DonDaddy
The guys at Sysinternals (http://www.sysinternals.com/), makers of great free security and diagnostic software, have discovered something unsettling with their new RootkitRevealer program: Those assholes at Sony have incorporated blackhat hacking techniques into their Digital Rights Management software, putting a rootkit onto the computer of anyone who plays a Sony music CD on their computer.
A rootkit is defined as "a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's Operating System has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard."
Mark of Sysinternals details how he found the Sony rootkit and all the trouble he had getting rid of it:
"I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.
I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.
The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with an RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files."
So basically, if you're not a computer badass like Mark, you've pretty much fucked yourself if you run a good rootkit detector and removal program on a computer you played a Sony CD on.
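The registry items Mark had to hunt down by hand (services with the $sys$ prefix, their boot-start and SafeBoot status, the Local-System-only key permissions, and the IDE upper filter) can be audited read-only from an elevated PowerShell prompt. This is an added example, not code from the original post or from Sysinternals; the `$sys$` name prefix is an assumption taken from the quoted service name, and the script only reports, it deletes nothing.

```powershell
# Added example (not from the original post or Sysinternals): read-only audit of the
# registry state described above. Run elevated; nothing here modifies the system.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$namePattern = '^\$sys\$'   # assumed prefix, from the $sys$DRMServer name in the post
# IDE ATA/ATAPI controllers device setup class (where Cor.sys sat as an upper filter)
$ideClassKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}'

# Service and group names listed under SafeBoot\Minimal or SafeBoot\Network load even in Safe Mode
$safeBootNames = foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path (Join-Path $safeBootKey $mode) -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSChildName }
}

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    if ($svc.PSChildName -notmatch $namePattern) { continue }
    $props = Get-ItemProperty -Path $svc.PSPath
    # Does the key's DACL let Administrators change values? Sony's keys allowed only Local System.
    $acl = Get-Acl -Path $svc.PSPath
    $adminCanWrite = [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0)
    })
    [pscustomobject]@{
        Service         = $svc.PSChildName
        ImagePath       = $props.ImagePath
        Group           = $props.Group
        BootStart       = ($props.Start -eq 0)   # 0 = SERVICE_BOOT_START
        LoadsInSafeMode = ($safeBootNames -contains $svc.PSChildName) -or
                          ($props.Group -and ($safeBootNames -contains $props.Group))
        AdminCanWrite   = $adminCanWrite
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { "No services matching $namePattern are visible through the registry API." }

# Upper filters on the IDE class: a driver listed here loads above every IDE channel device
$upperFilters = (Get-ItemProperty -Path $ideClassKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
'IDE class UpperFilters: ' + $(if ($upperFilters) { $upperFilters -join ', ' } else { '<none>' })
```

While the cloaking driver is loaded it hides `$sys$`-prefixed names from the normal registry API, so this script can come back empty on an infected machine; that gap between what the API shows and what is really on disk is exactly what RootkitRevealer's scan surfaces.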