The Sony CD Fiasco of 2005
- In late October 2005, Mark Russinovich (operator of the SysInternals blog) tested the latest version of RootkitRevealer (RKR)
- Russinovich practiced very safe computing, and had even written an article on detecting rootkits for the June 2005 edition of Windows IT Pro
- Much to his surprise, RKR revealed a large number of hidden system files on his PC, an obvious symptom of a rootkit infection
- His blog entry
What RKR revealed
(from Mark Russinovich’s blog entry)
Note that these files were hidden (last column) and many started with $sys$
Sony CD Fiasco continued
- To confirm that he had detected a rootkit, Russinovich analyzed the system with his own tool, LiveKd (Live Kernel Debugger)
- LiveKd detected that the system services table (a table of function pointers) had function pointers patched into it that were obviously not in the address range of the kernel
- See 2nd screen shot in his blog entry (next slide)
- Disassembling one of these functions showed it was from the aries.sys device driver, which was one of the hidden files detected by RKR
What RKR revealed
(from Mark Russinovich’s blog entry)
The circled function pointers are clearly different from the others
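The check LiveKd performed above, a system service table whose entries should all point into the kernel image but some of which do not, can be expressed as a small cross-check. The following is an added example, not code from Russinovich's blog or from any Sysinternals tool; every address, module range and service index in it is constructed sample data, chosen only so that two entries fall outside the known module map.

```python
"""Flag system service table entries that point outside every known
kernel-mode module, the symptom LiveKd exposed in the slide above.

Added example. The module map and service table below are constructed
sample data, not values taken from a real system or from the blog.
"""

# Constructed kernel-mode module map: name -> (base address, size).
MODULES = {
    "ntoskrnl.exe": (0x804D7000, 0x1F8000),
    "win32k.sys":   (0xBF800000, 0x1C0000),
}

# Constructed system service table: service index -> handler address.
# Indexes 0x91 and 0xAD point into a region no listed module covers,
# the pattern a hooking driver leaves behind.
SSDT = {
    0x25: 0x8057A1C0,   # inside ntoskrnl.exe (constructed)
    0x91: 0xF7C6A2B0,   # outside every known module (constructed)
    0xAD: 0xF7C6A3E4,   # outside every known module (constructed)
    0xE0: 0x80589B30,   # inside ntoskrnl.exe (constructed)
}


def owning_module(addr, modules):
    """Return the name of the module whose range contains addr, or None."""
    for name, (base, size) in modules.items():
        if base <= addr < base + size:
            return name
    return None


def find_suspect_services(ssdt, modules):
    """Return sorted (index, address) pairs whose handler lies outside
    every known module; these are the entries worth disassembling."""
    return sorted((idx, addr) for idx, addr in ssdt.items()
                  if owning_module(addr, modules) is None)


def suspect_address_range(suspects):
    """Lowest and highest suspect handler address. A tight range suggests
    a single hooking driver, which is what the loaded-driver list is then
    searched for (aries.sys in the case described on the slide)."""
    if not suspects:
        return None
    addrs = [addr for _, addr in suspects]
    return min(addrs), max(addrs)


if __name__ == "__main__":
    hooks = find_suspect_services(SSDT, MODULES)
    for idx, addr in hooks:
        print(f"service 0x{idx:02X} -> 0x{addr:08X} (no owning module)")
    print("suspect range:", [hex(a) for a in suspect_address_range(hooks)])
```

On a real system the module map would come from the loaded-driver list and the table from the kernel debugger; the comparison itself is the same. Two hooked entries landing in one small address region is the cue to look up which driver is mapped there.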
Sony CD Fiasco continued
- While the directory was hidden, once he knew of its existence from RKR, he could open a command prompt window and change directory (CD command) directly into it
- Sure enough, there were the rootkit device drivers and other files:
Sony CD Fiasco continued
- Using IDA Pro to disassemble the entire driver, Russinovich discovered that it hooked enough system services to hide “every file, directory, Registry key or process whose name begins with $sys$”
- To confirm, he made a copy of notepad.exe called $sys$notepad.exe, and it disappeared from view!
Sony CD Fiasco continued
- Russinovich also detected unsafe race conditions in the rootkit device driver
- After renaming the driver, he rebooted and the rootkit was no longer active
- All files were visible
- A string dumping tool revealed that the files were part of a product called “Essential System Tools” from a company called “First 4 Internet”
Sony Fiasco: The Plot Thickens
- The First 4 Internet web site had nothing about “Essential System Tools” or aries.sys, but revealed that the company developed Digital Rights Management (DRM) software, including a copy protection application called XCP
- Google revealed that the company had DRM contracts with several major audio CD companies, including Sony/BMG Music
Sony Fiasco: The Plot Thickens
- Russinovich recalled having just recently bought and played a Sony/BMG CD (ironically, entitled Get Right with the Man) that required you to install its media player in order to play it on a PC
Sony Fiasco: The Plot Thickens
- When he played the CD again, there was an increase in CPU usage by process $sys$DRMServer.exe
- The Services tab of Process Explorer identified the app as “Plug and Play Device Manager,” which is an obvious attempt to mislead the user into thinking that this is a core Windows service, which it is not:
Sony Fiasco: The Plot Thickens
- Russinovich found no means to uninstall the rootkit
- And no mention in the EULA (End User License Agreement) that software that could not be uninstalled was going to be installed on his system
- So he removed the files and their associated registry keys manually and rebooted
Sony Rootkit: Can’t Uninstall
- Manual removal led to a major problem, as is often the case with rootkits:
- The CD drive had now disappeared from the system’s view
- Windows permits a form of device driver chaining called device filtering, and XCP had installed a device filter called Crater.sys (another ironic name) that had cratered his system by tunneling into the device driver chain for the CD drive
Sony Rootkit: Can’t Uninstall
- When he tried to delete the registry entries that accomplish the chaining, he got an “access denied” error
- Luckily, he was expert enough to work around that and delete the chained drivers for both the CD drive and the IDE channel for the CD drive (Cor.sys)
Sony Rootkit Problems
- User is not told the software will be installed and cannot be uninstalled
- A user who is notified by a rootkit detector that there are hidden files, and who then deletes those files, will lose the use of the CD drive and probably not know what to do about it
Sony Rootkit Problems
- A legal problem: Philips owns the trademark to the “CD” symbol, and forbids its use on any non-pure audio CD
- Any intruder could now install files that begin with $sys$ and piggyback onto the XCP rootkit, getting his files hidden for free!
The Fiasco Hits the Fan
- The October 31, 2005 blog entry led to major media coverage
- Sony at first said that the EULA warned about the software, and that the EULA told how to uninstall it
- Sony later admitted this was not true and started providing uninstall instructions
- Business Week article revealed Sony was warned on October 4 (!) by F-Secure, an AV vendor
The Fiasco Hits the Fan
Classic quote:
Most people don’t even know what a rootkit is, so why should they care about it?
by Thomas Hesse, President, Global Digital Business, Sony/BMG
The Sony Patch
- Sony got First 4 Internet to provide a patch to update the rootkit
- The 3.5MB “patch” included a whole new version of the DRM software
- Immediately after installing it, Russinovich noticed a new entry called MediaJam in the Add/Remove Programs list:
(from his second blog entry)
The Sony Patch continued
- MediaJam was a heretofore unused name
- Clicking on it to uninstall it produced an error! Another uninstallable package!
- The patch just provides the ability to unload the device driver, restoring the system to its normal state
- However, unloading the driver when it is about to execute could crash the system, due to a race condition in the driver’s design