In August 2005, I received a virus alert in my e-mail. It was from a computer in the financial department - it was infected with a rootkit. Not the best way to start out a day, but stuff happens. We looked over the file and I reported it to our anti-virus vendor. The vendor responded that it was not a false positive and that we should treat it like a normal rootkit. Here was the detection -
Virus Troj/RKProc-Fam detected in: "C:\WINNT\system32\$sys$filesystem\aries.sys" Disinfection unavailable.
Thanks to my friends at TRE Research for reverse engineering the above file with IDA Pro. Check that out here.
The threat was removed but I kept the file for several months. On Nov 9th, I tested the file at VirusTotal.com and it was no longer detected as a rootkit. Study the filename closely and remember it as you read the rest of this blog.
On the morning of October 31, I started my day like every other day. I was looking over the standard security websites, reading Full-Disclosure and drinking my coffee. I ran across Mark Russinovich's Blog that morning but my eye didn't get past the title for some reason. I was asked to work on a network device, so I started my day.
But later I came back to Mark's blog entry for Oct 31 and was very impressed with what he had found. In the process of testing the latest version of Sysinternals' RootKit Revealer, he had discovered hidden software on his computer. Mark, like many in the security community, does not like to find surprises hiding in his computer. He started a basic forensic breakdown on the software and found that it was connected to a company not normally known for its rootkit technology - Sony BMG.
Digging deeper, he found that the main driver of the rootkit (aries.sys) was designed by the UK firm First 4 Internet. This driver is part of a new Digital Rights Management package from Sony called Extended Copy Protection (XCP). This new software is installed onto your computer when you attempt to listen to certain copyright-protected music CDs. When the CD is inserted into the computer, it automatically runs the software and presents the user with a common End User License Agreement. The EULA tells the user that a special player needs to be installed to listen to the CD but fails to fully describe the "player" software. If you agree to the install, the software installs itself onto the computer, hooks its "claws" into the kernel and cloaks itself using standard "rootkit technology".
"Rootkit technology" in a simple yet very broad sense can be seen as a piece of software that hooks into the lowest level of a computer and attempts to cloak itself using many techniques. In general this cloaking ability will enable a piece of software to hide from the operating system itself and even lie about its existence to applications that run at "levels" higher than itself. This means that the rootkit can lie to anti-virus, running process detection software, anti-spyware and other applications that may hint at its existence. But you have to remember, the hooking is separate from the cloaking. Kernel hooking is in itself a valid programming technique used by some anti-virus vendors, anti-spyware vendors and IDS/IPS vendors.
This is where the water gets dirty however. Sony's rootkit driver cloaks ANY file or folder that has $sys$ in the filename. Sony stated that the cloaking rootkit does not increase the security risk to the normal user, but I will state the opposite. This does make a computer more vulnerable overall and puts the casual user at greater risk. I also stated this fact in a small e-mail interview with TechTarget/SearchSecurity.com yesterday.
Sony's statement about the security risk only proves to the public that they do not understand the security risk of their rootkit technology. Sony misled the public about the risk only to save its image (aka bottom line), nothing more. If they are aware of the increased risk, then this proves they lied to the public. If they are not aware of the increased risk, this proves they do not understand the technology they are forcing onto millions of computers and therefore should have never started down this road in the first place.
Just today, a Trojan was discovered using Sony's cloaking driver to hide itself. This Trojan would normally have to contain code to hook itself into the kernel. But who needs the code, when Sony already has the hooks in place. The Trojan only needs to have $sys$ in its name to hide from the user and operating system.
Under the recent public pressure, Sony and First 4 Internet have released a "patch" that decloaks the DRM software but doesn't remove it at all. It actually updates the DRM software to new versions.
Sony's rootkit-like tricks are not the real legal problem however. There are two main legal problems with Sony's actions -
1) Sony's attempt to mislead the public about the software and its security risk - multiple times.
2) Sony's lack of disclosure in their EULA about the true nature of the software and how it is impossible to remove for a normal computer user.
See the Electronic Frontier Foundation's report on the Sony BMG EULA.
A class-action lawsuit has been started in the state of California, a nationwide class-action lawsuit is expected to be filed in the state of New York this week and there could be criminal cases brought against Sony under the "U.S. Computer Fraud and Abuse Act" and the UK's "Computer Misuse Act of 1990". Italian police have been asked by ALCEI-EFI in Italy to investigate Sony's DRM code as well.
Computer Associates International said today it is now classifying Sony's software as spyware and will begin searching for and removing XCP with its anti-spyware software, starting on November 12. I can only hope that other vendors will follow suit.
How much trouble will Sony get into? Only time will tell...
In the meantime, conduct a simple test on your computer. Create a new folder on your desktop and name it test. Then rename the folder to $sys$test. If the folder disappears, your computer is infected with Sony's new DRM software. Then do two things -
1) E-mail Sony to thank them for putting your system at increased security risk.
2) Wipe your computer and install everything fresh or use Sophos' UnMasking Tool to decloak the DRM software. It will not remove it however.
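The desktop check above, written as a small script. This is an added example and not code from the original post or from any of the vendors named in it: it creates a $sys$-prefixed folder in a temporary directory, then asks for a plain directory listing of the parent and reports whether the folder still shows up. The folder name and the temporary location are my own choices; the script assumes only what the post says, that the driver hides names containing $sys$ from ordinary listings. On a machine without the cloaking driver the folder is listed and `cloaked` comes back False.

```python
"""Name-based cloaking check, modelled on the "$sys$test" folder test.

Added example (not from the original post). Assumes only the behaviour the
post describes: a driver that hides any file or folder with "$sys$" in its
name from normal directory listings.
"""
import os
import tempfile
from typing import Dict, Optional

MARKER_PREFIX = "$sys$"  # the name pattern the post says the driver cloaks


def marker_cloaked(parent: Optional[str] = None, name: str = "test") -> Dict[str, object]:
    """Create <parent>/$sys$<name> and look for it through two ordinary views.

    'listed'        - the folder appears in os.listdir(parent), the same
                      view Explorer or a shell would get.
    'direct_access' - the folder can still be reached by its full path.
    'cloaked'       - created and reachable by path, yet missing from the
                      listing: the "folder disappears" symptom in the post.
    """
    created_parent = parent is None
    parent = parent or tempfile.mkdtemp(prefix="cloakcheck-")  # assumed location
    marker_name = MARKER_PREFIX + name
    marker = os.path.join(parent, marker_name)

    os.mkdir(marker)  # raises if a leftover of the same name already exists
    try:
        listed = marker_name in os.listdir(parent)
        direct = os.path.isdir(marker)
        return {
            "path": marker,
            "listed": listed,
            "direct_access": direct,
            "cloaked": direct and not listed,
        }
    finally:
        # Best-effort cleanup: on a cloaked system the remove may itself fail,
        # so never let cleanup mask the finding.
        try:
            os.rmdir(marker)
        except OSError:
            pass
        if created_parent:
            try:
                os.rmdir(parent)
            except OSError:
                pass


def verdict(result: Dict[str, object]) -> str:
    """One-line human-readable summary of a marker_cloaked() result."""
    if result["cloaked"]:
        return "CLOAKED: %s exists but is missing from its parent's listing" % result["path"]
    if not result["direct_access"]:
        return "INCONCLUSIVE: %s could not be reached after creation" % result["path"]
    return "VISIBLE: %s shows up in the listing as expected" % result["path"]


if __name__ == "__main__":
    print(verdict(marker_cloaked()))
```

Run it as a normal user; it needs no driver access because the point is the opposite, to see whether the ordinary file-system view has been filtered. A VISIBLE result only says this particular name pattern is not being hidden, it is not a clean bill of health for the machine.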