Ubisoft Uplay DRM Found To Include a Rootkit
An anonymous reader writes "It has been discovered that the Uplay system Ubisoft uses to both check a game is legal and offer up gaming achievements, multiplayer, and additional content, actually contains a rootkit. The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin's Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it. The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user's consent."
Update: Ubisoft has released a statement saying it has issued a forced patch to correct the flaw in the browser plug-in for the Uplay PC application.
under the DMCA any antivirus software can get sued (Score:5, Interesting)
Under the DMCA any antivirus software companies can get sued for removing or even marking this.
That's awesome (Score:5, Interesting)
I started boycotting several manufacturers over the games that required a constant online connection. I can't wait to tell my buddy that thinks that the boycott is stupid how his system is rooted (again)!
this sounds familiar (Score:4, Interesting)
By the way, if you're thinking "hmmm, where have I heard Ubisoft news before?" they used a hacker team's no-CD crack, as-is, in one of their official updates to Rainbow 6 Vegas 2 to solve a problem with the game calling their own legit CD a fake CD.
Re:Is anyone actually surprised? (Score:4, Interesting)
Re:No wonder game sales are slumping... (Score:4, Interesting)
Based on what data? NPD says that game sales are slumping, but NPD's numbers are shit. They're based on retail sales at big stores. They're of little to no use when tracking the growth areas of the gaming market: anything digital. Game sales are likely not down at all, just people buying shiny disks at Walmart.
Besides that, 2012 has featured a lot of big name letdowns compared to 2011. The fall season will likely do better.
Re:Is anyone actually surprised? (Score:5, Interesting)
Prosecute? (Score:4, Interesting)
I'm going to contact my Congresspeople, and ask them to ask the Department of Justice to investigate and prosecute any violation of wiretapping and/or computer crime laws which may have occurred.
Re:That's awesome (Score:5, Interesting)
As somebody who hasn't bought (or pirated) any games in about a decade (other than a few of the Wii Lego series) I have to say that the only downside of boycotting all modern games is that you have to find something to do with all the extra free time and money.
Re:All DRM is rootkit (Score:5, Interesting)
I dislike DRM, but will defend a software company's right to encrypt their software, and even allow them to require an Internet connection to "unlock/decrypt" that software so that it can be used.
I would too. But I would also defend the right of people to modify their copy of the software to remove said DRM and even distribute cracks for it.
Re:Is anyone actually surprised? (Score:5, Interesting)
So do you actually install it as a different user, or do you just feel warm and fuzzy that they can't modify your system, even though most of what you probably care about exists within your user account?
Even if you install it as a different user, you would need to log out of your main account every time (or, I suppose, run a secondary X server) as the rights required to display to your X server pretty much give full access to your account.
My own setup has a user account specifically dedicated to Wine. This user doesn't run anything else. That user has no network access at all because of iptables. There is a PAM module that gives this user access to draw on the X display when I switch to it (Gentoo does this by default; on most Debian-derived distros you have to configure PAM with a one-liner in /etc/pam.d/su -- add "session optional pam_xauth.so" to that text file).
I use a Gentoo Hardened system so I place extra restrictions on it. The Wine user cannot see processes of any other user and the permissions on anything outside of its home directory are quite restrictive. Back when I played WoW (and had to allow network access, but only just what it needed), it would scan the running processes as an anti-cheating measure; on this system it would see only itself and a couple of Wine processes. On a normal Linux system, any user can view every user's running processes. Also, Wine is compiled with SSP and has NX and other hardening features applied to it.
That's not an exhaustive list but it covers the main steps I took. You can probably gather that I don't trust binary Windows programs.
Re:under the DMCA any antivirus software can get s (Score:5, Interesting)
Actually they were sued by several state's attorneys, and settled. Personally, as a victim of XCP (I didn't agree to their god damned eula, my daughter installed it, never imagining that a big respected company would deliberately install MALWARE) I'd like to meet Sony's President in Felbers' beer garden and beat him to death with a two by four. I'm still pissed, and it's almost been ten years. I will never EVER be stupid enough to buy another Sony product. I want the company broken up and its board of directors impoverished. Nothing's too bad for those evil sociopaths. Cancer and AIDS are too good for 'em.
A rootkit is MALWARE. The president of Sony should have gone to prison, and the President of Ubisoft should, too. If I did to Sony what Sony did to me, you can bet your ass I'd go to prison. But it's OK for the 1% to fuck over the 99% any way they want, but if you mess with them, well, you're screwed.
And you stupid people should quit buying their damned games! Jesus, stop letting these assholes take advantage of you! You would buy from a company that deliberately installs malware on their customers' computers??? How goddamned stupid can you get????
Comment removed (Score:4, Interesting)
Maybe they'll actually get sued this time... (Score:5, Interesting)
Maybe they'll actually get sued this time...
I play Everquest 2 on this machine, and look what I just found (installed yesterday). Firefox never informed me that it was being installed.
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\5kpvldeq.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
In the Firefox browser Add-on pane it is listed as SOE Web Installer 1.0.3.171. It can be disabled, but I have not attempted to remove it yet. I want to keep it around while I figure out what it is doing. A web-search is inconclusive as it appears to have just been released, although I did find several links to a "test page" that belongs to Sony that instantly tries to install said plug-in. No-script blocked these attempts, so I have to assume it was served to me via the EQ2 GAME updating system. If so, complete bullshit.
Again, I never got any sort of plug-in install warning when running Firefox, and I have my browser warning settings at maximum verbosity. This plug-in was just "there".
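An added example, not part of the comment above and not taken from any tool named in this thread: a small parser for plug-in registration lines in the format the comment quotes, which flags the traits that stand out in that entry. The second sample line is constructed for contrast, and reading the trailing parentheses as a vendor string is an assumption.

```python
import re
from typing import List, NamedTuple

# First line is the entry quoted in the comment; the second is constructed.
SAMPLE_LOG = r"""
FF - HKLM\Software\MozillaPlugins\@soe.sony.com/installer,version=1.0.3: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\5kpvldeq.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll ()
FF - HKLM\Software\MozillaPlugins\@example.invalid/viewer,version=2.0: C:\Program Files\Example Viewer\npviewer.dll (Example Corp)
"""

# hive, plugin id, optional version, DLL path, then "(vendor)" (assumed meaning).
LINE_RE = re.compile(
    r"^FF - (?P<hive>HKLM|HKCU)\\Software\\MozillaPlugins\\"
    r"(?P<plugin_id>[^:]+?)(?:,version=(?P<version>[^:]+))?: "
    r"(?P<path>.+?) \((?P<vendor>[^()]*)\)$"
)
# Per-user profile roots on Windows XP and on Vista or later.
PROFILE_RE = re.compile(r"\\(?:Documents and Settings|Users)\\[^\\]+\\", re.I)


class Plugin(NamedTuple):
    hive: str
    plugin_id: str
    version: str
    path: str
    vendor: str


def parse_plugins(log: str) -> List[Plugin]:
    """Return one Plugin per line that matches the registration format."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Plugin(m["hive"], m["plugin_id"], m["version"] or "",
                                m["path"], m["vendor"]))
    return found


def triage(p: Plugin) -> List[str]:
    """List reasons an entry deserves a closer look (heuristics, not proof)."""
    reasons = []
    in_profile = bool(PROFILE_RE.search(p.path))
    if in_profile:
        reasons.append("DLL is in a user-writable profile directory")
    if in_profile and p.hive == "HKLM":
        reasons.append("machine-wide (HKLM) key points into one user's profile")
    if not p.vendor.strip():
        reasons.append("no vendor string reported")
    return reasons
```
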
Re:under the DMCA any antivirus software can get s (Score:5, Interesting)
You have to be careful about what you consider to be waiving your rights, i.e. I waive my rights, sorry changed my mind, waived them again, changed my mind again, waived, not waived, waived, mine again.
Waiving your rights means pretty much nothing because the very second you claim them back, they return with full force of the law, constitutional and criminal law both of which outweigh contract law. There is no legal condition of contract that can prevent you from reclaiming your rights, at any time you choose.
Re:Maybe they'll actually get sued this time... (Score:4, Interesting)
Update, if anyone cares.
You can uninstall the plug-in, SOE Web Installer, by using the provided "Uninstaller" you get at the same webpage that installs it.
Or, you can do what I did. Manually uninstall the game then spend 2 hours scouring out the 67 registry entries the "uninstaller" left behind. (The game uninstaller didn't actually remove a single file...not a single one. The plug-in uninstaller simply appeared to remove the plug-in from the control panel--all of the registry entries remained. CCleaner only found four of the 67 I removed.)
That shit is pure rootkit. Considering you can't even firewall out the outbound data without also firewalling your browser, this one is worse than the Sony/BMG rootkit. I've had to remove both and this one was spread all over the damn place, with redundant registry entries everywhere.
Never again, Sony, will any of your products enter this household.