Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Premature Victory Declaration?

Two weeks ago I declared victory in what the media is now referring to as the “Sony rootkit debacle”, but now I’m wondering if I jumped the gun. It turns out that the CDs containing the XCP rootkit technology are still widely available, there’s still no sign of an uninstaller, and comments made recently by the president of the Recording Industry Association of America (RIAA) make it clear that the music industry is still missing the point.

I declared my victory a few hours after Sony announced that it would withdraw the somewhere between 2 and 5 million (the number varies depending on the source) infected CDs that are on store shelves. However, even close to two weeks later it’s obvious that Sony has done little to advertise to store owners, even larger chains, that a recall is in place. They were present in stores in the Austin, Philadelphia and Chicago areas. And as of last week Eliot Spitzer, the Attorney General of New York State, reports that his investigators found them in the New York City area. Many store clerks were unaware that a withdrawal had even been ordered.

At the same time that Sony announced the recall it also withdrew the flawed DRM-software uninstaller it had posted, and in its statement to the public dated November 18, which is still posted, they promise “We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.” That was two weeks ago and still there’s no uninstaller. I could write an uninstaller in an hour based on my own research of the software without access to the source code. They have source code and an existing uninstaller. I find the delay utterly inexcusable.

As for notifying consumers of the problem, Ben Edelman has researched the phone-home behavior of the Sony Player software that comes on the CDs and found that, if it wanted, Sony could inform every infected customer that a recall is in place. That they haven’t taken advantage of that is particularly telling.

Besides the various comments and actions Sony has made it’s obvious that they didn’t, and still don’t, understand the issues they’ve raised from the perspective of their customers. The president of the RIAA, Cary Sherman, held a question and answer session with college journalists on November 18, just after Sony announced the recall, where he had this to say about Sony’s actions:

The problem with the SonyBMG situation is that the technology they used contained a security vulnerability of which they were unaware. They have apologized for their mistake, ceased manufacture of CDs with that technology, and pulled CDs with that technology from store shelves. Seems very responsible to me. How many times have software applications created the same problem? Lots. I wonder whether they've taken as aggressive steps as SonyBMG has when those vulnerabilities were discovered, or did they just post a patch on the Internet?

First, Sony never admitted to or apologized for making a mistake, they expressed “regret” for “any inconvenience” they caused customers. Second, Sherman overlooks the fact that more than a security vulnerability, the Sony software actively hides from customers, is not uninstallable, and sends information to Sony servers without disclosure or consent, not to mention Sony’s subsequent behavior with respect to the onerous multistep uninstall request procedure. Does he consider that behavior “responsible”? And I wonder if he still agrees that Sony’s withdrawal and uninstaller development efforts are “aggressive”? My guess is that he would, despite the evidence to the contrary.

Perhaps the strongest evidence of Sony’s own confused view of their actions is their response when F-Secure, a Finnish antivirus company, contacted them about the rootkit a month before I initially blogged about it. Business Week has an article on the inside story that documents Sony’s attempt, which it appears my blog post foiled, to sweep the whole thing under the rug.

Sony’s day of reckoning is coming, however. Last week my home state of Texas filed a lawsuit in civil court that charges Sony with violations of an antispyware law that the Texas legislature passed in September. How many violations? Several thousand since each Texas consumer that’s installed the XCP software counts as a violation. If Texas gets the $100,000 per violation that they are asking for, the maximum fine under the new law, Sony will feel some real pain. If you haven’t seen the news conference where Greg Abbott, the Attorney General of Texas, announces the suit I recommend you do: “Sony, don’t mess with Texas computers!”

And that’s just one lawsuit. There are still pending class action suits in several states, including one filed last week by the Electronic Frontier Foundation (EFF), Eliot Spitzer may file suit on behalf of New York consumers, and I’m serving as an expert for New York attorney Scott Kamber in the national class action suit.

Like I’ve said before, I hope things don’t end when the suits end, but that there’s some lasting policy change to the way that software installations disclose their effect on our computers. Would this have been the mainstream story it’s become if the Sony XCP EULA disclosed somewhere deep within it that hidden software would be installed and that the player would contact Sony’s site with a CD identifier so as to obtain banner information? I’m afraid that, while just as unethical, that behavior would be legal in most states, even ones with spyware laws. Are we okay with that?

Finally, here’s a funny comic related to the story (my apologies to Celine Dion fans...never mind).

posted by Mark Russinovich @ 3:48 PM 98 comments


I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing a music player that sends information to Sony’s site, and supplying a remotely-exploitable ActiveX control for the on-line uninstall they eventually made available – all without any disclosure to users – they have come close.

Sony BMG’s site now includes a prominent link on its front page, “INFORMATION ON XCP CONTENT PROTECTION,” that takes visitors to a page with a statement from Sony that declares its concern over the security issues raised by its software. The first paragraph points out that Sony licensed the software from First 4 Internet, which while true, does not hold Sony any less responsible for its use of the software or the contents of the End User License Agreement (EULA).

The paragraph continues by saying that Sony will offer unprotected versions to consumers that have purchased the spyware-laden CDs, that they are suspending production of the rootkit-based CDs and that they are recalling existing ones from store shelves, which they’ve said elsewhere comes to around 2 million units. Furthermore, Sony has finally withdrawn the spyware-like uninstall-request process, which included the download of an ActiveX control that’s proven to be its own security risk, and promises the imminent release of a stand-alone uninstaller. Note that because the control is also used in the update patch, I strongly recommend that you do not apply the patch to disable the cloaking, but instead follow the manual steps I've outlined to disable the rootkit and wait for Sony to address the flaws.

Why did I qualify my statement regarding their response? Two reasons: first, as I’ve stated, they don’t admit wrongdoing, only that the software was a security concern. Second, there’s no statement on Sony’s site or their press releases regarding future policy. They go as far as saying that they “will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music”, but say nothing about their stance on rootkits or disclosure during software installation.

Speaking of disclosure, I hope this story isn’t over. Attention now needs to turn to the broader issues that go beyond DRM to software in general. They include acceptable behavior of commercial software, from both legal and ethical standpoints, and appropriate disclosure of software behavior. We’ve been living in a world of hazy laws surrounding EULAs and ideally this case will lead to more clearly defined laws and standard judicial principles.

There are several pending class action lawsuits, likely more to come, and it’s my expectation that a U.S. government agency will eventually announce a formal investigation. The Federal Trade Commission is the one most likely to take up the case and if so, some of its recent actions against spyware vendors may have set promising precedents.

Of course, this first victory would not have happened without your participation in bringing the story to the attention of the media both in this blog and in other publications. I congratulate everyone that voiced their concern over the trend Sony’s software portended and I encourage you to continue to fight for a long-lasting resolution on the issue of software installation and disclosure.

posted by Mark Russinovich @ 7:42 AM 167 comments

Sony: No More Rootkit - For Now

There have been several significant developments in the Sony DRM story since my last post. The first is that, despite Sony’s and First 4 Internet’s claims that their rootkit poses no security risk, several viruses have been identified in the wild that exploit the cloaking functionality provided by the rootkit. Besides F-Secure and Computer Associates, most antivirus companies were slow to label the Sony rootkit as a risk. But the discovery of viruses that use the rootkit to hide files has caused many to identify and disable the rootkit in their latest scanning signatures. My guess is that they were waiting for an actual security threat to shield them from a potential problem with Sony. For example, Microsoft initially responded cautiously when questioned about its position on Sony’s use of rootkits, but Jason Garms, a member of the Microsoft Windows Defender team (formerly Microsoft Antispyware), announced in the Windows Defender blog this weekend that Microsoft is also releasing signatures and a cleaner for the rootkit.

While I’m glad that the viruses have resulted in continuing media coverage of the story, the viruses being discussed in the media are not really the primary security issue. The viruses simply take advantage of the Sony rootkit if it’s present, but could just as easily install their own rootkit to hide their presence on the system. If a user activating the virus, which is transmitted as an email attachment, is running with administrator privileges, the virus can install a kernel-mode rootkit just as powerful as Sony’s. But even if the virus is activated from a non-administrator account it can install a less powerful, though still effective, user-mode rootkit. The bottom line is that it’s not rootkits themselves that are the problem; it’s the inability to manage the objects that they hide that creates security, reliability and manageability problems.

I’m not the only one that realizes the dangers of rootkits, especially those bundled with commercial software. On Friday, the US Chamber of Commerce co-sponsored a conference in Washington, D.C. on combating intellectual property theft. The conference concluded with a panel that included major representatives of the entertainment and technology industries such as the chairman and chief executive officer of the Recording Industry Association of America (RIAA) and Stewart Baker, the assistant secretary for policy in the Department of Homeland Security. Baker concluded with a comment aimed squarely at Sony: “It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.”

Unfortunately, there has been some confusion with regard to the level of cleaning that antivirus (AV) companies are providing for the rootkit. Some articles imply that AV companies remove all of the Sony DRM software in the cleaning process, but they are in fact only disabling and removing the Aries.sys driver that implements the rootkit cloaking functionality. Unfortunately, all of the AV cleaners I’ve looked at disable it improperly by unloading it from memory - the same way Sony’s patch behaves - which, as I noted previously, introduces the risk of a system crash. While they post disclaimers on their web sites to that effect, they should use the safe alternative that I described a couple of posts ago, which is to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots:
  1. Open the Run dialog from the Start menu
  2. Enter “cmd /k sc delete $sys$aries”
  3. Reboot

Perhaps the biggest news in the story last week is Sony’s first public response since one of their executives stated in a National Public Radio interview, “users don't know what a rootkit is, and therefore, don't care.” Mid-day Friday Sony announced, with the hope that press coverage wouldn’t last through the weekend, that it would temporarily cease production of CD’s containing First 4 Internet’s XCP technology, the software that utilizes the rootkit. They have also finally added a link on the Sony BMG web site, under the News section, to the decloaking patch and uninstall link:

It’s a small first step on Sony’s part. Sony still makes no admission of guilt, though by this time I’m sure that legal exposure prevents them from doing so. In addition, the use of the word “temporarily” disturbs me. Are they just waiting for the media attention to fade before starting up again?

More importantly, Sony is making no effort to withdraw existing CDs that are already on the market and the uninstall process is still spyware-like with its use of an ActiveX control during the request for uninstall and actual uninstall. ActiveX controls are a commonly-used attack vector for malicious web sites and one of the blog comments from the last posting by Matti Nikki points out that the First 4 Internet control contains scriptable methods that can be activated without the user’s knowledge or consent. His site demonstrates how he can reboot your system using one of the methods. The control exports 22 scriptable interfaces, as seen here in a screenshot of Type Library Explorer from iTripoli, and the shoddy nature of First 4 Internet’s other code gives me little confidence that there aren’t vulnerabilities that could be used by a malicious site to gain control of systems on which the control is installed.

I’ve said it before, but obviously need to say it again: Sony needs to make the uninstaller freely available as a standalone executable download so that users can choose to safely and easily discontinue use of this nefarious software.

posted by Mark Russinovich @ 4:49 AM 98 comments

Sony: You don’t reeeeaaaally want to uninstall, do you?

A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site. Note that I said press and not customer. The uninstall process Sony has put in place is on par with mainstream spyware and adware and is the topic of this blog post.

As I’ve stated several times already, Sony’s rootkit hides the Digital Rights Management (DRM) files from users that have it installed, so users not monitoring the developments in this story are unaware of the scope and intrusiveness of the DRM. The End User License Agreement (EULA) does not provide any details on the software or its cloaking. Further, the software installation does not include support information and lacks a registration option, making it impossible for users to contact Sony and Sony to contact its users.

What if a user somehow discovers the hidden files, makes the connection between files and the Sony CD that installed them, and visits Sony BMG’s site in search of uninstall or support information? Or what about the unsuspecting Sony DRM user that happens to visit the Sony BMG site to look at their other offerings? Will these customers learn about the patch and uninstaller?

See for yourself. Visit and search for the support site Sony has made available to the press. There’s no information on this story anywhere on the front page, no support link, and the FAQ only contains information about Sony’s merger with BMG. The fact that Sony’s announcement was directed at the press and that they’ve made no effort to make contact with their customers makes the patch and uninstall look solely like a public relations gesture for the media.

Sony even gives those users like me that are aware of the “uninstaller” several hurdles to jump over. First you have to go to Sony’s support site, guess that the uninstall information is in the FAQ, click on the uninstall link and then fill out a form with your email address and purchasing information, possibly adding yourself to Sony’s marketing lists in the process.

Then, after you submit the information the site takes you to a page that notifies you that you’ll be receiving an email with a “Case ID”. A few minutes later you receive that email, which directs you to install the patch and then visit another page if you still really want to uninstall. That page requires you to install an ActiveX control, CodeSupport.Ocx, that’s signed by First 4 Internet, enter your case ID and fill in the reason for your request. Then you receive an email within a few minutes that informs you that a customer service representative will email you uninstall instructions within one business day.

When you eventually receive the uninstall email from Sony BMG support it comes with a cryptic link in the form (I’ve modified the link so it doesn’t work) to your personalized uninstall page. Interestingly, the email address has a confidentiality notice, which implies to me that Sony has something to hide, and it informs you that the uninstaller will expire in one week.

If you visit the uninstall page from the computer where you filled out the first uninstall form then the DRM software is deleted from your system. However, if you visit it from another computer the page requires you install the same CodeSupport ActiveX control as the uninstall-request page, but then even if the computer has the DRM software installed you get this error:

Besides the obvious question of why there’s not a universal uninstall link, the error also begs the question of how the Sony site knows that the uninstall link is for a different computer? For that matter, why do you have to install an ActiveX control just to fill out a web form and why does that form have to be filled out “using the computer where the software is currently installed”? The email, web page and ActiveX control offer no hints.

I of course decided to investigate. A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data:

A Regmon trace of the ActiveX control’s activity when you press the submit button on the Web page reveals that the encrypted data is actually a signature that the control derives from the hardware configuration of your computer:

The uninstall link Sony sends you has your case ID encrypted in the address and when you visit the uninstall page the ActiveX control sends the hardware signature to Sony’s site. If the signature doesn’t match the one it stored earlier with your Case ID when you made the second uninstall request the site informs you that there’s a case ID mismatch.

While I’ve answered the question of how the uninstaller knows if the uninstall link is for your computer, I can’t definitively answer questions like:

  1. Why isn’t Sony publicizing the uninstall link on their site in any way?
  2. Why do you have to tell Sony twice that you want to uninstall?
  3. Why is the email with the uninstall link labeled confidential?
  4. Why does Sony generate a unique uninstall link for each computer?

Sony has left us to speculate, but under the circumstances the answer to all these questions seems obvious: Sony doesn’t want customers to know that there’s DRM software installed on their computers and doesn’t want them to uninstall it if they somehow discover it. Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.

For those readers that are coming up to speed with the story, here’s a summary of important developments so far:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:

  • Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
  • Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
  • The installation provides no way to safely uninstall the software
  • Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD

Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:

  • There is no way for customers to find the patch from Sony BMG’s main web page
  • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
  • Access to the uninstaller is gated by two forms and an ActiveX control
  • The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:

  • F-Secure independently identified the rootkit and provides information on its site
  • Computer Associates has labeled the Sony software “spyware”
  • A law firm has filed a class action lawsuit on behalf of California consumers against Sony
  • ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations

More on the story here.

posted by Mark Russinovich @ 11:31 AM 230 comments

Sony’s Rootkit: First 4 Internet Responds

First 4 Internet, the company that implements Sony’s Digital Rights Management (DRM) software that includes a rootkit, has responded to my last post, More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home. They rebut four of the points I raise in the post. Their first statement relates to my assertion that Sony’s player contacts Sony’s web site each time it runs and sends the site an ID associated with the CD the user is playing:

The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

I speculated that the player sends Sony’s web site a CD identifier as part of a check to see if new song lyrics or artwork was available, which they essentially confirm. Their claim that the communication is “one way” from Sony’s web site is false, however, since Sony can make a record of each time their player is used to play a CD, which CD is played, and what computer is playing the CD. If they’ve configured standard Web server logging then they are doing that. As I stated earlier, I doubt Sony is using this information to track user behavior, but the information allows them to do so. In any case, First 4 Internet cannot claim what Sony is or is not doing with the information since they do not control those servers, and the First 4 Internet response fails to address the fact that the End User License Agreement (EULA) and Sony executives either make no mention of the “phone home” behavior or explicitly deny it.

Another point that I made in the post is that the decloaking patch that Sony has made available weighs in at a relatively large 3.5 MB because it not only removes the rootkit, it also replaces most of the DRM files with updated versions. First 4 Internet responded with this:

In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

It’s not clear to me what they mean by “a secure installation”, but like most of the disclosure in this story, they’ve acknowledged the updating nature of the patch only after someone else has disclosed it first. What’s also lost in their response is that Sony DRM users not following this story as it develops have no way of knowing that there’s a patch available or that they even have software installed that requires a patch.

Further, Sony’s patch is dangerous because the way that it removes the cloak could crash Windows. I discussed the flaw in the patch’s decloaking method in the first post and again in the last one (I also provide a simple way for users to remove the cloak safely), yet First 4 Internet refuses to recognize it. They contest my claim in their comment:

This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

While the probability of a crash is relatively small, it’s not “pure conjecture”, but fundamental to multithreaded programming concepts. Anyone that writes Windows device driver code must have a firm grasp of these concepts or they can easily introduce bugs and security holes into Windows. Here’s one of many scenarios that will lead to a crash when the patch decloaks Sony’s rootkit:

  1. Thread A invokes one of the functions that Aries.sys, the Sony rootkit driver developed by First 4 Internet, has redirected
  2. Thread A reads the address of the redirected function from the system service table, which points at the rootkit function in Aries.sys
  3. Thread A executes the first few instructions of the Aries.sys function, which is enough to enter the driver, but not enough to execute the Aries.sys code that attempts to track threads running within it
  4. Thread A is context swapped off the CPU by the Windows scheduler
  5. The scheduler gives thread B the CPU, which executes the patch’s “unload driver” command, unloading the Aries.sys driver from memory
  6. The scheduler runs thread A again, which executes memory that previously held the contents of Aries.sys, but is now invalid or holds other code or data
  7. Windows detects thread A’s illegal execution and crashes the system with a blue screen

First 4 Internet’s failure to imagine this control flow is consistent with their general failure to understand Windows device driver programming.
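
An added example (not code from the original post or from First 4 Internet): a user-mode C model of the seven-step interleaving above, next to the two orderings that do not crash. The struct and function names are hypothetical, and the rule that unload proceeds only when the driver's thread count is zero is an assumption about how the tracking is used.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-mode model of the unload race; no kernel or driver is touched. */

enum owner   { OWNER_KERNEL, OWNER_ARIES };      /* who implements a service */
enum outcome { OUTCOME_OK, OUTCOME_BUGCHECK };   /* how the call ends        */

struct system_model {
    enum owner table_entry;   /* system service table entry (hooked or not) */
    bool driver_mapped;       /* is the driver image still in memory?       */
    int  tracked_threads;     /* driver's own count of threads inside it    */
};

struct thread_model {
    enum owner target;        /* function address the thread read           */
    bool tracked;             /* has it reached the driver's tracking code? */
};

/* Steps 1-3: read the table entry, then run only the first instructions. */
static void thread_enter(const struct system_model *s, struct thread_model *t)
{
    t->target = s->table_entry;
    t->tracked = false;
}

/* The tracking code that the thread in step 3 has not reached yet. */
static void thread_reach_tracking(struct system_model *s, struct thread_model *t)
{
    if (t->target == OWNER_ARIES) {
        s->tracked_threads++;
        t->tracked = true;
    }
}

/* Steps 6-7: the thread is scheduled again and keeps executing. */
static enum outcome thread_resume(struct system_model *s, struct thread_model *t)
{
    if (t->target == OWNER_ARIES && !s->driver_mapped)
        return OUTCOME_BUGCHECK;          /* runs memory the driver vacated */
    if (t->tracked) { s->tracked_threads--; t->tracked = false; }
    return OUTCOME_OK;
}

/* Step 5: unload. Assumption: it proceeds only when the count is zero. */
static bool driver_unload(struct system_model *s)
{
    if (s->tracked_threads > 0)
        return false;
    s->table_entry = OWNER_KERNEL;        /* unhook */
    s->driver_mapped = false;             /* image leaves memory */
    return true;
}

/* Boot: the driver loads and hooks only if it is still registered. */
static struct system_model boot(bool driver_registered)
{
    struct system_model s = { OWNER_KERNEL, false, 0 };
    if (driver_registered) { s.table_entry = OWNER_ARIES; s.driver_mapped = true; }
    return s;
}

/* The seven steps: preempted before tracking, driver unloaded, resumed. */
enum outcome run_unload_race(void)
{
    struct system_model s = boot(true);
    struct thread_model a;
    thread_enter(&s, &a);
    driver_unload(&s);                    /* count is 0, so unload succeeds */
    return thread_resume(&s, &a);
}

/* Same unload request, but thread A was preempted after tracking ran. */
enum outcome run_unload_after_tracking(void)
{
    struct system_model s = boot(true);
    struct thread_model a;
    thread_enter(&s, &a);
    thread_reach_tracking(&s, &a);
    bool unloaded = driver_unload(&s);    /* refused: count is 1 */
    enum outcome r = thread_resume(&s, &a);
    if (unloaded || r != OUTCOME_OK) return OUTCOME_BUGCHECK;
    return driver_unload(&s) ? OUTCOME_OK : OUTCOME_BUGCHECK;
}

/* Delete the registration and reboot: nothing is unloaded while running. */
enum outcome run_delete_registration_then_reboot(void)
{
    struct system_model s = boot(true);
    struct thread_model a;
    thread_enter(&s, &a);
    bool registered = false;              /* models "sc delete $sys$aries" */
    if (thread_resume(&s, &a) != OUTCOME_OK) return OUTCOME_BUGCHECK;
    s = boot(registered);                 /* after reboot: no hook to race */
    thread_enter(&s, &a);
    return thread_resume(&s, &a);
}

int main(void)
{
    printf("unload race: %d\n", run_unload_race());
    printf("unload after tracking: %d\n", run_unload_after_tracking());
    printf("delete + reboot: %d\n", run_delete_registration_then_reboot());
    return 0;
}
```

The first scenario ends in a bugcheck because the count is still zero when the unload runs; counting threads inside the driver cannot close the window before the counting code executes.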

As further evidence of this, I’ve performed further testing of the Aries.sys driver using a program I wrote, NTCrash2, and found that Aries.sys fails to perform basic checks on the data passed to it by applications. NTCrash2 passes randomly-generated invalid data to Windows APIs and on a stock Windows system simply receives error codes from the APIs. However, when NTCrash2 runs on a system that has the Sony rootkit installed Windows crashes. Here’s an example Windows blue screen that identifies Aries.sys as the cause of a crash that occurred while NTCrash2 ran:

Besides demonstrating the ineptitude of the First 4 Internet programmers, this flaw highlights my message that rootkits create reliability risks in addition to security risks. Because the software package that installed the rootkit is hidden when Windows is running (in this case Sony’s DRM software), and even if exposed not clearly identified, if an application triggers one of Aries.sys’s bugs a user would have no way of associating the driver responsible for the resulting crash with any software package they have installed on their system. The user would therefore be unable to conclusively diagnose the cause of the crash, check to see if they have the most recent version of the driver or uninstall the driver.

First 4 Internet and Sony also continue to argue that the rootkit poses no security vulnerability, repeating it in the description of the patch download. Any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software.

First 4 Internet’s final rebuttal relates to my complaint that as part of a request to uninstall their DRM software Sony requires you to submit your email address to their marketing lists. First 4 Internet says:

An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

The Sony privacy policy the comment refers to clearly states that Sony may add a user’s email address to their marketing lists:

Except on sites devoted to particular recording artists, we may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly.

Again, the fact is that most users of Sony’s DRM won’t realize that they even have software that can be uninstalled. Also, the comment does not explain why Sony won’t simply make the uninstaller available as a freely accessible download like they do the patch, nor why users have to submit two requests for the uninstaller and then wait for further instructions to be emailed (I still have not received the uninstaller). The only motivation I can see for this is that Sony hopes you’ll give up somewhere in the process and leave their DRM software on your system. I’ve seen similar strategies used by adware programs that make it difficult, but not impossible, for you to remove them.

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are not only technically incompetent, but also dishonest.

More on the story in Sony: You don't reeeeaaaally want to uninstall, do you?

posted by Mark Russinovich @ 7:29 PM 147 comments

More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home

My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. This is the case of the blogosphere having an impact, at least for the moment. But, there’s more to the story, like how Sony’s patch can lead to a crashed system and data loss and how Sony is still making users jump through hoops to get an uninstaller. At the core of this story, however, is the issue of what disclosure should be required of software End User License Agreements (EULAs) and how the requirements can be made Federal law.

The Uninstaller

Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available. The uninstall question on Sony’s FAQ page directs you to another page that asks you to fill out a form requesting that uninstall directions be emailed to you:

There’s no way to access the uninstaller without providing this information, and clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address can be added to various Sony marketing lists.

A few minutes after submitting the form I received an email assigning me a case ID and directing me to another page on Sony’s site where I would have to submit an uninstall request a second time:

I’ve filled out the second form and am waiting for the follow-up email.

The Patch
You can get to the patch supplied in the above email from the same Sony support site under Software Updates:

The download text claims that the rootkit does not pose any “potential security vulnerabilities”; however, it’s obvious that any software that cloaks files, directories and Registry keys beginning with a certain string of characters is a clear security risk. An innovative exploit of the rootkit utilizes it to compromise the World of Warcraft anti-cheat system.

The download of what should be a small patch is around 3.5 MB because it includes updated drivers and executables for the DRM software that the patch also installs (again, no mention of this is made in the download description). Interestingly, after installing the patch a new entry showed up in the Windows Add and Remove Programs utility, but it’s only because I checked immediately after I ran the patch that I knew it was related to Sony:

Nowhere up to now have I seen the Sony Player or DRM software referred to as “MediaJam”. I looked in the Program Files directory and the only file in the new MediaJam subdirectory was Unicows.dll, a Microsoft DLL:

Assuming that uninstalling MediaJam would uninstall the DRM software, I attempted to do so but was greeted with this dialog:

It looks like their rush to get the patch out precluded any kind of testing.

The actual decloaking, which is the only value the patch advertises, simply performs the equivalent of the following Windows command:

net stop "network control manager"

“Network Control Manager” is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. After the patch had completed I dumped the system call table in LiveKd and noted that the redirected entries had returned to their standard values and that the driver had unloaded from memory:

However, Sony’s uncloaking patch puts users’ systems at risk of a blue-screen crash and the associated chance of data loss. The risk is small, but I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running:

It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described.

If the developers had heeded this warning the decloaker would have required the system to reboot so that the Aries driver could remain active through the shutdown, but then not load on the next reboot.

I urge Sony to make a real uninstaller readily available for download and to make both the de-cloaking and uninstaller unload the driver safely. In the meantime users can perform a safe decloaking by opening the Run dialog from the Start menu, entering “sc delete $sys$aries”, and then rebooting. This sequence deletes the driver from the Windows Registry so that even though its image is still present on disk, the I/O system will not load it during subsequent boots.
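The race described above, shown as an added illustration that is not code from this post or from the Aries driver: a deterministic C model of a thread that has read a hooked system call table entry but not yet jumped when the driver unloads, next to the reboot-based removal. It uses no real threads or kernel APIs, and every function and variable name in it is hypothetical.

```c
/* Deterministic model of the unload race; no real threads or kernel APIs.
   All names here are hypothetical and chosen for the illustration. */
#include <stdbool.h>
#include <stdio.h>

typedef enum { RAN_ORIGINAL, RAN_HOOK, JUMPED_TO_UNMAPPED } outcome_t;
typedef outcome_t (*syscall_fn)(void);

static bool driver_mapped;   /* is the driver's code still in memory?      */
static int  in_flight;       /* driver's count of threads inside its hooks */

static outcome_t original_service(void) { return RAN_ORIGINAL; }
static outcome_t hook_service(void) {
    if (!driver_mapped) return JUMPED_TO_UNMAPPED; /* models the blue-screen crash */
    in_flight++;             /* tracking starts only once the hook is running */
    in_flight--;
    return RAN_HOOK;
}

static syscall_fn table_entry = original_service; /* one system call table slot */
static void driver_load(void) { driver_mapped = true; table_entry = hook_service; }

/* Unload while Windows is running: unhook, check the counter, unmap. */
static bool driver_unload(void) {
    table_entry = original_service;
    if (in_flight != 0) return false; /* only sees threads already in the hook */
    driver_mapped = false;
    return true;
}

/* A thread dispatches in two steps: read the slot, then jump to it.
   unload_between places the unload in the gap between those two steps. */
outcome_t dispatch(bool unload_between) {
    driver_load();
    syscall_fn target = table_entry;       /* step 1: fetch the hooked pointer */
    if (unload_between) driver_unload();   /* counter reads 0, unload proceeds */
    return target();                       /* step 2: jump */
}

/* Reboot-based removal: the driver is never loaded, so nothing is hooked. */
outcome_t dispatch_after_reboot_without_driver(void) {
    driver_mapped = false; in_flight = 0; table_entry = original_service;
    return table_entry();
}

int main(void) {
    printf("%d %d %d\n", dispatch(false), dispatch(true), dispatch_after_reboot_without_driver());
    return 0;
}
```

The counter cannot close the gap because it is incremented by the hook itself, after the jump has already been taken.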

EULAs and Disclosure: Sony’s Player Phones Home
There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There's no way to ensure that you have up-to-date security patches for software you don't know you have and there's no way to remove, update or even identify hidden software that's crashing your computer.

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.

I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user’s comment: the Player does send an ID to a Sony web site. This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID:

In response the Sony web site reports the last time a particular file was updated:

I dug a little deeper and it appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it.

The media has done a great job of publicizing this story, which has implications that extend beyond DRM to software EULAs and disclosure, and I hope that the awareness they’re creating will result in Congressional action. Both the software industry and consumers need laws that will clearly draw lines around acceptable behaviors.

The story continues with Sony's Rootkit: First 4 Internet Responds.

posted by Mark Russinovich @ 12:04 PM 208 comments
