
Hackers Raid Sony's Playbook

Over the weekend, I was contacted by a Security Fix reader who spends a great deal of his time taking apart software applications to find security vulnerabilities (which he occasionally sells to security companies that use them to brag to their customers about how great their security products are, but that's another story altogether).

This young man told me that his current project revolves around the subject of the blog entry I posted last week regarding Sony BMG's anti-piracy program, which uses rootkit technology to hide its components from users and to defy removal from their PCs.

(I've agreed not to name this individual because technically his activities could be construed to run afoul of the twisted anti-circumvention statutes included in the Digital Millennium Copyright Act, violations of which have led to some pretty bizarre legal battles.)

I doubt Sony would be bold enough to invoke that law -- which makes it a crime to circumvent technological measures used to protect copyrighted works -- in this instance, but this situation illustrates how it can have a chilling effect on security research.

Anyway, this kid was so ticked off over Sony's tactics that he and a friend spent the better part of the last few days deconstructing the program and trying to find remotely exploitable security flaws in it. The guy said he hadn't yet found any, but judging from some of the other news coming out today, it sure looks like he's not the only one taking a closer look at the Sony software.

As I reported last week, Sony issued a "patch" to unhide the files cloaked by its anti-piracy program (and to exert some damage control on a public-relations nightmare). But according to new research by the guy who discovered what the Sony program was up to -- Sysinternals' Mark Russinovich -- Sony's patch can lead to a crashed system and data loss.

The folks at Computer Associates also looked into the patch, and found that "it has a broken uninstall that removes the rootkit in a way that can cause Windows to crash." CA also confirmed Russinovich's latest research, which found that the music player software that ships with the protected CDs "sends the names of the CDs a user is listening to, along with the user's IP address and listening habits, back to Sony without permission from the user."

At any rate, this type of swift reaction to corporate malfeasance (perceived or actual) is common in the security research community, and we saw it in action earlier this year when Internet Security Systems and Internet router maker Cisco Systems sued former ISS researcher Mike Lynn to prevent him from disclosing the details of a serious security hole in Cisco's products, which are responsible for routing a large portion of the world's Internet traffic.

Within hours of news that Lynn was fighting a temporary restraining order, many in the security research community went ballistic, with several groups working overtime to try to reproduce Lynn's work and release a program that would allow attackers to exploit the flaw (Cisco finally issued a patch just last week for the flaw Lynn discovered).

On a related note, several news outlets are reporting that Lynn has landed a job with Sunnyvale, Calif.-based Juniper Networks, Cisco's chief rival.

By Brian Krebs  |  November 7, 2005; 1:35 PM ET
Categories:  From the Bunker , Piracy  

Comments

I thought capitalism was supposed to be about building a better mousetrap. Reading your blog, I get the impression that it's rather about using over-priced legal talent to prevent somebody else from building that mousetrap....

Posted by: M Henri Day | November 7, 2005 1:59 PM | Report abuse

The BBC has a follow-up item on this:

http://news.bbc.co.uk/1/hi/technology/4413856.stm

This is their third item on this disgusting incident. Credit to them. This story has made a big splash in tech news but it is off the radar for most mainstream news organizations - people who, by and large, don't understand tech issues and don't follow what's going on in the tech world.

First 4 are a shameless and obscenely immoral outfit. Matthew Gilliat-Smith, managing director of this British company, has now abused F-Secure for having analyzed his spyware and said what dangers it exposes people's machines to. He said: "They have a vested interest." Talk about the pot calling the kettle black. Such a comment beggars belief.

Hopefully, the British police will soon move in on him and his criminal operation.

Posted by: Damian | November 7, 2005 2:14 PM | Report abuse

If circumventing protections to copyrights is illegal, then buddy from SysInternals who wrote the article about the whole thing and even DEMONSTRATED how to remove the ROOTKIT - basically broke the law.

You guys need a new government that will protect the citizens and consumers. And not one that is more concerned with protecting the monopoly businesses through corrupt patent and copyright protections at the expense of science and consumers.

Posted by: SmartITGuy | November 7, 2005 2:49 PM | Report abuse

If I was a hacker and did this kind of activity (installing a rootkit on someone's PC) I could be charged with a crime...right?

How come I'm not hearing of charges being brought against Sony?

Posted by: David B | November 7, 2005 3:47 PM | Report abuse

What will prevent a virus writer from using the same technique and wreaking havoc?

Posted by: kamal | November 7, 2005 4:27 PM | Report abuse

Whatever happened to the term "innocent until proven guilty"? I guess big business has become the judge and jailor of citizens. Where does the line get drawn between overstepping the line and sensible behavior? I find it an outrage that companies can engage in this type of behavior and wind up with only a slap on the wrist, when a citizen who does this would find themselves in a heap of trouble! When freedom of speech is under attack because of trademarks and copyrights, what will be next, the very language we can speak? Will the only thing we are able to say be nothing at all?

Posted by: Pittsburgh | November 7, 2005 5:28 PM | Report abuse

gdfgdfg

Posted by: dfgdf | November 7, 2005 7:58 PM | Report abuse

Any article on this story should talk about how users can defend themselves. You don't need any special software.

Antispyware/Antivirus companies like CA are reactive. They wait for someone like Mark Russinovich to discover the malware and then create a solution for detecting and removing it. You always want to be proactive with security if you can. The Windows XP permission model allows you to do this and it is a great way to maintain the integrity of your system in a world of unpatched IE vulnerabilities and rampant sneaky DRM software.

If you are running Windows XP just run as a non-administrator user. Rootkit or "stealth" programs require administrator privileges to install. First create another account with administrator privileges if you don't already have one. Then change your account type to a normal user. Install software into your "My Documents" folder or if it is a multiuser system, into the "Shared Documents" folder. Whenever a program requires you to install as administrator think long and hard on whether you trust the source completely. Obviously Sony has lost that trust.

-Chris

Posted by: Chris Wysopal | November 8, 2005 10:13 AM | Report abuse
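The account setup Chris describes, written out as a cmd.exe batch script for Windows XP using the built-in `net` commands. This is an added example, not code from the original post or its commenters; the account name `BackupAdmin` is a placeholder, and the script is meant to be run once from the account that still has administrator rights.

```batch
@echo off
REM Added example (not from the original post): the least-privilege setup
REM described above, done from cmd.exe on Windows XP with the "net" commands.
REM "BackupAdmin" is a placeholder name; run this once as an administrator.

setlocal
set BACKUP_ADMIN=BackupAdmin

REM 1. Make sure a second administrator account exists BEFORE demoting the
REM    everyday account, otherwise no one can perform administrative tasks.
net user %BACKUP_ADMIN% >nul 2>&1
if errorlevel 1 (
    echo Creating %BACKUP_ADMIN%; you will be prompted for its password.
    net user %BACKUP_ADMIN% * /add
    net localgroup Administrators %BACKUP_ADMIN% /add
)

REM 2. Demote the everyday account to a standard user: drop it from
REM    Administrators and make sure it is in Users so it can still log on.
net localgroup Administrators %USERNAME% /delete
net localgroup Users %USERNAME% /add

REM 3. Verify: the everyday account should no longer be listed here.
net localgroup Administrators

echo Log off and back on for the group change to take effect.
echo Installers that genuinely need administrator rights can be run with:
echo   runas /user:%BACKUP_ADMIN% "path\to\setup.exe"
endlocal
```

The demotion only takes effect at the next logon, and `runas` gives a per-program way to elevate a trusted installer without putting the everyday account back into Administrators.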

Chris wrote:
"Antispyware/Antivirus companies like CA are reactive. They wait for someone like Mark Russinovich to discover the malware and then create a solution for detecting and removing it."

This is not always true. We here at F-Secure detected this rootkit even before it was written with our generic rootkit detection technology.

Mikko / F-Secure

Posted by: Mikko | November 8, 2005 12:58 PM | Report abuse

Why the bitching? The DRM was voted in by Congress which all of us elected, except for those who sat on their hands on election day. You want to find the guilty, I suggest that you look in the mirror. If you don't like the DRM and the corporate conquest that has gone on, get somebody new in DC. Until then, just roll over and play dead.

Posted by: Anon | November 8, 2005 2:33 PM | Report abuse

pwn nubs.

Posted by: Sowitki | November 8, 2005 3:57 PM | Report abuse

"Why the bitching? The DRM was voted in by Congress which all of us elected, except for those who sat on their hands on election day. You want to find the guilty, I suggest that you look in the mirror. If you don't like the DRM and the corporate conquest that has gone on, get somebody new in DC. Until then, just roll over and play dead."

Maybe so, but those corrupt politicians care more for Big Business than their voters. It isn't who you vote for, but which one is less corrupt than the other.

As well, this isn't about DRM, this is about a spyware/malware install that a company installed without my knowledge onto my computer. If they used DRM that is one thing, running a hidden program that I have no clue what it is doing is another.

Posted by: Shane | November 9, 2005 3:09 PM | Report abuse

Mikko / F-Secure:

"We here at F-Secure detected this rootkit even before it was written with our generic rootkit detection technology."

Questions:

1. What, if anything, did F-Secure do with the findings once they detected it?

2. Why did F-Secure not make it known as did Mr. Russinovich? I ask this question because the indication is that F-Secure detected it before anything was reported by Mr. Russinovich.

Has any research been done to find out what other Sony media types might contain this type of spyware?

Posted by: Xylo | November 15, 2005 8:42 AM | Report abuse


© 2010 The Washington Post Company