(The following only applies when listening to the affected CDs on your computer. Listening through a home or auto CD player is not impacted.)

The music industry is not happy that you have the ability to play a CD on a computer. You can copy, rip, re-mix, share, or send the music to other devices without purchasing another CD. To prevent this, the industry has begun using copy protection schemes. Most are trivial to defeat.

Sony, however, recently released several titles protected by means of rootkit technology, which is what crackers use to gain control of your PC without your knowledge. A rootkit gives you system-level control of a computer -- you own it.

A well-respected security expert discovered Sony's scheme accidentally after testing his own computer with a product he created to discover rootkits. He eventually traced it back to Sony's digital rights management (DRM) software, which had been installed on his computer when he played a protected CD.

In essence, Sony altered Windows so that you can't play their CD without the DRM protections (copying, ripping, etc.) However, the license agreement didn't mention that they were installing system-level software on the computer. Worse, the files they install are hidden and can't be viewed without special tools.

The programmer had such tools and was able to identify the files and remove them, although with difficulty. Unfortunately, this broke his computer. He was furious. After much work (of a kind not available to any but the most technically proficient) he was able to get it running again. He posted his experiences online and a firestorm erupted.

His main points were 1)the software was installed without user knowledge 2)it was poorly written and caused problems on users' PCs 3)removing it damaged users' computers 4)the rootkit technology left a path on your computer for unscrupulous crackers to exploit, much like virus writers do.

Under pressure, Sony issued instructions on their web site telling users how to remove the cloaking (display the hidden files). Unfortunately, if a user does that and then proceeds to delete their files, they will lose use of their CD drive, or worse.

The story is ongoing. The company that created the DRM scheme is arguing with the guy who discovered it. Sony is taking major heat from users but you can bet this will not be the last attempt by the music industry to restrict how and where you listen to music. Whether that's valid or not is another discussion. The current issue is that Sony is making users install software that can harm their computer and leave it vulnerable to attack.

quote:

---

"Sony says any CDs that contain the software are labeled "Content enhanced & protected" on the front and back of the product packaging. A quick advanced search on Google of Amazon's site turns up more than 24,000 hits for "CONTENT/COPY-PROTECTED CD."

---

I purchased a CD, (a Country artist who's name I won't mention, but who's Steeler is a member here) and notice that label. I hought "Content Enhanced" was a reference to the fact that it was double sided. One side is CD, the other is DVD.

I made a personal use copy on my Mac Powerbook without a problem (I think).

Quicken got into it with their Turbo Tax a couple of years ago because it installed "spyware" for limits of use. There was an uproar and they posted instructions on their web site about removing it. They still lost customers over that.

Sony/BMG DRM Rootkit

A.K.A: All Your Computers Are Belong To Us

I have been watching this develop since Mark Russinovich first blogged about it on October 31, 2005. I recommend that only technically advanced members read his findings on his blog. It will give you a headache if you aren't already into Windows security issues.

Somebody here posted about playing a Copy Protected CD on his MAC computer. He is the lucky one, in that the rootkit only installs on Windows operating systems.

This event is in flux and is rapidly evolving into a major snafu for Sony/BMG, First4Internet (the authors), Universal and others who distribute this cloaking technology. At the heart of the issue is the debate about how far legitimate companies can go to protect their intellectual and copyrighted properties.

My feeling is that we would not be at the junction at this time were it not for the millions of people who are/were swapping copyrighted music and movies illegally for the past couple of years. Most of these CDs and DVDs were originally purchased by people who ripped the content and put it in their shared folders, for all the world to grab, for free.

Now, as a result of the illegal behaviour of the filesharers folks who legally purchase music and videos that contain copy protection software are at risk from that very technology. Hackers are going to have a field-day with this and are already hard at work developing exploits and passing on their finding among their communities. Right now they are using Sony's own rootkit against itself to hide the presence of ripping and game cheating programs from the copy protection program!

This copy protection (rootkit) program was poorly written, so to speak, in that it was rushed to market before thorough testing for legal or security problems. The programmer who is responsible for it solicited coding assistance from readers of a newsgroup!

The top executives at Sony don't think that this is such a big deal; much ado about nothing. Here is a quote from one of the commenters on Mark's Blog, about a telephone interview NPR had with Sony management:

quote:

---

Did anyone click on the link MARK provided and actually LISTEN to the audio??

In this Audio, you will hear a comment from Thomas Hessa (not sure of spelling), PRESIDENT of Sony BMG's Global Digital Business. In this Audio and he says "Most people, I think, do not even know what a Rootkit is, so why should they care about it?"

FREAKING UNBELIEVEABLE!

Click on the LISTEN button on this link here to HEAR it yourself! http://www.npr.org/templates/story/story.php?storyId=4989260

---

Now you all know what we are up against! This is a company without a conscience, or common courtesy, or who gives a hoot about any damage they may cause to the computers belonging to the people who legally purchased a Sony Copy Protected CD. The fact of the matter is that SONY DOES NOT WANT PEOPLE TO PLAY SONY/BMG MUSIC CDs ON THEIR COMPUTERS, PERIOD. If you pop one of these CDs into a home or car CD player it plays as expected, without installing any software... unless your CD player is also capable of reading MP3 encoded CDRs. Then you may end up with a damaged/rootkitted CD player!

From http://www.sonymusic.com/labels/index.html and http://www.sonybmg.com/ :
http://www.arista.com/ http://www.bluebirdjazz.com/index.jsp http://www.bmgclassics.com/ http://www.bmgheritage.com/ http://www.bnarecords.com/ http://www.columbiarecords.com/ http://www.epicrecords.com/ http://www.j-records.com/ http://www.laface.com/ http://www.legacyrecordings.com/ http://rcarecords.com/ http://www.rcavictor.com/index.jsp http://www.sonyclassical.com/ http://www.sonynashville.com/ http://www.sonywonder.com/ http://www.soso-def.com/ http://www.verityrecords.com/ http://www.windham.com/index.jsp

NEW TEST ***
You can check if this "rootkit" is installed on the systems you are responsible for. This can be done by right clicking on your desktop, selecting New from the menu, selecting Folder from the submenu and naming the folder $sys$test

If the folder disappears, your system is compromised with the Sony DRM software and you would be advised to seek the assistance of a professional Microsoft Windows technician.

Be cautioned that the Patch currently offered by Sony could cause your computer to crash as it is also poorly written and requires the installation of an ActiveX control. In a nutshell, the patch tries to unload the rootkit while Windows is running, which causes most computers to crash instantly. If they had gone about this in the correct manner the driver would be unloaded upon rebooting, after the references to load it were deleted from the (hidden) registry keys that launch it as a service.

What a freakin mess!

Wiz
Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 07 November 2005 at 11:23 AM.]

quote:

---

Is this something that would be eliminated if a person elected to run a Debug script on their hardrive and reinstall the O.S. and everything else?

---

Those who are advanced level users can follow Mark Russinovich's method to eliminate the rootkit without reinstalling the OS. Read his entire Blog, including the reader comments and follow links to other reports. People have posted methods to safely remove this rootkit and restore the CD drives. This involves a combination of Recovery Console, Safe Mode, RootKitRevealer and Find New Hardware techniques. Mark has already performed the debugging and posted his results on his blog, at http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

Steinar

------------------
www.gregertsen.com

Lucky for me, My copy of Martina's "Timeless" doesn't appear to have this garbage. I could just imagine cleaning out my wife's XP box after getting tricked into loading the rootkit.

------------------
2005 Carter S12U 7x5, Blanton D10 8x4, Peavey Session 400 Limited Wedge, Goodrich L120, Boss ME50 effects pedal

[This message was edited by Mike Ester on 10 November 2005 at 09:47 AM.]

Hackers use Sony anti-copy software to hide in PCs

quote:

---

AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc.

Under a subject line containing the words "Photo approval", a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down the firewall and gives hackers access to a PC. The malware hides by using Sony software that is also hidden -- the software would have been installed on a computer when consumers played Sony's copy-protected music CDs.

"This leaves Sony in a real tangle. It was already getting bad press about its copy-protection software, and this new hack exploit will make it even worse," said Sophos's Graham Cluley.

---

Read the article here: http://today.reuters.com/...US-SONY-HACK. xml

[This message was edited by Wiz Feinberg on 10 November 2005 at 09:20 AM.]

SARC: http://www.symantec.com/avcenter/venc/data/backdoor.ryknos.html

Some details:

Backdoor.Ryknos is a Trojan horse that attempts to utilize the SecurityRisk.First4DRM security risk to hide itself on the compromised computer. It can infect Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP computers. It opens a back door on the compromised computer.

Read the rest on SARC.

First time I tried the renaming the new folder reverted to the "new folder" name and did not accept the "$sys$test" but did not disappear either

Second time I tried renaming I got an error message saying "cannot rename file; cannot read from the source file or disc"

Do I have this rootkit installed? I recently purchased Emory Gordy Jr's wife's newest CD and it had the EULA prompt which I unwittingly agreed to.

Thanks for this---insidious as it is it might be here to stay!

Looks that way. And the lawyers have given them a single user out with the "accept disclaimer" gambit.

But get a few hundred crashed systems, the potential for thousands more,
and one savy class action lawyer,
and things might change.

Going into someones system root, likely is in violation of Microsoft's liscencing agreement,
unless THEY also are in on the deal. Certainly not beyond the pale with them...

Brad

News Flash

Sony BMG 'temporarily suspends' production of music CDs with copy-protection

"Stung by continuing criticism, the world's second-largest music
label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave
computers vulnerable to hackers," Ted Bridis reports for The Associated Press. "Sony defended its right to prevent customers from
illegally copying music but said it will halt manufacturing CDs with the 'XCP' technology as a precautionary measure. 'We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use,' the company said in a statement."

quote:

---

First time I tried the renaming the new folder reverted to the "new folder" name and did not accept the "$sys$test" but did not disappear either

Second time I tried renaming I got an error message saying "cannot rename file; cannot read from the source file or disc"

Do I have this rootkit installed?

---

Try this test. Right-click on the desktop and create a new folder. Try renaming it " old folder "
If successful, try renaming it " folder$sys "
If successful, right-click on the desktop and hit F5. If the folder stays put with that name add another dollar sign after sys: " old folder$sys$ " then refresh the view. If the folder remains, rename it " $sys$folder " and see what happens when you refresh the desktop. Let me know the results.

Wiz Feinberg
Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 13 November 2005 at 10:50 AM.]

it didn't dare say they are defending THIS version of the a anti-theft system... hmmmm.

No word in Microsoft's take on this.
Sony basically hacking the Windows system EVERY time a user puts in a cd.
Huh!

Microsoft to Zap Sony DRM 'Rootkit'

Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology.

According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out at Windows users through the anti-spyware application's weekly signature update process.

Read his statements on his Blog, at: http://blogs.technet.com/antimalware/archive/2005/11/12/414299.aspx

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

http://en.wikipedia.org/wiki/XCP

Sony’s Web-Based Uninstaller Opens a Big Security Hole

http://www.freedom-to-tinker.com/?p=927
Tuesday November 15, 2005 by Ed Felten

quote:

---

Over the weekend a Finnish researcher named Muzzy noticed a potential vulnerability in the web-based uninstaller that Sony offers to users who want to remove the First4Internet XCP copy protection software. We took a detailed look at the software and discovered that it is indeed possible for an attacker to exploit this weakness. For affected users, this represents a far greater security risk than even the original Sony rootkit.

The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

A malicious web site author can write an evil program, package up that program appropriately, put the packaged code at some URL, and then write a web page that causes CodeSupport to download and run code from that URL. If you visit that web page with Internet Explorer, and you have previously requested Sony’s uninstaller, then the evil program will be downloaded, installed, and run on your computer, immediately and automatically. Your goose will be cooked.
......
How can you protect yourself against this vulnerability? First, for now don’t accept the installation of any software delivered over the net from First4Internet. (Eventually First4Internet may deliver a fix over the net. That may be worth installing.) That will keep CodeSupport off you machine, if it’s not already there.

To see whether CodeSupport is on your computer, visit our CodeSupport detector page using Internet Explorer.

If you’re vulnerable, you can protect yourself by deleting the CodeSupport component from your machine. From the Start menu, choose Run. In the box that pops up, type (on a single line)

cmd /k del “%windir%\downloaded program files\codesupport.*”

---

quote:

---

It looks as though the uninstaller as claimed last night, does have more serious implications than the original rootkit, in Sony’s continuing DRM nightmare. Basically, the uninstaller will allow any web page to run arbitrary code and or remotely control your pc. Which is sort of the holy grail of remote exploits. The ActiveX control called CodeSupport that is required to get the uninstaller is the culprit here. It remains on system after uninstall and is marked safe for scripting.

---

quote:

---

By going through the uninstall process, you are supposed to feel more protected as you just got rid of nasty malware. Well you are now open to all sorts of new exploits, and you are supposed to think you are protected again.

Amazing how the programmers at First4Internet are so incompetent and continue to introduce security holes onto your system.

---

quote:

---

I almost installed Sony’s active-X uninstaller until I saw that it was written by First4Internet, the same people that wrote the original rootkit. I said, “you have to be kidding!”. There was no way that I was going to let the same company that put a rootkit on my computer also install an active-X program. I dodged that bullet with a little common sense. Fool me once, shame on you. Fool me twice, shame on me! And of course, shame on you Sony for doing this in the first place. I’m waiting to remove the rootkit until I’m convinced that the removal code is finally written well and correctly, and that it has been verified.

---

2: A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 15 November 2005 at 04:24 PM.]

Since Sony has suspended using this technology, I was thinking that the equitable solution would be to demand a clean copy for my daughter. I went to their website, and found that apparently, they are going to institute an exchange program. Kinda took some wind out of my sails, but I wrote them a 'comment' anyway:

quote:

---

My daughter just brought home the latest Trey Anastasio CD......with XCP protection. Due to the security concerns there is NO WAY this CD will be allowed near the computer...which unfortunately for her, is where most of our CDs get played. So my daughter spent her hard earned money from an after school job to buy a CD which she can't play where she wants to hear it.
I purchased my first Sony product 30 years ago: a TC-353D reel to reel which I still have. Through the years, I have bought Sony cassette recorders, Walkman, and Camcorders with confidence in the Sony name. Different division perhaps, but same name, and my confidence is now shattered! My aging computer needs replacement and I was considering a Sony, but now I could never trust the name and would always worry if spyware might come pre-installed.

I am outraged that SonyBMG would subject it's PAYING customers to this abuse. I can respect your right to protect copywritten material, but you have gone too far. I was planning on demanding a clean copy of the CD for my daughter, and now I see that you are planning to make that offer available. This is a step in the right direction. Please put me first on your list when this offer becomes available.

---

What is truly scary about this DRM process is that it hides completely from the system, so you can't tell if it's actually running. Microsoft has admitted that there is no way to fully scan a system for "root kit" infections.

FYI, some firewall products (such as Zone Alarm and Black Ice) will warn you if you're computer is trying to call an outside system. This can be handy in providing warning of such contact, which you can block by default. At least Sony wouldn't know what music you were playing . . . .

Steve

Boggles the mind!
The Sony legal team must be cataleptic in fear and agravation
right around... NOW!!

What is "
WHAT the **** were your thinking!!" in Japanese?

If Microsoft is QUICKLY writing an uninstaller for both
of them "malwares" ; the C.P. and it's uninstaller,
you can bet they will send Sony a BIG bill.
Would Bill Gates crew work for free... yeah right.

First4Internet will likely be toast soon,
and I sure as shooting would not want to EVER use their name on MY resume.

Job Interviewer :
You worked for WHO that year.....
Uh, um, oooohhh weelll, we'll call you.

Job Applicant:
"Oh sorry, I took a year off and went to Tibet...
but I heard about those Sony guys....

First4Internet Who???
Bon chance les mecs la!

I love my Mac.

[This message was edited by David L. Donald on 16 November 2005 at 01:02 PM.]

quote:

---

I love my Mac.

---

Fortunately, because OS X users don't run with admin privileges by default (like Windows) it's much harder to accidentally install it.

Macintouch reports:

quote:

---

Digging into the "enhanced" content on the disk, he found a Start.app that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext.

---

Anti-Malware Engineering Team

Sony rootkit signatures now available

We have analyzed several versions of the rootkit that have been shipped as part of Sony’s XCP software. We are calling the family WinNT/F4IRootkit. We chose the name based on the company that authored this component. We have added detection and removal for those versions via the online scanner at the Windows Live Safety Center. To quickly scan and remove those versions of the rootkit from your computer, you can select the "Full Service Scan" followed by the "Quick scan" option.

The Windows AntiSpyware Beta will be able to detect and remove this as well with the 11/17/05 signature release. Detection and removal will also be added to the December release of the Malicious Software Removal Tool which will be released the second Tuesday of December.

We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change.

There has also been quite a bit of discussion on the web around the ActiveX control that was later released by First 4 Internet and Sony to neutralize the rootkit. The ActiveX control has been cited with a variety of issues / vulnerabilities and it was quickly pulled off of the Sony site. If you have concerns with this ActiveX control it can be blocked by following the directions at the MSRC blog.

Source: http://blogs.technet.com/antimalware/archive/2005/11/17/414741.aspx

------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services

[This message was edited by Wiz Feinberg on 17 November 2005 at 08:07 PM.]

Hello from Amazon.com.

We're writing about your order for the following CD(s):

Dreamin' My Dreams

Dreamin' My Dreams

The Sony CD(s) listed above contain XCP digital rights management
(DRM) software. Due to security concerns raised about the use of CDs
containing this software on PCs, Sony has recalled these CDs and has
asked Amazon.com to remove all unsold CDs with XCP software from our
store.

Since you purchased this CD from Amazon.com, you may return it to us
for a full refund regardless of whether the CD is opened or unopened.
Just visit www.amazon.com/returns and indicate that the CD is
"defective" as the reason for return.

Thank you for your understanding. We hope to see your again soon at
Amazon.com.

Seems even Sony has "seen the light". Only worry is what will they develop now that this has been halted??

Of course Sony would target Mac's too.

So I guess Linux sounds pretty good these days
as a listehning platform...

Total Recall, starts to get a new meaning.

[This message was edited by David L. Donald on 18 November 2005 at 07:41 AM.]

quote:

---

Information on the CD Exchange Program
Consumers who wish to exchange their XCP content protected CDs or also receive MP3 files of the titles in addition to their replacement CDs should visit http://cp.sonybmg.com/xcp for a list of titles and versions, specific instructions and shipping information. There will be no charge to consumers for shipping in either direction.

In addition to providing replacement CDs by mail, SONY BMG is making available MP3 files to consumers who are exchanging their XCP content protected CDs. Consumers who choose to receive MP3 files will receive an e-mail with a link to the MP3 downloads upon SONY BMG's receipt and verification of their XCP CDs.

---

This just in from Sony/BMG...

Bear in mind that this issue is almost a month old today

This was sent today as a followup to a request for assistance in uninstalling the Sony DRM rootkit. The request was sent during the first week of November, 2005 and this reply arrived on November 28, 2005.

quote:

---

Thank you for contacting Sony BMG Online.

SUBJECT: Notification of potential security issue

Our records indicate that you recently sent us an email in connection with the purchase of a content protected CD, requesting a program to uninstall the XCP content protection software. We are sending you this email because we have been notified of a potential security issue that may arise in connection with the uninstaller program previously provided.

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased. The security issue may arise when a user downloads the program to uninstall the XCP software files from a computer.

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal. Nevertheless, for your protection, we are sending this notice to provide you with instructions as to how you may remove the XCP uninstaller files from your computer, curing any associated security risk.

Follow these instructions to remove the original uninstaller files:

1. Using Windows Explorer, go to WINDOWS\Downloaded Program Files\
2. Locate CodeSupport
3. Right click on the file and select Remove from the pop-up window
4. The file is now removed from you computer system

If you cannot find the file in the Windows\Downloaded Program folder then you should run a search for the file as follows:

1. Click Start.

2. Click to open "My Computer."

3. Press the key combination Ctrl + F to open the search window.

4. In the "Search for files or folders named" box, type codesupport.
The word "codesupport" does not contain a space.

5. Click Search Now.

6. If the file is located, right-click on the file to reveal a menu.

7. In the menu click to select the "Remove" option.
This choice forces Windows to safely uninstall the control.

If the file CodeSupport is not found then your computer is not affected.

We sincerely apologize for any inconvenience this may cause. We are in the process of providing an updated version of the uninstaller program for the XCP content protection software through our customer support site ht*p://cp.sonybmg.com/xcp. This web site also contains general information about XCP protection as well as the various additional steps SONY BMG has taken to address consumer concerns regarding the XCP software.

---

quote:

---

To be clear, the security issue is not raised by the presence of XCP content protection technology on the music CD you purchased.

---

quote:

---

The likelihood that you have been exposed to any security risk by using the program to uninstall the XCP technology is minimal.

---