July 26, 2017

Sony Distributing Spyware

Sony, in their futile digital rights management efforts, has taken to playing dirty with the music CDs. Multiple security sources are confirming the existence of spyware in the form of rootkits on Sony’s music CDs. This behavior is unethical in the eyes of many and the legality may be questionable as well.

Are you being spied on?
Are you being spied on?

Editor’s Note: One of the biggest issues today is protecting computers from spyware. How can users do that when something so simple as listening to a music CD can put the computer at risk? Tell us your thoughts on WebProWorld.

The first point will be to define rootkits. F-Secure said this about it on their blog:

Rootkit is technology that hides software from the user and security software. This kind of technology is normally used by malware authors that want their presence to remain undetected in the system as long as possible. DRM software is not malicious but it has other reasons for hiding from the user. DRM software restricts the user’s ability to make copies of a record and for that reason uses technology that prevents removal and modification of the software.

F-Secure went on to say Sony BMG is using the rootkit-based DRM on some CDs sold in the U.S. and the system may have been in use since March of 2005. The real irritating part is even when one reads the End User License Agreement, there’s no mention of software being installed on the computer. Mark Russinovich over at SysInternal said this on the company blog:

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLMSystemCurrentControlSetServices I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLMSystemCurrentControlSetControlSafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter.

Both F-Secure and SysInternals said conventional means won’t get rid of the file. They said if you just delete it, it could “cripple” your computer. Mikko at F Secure said the fix has to come directly from Sony BMG via their website. Users have to fill out a web form and ask directions on how to remove the rootkit directly from Sony. This will certainly create strife in some of the music industry.

This unethical behavior by Sony shows the lengths companies are willing to go to protect the music. Passing around malware in the form of rootkits could create real problems for many computer users and possibly leave them susceptible to other hackers in the future. The whole purpose of this rootkit is to be sneaky and stick stuff in they don’t want you to know about.

This issue is now one of integrity. They own the rights to all this material and obviously are willing to use any means to prevent the filesharing of that material. While the filesharing has hurt the current business model, they insist on continuing down the current path of unethical means to protect that model. The path they go down not only destroys consumer trust, it puts those consumer at a potential financial loss, even if they’ve done nothing wrong. Now Sony has become no better than those they claim to fight against. The hypocrisy knows no bounds.

About John Stith 459 Articles
John is a staff writer for SecurityProNews covering cyber security.