SONY RootKit programmer got info from an Online Forum.



novacain
11-10-2005, 10:57 PM
I’m sure we have all read about the SONY rootkit……
Now we have to worry about something as simple as playing a CD in your work computer.
[If not, below is a rundown……]

The part of this issue that interested me was that First4Internet programmer, Ceri Coburn, asked, and was told, on an online forum how to do this.

I see threads in the forums on ‘iffy’ topics. Getting keypresses, capturing screens etc.

I visited some of the sites, belonging to the posters, which related to ‘security’ and was not reassured.

Should we be spreading this kind of information around?
Should we be taking more care that the information is used responsibly?
Should we just ignore it, as the info is already out there?

SONY Rootkit
Sysinternals has discovered a rootkit in the media player that comes with copy-protected CDs from Sony BMG and Universal.

The 'patch' is just a PR exercise. Does not actually remove the root-kit, just its 'cloaking' and in fact adds files to the DRM.

Not to mention you (at this time) can not get the patch unless you supply your personal details to Sony. Sony's privacy policy tells you that Sony 'can' add you to various marketing lists.

http://www.freedom-to-tinker.com/?p=921

According to Sysinternals' Mark Russinovich's blog, XCP:

- scans the executables corresponding to the running processes on the system every two seconds
- degrades system performance 24/7 (not just when the media player is in use)
- uses misleading names such as "Plug and Play Device Manager" to deceive users into thinking it's a legitimate part of Windows
- tampers with the low-level operation of the system, causing stability and compatibility problems
- installs hooks and filters, making it difficult to uninstall without breaking Windows

It has also been discovered that the DRM calls home as well.
http://www.sysinternals.com/blog/

Here is the programmer asking for help on a forum.
http://www.osronline.com/showThread.cfm?link=42117

Computer Associates declare it a trojan
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362

Thantos
11-10-2005, 11:09 PM
I heard about this earlier in the week. Pretty amazing that they'd have the gall to do something like this. I'm pretty sure it violates a few laws here in the US. I'm almost willing to get a CD and have it install it so I can be part of the lawsuit class :)

SMurf
11-11-2005, 06:18 AM
I find it quite frightening that the record companies will trust anyone if they say "We can protect your content from these infidels! For a modest fee! And maybe some legal protection!" :(

Although the use of the word "rootkit" in a Windows context is a bit OTT. You don't have to do anything to have root access on most people's XP boxes. :rolleyes:

Frobozz
11-11-2005, 08:46 AM
Personally I don't see how they could have thought that nobody would find this rootkit. Also I would think this would discourage people from buying CDs. Who'd buy a CD only to have it do something bad? That's like paying a hacker for a virus!

CornedBee
11-11-2005, 05:18 PM
Well, Sony is facing quite a few lawsuits right now.

rockytriton
11-11-2005, 07:04 PM
There are plenty of legitimate uses of Windows hooks and capturing keyboard strokes and such. Most of the people who ask probably aren't looking for legitimate reasons, but they can find the info elsewhere anyway.

bithub
11-11-2005, 09:55 PM
>>The part of this issue that interested me was that First4Internet programmer, Ceri Coburn, asked, and was told, on an online forum how to do this.

He asked nothing of the sort. He was asking how to install a filter driver without forcing a reboot afterwards. I fail to see how this is construed as him asking how to build a rootkit, and someone giving him directions. Besides, why would he need to ask someone on a forum how to build a rootkit when amazon.com sells several books detailing how to code your own.

Second of all, rootkits are not illegal. Sony is under a lot of heat for installing a rootkit without telling the user that it was doing so, and also for introducing security holes in people's computers. I guarantee you that rootkits will be used again in the future for DRM enforcement, the only difference will be that companies will cover their ..........es better in the EULA. Hopefully a law of some kind will be implemented that forces companies to inform the user when a rootkit is being installed, but I'm not holding my breath.

Oh, and I will continue to be amused at the people on this board that believe API functions like SetWindowsHookEx and CreateRemoteThread should be hidden from the masses :)

novacain
11-11-2005, 10:02 PM
If Sony is allowed to do this, can anyone do it?

Can I put a 100 page EULA (who reads them (http://yro.slashdot.org/article.pl?sid=05/02/23/2315211)?) on my app so you agree to allow my app to install spyware and be covered?

Sure the programmer did not ask 'how do I make a rootkit'. If he had divulged/explained why he needed a driver without a reboot, would he have been told?

Posters here are the same, not asking how to make a keylogger, they ask 'how does my window, without focus, capture keypresses'.

I'm not saying hide the info from the masses but rather make them either justify their need or do their own research.

bithub
11-11-2005, 10:15 PM
>>Can I put a EULA (who reads them?) on my app so you agree to allow my app to install spyware?

Well, different states/countries have different laws and definitions as to what spyware is. In the US, part of the definition of spyware is installing software without the user's knowledge. So you can install anything you want as long as you tell the user you are doing so (and as long as the program doesn't do anything malicious of course).


Such as? I've coded several commercial applications which make use of Windows hooks. The fact that Windows only sends keypress notifications to your application window when it has the focus is one of the main reasons for needing hooks (in my experience at least). As a specific (non-commercial) example, I used to play a game which used the numpad for certain hotkey buttons. Since this was inconvenient for me (and there was no in-game way to remap these keys), I installed a hook to remap these keypresses to something more convenient. Let's face it, if there were only malicious applications for using hooks, the API functions wouldn't exist. Also keep in mind that a programmer can do more damage with the system() function than they can with any hook.

bithub
11-11-2005, 10:25 PM
Bah, you completely edited your post between me reading it, and posting my response. Now my last post doesn't make much sense :p


>>Sure the programmer did not ask 'how do I make a rootkit'. If he had divulged/explained why he needed a driver without a reboot, would he have been told?

If he had said he was writing DRM software, then yes. My point was that writing a filter driver is not necessarily part of a rootkit (although I guess it can be). A rootkit is when you write over the kernel API function table thus causing other applications to call your own kernel level functions. Doing this, you can essentially place your application between the user mode of the OS, and the hardware on the system.

novacain
11-11-2005, 10:29 PM
Nowadays modifying a game's function could be considered illegal under the DMCA.

http://news.com.com/Blizzard+wins+lawsuit+on+video+game+hacking/2100-1047_3-5845905.html

>>Second of all, rootkits are not illegal.

They are in Australia.

http://www.dcita.gov.au/ie/spyware/outcome_of_review

Its review defined spyware as any software application that is generally installed without the knowledge or consent of the user, to obtain, use or interfere with personal information or resources, content or settings for malicious or undesirable purposes.

Under
Australian Securities and Investments Commission Act 2001 (Cth) and the Corporations Act 2001 (Cth)
Privacy Act 1988
Telecommunications Act 1997 (Cth)
Telecommunications (Interception) Act 1979 (Cth)
Trade Practices Act 1974 (Cth)

"The advice received indicates that most serious and culpable uses of spyware do constitute criminal offences under existing legislation. These behaviours include:

unauthorised access;
...
...
content modification;
theft of computer software, resources and bandwidth;
...
...
impairment of security;
damage to computer settings"

novacain
11-11-2005, 10:31 PM
>>Bah, you completely edited your post between me reading it, and posting my response. Now my last post doesn't make much sense

Sorry. Only saw your post when I posted the original....

bithub
11-12-2005, 02:26 AM
Nowhere in that link does it say anything that would indicate that a rootkit is illegal. According to that link, it's only illegal if it's installed without the user's consent (and even then, it appears that the rootkit must perform some malicious action before it is considered illegal).

B0bDole
11-12-2005, 07:08 AM
>the rootkit must perform some malicious action before it is considered illegal

"Sony BMG said it has temporarily stopped manufacturing music CDs containing a controversial copy-protection program after several Internet viruses took advantage of the software to attack computers."



edit: post 600 wahoo

bithub
11-12-2005, 11:01 AM
I never said Sony's rootkit was legal or illegal. My comment was referring to rootkits in general. I wouldn't be surprised if all the suits against Sony lose though. Having a team of high-paid lawyers for situations like this can do wonders...

novacain
11-13-2005, 09:10 PM
Seems the programmer, in the quest to protect SONY's copyrights, has violated copyright of other programmers.....

The DRM contains code taken directly from LAME (an LGPL MP3 player).
http://dewinter.com/modules.php?name=News&file=article&sid=215.

But of course, to find this theft, the investigator had to violate SONY's EULA..........

>>Nowhere in that link does it say anything that would indicate that a rootkit is illegal. According to that link, it's only illegal if it's installed without the user's consent (and even then, it appears that the rootkit must perform some malicious action before it is considered illegal).

Off the record legal advice from lawyer friends, is that a user could successfully claim on the sections I highlighted and that;

The original EULA does not contain any mention of the rootkit and the later one that does may not be enforceable (as a EULA can not protect you against illegal actions).

The rootkit phoning home, without express permission, violates the Australian Privacy Act.

Not allowing free download of the patch (it requires you allow SONY to add you to its and third party marketing lists) could also be a violation of the Australian Privacy Act.

BobMcGee123
11-13-2005, 09:24 PM
>>I see threads in the forums on ‘iffy’ topics. Getting keypresses, capturing screens etc.


lol, I figured out how to write programs for doing keypresses, Windows DIB screen captures and sending the results back to my computer using socket programming all through MSDN.

You cannot control or ignore the problem.

nickname_changed
11-13-2005, 09:34 PM
And it doesn't do a thing anyway: http://newtechinc.blogspot.com/2005/11/using-sonys-drm-against-itself.html