Rootkit


Published on September 30, 2007

Author: tech2click

Source: slideshare.net


Sony Rootkit problem

Sony’s Rootkit [most, but not all, of this is derived directly from Mark Russinovich’s blog]

Sony, Rootkits and Digital Rights Management Gone Too Far

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:

Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking. Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API. It’s relatively easy to spot system call hooking simply by dumping the contents of the service table: all entries should point at addresses that lie within the Windows kernel; any that

I listed one of the intercepting functions and saw that it was part of the Aries.sys device driver, which was one of the images I had seen cloaked in the $sys$filesystem directory:
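The check described above, dumping the service table and flagging every entry that does not fall inside the kernel image, as an added example that is not part of Russinovich’s post or of the slides. The module list and the table dump it works on are constructed sample data: the kernel base and the Aries.sys load range are illustrative addresses, not values from the page, and the script classifies each entry by address range rather than trusting the debugger’s symbol column, since a hook is exactly the case where the symbol column may be unhelpful.

```python
"""Flag system-service-table entries that point outside the Windows kernel.

Added example, not from Russinovich's post or the slides. It applies his rule
(every table entry should point into the kernel image) to a debugger-style dump
using address ranges, not the symbol column. Both inputs below are constructed:
the module bases and the Aries.sys load range are illustrative, not real values.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Module = Tuple[str, int, int]   # (name, base address, size)

# Constructed module list in the shape a kernel debugger's 'lm' output gives.
SAMPLE_MODULES: List[Module] = [
    ("nt",        0x804D7000, 0x1F6000),   # ntoskrnl.exe (assumed range)
    ("hal",       0x806D0000, 0x020000),
    ("Aries.sys", 0xF8B2A000, 0x004000),   # hypothetical load range for the cloaking driver
]

# Constructed 'dps nt!KiServiceTable'-style dump: slot address, then the pointer
# stored there. Line order gives the service number. Symbol text is ignored.
SAMPLE_SSDT_DUMP = """
80501b8c  805a0e7a nt!NtAcceptConnectPort
80501b90  805b2c6e nt!NtAccessCheck
80501b94  f8b2b120 Aries+0x1120
80501b98  80570f44 nt!NtCreateFile
80501b9c  f8b2b3a0 Aries+0x13a0
80501ba0  f9a11000
"""

_ENTRY = re.compile(r"^\s*([0-9a-fA-F]{8,16})\s+([0-9a-fA-F]{8,16})")


def parse_table_dump(text: str) -> List[int]:
    """Function pointers in table order, so list index == service number."""
    return [int(m.group(2), 16)
            for m in (_ENTRY.match(line) for line in text.splitlines()) if m]


def owner_of(addr: int, modules: Iterable[Module]) -> Optional[str]:
    """Name of the loaded image whose range contains addr, or None if unmapped."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None


def find_hooked_entries(text: str, modules: Iterable[Module],
                        kernel_modules: Iterable[str] = ("nt",)) -> List[Dict[str, object]]:
    """Entries whose target lies outside the kernel image(s): candidate hooks.
    For the shadow table (GUI services) pass kernel_modules=("nt", "win32k")."""
    modules = list(modules)
    hits = []
    for index, addr in enumerate(parse_table_dump(text)):
        owner = owner_of(addr, modules)
        if owner not in kernel_modules:
            hits.append({"index": index, "address": addr, "owner": owner or "<unmapped>"})
    return hits


if __name__ == "__main__":
    for hit in find_hooked_entries(SAMPLE_SSDT_DUMP, SAMPLE_MODULES):
        print(f"service {hit['index']:#x} -> {hit['address']:#010x} ({hit['owner']})")
```

Two caveats a practitioner would add: a hit is a lead, not a verdict, because antivirus and other legitimate products of that era also patched the service table, so the owning image still has to be examined (which is exactly what the post does next with IDA Pro); and, as the post notes further on, this whole class of hook does not work on x64 Windows, so the check is for 32-bit systems.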

Armed with the knowledge of what driver implemented the cloaking I set off to see if I could disable the cloak and expose the hidden processes, files, directories, and Registry data. Although RKR indicated that the \Windows\System32\$sys$filesystem directory was hidden from the Windows API, it’s common for rootkits to hide directories from a directory listing, but not to prevent a hidden directory from being opened directly. I therefore checked to see if I could examine the files within the hidden directory by opening a command prompt and changing into the hidden directory. Sure enough, I was able to enter and access most of the hidden files:

Perhaps renaming the driver and rebooting would remove the cloak, but I also wanted to see if Aries.sys was doing more than cloaking so I copied it to an uncloaked directory and loaded it into IDA Pro, a powerful disassembler I use in my exploration of Windows internals. Here’s a screenshot of IDA Pro’s disassembly of the code that calculates the entries in the system service table that correspond to the functions it wants to manipulate:

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that, I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described. They’ll have to come up with a new approach to their rootkit sooner or later anyway, since system call hooking does not work at all on x64 64-bit versions of Windows.
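The two manual checks from the preceding paragraphs, opening a cloaked directory by name even though it is missing from listings and creating a “$sys$”-prefixed file to see whether it vanishes, as an added example that is not from Russinovich’s post or the slides. It compares the enumeration view of a directory with the direct-open view and reports names that are reachable but not listed. Because a clean machine has no cloaking driver, a substitute listing function that drops “$sys$” names stands in for the hook; that substitute is constructed here to imitate the behaviour the post describes and is not the Aries driver’s code. The probe file name is an assumption.

```python
"""Cross-view check for names cloaked from directory listings.

Added example, not from Russinovich's post or the slides. It codifies two of his
manual checks: a cloaked directory can usually still be opened by name although
it is missing from listings, and a file whose name starts with "$sys$" vanishes
while the Aries driver is loaded. The probe file and the substitute listing that
drops "$sys$" names are constructed here; the substitute only imitates the
behaviour the post describes, it is not the driver's code.
"""
import os
import tempfile
from typing import Callable, Dict, Iterable, List

CLOAK_PREFIX = "$sys$"
View = Dict[str, bool]


def cross_view(directory: str, candidates: Iterable[str],
               listdir: Callable[[str], List[str]] = os.listdir,
               exists: Callable[[str], bool] = os.path.lexists) -> Dict[str, View]:
    """For each candidate name, compare the enumeration view (does it appear in
    the listing?) with the direct-open view (can it be reached by full path?)."""
    listed = set(listdir(directory))
    return {name: {"listed": name in listed,
                   "reachable": exists(os.path.join(directory, name))}
            for name in candidates}


def cloaked(report: Dict[str, View]) -> List[str]:
    """Names reachable by path but absent from the listing: the rootkit signature."""
    return sorted(n for n, v in report.items() if v["reachable"] and not v["listed"])


def probe_prefix(directory: str, prefix: str = CLOAK_PREFIX, **views) -> View:
    """Russinovich's test: drop a file whose name starts with the prefix into the
    directory and see whether the listing still shows it."""
    name = prefix + "probe.txt"          # assumed probe name
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("cross-view probe\n")
    try:
        return cross_view(directory, [name], **views)[name]
    finally:
        os.remove(path)


def cloaking_listdir(prefix: str = CLOAK_PREFIX) -> Callable[[str], List[str]]:
    """Constructed stand-in for a hooked directory enumeration that filters out
    every name beginning with the prefix, as the post says Aries.sys does."""
    return lambda d: [n for n in os.listdir(d) if not n.startswith(prefix)]


def run_demo():
    """Probe a scratch directory once with the real listing and once through the
    constructed cloak; returns (clean_view, cloaked_view)."""
    with tempfile.TemporaryDirectory() as scratch:
        clean = probe_prefix(scratch)
        hidden = probe_prefix(scratch, listdir=cloaking_listdir())
    return clean, hidden


if __name__ == "__main__":
    clean, hidden = run_demo()
    print("clean listing  :", clean)
    print("cloaked listing:", hidden, "->", cloaked({"$sys$probe.txt": hidden}))
```

On a live machine the same `cross_view` call can be pointed at `C:\Windows\System32` with the directory name RKR reported as a candidate. The limitation is the one the post implies: a cloak that also refuses to open the object by name defeats both views, which is why RootkitRevealer compares the Windows API view against the raw file system and hive structures instead of against another API.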

After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:

I entered the company name into my Internet browser’s address bar and went to http://www.first4internet.com/. I searched for both the product name and Aries.sys, but came up empty. However, the fact that the company sells a technology called XCP made me think that maybe the files I’d found were part of some content protection scheme.

I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs.

Sony tests technology to limit CD burning
http://news.cnet.co.uk/digitalmusic/0,39029666,39189658,00.htm
June 1, 2005

As part of its mounting US rollout of content-enhanced and copy-protected CDs, Sony BMG Music Entertainment is testing technology solutions that bar consumers from making additional copies of burned CD-R discs. Since March, the company has released at least 10 commercial titles -- more than 1 million discs in total -- featuring technology from UK antipiracy specialist First4Internet that allows consumers to make limited copies of protected discs, but blocks users from making copies of the copies. The concept is known as 'sterile burning'. And in the eyes of Sony BMG executives, the initiative is central to the industry's efforts to curb casual CD burning.

"The casual piracy, the schoolyard piracy, is a huge issue for us," says Thomas Hesse, president of global digital business for Sony BMG. "Two-thirds of all piracy comes from ripping and burning CDs, which is why making the CD a secure format is of the utmost importance."

Names of specific titles carrying the technology were not disclosed. The effort is not specific to First4Internet. Other Sony BMG partners are expected to begin commercial trials of sterile burning within the next month.

To date, most copy protection and other digital rights management (DRM)-based solutions that allow for burning have not included secure burning. Early copy-protected discs as well as all DRM-protected files sold through online retailers like iTunes, Napster and others offer burning of tracks into unprotected WAV files. Those burned CDs can then be ripped back onto a personal computer minus a DRM wrapper and converted into MP3 files.

Under the new solution, tracks ripped and burned from a copy-protected disc are copied to a blank CD in Microsoft's Windows Media Audio format. The DRM embedded on the discs bars the burned CD from being copied.

"The secure burning solution is the sensible way forward," said First4Internet CEO Mathew Gilliat-Smith. "Most consumers accept that making a copy for personal use is really what they want it for. The industry is keen to make sure that is not abused by making copies for other people that would otherwise go buy a CD."

As with other copy-protected discs, albums featuring XCP (extended copy protection) will allow for three copies to be made. However, Sony BMG has said it is not locked into the number of copies. The label is looking to offer consumers a fair-use replication of rights enjoyed on existing CDs.

A key concern with copy-protection efforts remains compatibility. It is a sticking point at Sony BMG and other labels as they look to increase the number of copy-protected CDs they push into the market. Among the biggest headaches is that secure burning means that iPod users do not have any means of transferring tracks to their device, because Apple Computer has yet to licence its FairPlay DRM for use on copy-protected discs. As for more basic CD player compatibility issues, Gilliat-Smith says the discs are compliant with Sony Philips CD specifications and should therefore play in all conventional CD players.

The moves with First4Internet are part of a larger copy-protection push by Sony BMG that also includes SunnComm and its MediaMax technology. To date, SunnComm has been the music giant's primary partner on commercial releases -- including Velvet Revolver's Contraband and Anthony Hamilton's solo album. In all, more than 5.5 million content-enhanced and protected discs have been shipped featuring SunnComm technology. First4Internet's XCP has been used previously on prerelease CDs only. Sony BMG is the first to commercially deploy XCP.

First4Internet's other clients -- who include Universal Music Group, Warner Music Group and EMI -- are using XCP for prerelease material. Sony BMG expects that by the end of the year a substantial number of its US releases will employ either MediaMax or XCP. All copy-protected solutions will include such extras as photo galleries, enhanced liner notes and links to other features.

Contact

By Email: info@xcp-aurora.com, sales@xcp-aurora.com
By Phone: Tel: +44 (0)1295 255777, Fax: +44 (0)1295 262682
By Post: 6 South Bar Street, Banbury, Oxfordshire OX16 9AA

They seemed to need a lot of help …

Subject: Winsock 2 LSP Problems.
From: "Ceri Coburn" <xxx@first4internet.co.uk>
Date: Thu, 15 Aug 2002 12:19:23 +0100

Hi, I am having problems with creating a winsock LSP. I am going off the LSP example that's in the Platform SDK. I can get the ws2_32.dll to call WSPStartup but when debugging an application that uses winsock they fall over with the following error:

(558.55c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000000 ecx=00000202 edx=00dfd740 esi=0013eb08 edi=00000202
eip=77e777f8 esp=0013ee64 ebp=0019ae50 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
kernel32!InterlockedIncrement+9:
77e777f8 f00fc101 lock xadd [ecx],eax ds:0023:00000202=????????

Anybody got any ideas on why it's doing this?

[ http://www.osronline.com/lists_archive/ntfsd/thread2716.html ]

Is this the author in an earlier life?

I think I have the right man. By the way, I checked the Estyn report on this school; it’s a jolly good Welsh-speaking comprehensive in the Rhondda with a “very good” Computer Science Department.

The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies. I scrounged through my CDs and found it, Sony BMG’s Get Right with the Man (the name is ironic under the circumstances) CD by the Van Zant brothers. I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:

The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:

Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snap-in (services.msc) into thinking that it’s a core part of Windows:

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software:

I still had to confirm the connection between the process and the CD’s player so I took a closer look at each process. Based on the named pipe handles I saw they each had opened when I looked in Process Explorer’s handle view I suspected that the player and $sys$DRMServer communicated via named pipes and so I launched Filemon, checked Named Pipes in the Volumes menu, and confirmed my theory:

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.

IMPORTANT-READ CAREFULLY: This compact disc (“CD”) product contains standard so-called “Red Book”-compliant audio files that can be played on any standard CD player, including those contained in many personal home computer systems. As an added feature, this compact disc (“CD”) product also enables you to convert these audio files into digital music files and/or may also contain other already existing digital content (such files and content, collectively, the “DIGITAL CONTENT”), any of which may be stored on the hard drive of a personal home computer system owned by you (“YOUR COMPUTER”) and accessed via YOUR COMPUTER or certain approved, compatible portable devices owned by you (each, an “APPROVED PORTABLE DEVICE”).

Before you can play the audio files on YOUR COMPUTER or create and/or transfer the DIGITAL CONTENT to YOUR COMPUTER, you will need to review and agree to be bound by an end user license agreement or “EULA”, the terms and conditions of which are set forth below. Once you have read these terms and conditions, you will be asked whether or not you agree to be bound by them. Click “AGREE” if you agree to be bound. Click “DISAGREE” if you do not agree to be bound. Please keep in mind, however, that if you do not agree to be bound by these terms and conditions, you will not be able to utilize the audio files or the DIGITAL CONTENT on YOUR COMPUTER.

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Once the SOFTWARE has been installed on YOUR COMPUTER, a menu will then appear on the screen of YOUR COMPUTER, giving you the option of playing the audio files on YOUR COMPUTER, creating a copy of the DIGITAL CONTENT directly onto the hard drive of YOUR COMPUTER, or making a limited number of back-up copies of the CD onto other, recordable CDs. If you choose to create a copy of the DIGITAL CONTENT, the menu will then prompt you to select a file format for the DIGITAL CONTENT. Once you have selected a file format, a copy of the DIGITAL CONTENT will automatically be created in that file format and transferred onto the hard drive of YOUR COMPUTER, where you will be able to access it using an APPROVED MEDIA PLAYER (see below) or, at your election, transfer it from YOUR COMPUTER onto an APPROVED PORTABLE DEVICE.

In order to access the DIGITAL CONTENT on YOUR COMPUTER, you will need to have a copy of an approved media player software program that is capable of playing the DIGITAL CONTENT in the file format you selected (each such approved media player, an “APPROVED MEDIA PLAYER”) on YOUR COMPUTER. You may already have a copy of an APPROVED MEDIA PLAYER on YOUR COMPUTER. If you do, you will be able to play the DIGITAL CONTENT on YOUR COMPUTER without doing anything further. This CD may also contain an APPROVED MEDIA PLAYER for the file format you selected. If it does, the menu that appears on the screen of YOUR COMPUTER will prompt you on how to transfer a copy of that APPROVED MEDIA PLAYER onto YOUR COMPUTER. To the extent you utilize an APPROVED MEDIA PLAYER contained on this CD, your use of such APPROVED MEDIA PLAYER may be subject, in each instance, to separate terms and conditions provided by the owner of the APPROVED MEDIA PLAYER concerned. If you do not already have a copy of an APPROVED MEDIA PLAYER on YOUR COMPUTER, and if this CD does not contain a compatible APPROVED MEDIA PLAYER, then you will need to secure a compatible APPROVED MEDIA PLAYER elsewhere (e.g., on an Internet website, where you can download one).

END-USER LICENSE AGREEMENT

This End-User License Agreement (“EULA”) is a legal agreement between you and SONY BMG MUSIC ENTERTAINMENT (“SONY BMG”), a general partnership established under Delaware law. By clicking on the “AGREE” button below, you will indicate your acceptance of these terms and conditions, at which point this EULA will become a legally binding agreement between you and SONY BMG.

Article 1. GRANT OF LICENSE

1. Subject to your agreement to the terms and conditions set forth in this EULA, SONY BMG grants to you a personal, non-exclusive and non-transferable license, with no right to grant sublicenses, to: (a) install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form; (b) install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form; (c) use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE; in each instance, solely for your own personal and private use and not for any other purpose (including, without limitation, any act of electronic or physical distribution, making available, performance or broadcast, or any act for profit or other commercial purpose) and in accordance with the terms and conditions set forth in this EULA.

2. The DIGITAL CONTENT and the SOFTWARE contained on this CD are sometimes referred to herein, collectively, as the “LICENSED MATERIALS”.

Article 2. PRODUCT FEATURES

1. This CD contains technology that is designed to prevent users from making certain, unauthorized uses of the DIGITAL CONTENT, including, without limitation, the following: (1) making and storing more than one (1) copy of the DIGITAL CONTENT in each available file format on the hard drive of YOUR COMPUTER; (2) accessing the DIGITAL CONTENT on YOUR COMPUTER (once you have installed a copy of it on the hard drive of YOUR COMPUTER) using a media player that is not an APPROVED MEDIA PLAYER; (3) transferring copies of the DIGITAL CONTENT that reside on the hard drive of YOUR COMPUTER on to portable devices that are not APPROVED PORTABLE DEVICES; (4) burning more than three (3) copies of the DIGITAL CONTENT stored on YOUR COMPUTER (ATRAC OpenMG file format only) onto AtracCDs; (5) burning more than three (3) copies of the DIGITAL CONTENT onto recordable compact discs in the so-called “Red Book”-compliant audio file format; and (6) burning more than three (3) backup copies of this CD (using the burning application provided on the CD) onto recordable CDs and burning or otherwise making additional copies from the resulting backup copies.

2. PLEASE NOTE: Your use of the DIGITAL CONTENT and the other LICENSED MATERIALS may be subject to additional restrictions, under applicable copyright and other laws, that are not enforced or prescribed by any technology contained on this CD. The absence of any such technology designed to enforce these additional restrictions should in no way be viewed or interpreted as a waiver, on the part of SONY BMG or any other person or entity owning any rights in any of the LICENSED MATERIALS, of their respective rights to enforce any such additional restrictions regarding your use of the LICENSED MATERIALS. Your use of the DIGITAL CONTENT and the other LICENSED MATERIALS shall, at all times, remain subject to any and all applicable laws governing the use of such materials, including, without limitation, any restrictions on your use prescribed therein.

3. All of your rights to enjoy the DIGITAL CONTENT, as described herein, shall be subject to your continued ownership of all rights in and to the physical CD on which such DIGITAL CONTENT is embodied; should you transfer your ownership rights in the physical CD on which such DIGITAL CONTENT is embodied (in whole or in part) to any other person (whether by sale, gift or otherwise), your rights in both the physical CD and such DIGITAL CONTENT shall terminate. …

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter:

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter:

Unfortunately, although you can view the names of registered filter drivers in the “Upper filters” and “Lower filters” entries of a device’s Details tab in Device Manager, there’s no administrative interface for deleting filters. Filter registrations are stored in the Registry under HKLM\System\CurrentControlSet\Enum so I opened Regedit and searched for $sys$ in that key. I found the entry configuring the CD’s lower filter: I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.



World of Warcraft hackers using Sony BMG rootkit

Published: 2005-11-03

Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.

World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software -- deemed a "rootkit" by many security experts -- is shipped with tens of thousands of the record company's music titles.

Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.

Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.

Posted by: Robert Lemos

Writing to Sony …

Date: Thu, 3 Nov 2005 07:54:37 -0500 (EST)
From: contentprotectionhelp <ContentProtectionHelp@info.sel.sony.com>
To: D.A.Nicole1@soton.ac.uk
Subject: Re: ContentProtectionHelp Email Form (KMM15554001I21924L0KM)

[ The following text is in the "utf-8" character set. ]
[ Your display is set for the "ISO-8859-1" character set. ]
[ Some characters may be displayed incorrectly. ]

Thank you for contacting Sony BMG Online.

Sony BMG and First 4 Internet have just released an update that will completely remove the rootkit based DRM content protection software and replace it with a non-rootkit DRM technology that is compatible with all current security protocols.

To ensure the security of your system, please visit their software update website to obtain and install Service Pack 2 at: http://updates.xcp-aurora.com

If after this update, you still wish to uninstall our software, please visit the form below using the computer where the software is currently installed and you will be emailed an uninstall link within 1 business day (M-F). http://cp.sonybmg.com/xcp/english/form9.html

Your "Case ID" is: 3372250.

TIP: Our uninstall request form will require a small ActiveX plug-in (from First 4 Internet). Be sure to also temporarily turn off any pop-up blocker software. Although a non-ActiveX process is in development, currently, our online process is the only option.

Should you prefer to wait for the next uninstallation version, one is due to be released later this month at: http://cp.sonybmg.com/xcp/english/updates.html

Thank you for the opportunity to be of assistance.

The Sony BMG Online Support Team
CC2X
John

And the inevitable threat …

This message and any attachments are solely for the use of intended recipients. They may contain privileged and/or confidential information. If you are not the intended recipient, you are hereby notified that you received this email in error, and that any review, dissemination, distribution or copying of this email and any attachment is strictly prohibited. If you receive this email in error please contact the sender and delete the message and any attachments associated therewith from your computer. Your cooperation in this matter is appreciated.

Original Message Follows:
------------------------

Email Address: dan1@soton.ac.uk
Case ID :
Packet :
Artist Name : n/a
Disk Title : n/a
Store Name : n/a
Country : Other
Language :
Problem Type : OTHER TECHNICAL PROBLEM
Device Type :
Manufacturer :
PC Brand :
Model :
OS :
Auto Mfg :
Auto Model :
Auto Year :

Message : I am considering buying Sony music CDs here in the UK, but am deeply worried by recent reports that they include Digital Rights software from "First 4 Internet" which uses techniques which Microsoft say should be avoided (see http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx) and have been found to cause system instability (see the post by Mikefive at http://castlecops.com/postp605449.html). Can you tell me which (if any) Sony CDs are safe to purchase and play on my PC?

The uninstaller just makes things worse

Uninstaller

The uninstaller requires you to install an ActiveX control on your system before you can even request an uninstall URL. Turns out, the uninstaller ActiveX marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It's called "RebootMachine". If you have installed Sony's ActiveX control, follow the link to invoke the RebootMachine method. I don't even want to know what the ExecuteCode method does...

The InstallUpdate method seems to download a file in XCP.DAT format, extract a DLL from it and then execute stuff. So far I haven't analyzed the code enough to determine if it's exploitable, but I'm guessing it doesn't do any significant verification - meaning this ActiveX control could have an exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has a working uninstall link, please view the source of the page at every step and check the JavaScript it uses. I'd like to see how these methods are supposed to be used.

Also, if anyone has reversed the XCP.DAT format (seems to be a zlib based compressed archive), please contact me. It would appear that the ability to create these archives is the ability to execute anything on the vulnerable systems.

[ http://hack.fi/~muzzy/sony-drm/ ]

to the rescue …

Sony DRM Rootkit

I've been getting a lot of questions in the last week about Microsoft's position on the Sony DRM and rootkit discussions, so I thought I'd share a little info on what we're doing here. We are concerned about any malware and its impact on our customers' machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

I'll update you if any more information comes up.

best,
-jasong

------------------------------------------------------------
Jason Garms
Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation
Team Blog: http://blogs.technet.com/antimalware


Analysis

Sony BMG has made a prudent decision — after more than ten days of intense criticism from industry observers and consumer advocates — to end the use of its highly controversial DRM technology. This will help the company recover from what has become a serious public-relations problem, but Sony BMG still faces lawsuits filed by PC users who allege that their PCs have been damaged by the technology.

What makes the Sony BMG incident even more unfortunate is that the DRM technology can be defeated easily. Gartner has identified one simple technique: The user simply applies a fingernail sized piece of opaque tape to the outer edge of the disc, rendering session 2 — which contains the self-loading DRM software — unreadable. The PC then treats the CD as an ordinary single session music CD, and the commonly used CD "rip" programs continue to work as usual. (Note: Gartner does not recommend or endorse this technique.) Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety.

Another letter from Sony

Date: Mon, 28 Nov 2005 14:01:04 -0500 (EST)
From: contentprotectionhelp <ContentProtectionHelp@info.sel.sony.com>
To: D.A.Nicole1@soton.ac.uk
Subject: Notification of potential security issue (KMM15645015I21924L0KM)

Thank you for contacting Sony BMG Online.

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files: …
