Archive for the 'Sony Rootkit' Category

Sony rootkit settlement gets final nod

Monday, May 22nd, 2006

A federal judge has issued final approval of a settlement in a class action suit against Sony BMG. It ends a long-running debacle in which Sony BMG has paid a heavy price for its rootkit-planting actions. At least 15 class action suits were brought against Sony BMG by lawyers, and some were judged together in some states as they were so similar.

Anyone who bought a CD that contained the infamous rootkit can receive a replacement CD and free music downloads; additional cash payments have also been mentioned. Every person who bought one of the CDs (here is a list of the offending CDs) should go and get a replacement under the terms of the settlement. The more people who apply, the more big corporations will see that trying to mess with people's computers will have an adverse effect in the future, which should put them off trying such an action.

The Sony BMG rootkit scandal broke out in Nov 2005 after Mark Russinovich discovered something funny when he went to listen to a Sony music CD. He discovered that the DRM software installed a rootkit that hid the Digital Rights Management (DRM) files so that users could not bypass the DRM software. It was soon realised that malware writers could use the same technology to hide their own files on a Sony BMG infected PC.

First4Internet’s XCP and SunnComm’s MediaMax were the names of the DRM software installed and hidden by the rootkit.

The final agreement (click for PDF) is here. Get a copy and, if you have some of the CDs and are affected, get a refund.

Keep Safe

regards
Steo
www.antirootkit.com

World of Warcraft hackers use Sony BMG rootkit to cheat

Friday, March 10th, 2006

A group of hackers have shown how they can use the Sony BMG rootkit to help them cheat on World of Warcraft. World of Warcraft (WoW) is a very popular online game created by Blizzard Entertainment.

When WoW is installed, another program called “The Warden” is installed along with it. It checks a player’s computer memory for running processes that match certain software tools that are considered cheats. The check is automatic, only reports violators, and is explicitly allowed under the terms of service and end-user license agreement. Blizzard Entertainment have been accused of using “The Warden” as a “spyware” program.

WoW cheaters can now use their cheat programs, hidden using the Sony rootkit. All they have to do is to rename the files by putting a $sys$ in front of the filename.

Greg Hoglund has created a program called “The Governor” that will show users what “The Warden” spyware is doing in the background.

Mr & Mrs Smith DVD contains stealthy Protection

Thursday, February 16th, 2006

F-Secure have reported in their blog recently that a German version of the DVD film Mr & Mrs Smith starring Brad Pitt and Angelina Jolie contains copy protection that uses stealth techniques.

The DVD uses copy protection from Settec called Alpha-DVD, which stops users from copying the DVD. Settec have made an uninstaller available. The F-Secure blog shows how Blacklight found a file called wtsap32.exe, which was a hidden service. No files were being hidden, which makes the rootkit a bit less dangerous. If it had been able to hide files, it could then have been used by criminals to hide their own files using the rootkit.

It is amazing to see companies still using techniques like this, especially after the Sony rootkit debacle that hurt their customer base and was a public relations nightmare.

The German edition of the DVD seems to be the only one affected.

Sony rootkit fiasco may lead to regulation

Thursday, February 16th, 2006

The US Department of Homeland Security has said that the use of rootkits with commercial software will have to stop or else it will be regulated by the government. A DHS official spoke in particular about the Sony rootkit debacle, which shows the extent of the effect the fiasco has had on consumers and the worldwide attention it drew.

“We need to think about how that situation could have been avoided in the first place,” said Jonathan Frenkel, director of law enforcement policy with the DHS’s Border and Transportation Security Directorate, who was speaking at the RSA Conference 2006 in San Jose, California.

The DHS has previously called for software vendors to be careful with the way their software may use stealth technology for protection purposes. The Sony BMG episode hit thousands of customers who bought music CDs infected with the Sony rootkit. The rootkit was then itself exploited by hackers, who used its capabilities to hide their own malware.

It seems that again it will boil down to a definition of rootkits, and of what is acceptable and what is not when it comes to software. Only then can regulation or legislation be useful.

Using Rootkits to Defeat Digital Rights Management

Monday, February 6th, 2006

Mark Russinovich has discovered two CD emulation programs that seem to use rootkit technology to evade Digital Rights Management software. Mark wrote in his blog recently that two popular programs called Alcohol and Daemon Tools try to fool the operating system into thinking that they are not there, and thus any DRM software will be fooled as well.

Mark used Rootkit Revealer to find that the software was using stealth techniques such as false registry entries to hide from the OS. From there he found discrepancies between what Windows thought was there and what actually was. On tracing the discrepancies he found that hidden device drivers and misleading registry entries were employed by the CD emulation and CD/DVD copying software.

The use of rootkits within commercial software should not be tolerated, and it is not, as was seen with the Sony rootkit debacle. Both Alcohol and Daemon Tools “seem” to be using such techniques to defeat DRM.

Microsoft Patch Cleans Up After Sony Rootkit

Wednesday, December 14th, 2005

Microsoft have this month included an update for the Windows Malicious Software Removal Tool which adds detection and deletion for “F4IRootkit,” Microsoft’s name for the Sony rootkit that was shipped with over 5 million CDs. This is a good move from Microsoft, as many thousands of unsuspecting users are known to have the Sony rootkit on their system. It follows the news that the rootkit can be used by virus writers and spyware makers to hide their files. Recently a new Trojan called Stinx-E was found that dropped a file called $sys$drv.exe, which is basically a backdoor for hackers to execute commands on the infected computer.

Sony’s rootkit hides all files that begin with $sys$ so that they are not visible to antivirus products. Thus, by creating a trojan, virus or spyware whose filename begins with $sys$, hackers can use the Sony-installed rootkit to hide files and remain undetected.

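
The cross-view comparison described in the Rootkit Revealer post above, combined with the $sys$ prefix rule from this post, as an added sketch that is not code from this blog or from any of the tools named. Both listings are constructed sample data, and how the raw on-disk view is obtained is assumed and out of scope.

```python
"""Cross-view check: diff what the OS API lists against a raw on-disk listing."""
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # filename prefix the post says the Sony rootkit hides
HIDDEN_PREFIXED = "hidden, name starts with $sys$"
HIDDEN_OTHER = "hidden, no known prefix"
VISIBLE_PREFIXED = "visible $sys$ name, cloak not active"

@dataclass(frozen=True)
class Finding:
    path: str
    reason: str

def _norm(path):
    # Windows paths are case-insensitive and accept either separator.
    return path.replace("/", "\\").rstrip("\\").lower()

def _leaf(path):
    return _norm(path).rsplit("\\", 1)[-1]

def cross_view(api_view, raw_view):
    """Flag raw-view entries that the API view lacks, plus any $sys$ names."""
    visible = {_norm(p) for p in api_view}
    findings = []
    for path in sorted({_norm(p) for p in raw_view}):
        prefixed = _leaf(path).startswith(CLOAK_PREFIX)
        if path not in visible:
            reason = HIDDEN_PREFIXED if prefixed else HIDDEN_OTHER
        elif prefixed:
            # Still worth reporting: such files surface once the cloak is removed.
            reason = VISIBLE_PREFIXED
        else:
            continue
        findings.append(Finding(path, reason))
    return findings

# Constructed sample listings; only the name $sys$drv.exe comes from the post.
API_VIEW = [r"C:\WINDOWS\system32\kernel32.dll",
            r"C:\Windows\System32\notepad.exe",
            r"C:\Temp\$sys$leftover.txt"]
RAW_VIEW = API_VIEW + [r"C:\Windows\System32\$sys$drv.exe",
                       r"C:\Windows\System32\drivers\example.sys"]

if __name__ == "__main__":
    for f in cross_view(API_VIEW, RAW_VIEW):
        print(f"{f.reason:40} {f.path}")
```

An entry hidden without the prefix points to some other hiding method and needs separate investigation.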