Supplemental Resources and Links for Episode #12

Resource links for Security Now! Episode #12:

Sony's "Rootkit Technology" DRM
(copy protection gone bad)

 UPDATE: 11/14/2005
 A FREE, new Rootkit Hook Analyzer
The folks at "Resplendence" (I use several of their products) just sent me a note about their just-released "Rootkit Hook Analyzer", which compares the current kernel hook table to the original copy and shows any differences. This will show any "API services" that are being "hooked" and possibly altered, which can be an indication of rootkit technology in a machine.

 The "First 4 Internet" company web site
This is the company "First 4 Internet" that created this DRM "rootkit" technology which Sony is deploying.

 The XCP Aurora web site
This is the web site for the XCP DRM "rootkit" technology.

 Mark Russinovich's blog posting
This is Mark's Halloween (October 31st, 2005) posting explaining how he discovered the Sony/BMG rootkit technology living on one of his own machines when he ran his own "Rootkit Revealer" technology on this machine.

 Mark Russinovich's copy of the Sony EULA license agreement

 A form on the Sony/BMG site for contacting them
You might be interested in dropping Sony a note to express your opinion about their hidden copy protection technology.

 F-Secure's "Blacklight" Rootkit detection (free during beta release)

F-Secure has their rootkit detection system in beta release. I haven't looked at it, but it might be worth giving a whirl.

 The XCP "Software Update" page

This is the XCP Aurora page with instructions for "updating" or removing the Sony "rootkit" DRM technology.

 F-Secure's complete information

The folks at F-Secure discovered this problem in early October 2005, began researching it, purchased CDs from Amazon, "infected" their machines, and have thoroughly documented their findings.

The folks at F-Secure wrote: "Although the software isn't itself malicious, the hiding techniques used are exactly the same that malicious software known as rootkits use to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits.

The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix '$sys$', the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these techniques."

Remember: F-Secure's Blacklight rootkit scanner provides a REMOVAL capability BUT YOU MUST NOT USE IT or, as Mark found, you'll lose your CD Drive!!!

 "Why DRM is Bad" (and doesn't work anyway)

In June of 2004, Cory Doctorow of the EFF (Electronic Frontier Foundation) gave a talk to Microsoft about why DRM is always a bad idea.

 The news on SlashDot
If you know, like, or read the popular SlashDot web site, you might like reading their group-take on this story.

 The news posting on Digg

 "The Register" headline: Removing Sony's CD "Rootkit" kills Windows

 An MSNBC posting
This MSNBC poster clicked "No" on the pop-up EULA license then became VERY glad that he had as he learned more about the nightmare he had avoided.

 A typical Sony/BMG horror story
About halfway down this page, "Mikefive" posts and shares his experience of discovering and struggling to remove this rootkit technology.

 "DRM Crippled CD: A bizarre tale in 4 parts"
An interesting page discussing DRM and the politics that sometimes underlies what we see on the surface.


Gibson Research Corporation is owned and operated by Steve Gibson.  The contents
of this page are Copyright (c) 2022 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson
Research Corporation, Laguna Hills, CA, USA. GRC's web and customer privacy policy.

Last Edit: May 04, 2013 at 18:12