on the web since the Bioshock release and monitoring Slashdot's Firehose as the story submissions popped in. This particular story submission was one of the worst of the bunch. There are genuine issues with Bioshock's DRM decision to use Securom which will unfortunately be dismissed due to the poor choice of article. Whether or not this is a rootkit, the fact that the game won't run unless a user completely disables or uninstalls legitimate utilities such as antivirus programs or process monitors is enough to make a security conscious user worry.

      References:

      http://consumerist.com/consumer/punishing--the-one s-that-don.t-steal/bioshock-comes-with-nasty-drm-t hat-sets-off-anti+virus-software-ruins-everyones-d ay-292841.php [consumerist.com]
      http://forum.sysinternals.com/forum_posts.asp?TID= 11000 [sysinternals.com]
      • by Cee ( 22717 ) on Saturday August 25, 2007 @04:16AM (#20352181)

        Whether or not this is a rootkit, the fact that the game won't run unless a user completely disables or uninstalls legitimate utilities such as antivirus programs or process monitors is enough to make a security conscious user worry.

        True, I'm surprised no one has really mentioned it here, but my biggest issue is that Bioshock refuses to start if it detects Process Explorer running. And since Process Explorer starts its own device driver (or whatever it is) upon first start which isn't later unloaded, I have to reboot Windows every time I want to play Bioshock.

        That is a showstopper right there for me. I'm never buying any game Securom protected game again. This was the first and last time I did that mistake.
  • Not a real rootkit (Score:3, Informative)

    by jfroot ( 455025 ) <darmok@tanagra.ca> on Friday August 24, 2007 @08:46PM (#20349835) Homepage
    The author himself has said that he is only calling it a rootkit for SEO reasons.

    From the comments:

    "Using "rootkit" brings the traffic. It's all about the SEO, and is why this article is on top in Google."

    Although I believe this is nastyware.. It surely does not meet the definition or rootkit [wikipedia.org].
  • This is still an awesome game and definitely worth the purchase. This news only makes me glad that I got it for the Xbox 360 rather than PC. If you have a Xbox 360 and don't have this game yet - shame on you.

  • SEO bait (Score:4, Insightful)

    by agendi ( 684385 ) on Friday August 24, 2007 @08:49PM (#20349863)
    Whether it is a rootkit or not, I'll let others more knowledgeable than me decide that but the comments in the article basically has the author admit that he ties the word rootkit and the game together to get better SEO. Not only is the article light on actual technical detail it declares fire where there may be a hint of smoke for the purpose of driving traffic. I know I must be new here..
  • Inaccurate. (Score:3, Insightful)

    by Ahnteis ( 746045 ) on Friday August 24, 2007 @08:54PM (#20349899)
    Although this "protection" scheme is horrible, crappy, the spawn of Satan himself, etc -- I don't believe it qualifies as a rootkit since it is not hidden. It IS resistant to removal, which warrants complaint, but accuracy is important in making such a complaint / discussion.

    I *really* wish we could force (through consumer pressure rather than legislation if possible) publishers to acknowledge copy protection on the OUTSIDE of boxes (or other appropriate pre-purchase manner).

    It's hard to boycott something that you don't hear about until AFTER purchase. (Especially since it's very difficult to return an opened game.)
    • Wow, apparently I type far too slowly. While I was typing, not only have several other people posted the same thing... there's even a post modded +5 already! O_o

      I guess I lose at teh interwebs.
  • Not a rootkit (Score:5, Informative)

    by Torodung ( 31985 ) on Friday August 24, 2007 @08:58PM (#20349927) Journal
    The reason for the !CAUTION! key is to keep an ignorant user from wiping out his key tokens in the SecuROM subkey. That's why there's an "!" at the beginning; it sorts first in the subkey. So if a user stupidly tries to delete the entire SecuROM key (not realizing that it's his DRM) while his game is installed, or even after he's uninstalled, the first attempted deleted subkey will be the !CAUTION! key and Windows will abort.

    Thus it is a poor way to keep stupid users from trashing their DRM, not a rootkit.

    The reason it shows up in "Rootkit Revealer" is because true rootkits use the embedded null tactic to keep users from deleting keys registering malware dll's, startup settings, etc. That way, the user has no way to deregister the malware or stop its launch.

    However, the Rootkit Revealer does not simply point out rootkits. It's not that simple. RR points out suspicious methods and/or hidden files, and requires the user to analyze whether those methods and files indicate an actual piece of malware.

    Clearly, a key that simply warns you not to delete other keys is not malware.

    It is annoying, however, and the only way to get rid of a key with embedded nulls is with DelRegNull. I didn't like that one bit.

    My key was added with the install of Neverwinter Nights 2, however, which also uses SecuROM. This key has been around for a while, folks. Someone is crying "rootkit," when really all it is is a sloppy hack to keep users from eliminating their SecuROM keys.

    What's really annoying about this method is that the malformed key is not removed when you uninstall the software that requires it. SecuROM also drops a few malformed files in the directory %userprofile%\Application Data\SecuROM\UserData. They won't delete either, because they are key files which the folks at Sony have deemed MUST NEVER be deleted. Great. The only way I could manage to clean out those was by mounting the partition with NTFS-3g and issuing an rm *.*. Otherwise, another hack keeps Windows from moving the key files, probably because if you could copy them, you could run a game on any machine with the keys.

    This is definitely more arrogance, and completely annoying, but certainly not a rootkit. I would love to hear what the suits at Sony have to say about their crapware. I expect nothing less than a true SecuROM removal kit, since it doesn't get removed on uninstall.

    --
    Toro
    • Re:Not a rootkit (Score:4, Interesting)

      by Dachannien ( 617929 ) on Friday August 24, 2007 @10:32PM (#20350511)
      The undeletable files under the Application Data tree may be protected by the cmdlineext.dll shell extension that is also installed with SecuROM (and gets a lot less fanfare than uaservice7.exe does). In earlier versions of SecuROM, one of the functions of this extension was to prevent you from deleting 16-bit executables (you'd get a sharing violation error if you tried). I've heard that the latest version of SecuROM doesn't do that anymore, but it may have other similar properties or may have its scope narrowed a bit to the so-called sacred files you mentioned.

      Note that cmdlineext.dll (and other versions cmdlineext02.dll, cmdlineext03.dll) can be a bit tricky to remove. Since it's registered as a shell extension, and Explorer is invoked during startup, the file will always be in use unless you unregister it:

      regsvr32 /u cmdlineext.dll

      After rebooting, you can then (hopefully) delete the file. Note, however, that the file will be recreated and re-registered the next time you run a SecuROM game, so you have to take some extreme measures if you want to ensure that the file can't come back. I've tried creating a zero-length file and setting the permissions to Deny for all users, as well as setting the file read-only, and that seems to do it for at least some versions of SecuROM.

      This functionality is at least as nefarious as the more commonly reported portion of SecuROM, which is indeed a service in the current version and can be stopped like other services.

      Anyway, as for the larger question, I didn't buy Civ IV because of SecuROM, and I'm not buying BioShock because of it, either. If 2K decides to capitulate on this issue at some point, I'll reconsider. In any case, it'll give Irrational time to work on a patch for some other issues that have come up.

  • by Saint Stephen ( 19450 ) on Friday August 24, 2007 @09:01PM (#20349955) Homepage Journal
    I have a laptop with a 7900gs, the thing burns disks. Thank god securerom doesn't think my machine is evil enough to install the DRM service. I don't mind having the unremovable keys and files on my PC as long as i'm playing the game.

    By the way, there's an easier way to delete the files under appdata.

    Type "at /next 9:02pm c:\windows\system32\cmd.exe /interactive" after looking at the clock and seeing it's 9:01am. Wait until 9:02 and you'll get a dos prompt running as the machine account. Go delete your files.
    • Re: (Score:3, Informative)

      by Torodung ( 31985 )

      Type "at /next 9:02pm c:\windows\system32\cmd.exe /interactive" after looking at the clock and seeing it's 9:01am. Wait until 9:02 and you'll get a dos prompt running as the machine account. Go delete your files.

      Cool, but the correct syntax is:

      at 9:02pm /interactive %systemroot%\system32\cmd.exe

      If running as SYSTEM will delete these files, it is a lot easier than mounting with NTFS-3g. I couldn't test this method because the files are already gone. Thanks for the tip!

      --
      Toro

  • So, even if this *isn't* an actual root kit, it does install some software that is a little more 'gung ho' about the whole DRM thing, which I'm definitely not thrilled to hear about. Add this in with the widescreen FOV issues from before(or more specifically how the company handled those inquiries, re: badly) and we have a game I've totally lost interest in. I'm very, very glad I didn't buy it, and do not plan to. It could be the most awesome game on the planet, but I have other cool games. In the end, I'm
  • PC gaming (Score:5, Insightful)

    by ucblockhead ( 63650 ) on Friday August 24, 2007 @09:06PM (#20349997) Homepage Journal
    This is why, after being a PC gamer for 20 years, I recently bought a console.

    I got sick and tired of copy protection fucking up my machine, or refusing to run a valid copy because it didn't like my disk. (Medieval Total War and Diablo II being two games in particular that simply would not run on my hardware without a CD crack.)

    Having to upgrade hardware every couple years was annoying, but it's all this crap heaped on me, who is trying to pay real money for games that pushed it over the edge. I'm sure I'm not alone. And yes, I know that Console games are protected too...but for console games, it's transparent to the user.

    Note that I also paid for "Galactic Civilizations II", which was not protected, and the expansion will be the only PC game I purchase this year.
  • by firesyde424 ( 1127527 ) on Friday August 24, 2007 @10:06PM (#20350363)
    Do you remember those AOL CD's that came in the mail? I use them as beer coasters. Over the years, I have added companions to those first denizens of table top protection. Most have been advert cd's or the cd's that contain the bloatware from a new computer. Some, such as X3, were wonderful games that were destroyed by their DRM schemes. In that case, starforce, which forced its scheme on you without notification.

    Did we not learn the first time? Why can these multi billion dollar corporations not come up with anything better than the broken and bloated software the average consumer must choke down?

    I bought Bioshock today. I've played it for a full 3 hours. And that is all the more that it will be played.

    Welcome to the beer coaster pile, Bioshock, I forsee many coffee rings and soda drops in your future
  • by OverflowingBitBucket ( 464177 ) on Friday August 24, 2007 @10:22PM (#20350473) Homepage Journal
    I used to buy a fair few more music CDs until the funny games they started playing to stop me playing my entirely-legitimately-purchased CDs on my PC. It was a gradual thing- I just started getting sick of half of my purchased music CDs not working when I got them home to listen to whilst I worked. Over time I just stopped buying them so often.

    I used to buy a fair few more PC games. After some of the nastier games the bigger vendors started playing, I stopped buying larger commercial games and moved on to games made by smaller indies (okay, there were some other reasons to, but that's a discussion for another day). They are far less likely to install crap on your system or make you jump through hoops post-purchase.

    Until recently. I purchased a game from a larger indie and then found out I had to "activate" it (after they got my money, of course). They "promise" it'll all be okay, they've got money aside in case they go out of business (which they'll never touch, of course, promise promise). But it's okay because "Windows does it too". I'd name-and-shame them but they did make an effort to make it right when I kicked up. And honestly, I don't want this fight. So let's just say it was a good indie game.

    So I'll be buying less and less games over time, I guess.

    So where are we now? Here I am, along with other paying customers, doing the right thing- and I get shafted as a result. I can get a better copy with less restrictions by going to the local warez-are-us. That copy won't stop working ten years later when the developer shuts down. It won't phone home and refuse to run. It won't refuse to run without a net connection sending God-knows-what to their activation server.

    As a software developer I can completely understand the reason to protect your software from being casually distributed, but dammit- CD driver replacements, rootkits, web trojans, privilege elevation servers, surprise "activation". Why are you subjecting your legitimate customers to this nonsense, when the people ripping you off are just going to get it from someone who has already stripped this stuff out? Don't you realise the logical conclusion of making your product considerably worse that the warez version? Of making every software install a risk of hosing the system?
  • More bad news (Score:3, Informative)

    by sqrt(2) ( 786011 ) on Saturday August 25, 2007 @12:02AM (#20351057) Journal
    This "rootkit" stuff--and I know it's not a true rootkit, just some overzealous DRM, it's still bad--isn't the only thing that might put some people off from buying Bioshock. The game requires a video card that supports PS3.0, so that means there's a lot of gamers out there that simply wont be able to run the game, DRM or not. Over 40% of Steam users from Valve's hardware survey are not capable of running Bioshock. This article from arstechnica explains [arstechnica.com], it's mostly the ATI x800/850 users who are being kept from playing. There is a project in development to port Bioshock to work on the older cards, so we'll see how that pans out. This whole thing reminds me of a similar situation with BF2 requiring PS2.0 support, plenty of older cards that could run the game fine otherwise were incompatible because EA didn't include an alternate rendering path for cards that didn't include the new PS standard.
  • No DRM for me. (Score:3, Interesting)

    by lanner ( 107308 ) on Saturday August 25, 2007 @02:22AM (#20351687)
    I was looking forward to buying this game, but then I heard about the DRM.

    I looked to see if Steam had a version that wasn't infected, but it was too.

    I'll pass on this game. There are others.
  • by Opportunist ( 166417 ) on Saturday August 25, 2007 @09:08PM (#20357951)
    Let's be blunt here. There is software I do not want on my PC. Rootkits for example. And I have no problem with my conscience to remove rootkits that come tagging along with programs I want to use. I licensed the software, I am allowed to use it, I do not want you to bug my computer, reduce its stability or its security. You don't care about my needs, I don't care about yours. Fair deal.

    I just wonder how many people will still take the, for the functionality unnecessary, burden of actually licensing the software, though.

Machines have less problems. I'd like to be a machine. -- Andy Warhol

Working...