#1
Guerrilla Ontologist
Join Date: Apr 2001
Location: Future
Posts: 42,696
Adopt-a-Bronco: Prima Materia
Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:
Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking. Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API. (more on site) http://www.sysinternals.com/blog/200...al-rights.html
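The service-table patching described in the quoted post, shown from the detection side as an added example that is not part of the original thread or of any Sysinternals tool: a constructed model of a service table, a clean copy and a patched copy, and the check a scanner applies, namely that every entry must point inside the kernel image. The module names, addresses and service indices are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* A loaded-module record, as the kernel's module list describes it. */
typedef struct { const char *name; uintptr_t base; uintptr_t size; } module_t;

/* Hypothetical memory map; the addresses are constructed for the example. */
static const module_t kernel_image = { "ntoskrnl.exe (simulated)", 0x80400000u, 0x00200000u };
static const module_t other_driver = { "unknown.sys (simulated)",  0xF8A00000u, 0x00010000u };

#define NUM_SERVICES 4
/* Names for the report only; real service numbers differ per Windows build. */
static const char *service_names[NUM_SERVICES] = {
    "NtCreateFile", "NtQueryDirectoryFile", "NtEnumerateKey", "NtQuerySystemInformation"
};
/* Clean table: every handler address lies inside the kernel image. */
static const uintptr_t clean_table[NUM_SERVICES] = { 0x80401000u, 0x80402000u, 0x80403000u, 0x80404000u };
/* Patched table: the directory-enumeration entry now points into the other driver. */
static const uintptr_t tampered_table[NUM_SERVICES] = { 0x80401000u, 0xF8A01230u, 0x80403000u, 0x80404000u };

static bool in_module(const module_t *m, uintptr_t addr) {
    return addr >= m->base && addr - m->base < m->size;
}

/* Count entries whose handler is outside the kernel image; their indices go to out[] (capacity n). */
int find_redirected_services(const uintptr_t *table, int n, const module_t *kernel, int *out) {
    int found = 0;
    for (int i = 0; i < n; i++)
        if (!in_module(kernel, table[i])) out[found++] = i;
    return found;
}

/* Name the module that owns an address, or NULL if no listed module contains it. */
const char *owner_of(uintptr_t addr) {
    if (in_module(&kernel_image, addr)) return kernel_image.name;
    if (in_module(&other_driver, addr)) return other_driver.name;
    return NULL;
}

int main(void) {
    int hits[NUM_SERVICES];
    int n = find_redirected_services(tampered_table, NUM_SERVICES, &kernel_image, hits);
    printf("%d redirected service(s)\n", n);
    for (int i = 0; i < n; i++) {
        const char *owner = owner_of(tampered_table[hits[i]]);
        printf("  #%d %s -> 0x%lx (%s)\n", hits[i], service_names[hits[i]],
               (unsigned long)tampered_table[hits[i]], owner ? owner : "unlisted module");
    }
    return 0;
}
```

An entry that points to an address no listed module owns is just as suspicious as one inside a named driver, since a hidden driver will not appear in the module list either.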
#2
Guerrilla Ontologist
Join Date: Apr 2001
Location: Future
Posts: 42,696
Adopt-a-Bronco: Prima Materia
bump
#3
Guerrilla Ontologist
Join Date: Apr 2001
Location: Future
Posts: 42,696
Adopt-a-Bronco: Prima Materia
http://www.usatoday.com/tech/news/20...-hackers_x.htm
Bad things hide in PCs using Sony BMG software
AMSTERDAM (Reuters) — A computer security firm said Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc. Under a subject line containing the words "Photo approval," a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, British anti-virus firm Sophos says. When recipients click on an attachment, they install malware, which may tear down a computer's firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden — the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.
#4
Guerrilla Ontologist
Join Date: Apr 2001
Location: Future
Posts: 42,696
Adopt-a-Bronco: Prima Materia
http://today.reuters.co.uk/news/news...archived=False
Sony BMG pulls CD software
AMSTERDAM (Reuters) - Music publisher Sony BMG said on Friday it would stop making CDs that use a controversial technology to protect its music against illegal copying. "As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," it said in a statement. The decision follows the discovery on Thursday of the first virus that uses Sony BMG's CD copy-protection software to hide on PCs and wreak havoc.