BEWARE! Malware Being Distributed As Copy Protection Software
Watch out! Sony-BMG has been releasing CDs for about the past year that have a rootkit built into them. Not only that, but they don’t tell you that they are installing it, it is known to cause computers to blue screen, and is nearly impossible to remove without completely reinstalling Windows.
OK, backtrack a little bit. I’m sure that you don’t have a clue as to what a rootkit is. I’ll try to explain, but they are pretty complicated.
Every operating system has a kernel, which is the layer that the user interface uses to communicate with the hardware. It is a little hard for Windows users to understand, since Microsoft markets Windows as just an operating system, even though it is so much more. Linux and Unix users, on the other hand, will know what it is, since Linux is really just the kernel, and other programs, like the command-line shell bash and the desktop environment KDE, run on top of it. Anyway, every piece of software on the computer communicates with the hardware (hard drive, memory, etc.) by making calls to the kernel, which then performs the correct instructions to make the computer do the task. The only reason that the Windows kernel should ever be modified is if a major patch is released. Other than that, the kernel should never be modified, since doing so could cause instability.
A rootkit, however, breaks this rule: it modifies the kernel. One of the things that rootkits most commonly do is modify the code that reads the directory structure on your computer and the registry. This might sound harmless at first, but think again. By doing this, the maker of the rootkit can hide whatever they want to on your hard drive or in your registry, and you’ll never know it because you won’t be able to see the file or registry entry. For a more detailed description of what a rootkit is, you can either listen to or read Episode 9: Rootkits from the Security Now! podcast, hosted by Leo Laporte of This Week In Tech and G4’s Call For Help and Steve Gibson of Gibson Research Corporation.
This story was originally published on the SysInternals blog, which is written by Mark Russinovich, on Monday. It turns out that Sony-BMG licensed copy protection software from First 4 Internet called XCP, which uses a rootkit. It is installed when you agree to the EULA that displays when you insert the CD into your computer. The rootkit that it installs cloaks any files or registry entries on your computer whose names start with the string $sys$. You can’t even get around the rootkit by starting in safe mode, because it marks itself as a safe mode driver. It is possible to find the cloaked files by using a program from SysInternals called RootkitRevealer. However, this rootkit has evil intentions. If you try to delete these files (easily done if you know that they exist), your CD-ROM drive will disappear from Windows. It can be restored, but it is not an easy process. A longer discussion of this rootkit can be heard or read in Episode 12: Rootkit DRM of Security Now!
Mark of SysInternals revisited the topic today. In Sony’s EULA, they say that their copy protection software can easily be removed. Ha! That’s a good one. To remove it, you must first go to Sony-BMG’s website and request the uninstaller. They email a link to you that leads to a web page where you can download a service pack for XCP. This service pack is the only way to uninstall it. When you start the installer, you must decline the EULA, which will trigger the uninstaller. However, the uninstaller is itself flawed. It is impossible to reliably remove a rootkit while Windows is running, due to the way that it interacts with the kernel. When you attempt to unload the rootkit, you could very easily blue screen your system. Too bad that First 4 Internet was too incompetent to know this. Then again, what should you expect from a company that relies on a poorly written rootkit to implement copy protection? What’s even worse is that Sony-BMG refuses to admit that they are using DRM technology that utilizes a rootkit.
Remember when I mentioned that the rootkit masks all files and registry entries whose names start with $sys$? This allows anyone to plant files on your computer that start with the same string and have them hidden from you. Already, a crack has surfaced that uses this to circumvent the anti-cheat facilities in Blizzard’s MMORPG World of Warcraft. Also, every time that you insert the CD, a program on it "phones home" to Sony-BMG, which is a security risk in and of itself.
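The cloaking described above, and the way it hides a stranger’s $sys$ files just as readily as Sony’s own, can be caught by cross-view detection, which is the approach RootkitRevealer takes: enumerate through the normal Windows API, enumerate again by reading the disk and registry hive directly, and flag anything that appears only in the second list. The following is an added example, not code from the original post or from SysInternals; the cloaking driver is modelled as a filter over a listing, the case-insensitive prefix match is an assumption, and every path and name is constructed.

```python
# Added example (not from the original post): cross-view detection of a
# prefix-cloaking rootkit, the approach RootkitRevealer takes. All paths and
# names below are constructed for illustration.
CLOAK_PREFIX = "$sys$"  # the prefix the XCP driver hides, per the post

def leaf(entry):
    """Last component of a file path or registry key path."""
    return entry.rsplit("\\", 1)[-1]

def is_cloaked_name(entry):
    """Assumption: the driver matches the prefix case-insensitively,
    as Windows file and key names are case-insensitive."""
    return leaf(entry).lower().startswith(CLOAK_PREFIX)

def cloaked_api_view(raw_entries):
    """Model of what enumeration through the hooked kernel returns:
    every entry whose name carries the cloak prefix is silently dropped."""
    return [e for e in raw_entries if not is_cloaked_name(e)]

def cross_view_diff(raw_view, api_view):
    """Entries a low-level scan (reading the volume or hive directly) sees
    but the high-level API does not: something is hiding them."""
    visible = set(api_view)
    return sorted(e for e in raw_view if e not in visible)

def classify_hidden(hidden):
    """Split prefix-cloaked entries from other discrepancies, which can also
    be benign (e.g. a file deleted between the two scans)."""
    return {e: "cloaked-prefix" if is_cloaked_name(e) else "hidden-other"
            for e in hidden}

# Constructed raw scan: what a direct read of the disk and hive would show.
RAW_FILES = [
    r"C:\WINDOWS\system32\drivers\$sys$example.sys",  # constructed XCP file
    r"C:\WINDOWS\system32\drivers\disk.sys",
    r"C:\Games\WoW\$sys$cheat.dll",  # constructed piggyback: hidden for free
    r"C:\Games\WoW\WoW.exe",
]
RAW_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$example",  # constructed
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
]

def scan():
    """Cross-view comparison over files and registry keys together."""
    raw = RAW_FILES + RAW_KEYS
    return classify_hidden(cross_view_diff(raw, cloaked_api_view(raw)))
```

Running `scan()` reports the three $sys$ entries, including the piggybacking DLL that has nothing to do with Sony, while the ordinary driver files and keys are not flagged.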
I don’t know about you, but after learning all of this, I can say that I am going to stay away from Sony-BMG for a while, and from any other copy-protected CDs. It just isn’t right to buy a CD only to learn that you basically have no rights to use it. They dictate that you can make X number of copies, that you can only listen to it on a computer using their built-in player, that you can’t rip the songs yourself in any format you want, but that they do offer (crappy) 128 kbps MP3 versions on their website that you can only download if you have the original CD in your CD-ROM drive, etc. Whatever happened to fair use? Doesn’t sound like you own the music, now does it?
What’s even worse is that what Mark Russinovich did was illegal under the Digital Millennium Copyright Act. What was illegal about Mark getting a rootkit off of his system, you wonder? It is because removing it is considered circumventing copy protection. For doing that, he could be taken to court. What is wrong with this picture? Pretty soon, every music manufacturer could start putting "copy protection" on their CDs that phones home or puts ads on your computer, and you could not legally do a thing about it due to the DMCA! The music industry is doing all of the wrong things to try to get people to actually buy music instead of illegally downloading it from P2P services such as KaZaA, Shareaza, and BitTorrent.
