Safemode rootkit & DRM


40 replies to this topic

#1 AplusWebMaster

Posted 31 October 2005 - 04:56 PM

FYI...

- http://isc.sans.org/...php?storyid=810
Last Updated: 2005-10-31 22:19:15 UTC
"A news fwiw, there is a great analysis and commentary on a rootkit made to run in safemode today at Mark's Sysinternals Blog today. Thanks very much for the great rootkit detection work and writing Mark!"
- http://www.sysinternals.com/Blog/
Sony, Rootkits and Digital Rights Management Gone Too Far
Monday, October 31, 2005

:eek:
.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 Trilobite

Posted 01 November 2005 - 11:01 AM

Sony and the RIAA. I hope you are reading this, because you just permanently lost all of my business! :rant: :angry: You claim that illegal music downloads are cutting into CD purchases and profits. I say that it has more to do with actions like this.

#3 cheglabratjoe

Posted 01 November 2005 - 11:23 AM

More B.S. from the league leader ... don't they realize, if they cut through all the extraneous garbage that goes into making music, then CDs would cost mere dollars (if not less than a dollar), and then no one would bother with piracy?

Oh, wait, that extraneous crap is the RIAA! Oops, nevermind.

#4 AplusWebMaster

Posted 01 November 2005 - 04:33 PM

FYI...

http://www.theinquir.../?article=27349
1 November 2005
"...To play your songs, you simply drop your legally purchased CD in your legally purchased computer, and you are infected with DRM, no choice in the matter... It has finally come down to this, you don't have a choice about DRM, your rights are removed and there is no recourse. All of this to protect the profit margins of Sony Corp, at your expense. If there was ever a good argument for piracy, to me, this is it. No, better yet people, just say no and don't buy this crap, it is the higher ground."

:rant:

#5 AplusWebMaster

Posted 02 November 2005 - 05:37 PM

FYI...

- http://www.f-secure....s/xcp_drm.shtml
Nov 1, 2005
"Extended Copy Protection (XCP) is a CD/DVD copy protection technology created by First 4 Internet Ltd. XCP has been used to protect some audio CDs released by Sony BMG Music Entertainment. The XCP protected disks contain digital rights management (DRM) software that allow the user to make a limited number of copies of the disk and also rip the music into a digital format to be used on a computer or portable music player.
Once installed, the DRM software will hide:
Files
Processes
Registry keys and values
No means of uninstalling the DRM software is given. The software supports Windows 98SE, Windows ME, Windows 2000 SP4 and Windows XP..."

More...
- http://www.f-secure.com/weblog/

Sony CD Copy Protection Relies On Hacker Rootkit
- http://www.techweb.c...2&site_section=

:huh: :evilgrin: :rant:

#6 JRosenfeld

Posted 02 November 2005 - 08:52 PM

Sony have apparently responded with a patch to unhide the software and an uninstaller:
http://seattlepi.nws...Protection.html

#7 quietman7

Posted 03 November 2005 - 06:07 AM

Sony releases removal utility

.
Windows Insider MVP 2017-2019
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#8 AplusWebMaster

Posted 03 November 2005 - 06:13 AM

Er, 'don't know that I would trust them to remove it, since they're the ones who installed it surreptitiously... ya' know?

EDIT/ADD:
- http://www.theinquir.../?article=27426
3 November 2005
"...This is the service pack from hell...These are scary times people, and if we let Sony get away with this now, it will only get worse and harder to stop later."

EDIT/ADD:
- http://www.theregist...ny_rootkit_drm/
"...The patch that Sony will offer doesn't remove the 'rootkit' DRM: it only makes the hidden files visible..."

:oops:

Edited by apluswebmaster, 03 November 2005 - 03:56 PM.


#9 Buntox

Posted 04 November 2005 - 04:22 PM

Great podcast about this with Leo Laporte and Steve Gibson.
from: http://thisweekintech.com/sn12

"The Sony/BMG DRM rootkit was first discovered by F-Secure and widely publicized by Mark Russinovich of Sysinternals in his blog. The Sony DRM hides itself by modifying the Windows kernel, names itself "Plug and Play Device Manager" to confuse users, consumes CPU resources whether running or not with sloppily written code that does things like querying the file size eight times per scan, scanning every two seconds, and, worst of all, allows any hacker to easily hide files on your system."

Some more articles:

http://blogs.washing...raids_hack.html

http://www.pcpro.co....otkit-code.html

Hopefully some more major news networks will pick this up and cause more outrage.

I would like to extend a special Thanks to Sony for encouraging the legal purchase of music.
The time you enjoy wasting is not wasted time.
Bertrand Russell

#10 CyberRaptor

Posted 05 November 2005 - 06:46 PM

Wow this is really shocking. I can't believe they would exploit people like this. I'm going to make sure everyone I know hears about this, and encourage them to do the same.

I was thinking about buying a PS3. Not anymore. I'm boycotting Sony products. They have lost my business for good.

#11 quietman7

Posted 07 November 2005 - 07:18 AM

Sony's antipiracy may end up on antivirus hit lists



#12 Trilobite

Posted 07 November 2005 - 10:26 AM

Apparently it also phones home:
http://www.sysintern...decloaking.html

#13 AplusWebMaster

Posted 07 November 2005 - 05:50 PM

FYI...

Sony sued over rootkits
- http://www.theinquir.../?article=27508
7 November 2005
"SONY IS FINALLY GOING to have to answer the tough questions, because it is being sued. According to the press release here ( http://www.alcei.org...hp/archives/106 ), and the complaint here ( http://www.alcei.org...hp/archives/105 ), the Italian group ALCEI is suing Sony over the rootkitting DRM infection. It seems that ALCEI hired a noted Italian security researcher name(d) Stefano Zanero to dot all the Is and cross all the Ts."

.

Edited by apluswebmaster, 07 November 2005 - 05:51 PM.


#14 AplusWebMaster

Posted 08 November 2005 - 05:50 PM

FYI...

Sony Copy Protection Called Spyware
- http://www.techweb.c..._section=700028
November 8, 2005
"Sony BMG's woes over its CD copy protection scheme continued Tuesday as a security company accused the entertainment firm of shoving spyware onto users' PCs. By Computer Associates' account, the XCP (eXtended Copy Protection) technology failed 8 of the 22 tests it applies to determine if software is legitimate or spyware, and so it added the programs to its Pest Patrol spyware lists. "Sony failed several different tests, each of which would have identified it as either a Trojan [horse] or a rootkit," said Sam Curry, vice president of CA's eTrust Security group. XCP -- which was crafted by U.K.-based First4Internet -- has serious spyware personality traits, including a lack of consent, the omission of an uninstall routine, and most egregious, a hidden "phone home" feature that sends data about the user to Sony without the user's permission.
The software retrieves lyrics and updated album art automatically, but also, claimed Curry, the user's IP address. "This could also be used to determine [music] playing habits," said Curry. "And users aren't told any of this." Hidden features and a lack of a clear end-user licensing agreement ( EULA) are traits of spyware, pure and simple, said Curry. "People are buying CDs, thinking they're getting content, when in actuality, the CD's changing the behavior of the user's computer"...
Curry said that his group was also digging into Sony's process for users who request an uninstaller because that has spyware characteristics as well. "The uninstaller is an ActiveX control, which is generally considered a security problem," said Curry, "but the removal process also requires users to give up personal information." That information includes their name, e-mail address, the albums purchased, and the places of purchase.
An unknown amount of data is also sent by the ActiveX uninstaller to First4Internet, claimed Curry, and the copy protection causes the system hard drive to read so frequently that it "becomes nearly constant, and could damage the hardware," he added. "This isn't an issue about artists' rights, it's an issue about users' rights. The computer is more than a gloried CD player"..."

:ph34r:

#15 AplusWebMaster

Posted 09 November 2005 - 03:38 PM

FYI...

Calif. Lawsuit Targets Sony
- http://blogs.washing..._ny_lawsui.html
November 8, 2005; 06:35 PM ET
"A class-action lawsuit has been filed on behalf of California consumers who may have been harmed by anti-piracy software installed by some Sony music CDs. A second, nationwide class-action lawsuit is expected to be filed against Sony in a New York court on Wednesday seeking relief for all U.S. consumers who have purchased any of the 20 music CDs in question...
The California lawsuit, filed Nov. 1 in Superior Court for the County of Los Angeles by Vernon, Calif., attorney Alan Himmelfarb, asks the court to prevent Sony from selling additional CDs protected by the anti-piracy software, and seeks monetary damages for California consumers who purchased them. The suit alleges that Sony's software violates at least three California statutes, including the "Consumer Legal Remedies Act," which governs unfair and/or deceptive trade acts; and the "Consumer Protection against Computer Spyware Act," which prohibits -- among other things -- software that takes control over the user's computer or misrepresents the user's ability or right to uninstall the program. The suit also alleges that Sony's actions violate the California Unfair Competition law, which allows public prosecutors and private citizens to file lawsuits to protect businesses and consumers from unfair business practices...
Scott Kamber, an attorney in New York, said he plans on Wednesday to file class-action suits targeting Sony under both New York consumer protection statutes and a federal criminal statute that allows civil actions..."

.

#16 Trilobite

Posted 09 November 2005 - 04:55 PM

For concerned music listeners, SlashDot.org has a list of CDs that contain Sony’s antipiracy crapware. LINK

Buyer beware!

#17 quietman7

Posted 10 November 2005 - 10:47 AM

Update: Sony's Patch Brings Up "Blue Screen Of Death"



#18 quietman7

Posted 10 November 2005 - 11:39 AM

Trojan Horse Hides Using Sony Rootkit
By Nate Mook, BetaNews
November 10, 2005, 11:36 AM

What security experts have warned about Sony's DRM has come to pass, with a new trojan horse attempting to hide itself using techniques enabled by the company's anti-piracy software. Dubbed "Troj/Stinx-E" by Sophos, the application copies itself to a file called: $sys$drv.exe, which is hidden by Sony's copy protection.

betanews.com

http://www.sophos.co...trojstinxe.html



#19 datababe

Posted 11 November 2005 - 11:00 AM

The news is now on CNN:

http://www.cnn.com/2...reut/index.html

Nice work, Sony. Just put me down as another permanently lost customer.

#20 AplusWebMaster

Posted 11 November 2005 - 12:03 PM

FYI...

Troj/RKProc-Fam and Troj/Stinx disinfection instructions
- http://www.sophos.co...tion/rkprf.html
"Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.
This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

Windows 95/98/Me and Windows NT/2000/XP/2003
The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

Windows disinfector
RKPRFGUI is a disinfector for standalone Windows computers
open RKPRFGUI, run it, then click GO.
If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

Command line disinfector
RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

:oops:

#21 AplusWebMaster

Posted 11 November 2005 - 01:39 PM

FYI...

Sony halts music CDs with anti-piracy scheme
- http://www.msnbc.msn.com/id/10005667/
Nov. 11, 2005
"Stung by continuing criticism, the world’s second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
Sony defended its right to prevent customers from illegally copying music but said it will halt manufacturing CDs with the “XCP” technology as a precautionary measure. “We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,” the company said in a statement..."

:oops:

#22 quietman7

Posted 13 November 2005 - 06:40 AM

Microsoft said Saturday that it is updating its anti-spyware software (now called "Windows Defender") to detect and remove the file-hiding capabilities of the anti-piracy software installed by some Sony BMG music CDs.

In December, Microsoft will automate that process through its malicious software removal tool, which is designed to help people clean up infections from some of the most pervasive bots, viruses, worms and rootkits.

washingtonpost.com

Symantec SecurityRisk.First4DRM Removal Tool for Sony rootkit:
securityresponse.symantec.com



#23 AplusWebMaster

Posted 13 November 2005 - 10:17 AM

More of same...

Sony DRM Rootkit to be removed automatically by Microsoft
- http://isc.sans.org/...php?storyid=845
Last Updated: 2005-11-13 14:36:09 UTC
"Microsoft says* "Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems" "and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software."
* http://blogs.technet.com/antimalware/

.

#24 tooseyboy

Posted 14 November 2005 - 01:59 PM

An interesting article here, claiming that Sony's DRM software violates the GPL :blink:

http://dewinter.com/...article&sid=215

#25 AplusWebMaster

Posted 18 November 2005 - 03:38 PM

(Playing catch-up... sorry for long post here):

- http://www.sysinternals.com/Blog/
November 14, 2005
"...Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:
1. Open the Run dialog from the Start menu
2. Enter “cmd /k sc delete $sys$aries”
3. Reboot ..."

:oops:

Sony’s Web-Based Uninstaller Opens a Big Security Hole...
- http://www.freedom-t...nker.com/?p=927
November 15, 2005
"Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.
The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get..."

Sony to pull controversial CDs, offer swap
- http://www.usatoday....ds_x.htm?csp=34
11/14/2005 11:01 PM

:oops:

- http://www.theinquir.../?article=27714
15 November 2005
"...Blatant stupidity in the 'cure is worse than the disease' category... FTT goes into detail. It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine. See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course. The more disturbing part is that it appears the control is signed. I wonder who at MS approved this, and how this blatant security hole got through the barest minimum of QC? Moral, if you bought Sony products, you are screwed. If it causes you problems, you are screwed more. If you uninstall, you are screwed yet harder. If you uninstall it yourself, you are a criminal under the DMCA. If you use an antivirus program to uninstall it, you spent money to fix Sony's problems, and you are still a criminal. That's what you get for buying music."

:(

>>> http://www.freedom-t...nker.com/?p=927
"To see whether CodeSupport is on your computer, try our CodeSupport detector page:
- http://www.cs.prince...xcp/detect.html

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)
cmd /k del "%windir%\downloaded program files\codesupport.*"

;)

- http://www.freedom-t...nker.com/?p=928
"...You can tell whether you are vulnerable by visiting our CodeSupport detector page.
If the component is installed, you should try to remove it using the instructions from our earlier post. However, this may not be enough to prevent the software from being installed again, depending on your security settings. If you have been exposed, the safest thing to do is to avoid using Internet Explorer until you receive a fix from Sony and First4Internet. Firefox should be a safe alternative.
UPDATE (11/16, 2am): Sony has removed the initial uninstaller request form... In its place is the following message:
'November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.'
This is a positive step that will help prevent additional users from being exposed to the flawed component, but customers who already used the web-based uninstaller remain at risk..."

:(

Welcome To Planet Sony
- http://www.doxpara.com/?q=sony
Submitted by Dan Kaminsky on Tue, 2005-11-15 09:28.
"Sony.
Sony has a rootkit.
The rootkit phones home.
Phoning home requires a DNS query.
DNS queries are cached.
Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
So what did I find?
Much, much more than I expected.
It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows... unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident..."

:eek:

Hmmm...

>>> http://www.wired.com...4,69601,00.html
Nov. 17, 2005
"... That all the big security companies, with over a year's lead time, would fail to notice or do anything about this Sony rootkit demonstrates incompetence at best, and lousy ethics at worst.
Microsoft I can understand. The company is a fan of invasive copy protection -- it's being built into the next version of Windows. Microsoft is trying to work with media companies like Sony, hoping Windows becomes the media-distribution channel of choice. And Microsoft is known for watching out for its business interests at the expense of those of its customers.
What happens when the creators of malware collude with the very companies we hire to protect us from that malware?
We users lose, that's what happens. A dangerous and damaging rootkit gets introduced into the wild, and half a million computers get infected before anyone does anything.
Who are the security companies really working for? It's unlikely that this Sony rootkit is the only example of a media company using this technology. Which security company has engineers looking for the others who might be doing it? And what will they do if they find one? What will they do the next time some multinational company decides that owning your computers is a good idea?..."

:eek:

Not Again! Uninstaller for Other Sony DRM Also Opens Huge Security Hole
- http://www.freedom-t...nker.com/?p=931
November 17, 2005

(Arrgghh!)


:ph34r: :rant:

Edited by apluswebmaster, 18 November 2005 - 03:39 PM.

.
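
As an added example (not from the posts above or from any of the linked tools): an offline cross-view check for the artifacts this thread names, the `$sys$` name prefix, the `aries.sys` driver, the `$sys$aries` service registration, and `codesupport.*` under `downloaded program files`. The listings, sample paths and function names are constructed assumptions; comparing a live listing with an offline one generalises the hiding behaviour the posts describe.

```python
"""Offline cross-view triage for the XCP artifacts named in this thread.

Added example: inputs are plain path / service-name lists exported by the
analyst, one from the running system and one from the same disk read offline.
"""
import fnmatch
import ntpath

# Indicators quoted in the posts above.
CLOAK_PREFIX = "$sys$"          # name prefix hidden while the cloaking driver is loaded
CLOAK_DRIVER = "aries.sys"      # driver that implements the cloaking
CLOAK_SERVICE = "$sys$aries"    # registration removed by "sc delete $sys$aries"
ACTIVEX_GLOB = r"*\downloaded program files\codesupport.*"


def _norm(path):
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path.strip()).lower()


def _path_set(listing):
    return {_norm(p) for p in listing if p.strip()}


def hidden_entries(live_listing, offline_listing):
    """Paths the offline view contains but the live view does not report."""
    return sorted(_path_set(offline_listing) - _path_set(live_listing))


def classify(path):
    """Return indicator tags for one normalised path (empty list: no match)."""
    parts = path.split("\\")
    tags = []
    # A prefixed directory hides everything below it, so check every component.
    if any(part.startswith(CLOAK_PREFIX) for part in parts):
        tags.append("cloak-prefix")
    if parts[-1] == CLOAK_DRIVER:
        tags.append("xcp-driver")
    if fnmatch.fnmatchcase(path, ACTIVEX_GLOB):
        tags.append("codesupport-activex")
    return tags


def triage(live_listing, offline_listing, offline_services):
    """Tag every offline path that matches an indicator and say whether the
    running system could see it ("visible") or not ("cloaked")."""
    live = _path_set(live_listing)
    findings = []
    for path in sorted(_path_set(offline_listing)):
        tags = classify(path)
        if tags:
            state = "visible" if path in live else "cloaked"
            findings.append((path, state, tags))
    registered = any(s.strip().lower() == CLOAK_SERVICE for s in offline_services)
    return {"findings": findings, "service_registered": registered}


# Constructed sample data (not taken from a real machine).
LIVE = [
    r"C:\WINDOWS\system32\drivers\disk.sys",
    r"C:\WINDOWS\Downloaded Program Files\CodeSupport.ocx",
    r"C:\Music\track01.wma",
]
OFFLINE = LIVE + [
    r"C:\WINDOWS\system32\$sys$drv.exe",            # name reported for Troj/Stinx-E
    r"C:\WINDOWS\system32\$sys$example\aries.sys",  # constructed directory name
]
SERVICES = ["Dhcp", "$SYS$ARIES", "Spooler"]


def run_sample():
    return triage(LIVE, OFFLINE, SERVICES)


if __name__ == "__main__":
    report = run_sample()
    for path, state, tags in report["findings"]:
        print(f"{state:8} {','.join(tags):32} {path}")
    print("cloak service registered:", report["service_registered"])
```

A `$sys$` entry reported as "visible" means the cloak is not active on that system, which is the state the posts describe after the driver has been disabled but the rest of the software is still present.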

#26 quietman7

Posted 18 November 2005 - 03:41 PM

Microsoft has released signatures for the removal of the rootkit portion of the Sony XCP DRM software. There are two ways to get these. First is by updating Microsoft Antispyware with the November 17th update (#5777). Second is to use the Windows Live Safety Center and select the "Full Service Scan" followed by the "Quick scan" option.

Microsoft will also include detection and removal of the XCP rootkit with the December release of their Malicious Software Tool.

Sony rootkit signatures now available

Edited by quietman7, 18 November 2005 - 03:43 PM.



#27 quietman7

Posted 18 November 2005 - 03:55 PM

Sony's DRM disaster: A chronology of events
http://www.tgdaily.c...olgy/index.html

Edited by quietman7, 18 November 2005 - 03:59 PM.



#28 AplusWebMaster

Posted 18 November 2005 - 08:29 PM

Er, um...

"Sony rootkit signatures now available" from M$...
- http://blogs.technet...2005/11/17.aspx
November 17, 2005
"... We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change..."


(Arrgghh!)


:rant:

#29 quietman7

Posted 19 November 2005 - 10:21 AM

List of 52 infected Sony CDs being recalled



#30 AplusWebMaster

Posted 19 November 2005 - 12:08 PM

List of 52 infected Sony CDs being recalled...

...that they admit to. Should they be trusted for anything at this point? :hmmm:




:oops:

Edited by apluswebmaster, 19 November 2005 - 12:12 PM.


#31 quietman7

Posted 21 November 2005 - 12:00 PM

Texas Sues Sony Over Alleged CD Spyware



#32 AplusWebMaster

Posted 24 November 2005 - 09:03 AM

But first, a few questions:

Sony-baloney
- http://www.securityf.../columnists/370
2005-11-22...

...not many answers yet.


:(

#33 AplusWebMaster

Posted 08 December 2005 - 07:32 AM

FYI...

- http://www.wired.com...4,69763,00.html
Dec. 07, 2005
"...The software used a Microsoft Windows feature called AutoRun that executes software on a CD without the user's knowledge or consent. Holding down the Shift key stopped AutoRun and prevented the software from being installed. Halderman wrote about the software, and the "infamous Shift key attack," in an academic paper and posted it online. Within 24 hours, SunnComm was threatening a $10 million lawsuit, and vowing to refer Halderman to authorities for allegedly committing a felony under the controversial Digital Millennium Copyright Act, or DMCA. By the next day, the company had backed down in the face of public outrage. Looking back, Halderman says, "The whole experience was a whirlwind.... The response was way bigger than (anything I'd) expected"..."

:(

#34 AplusWebMaster

Posted 09 December 2005 - 06:15 AM

FYI...

Not Just Another Buggy Program
- http://www.freedom-t...nker.com/?p=944
Thursday December 8, 2005 by Ed Felten
"Was anybody surprised at Tuesday’s announcement that the MediaMax copy protection software on Sony CDs had a serious security flaw? I sure wasn’t. The folks at iSEC Partners were clever to find the flaw, and the details they uncovered were interesting, but it was pretty predictable that a problem like this would turn up...if you decline the MediaMax licence agreement, and the software secretly installs itself anyway, you will face risks that you didn’t choose. You won’t even know that you’re at risk. All of this, simply because you tried to listen to a compact disc. Experience teaches that where there is one bug, there are probably others. That’s doubly true where the basic design of the product is risky. I’d be surprised if there aren’t more security bugs lurking in MediaMax...."

(More detail at the URL above.)

:(

#35 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 13 December 2005 - 09:25 PM

FYI...

Microsoft Security Bulletin MS05-054
Cumulative Security Update for Internet Explorer (905915)
- http://www.microsoft...n/MS05-054.mspx
Published: December 13, 2005
"...This cumulative security update sets the kill bit for the First4Internet XCP uninstallation ActiveX control. For more information about this ActiveX control, visit the SONY BMG Web site. Older versions of this control have been found to contain a security vulnerability. To help protect customers who have this control installed, this update prevents older versions of this control from running in Internet Explorer. It does this by setting the kill bit for the older versions of this control that are no longer supported. This kill-bit is being set with the permission of the owner of the ActiveX control..."

:whistle:

#36 quietman7

  • Helper
  • 680 posts

Posted 15 December 2005 - 11:43 AM

The monthly update to the Windows Malicious Software Removal Tool adds detection and deletion for "F4IRootkit," Microsoft's name for the invisibility tool Sony BMG added to 52 of its music albums, and placed on more than 5 million CDs.

securitypipeline.com

.
Windows Insider MVP 2017-2019
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#37 quietman7

  • Helper
  • 680 posts

Posted 17 December 2005 - 10:52 AM

Lavasoft is releasing ARIES Beta Remover (Sony Rootkit)
http://www.lavasoftr...com/blog/?p=136



#38 quietman7

  • Helper
  • 680 posts

Posted 29 December 2005 - 02:28 PM

Preliminary settlement for Sony suit



#39 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 15 January 2006 - 08:41 PM

FYI...

Microsoft, Yahoo, others sued by Softvault over DRM
- http://www.theinquir.../?article=28990
15 January 2006
"SEPARATE CASES were filed against Microsoft, Yahoo and a spate of other tech firms in the US last week, alleging patents covering digital rights management (DRM) were breached by the firms. The main action is against Microsoft, filed in the Eastern District Court of Texas, and relates to US patent 6,249,868, a method and system for embedded, automated, component level control of computer systems and other complex systems.
The patent covers security components for a PC which can enable or disable systems using a remote server. Softvault alleges that products with the feature include Windows Server 2003, Windows XP, Microsoft Office XP, Access 2002, Excel 2002, Vision 2002, Visual Studio Net, Office 2000 SR-1, Project 2000 SR-1, Powerpoint, and many other products including Word. Softvault also claims Microsoft infringes patent 6,594,765, with a long list of Volish software alleged to breach that patent. Softvault wants damages, injunctions, fees, costs, and the like. The other case against Yahoo, Microsoft, Napster, Creative Labs, Dell, Gateway, Iriver, Samsung, Toshiba, Digital Networks, Palm, Audiovox, Sandisk and Thomson also relates to the 868 patent and the 765 patent... Softvault alleges that Microsoft supplies Windows Media Digital Rights Management (DRM) which breaches its patent, and Yahoo's Music Unlimited to Go uses this DRM and so infringes its patents. The other firms named in the suit also infringe Softvault's patents by using Microsoft DRM, it's alleged. Softvault wants the defendants to pay up after a jury trial. Softvault, according to its web page, here*, is a Washington based IP firm which explains that by using its tech a device breaching digital rights can be turned into a brick. And, as we all know, bricks make houses. And gold bricks make gold houses."
* http://www.softvault...ges/1/index.htm

:oops:

#40 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 16 January 2006 - 04:51 PM

FYI...

Sony BMG "rootkit" still widespread
- http://www.securityf....com/news/11369
2006-01-16
"...Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky used a different address used by the copy protection software to estimate that, a month later, 350,000 networks--many belonging to the military and government--contain computers affected by the software. "It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains... Kaminsky's research uses a feature of domain-name system (DNS) servers: The computers will tell whether an address has recently been looked up by the server. The security researcher worked from a list of 9 million domain-name servers, about 3 million of which are reachable by computers outside their networks. Kaminsky sent DNS requests to the 3 million systems, asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches. During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet. The most recent survey, which lasted between December 15 and December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software..."

:huh:
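The survey quoted in post #40 works because a resolver that answers cache-only (non-recursive) questions from outside reveals what its own clients have looked up. As an added example, not part of the original post or the quoted article, this Python sketch flags such queries in traffic captured at a recursive resolver. The networks, addresses and packets are constructed for illustration; authoritative servers, which legitimately receive non-recursive queries, are out of scope.

```python
import ipaddress
import struct

RD_FLAG = 0x0100  # "recursion desired" bit in the DNS header flags word
QR_FLAG = 0x8000  # set on responses, clear on queries

def build_query(name, recursion_desired, txid=0x1234):
    """Encode a minimal A/IN query in RFC 1035 wire format (used for the samples)."""
    header = struct.pack("!HHHHHH", txid, RD_FLAG if recursion_desired else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_query(packet):
    """Return (qname, recursion_desired), or None if this is not a one-question query."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & QR_FLAG or qdcount != 1:
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            return None                      # pointer or overlong label: reject
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos >= len(packet):
        return None                          # name never terminated: truncated packet
    return ".".join(labels), bool(flags & RD_FLAG)

def is_cache_probe(src_ip, packet, internal_nets):
    """True for a non-recursive query that arrives from outside the resolver's own networks."""
    parsed = parse_query(packet)
    src = ipaddress.ip_address(src_ip)
    internal = any(src in ipaddress.ip_network(net) for net in internal_nets)
    return parsed is not None and not parsed[1] and not internal

def scan(events, internal_nets):
    """Return (source, qname) for every event that looks like a cache probe."""
    return [(src, parse_query(pkt)[0]) for src, pkt in events if is_cache_probe(src, pkt, internal_nets)]

NAME = "xcpimages.sonybmg.com"  # hostname the quoted article says the XCP software looks up
INTERNAL_NETS = ["10.0.0.0/8"]  # assumption: the resolver's own client networks
SAMPLE_EVENTS = [  # constructed traffic; documentation and private address ranges only
    ("10.0.0.5", build_query(NAME, True)),       # internal client, normal recursive lookup
    ("203.0.113.7", build_query(NAME, False)),   # external, cache-only question: flagged
    ("198.51.100.9", build_query(NAME, True)),   # external recursive query: not a cache probe
]
print(scan(SAMPLE_EVENTS, INTERNAL_NETS))
```

Restricting recursion and cache answers to internal clients removes the signal this check looks for.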

#41 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 23 May 2006 - 08:05 AM

FYI...

Sony rootkit settlement finalized
- http://www.theregist...kit_settlement/
23 May 2006
"Federal courts have decided the penalty Sony BMG must suffer for exposing thousands of music fans' computers to hackers with dodgy DRM software last year. District court judge Naomi Reice Buchwald granted final approval for a settlement yesterday. Consumers will receive new malware and vulnerability-free CDs, a patch to remove the offending XCP or MediaMax code, and Sony will be dishing out free downloads. Electronic Frontier Foundation legal director Cindy Cohn said: "This settlement gets music fans what they thought they were buying in the first place: music that will play on all their electronic devices without installing sneaky software." Sony's pages about the settlement, including how to claim, are here*. The list of popular platters covered by the ruling is here**."

* http://www.sonybmgcd...settlement.com/

** http://www.sonybmgcd....com/CDList.htm

>>> http://www.eff.org/sony/

:!:

Edited by apluswebmaster, 23 May 2006 - 09:09 AM.
