Berkeley CSUA MOTD:Entry 40403
2025/05/25 [General] UID:1000 Activity:popular
5/25    

2005/11/2-3 [Computer/SW/OS/Windows, Computer/SW/OS/OsX] UID:40403 Activity:nil
11/2    Buy a copy protected CD from Sony, get a rootkit installed for free!
        http://tinyurl.com/auyjl
Cache (8192 bytes)
tinyurl.com/auyjl -> www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
Given the fact that I'm careful in my surfing habits and only install software from reputable sources I had no idea how I'd picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug.

Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking. Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. Every kernel service that's exported for use by Windows applications has a pointer in a table that's indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API. It's relatively easy to spot system call hooking simply by dumping the contents of the service table: all entries should point at addresses that lie within the Windows kernel;

Armed with the knowledge of what driver implemented the cloaking I set off to see if I could disable the cloak and expose the hidden processes, files, directories, and Registry data. Although RKR indicated that the \Windows\System32\$sys$filesystem directory was hidden from the Windows API, it's common for rootkits to hide directories from a directory listing, but not to prevent a hidden directory from being opened directly. I therefore checked to see if I could examine the files within the hidden directory by opening a command prompt and changing into the hidden directory.

I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with $sys$. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It's never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There's no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I've described. After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit.

this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs. The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies. I scrounged through my CDs and found it, Sony BMG's Get Right with the Man (the name is ironic under the circumstances) CD by the Van Zant brothers.

I closed the player and expected $sys$DRMServer's CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system.

Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn't find any reference to it in the Control Panel's Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet's site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall.

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting. When I logged in again I discovered that the CD drive was missing from Explorer. Windows supports device filtering, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver's image, Windows fails to start the target driver.

Unfortunately, although you can view the names of registered filter drivers in the Upper filters and Lower filters entries of a device's Details tab in Device Manager, there's no administrative interface for deleting filters. Filter registrations are stored in the Registry under HKLM\System\CurrentControlSet\Enum so I opened Regedit and searched for $sys$ in that key. I retried the delete, succeeded, and searched for $sys$ again. sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with an RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files. While I believe in the media industry's right to use copy protection mechanisms to prevent illegal copying, I don't think that we've found the right balance of fair use and copy protection, yet.

Mark Russinovich : 3:12 PM, October 31, 2005

I think you're being a little generous to Sony towards the end there... you don't really know what their motives are for permanently hiding services on your system, and they could extend well beyond copy-protection in the future.

Charlie Don't Surf : 4:13 PM, October 31, 2005

Sony should pay the same fine that individuals are expected to pay if sued by RIAA. Their infringement into your operating system is just as bad as a copyright infringement.

jayKayEss : 4:46 PM, October 31, 2005

"I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall." He said there was no mention, I would certainly try to get a bit of money offa them.

David C Barker : 5:27 PM, October 31, 2005

Mark, this is indeed an outstanding piece of work, and I agree completely about things starting to go too far. The minute someone starts installing services as deeply embedded in a system like this, it gets to the point it infuriates you, and, this puts DRM in the spotlight.

Chad : 5:51 PM, October 31, 2005

I predict that maybe the next time you're purchasing a music CD with similar DRM software on it, you'll never open the package, instead downloading the MP3 files for that album through (illegal) P2P file sharing. For some strange reason all DRM software is missing in those P2P downloads, leaving you with just the music to enjoy...

Henry Skoglund : 5:51 PM, October 31, 2005

Mark, Outstanding detective work. Would you be willing to create a clean up script for us mortals who unknowingly installed this? The software that plays the disc on Windows does not work on a mac. ...
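The cached article describes three things a practitioner would want to see concretely: a kernel-mode rootkit replacing a system service table entry with its own function, that function filtering every name beginning with $sys$ out of a directory listing while direct opens of the hidden directory still succeed, and the scanner check that catches the hook by verifying every table entry points inside the kernel image. The C program below is an added example written for this page; it is not Sysinternals, RKR, Aries or First 4 Internet code. It models the service table, the hook and the scanner in user space with invented addresses (KERNEL_BASE, DRIVER_BASE), a three-slot table and a constructed four-entry directory, so it runs offline and shows the mechanism rather than the real kernel layout.

```c
/* Added example: user-space model of system service table hooking and of
 * the "every entry must point into the kernel image" scanner check.
 * Not code from the article or from any of the products it names.
 * Addresses, table contents and the sample directory are all invented. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NAMES    16
#define CLOAK_PREFIX "$sys$"

/* Invented address ranges: the scanner only needs to know where the kernel
 * image lives to judge whether a table slot is sane. */
#define KERNEL_BASE 0x80400000UL
#define KERNEL_SIZE 0x00200000UL
#define DRIVER_BASE 0xF7A10000UL   /* where the cloaking driver is "loaded" */

typedef int (*listdir_fn)(const char **names, int count, const char **out);

typedef struct {
    const char *name;     /* exported service name, used in reports */
    uintptr_t   address;  /* modelled address the slot points at */
    listdir_fn  impl;     /* function the simulation calls; NULL = not modelled */
} service_entry;

/* The genuine kernel service: passes every name through unchanged. */
static int real_listdir(const char **names, int count, const char **out)
{
    for (int i = 0; i < count; i++)
        out[i] = names[i];
    return count;
}

/* Saved by the hook so its replacement can call the original service. */
static listdir_fn saved_listdir = real_listdir;

/* The rootkit's replacement: call the real service, then drop every name
 * that starts with the cloak prefix. It filters on the prefix alone,
 * which is the indiscriminate behaviour the article describes. */
static int hooked_listdir(const char **names, int count, const char **out)
{
    const char *tmp[MAX_NAMES];
    int n = saved_listdir(names, count, tmp);
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(tmp[i], CLOAK_PREFIX, strlen(CLOAK_PREFIX)) != 0)
            out[kept++] = tmp[i];
    return kept;
}

/* Modelled service table: three slots stand in for the real one. */
static service_entry service_table[] = {
    { "NtQueryDirectoryFile",     KERNEL_BASE + 0x1000, real_listdir },
    { "NtOpenKey",                KERNEL_BASE + 0x2000, NULL },
    { "NtQuerySystemInformation", KERNEL_BASE + 0x3000, NULL },
};
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])

/* What the cloaking driver's initialization routine does: swap one slot
 * for its own function. Guarded so a repeat call cannot self-hook. */
void install_hook(void)
{
    if (service_table[0].impl == hooked_listdir)
        return;
    saved_listdir = service_table[0].impl;
    service_table[0].impl = hooked_listdir;
    service_table[0].address = DRIVER_BASE + 0x410;
}

/* What an unload routine would do. The article's point is that this cannot
 * be made safe in a real kernel: a thread may already hold the old pointer
 * and jump into the unloaded image. Modelled here as a plain restore. */
void remove_hook(void)
{
    if (service_table[0].impl != hooked_listdir)
        return;
    service_table[0].impl = saved_listdir;
    service_table[0].address = KERNEL_BASE + 0x1000;
}

/* An application's directory listing is dispatched through the table. */
int query_directory(const char **names, int count, const char **out)
{
    return service_table[0].impl(names, count, out);
}

/* Opening by exact name does not go through the hooked listing service,
 * which is why changing into the cloaked directory still worked. */
int open_by_name(const char **names, int count, const char *target)
{
    for (int i = 0; i < count; i++)
        if (strcmp(names[i], target) == 0)
            return 1;
    return 0;
}

/* The scanner check: every slot must point inside the kernel image.
 * Returns the number of suspect slots and stores their names. */
int scan_service_table(const char **suspects, int max)
{
    int found = 0;
    for (size_t i = 0; i < SERVICE_COUNT; i++) {
        uintptr_t a = service_table[i].address;
        if (a < KERNEL_BASE || a >= KERNEL_BASE + KERNEL_SIZE) {
            if (found < max)
                suspects[found] = service_table[i].name;
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample directory: two ordinary files, two cloaked names. */
    const char *disk[] = { "notepad.exe", "$sys$DRMServer.exe",
                           "$sys$filesystem", "readme.txt" };
    const char *seen[MAX_NAMES], *bad[MAX_NAMES];

    install_hook();
    printf("listing shows %d of 4 entries\n", query_directory(disk, 4, seen));
    printf("direct open of $sys$filesystem: %s\n",
           open_by_name(disk, 4, "$sys$filesystem") ? "ok" : "fails");
    int n = scan_service_table(bad, MAX_NAMES);
    for (int i = 0; i < n; i++)
        printf("hooked: %s points outside the kernel image\n", bad[i]);
    return 0;
}
```

With the hook installed the listing drops from four entries to two while the cloaked directory still opens by name, and the scanner flags NtQueryDirectoryFile because its slot now points into the driver's range; after remove_hook() both checks are clean again. On a real system the equivalent check is a debugger dump of the service table with each entry compared against the loaded kernel image's bounds.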