View Full Version : Is It Possible For Corporations To Keep Their Big Fat Noses Out Of Our Computers?


truebeliever
11-02-2005, 01:02 AM
Sony, Rootkits and Digital Rights Management Gone Too Far

Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:

http://www.sysinternals.com/blog/images/rootkit1.gif

Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking.

Rootkits that hide files, directories and Registry keys can either execute in user mode by patching Windows APIs in each process that applications use to access those objects, or in kernel mode by intercepting the associated kernel-mode APIs. A common way to intercept kernel-mode application APIs is to patch the kernel’s system service table, a technique that I pioneered with Bryce for Windows back in 1996 when we wrote the first version of Regmon. Every kernel service that’s exported for use by Windows applications has a pointer in a table that’s indexed with the internal service number Windows assigns to the API. If a driver replaces an entry in the table with a pointer to its own function then the kernel invokes the driver function any time an application executes the API and the driver can control the behavior of the API.

It’s relatively easy to spot system call hooking simply by dumping the contents of the service table: all entries should point at addresses that lie within the Windows kernel; any that don’t are patched functions. Dumping the table in Livekd revealed several patched functions:

http://www.sysinternals.com/blog/images/rootkit2.gif

I listed one of the intercepting functions and saw that it was part of the Aries.sys device driver, which was one of the images I had seen cloaked in the $sys$filesystem directory:

http://www.sysinternals.com/blog/images/rootkit3.gif

Armed with the knowledge of what driver implemented the cloaking I set off to see if I could disable the cloak and expose the hidden processes, files, directories, and Registry data. Although RKR indicated that the \Windows\System32\$sys$filesystem directory was hidden from the Windows API, it’s common for rootkits to hide directories from a directory listing, but not to prevent a hidden directory from being opened directly. I therefore checked to see if I could examine the files within the hidden directory by opening a command prompt and changing into the hidden directory. Sure enough, I was able to enter and access most of the hidden files:

http://www.sysinternals.com/blog/images/rootkit4.gif

Perhaps renaming the driver and rebooting would remove the cloak, but I also wanted to see if Aries.sys was doing more than cloaking so I copied it to an uncloaked directory and loaded it into IDA Pro, a powerful disassembler I use in my exploration of Windows internals. Here’s a screenshot of IDA Pro’s disassembly of the code that calculates the entries in the system service table that correspond to the functions it wants to manipulate:

http://www.sysinternals.com/blog/images/rootkit5.gif

I studied the driver’s initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view. Besides being indiscriminate about the objects it cloaks, other parts of the Aries code show a lack of sophistication on the part of the programmer. It’s never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There’s no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I’ve described. They’ll have to come up with a new approach to their rootkit sooner or later anyway, since system call hooking does not work at all on x64 64-bit versions of Windows.

After I finished studying the driver's code I rebooted the system. The cloak was gone as I expected and I could see all the previously hidden files in Explorer and Registry keys in Regedit. I doubted that the files had any version information, but ran my Sigcheck utility on them anyway. To my surprise, the majority did have identifying product, file and company strings. I had already recognized Dbghelp.dll and Unicows.dll as Microsoft Windows DLLs by their names. The other files claimed to be part of the “Essential System Tools” product from a company called “First 4 Internet”:

http://www.sysinternals.com/blog/images/rootkit6.gif

I entered the company name into my Internet browser’s address bar and went to http://www.first4internet.com/. I searched for both the product name and Aries.sys, but came up empty. However, the fact that the company sells a technology called XCP made me think that maybe the files I’d found were part of some content protection scheme. I Googled the company name and came across this article, confirming the fact that they have deals with several record companies, including Sony, to implement Digital Rights Management (DRM) software for CDs.

The DRM reference made me recall having purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies. I scrounged through my CDs and found it, Sony BMG’s Get Right with the Man (the name is ironic under the circumstances) CD by the Van Zant brothers. I hadn’t noticed when I purchased the CD from Amazon.com that it’s protected with DRM software, but if I had looked more closely at the text on the Amazon.com web page I would have known:

http://www.sysinternals.com/blog/images/rootkit7.gif

The next phase of my investigation would be to verify that the rootkit and its hidden files were related to that CD’s copy protection, so I inserted the CD into the drive and double-clicked on the icon to launch the player software, which has icons for making up to three copy-protected backup CDs:

http://www.sysinternals.com/blog/images/rootkit8.gif

Process Explorer showed the player as being from Macromedia, but I noticed an increase in CPU usage by $sys$DRMServer.exe, one of the previously cloaked images, when I pressed the play button. A look at the Services tab of its process properties dialog showed it contains a service named “Plug and Play Device Manager”, which is obviously an attempt to mislead the casual user that stumbles across it in the Services MMC snapin (services.msc) into thinking that it’s a core part of Windows:

http://www.sysinternals.com/blog/images/rootkit9.gif

I closed the player and expected $sys$DRMServer’s CPU usage to drop to zero, but was dismayed to see that it was still consuming between one and two percent. It appears I was paying an unknown CPU penalty for just having the process active on my system. I launched Filemon and Regmon to see what it might be doing and the Filemon trace showed that it scans the executables corresponding to the running processes on the system every two seconds, querying basic information about the files, including their size, eight times each scan. I was quickly losing respect for the developers of the software:

http://www.sysinternals.com/blog/images/rootkit10.gif

I still had to confirm the connection between the process and the CD’s player so I took a closer look at each process. Based on the named pipe handles I saw they each had opened when I looked in Process Explorer’s handle view I suspected that the player and $sys$DRMServer communicated via named pipes and so I launched Filemon, checked Named Pipes in the Volumes menu, and confirmed my theory:

http://www.sysinternals.com/blog/images/rootkit11.gif

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad.

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad. Windows supports device “filtering”, which allows a driver to insert itself below or above another one so that it can see and modify the I/O requests targeted at the one it wants to filter. I know from my past work with device driver filter drivers that if you delete a filter driver’s image, Windows fails to start the target driver. I opened Device Manager, displayed the properties for my CD-ROM device, and saw one of the cloaked drivers, Crater.sys (another ironic name, since it had ‘cratered’ my CD), registered as a lower filter:

http://www.sysinternals.com/blog/images/rootkit12.gif

Unfortunately, although you can view the names of registered filter drivers in the “Upper filters” and “Lower filters” entries of a device’s Details tab in Device Manager, there’s no administrative interface for deleting filters. Filter registrations are stored in the Registry under HKLM\System\CurrentControlSet\Enum so I opened Regedit and searched for $sys$ in that key. I found the entry configuring the CD’s lower filter:

http://www.sysinternals.com/blog/images/rootkit13.gif

I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec –s –i –d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back.

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.

http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
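The service-table check the post describes (every entry should point into the kernel image; any that does not is a patched function), as an added example that is not part of the original post or of the Sysinternals tools: the module list, the table dump and the service number/name pairing are all constructed for illustration.

```python
"""Service-table hook check over a constructed dump (added example, not from
the original post).  The post's rule: every service-table entry should point
into the Windows kernel image; any that does not is a patched function.  The
module ranges and table contents below are made up to illustrate that check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """A loaded kernel-mode image, as a debugger's module list would report it."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module list (addresses are invented, not real load addresses).
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x0021A000),
    Module("hal.dll", 0x806FF000, 0x00020000),
    Module("aries.sys", 0xF8A2B000, 0x00006000),  # the cloaking driver in the post
]
KERNEL = MODULES[0]

# Constructed service table: service number -> (service name, handler address).
# The number/name pairing is invented for the example.
SSDT = {
    0x25: ("NtCreateFile", 0x8056A2C0),
    0x49: ("NtEnumerateKey", 0xF8A2C3A0),
    0x77: ("NtOpenProcess", 0x7C91E4F0),
    0x91: ("NtQueryDirectoryFile", 0xF8A2C120),
    0xAD: ("NtQuerySystemInformation", 0x805B9E40),
}


def owner_of(addr, modules):
    """Name of the module whose range holds addr, or None if no module does."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def find_hooked_services(ssdt, kernel, modules):
    """Return {service number: (name, owner)} for entries outside the kernel.

    owner is the module containing the target (the likely hooking driver) or
    None when the address falls in no known module, which is worth a closer
    look on its own."""
    hooked = {}
    for num, (name, addr) in sorted(ssdt.items()):
        if not kernel.contains(addr):
            hooked[num] = (name, owner_of(addr, modules))
    return hooked


def hooks_by_module(hooked):
    """Group hooked service names under the module that owns their handler."""
    grouped = {}
    for name, owner in hooked.values():
        grouped.setdefault(owner or "<unknown module>", []).append(name)
    return grouped


if __name__ == "__main__":
    hooked = find_hooked_services(SSDT, KERNEL, MODULES)
    for num, (name, owner) in hooked.items():
        print(f"0x{num:02X} {name:<26} -> 0x{SSDT[num][1]:08X} ({owner or 'unknown'})")
```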
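The pre-removal questions the post answers by hand (is a driver boot-start, is its group listed under SafeBoot, is it registered as a filter under Enum), as an added example not from the original post: it parses a constructed Regedit export, and every key path, value and device instance path in it is made up.

```python
"""Pre-removal check over a constructed Regedit export (added example, not from
the original post).  Before deleting cloaked driver files, it reports which
marker-named services are boot-start or in a SafeBoot group (they load in Safe
Mode too) and which device Enum keys list them as Upper/LowerFilters (deleting
the image would leave that device unstartable).  All paths and values are made up."""
import re

REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$aries]
"Start"=dword:00000000
"ImagePath"="System32\\$sys$filesystem\\aries.sys"
"Group"="Base"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$sys$crater]
"Start"=dword:00000003
"ImagePath"="System32\\$sys$filesystem\\crater.sys"
"Group"="PnP Filter"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PnP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE\4&1a2b&0&0.0.0]
"LowerFilters"=hex(7):24,00,73,00,79,00,73,00,24,00,63,00,72,00,61,00,74,00,65,00,72,00,00,00,00,00
'''
CCS = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet"

def decode_value(raw):
    """Decode the .reg value syntaxes used above: dword, REG_MULTI_SZ, string."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return [s for s in data.decode("utf-16-le").split("\0") if s]
    return raw[1:-1].replace("\\\\", "\\") if raw.startswith('"') else raw

def parse_reg(text):
    """Return {key_path: {value_name: data}} for a (subset of a) .reg export."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:@|"([^"]*)")=(.*)$', line)
        if current is not None and m:
            keys[current][m.group(1) or "@"] = decode_value(m.group(2))
    return keys

def removal_report(keys, marker="$sys$"):
    """Map each marker-named service to the facts that make deleting it risky."""
    safeboot = {k.rsplit("\\", 1)[1] for k in keys if k.startswith(CCS + "\\Control\\SafeBoot\\")}
    report = {}
    for path, v in keys.items():
        if path.startswith(CCS + "\\Services\\") and marker in path + str(v.get("ImagePath", "")):
            report[path.rsplit("\\", 1)[1]] = {
                "image": v.get("ImagePath"),
                "boot_start": v.get("Start") == 0,        # Start=0 loads at boot
                "safe_mode": v.get("Group") in safeboot,  # group named under SafeBoot
                "filter_of": [],
            }
    for path, v in keys.items():  # filter registrations live under Enum, not Services
        if path.startswith(CCS + "\\Enum\\"):
            for kind in ("UpperFilters", "LowerFilters"):
                for svc in v.get(kind, []):
                    if svc in report:
                        report[svc]["filter_of"].append((kind, path[len(CCS) + 6:]))
    return report

if __name__ == "__main__":
    for svc, facts in removal_report(parse_reg(REG_EXPORT)).items():
        print(svc, facts)
```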

mihai_bravu
11-02-2005, 01:05 AM
I've found that the best way to stay secure on the internet is to use a fake IP address on a computer that doesn't belong to you.

Yes, it's moral.

truebeliever
11-02-2005, 06:38 AM
No, it's as bad as the cockheads who desire to look into your private business via their full of accidental and on purpose holes in their operating systems.

You have no business hijacking someone else's computer.

A freakin Christian? And you judge me, frater man?

You cannot surf anonymously...PERIOD! Unless you are using a purpose built, commercial, "anonymous" server which is probably intelligence service run. If not, they can DEMAND to see the originating I.P on their server via warrant...so get over surfing anonymously.

noNWO4me
11-02-2005, 10:59 AM
mihai_bravu wrote:
I've found that the best way to stay secure on the internet is to use a fake IP address on a computer that doesn't belong to you.

Yes, it's moral.

To Truebeliever and Others: People do it all the time---especially at your local library.

They get a yahoo or hotmail address using a fictitious name. FOR NOW!!

The only problem is when the library asks for your library card in order to use the computer.

Then you're NOT so anonymous if anyone of "THEM" wants to know who used computer 10 at such and such time.

PS: Thumb scans are implanted in most of the mice with clear sides. However, for those of you who don't think so----- Then why do you indulge in learning about conspiracy???

We must remember, that technology today is far more advanced than they tell us.

PSS: Used hand scan at work to clock in and out!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Next thing ya know, I'll have a chip in me. Maybe I already do. Just had surgery this month and had to go under.

Marsali
11-02-2005, 11:06 AM
Dang, fra nothing, how is it that you can keep track of all of your many user names? You must have to keep a list handy (the latest being noNWOforme).

mihai_bravu
11-02-2005, 01:54 PM
truebeliever wrote:
No, it's as bad as the cockheads who desire to look into your private business via their full of accidental and on purpose holes in their operating systems.

You have no business hijacking someone else's computer.

A freakin Christian? And you judge me, frater man?

You cannot surf anonymously...PERIOD! Unless you are using a purpose built, commercial, "anonymous" server which is probably intelligence service run. If not, they can DEMAND to see the originating I.P on their server via warrant...so get over surfing anonymously.

You don't know the situation. Trust me, it ok.

Insider
11-02-2005, 02:25 PM
mihai_bravu wrote:

truebeliever wrote:
No, it's as bad as the cockheads who desire to look into your private business via their full of accidental and on purpose holes in their operating systems.

You have no business hijacking someone else's computer.

A freakin Christian? And you judge me, frater man?

You cannot surf anonymously...PERIOD! Unless you are using a purpose built, commercial, "anonymous" server which is probably intelligence service run. If not, they can DEMAND to see the originating I.P on their server via warrant...so get over surfing anonymously.

You don't know the situation. Trust me, it ok.

It ok!!!!!!
:-D :lol: :-D :lol: :-D :lol: :-D :lol: :-D :lol:

truebeliever
11-02-2005, 07:55 PM
The fraterman is talking about "trojaning" someone else's computer. NOT using his local library's hotmail account.

My own ethical nature on this subject says no to a private computer. If you wish to use Bill Gates's, go ahead and crash the %^&$ out of it as well while you're there.

True, I of course forgot about the obvious internet cafes etc...

However, with the use of the net by terrorists and naughty bank hackers you will soon have to present I.D and your thumb to surf.

With the severe hiccups the net is causing the Globalists at the moment they may never get to that point and simply head straight to war as the net is causing them endless headaches in the propaganda game.

One final thing fraterman...you have said endlessly who is afraid of the big bad NWO lackeys? So stand tall nigga.

11-02-2005, 08:10 PM
truebeliever wrote:
The fraterman is talking about "trojaning" someone else's computer. NOT using his local library's hotmail account.

My own ethical nature on this subject says no to a private computer. If you wish to use Bill Gates's, go ahead and crash the %^&$ out of it as well while you're there.

True, I of course forgot about the obvious internet cafes etc...

However, with the use of the net by terrorists and naughty bank hackers you will soon have to present I.D and your thumb to surf.

With the severe hiccups the net is causing the Globalists at the moment they may never get to that point and simply head straight to war as the net is causing them endless headaches in the propaganda game.

One final thing fraterman...you have said endlessly who is afraid of the big bad NWO lackeys? So stand tall nigga.

I AM the head Nigra!

igwt
11-02-2005, 10:46 PM
True Believer, what you posted is amazing! Know these things exist, but haven't had such a clear explanation of how rootkits operate. Not to mention that handy little utility, 'disassembler' are you into coding, software development etc?

truebeliever
11-03-2005, 12:06 AM
Nay. I am a genius to the man on the street but a bad amateur with the professionals.

A friend passed it on. My friends are all high level geeks of the true order.

It's an excellent article produced by someone for no other reward but the truth. That is why the money grubbing swine who own the planet will always fail...they can't comprehend people going against them out of sheer nobility.

I am a simple unemployed man on the margins. Or, as I like to call myself...a G.I.R.M.

Globalist

Induced

Renaissance

Man

Formerly known as an unemployed bum. Or, as my friends allege, a man with too much time on his hands.

igwt
11-04-2005, 12:09 AM
truebeliever wrote:
Nay. I am a genius to the man on the street but a bad amateur with the professionals.

A friend passed it on. My friends are all high level geeks of the true order.

It's an excellent article produced by someone for no other reward but the truth. That is why the money grubbing swine who own the planet will always fail...they can't comprehend people going against them out of sheer nobility.

I am a simple unemployed man on the margins. Or, as I like to call myself...a G.I.R.M.

Globalist

Induced

Renaissance

Man

Formerly known as an unemployed bum. Or, as my friends allege, a man with too much time on his hands.

Got your number :lol:

David
11-04-2005, 09:12 AM
Taken from http://news.yahoo.com/s/nf/20051103/tc_nf/39083

After Criticism, Sony Issues Fix for Hidden Rootkits

Sony (NYSE: SNE) has admitted that it included a stealth rootkit on some music CDs shipped in 2005 and has issued an update to remove the hidden software one day after it was discovered. The company had drawn criticism from security experts who warned that the technology could serve as a tool for hackers.

The nearly undetectable monitoring utility, part of the company's digital-rights management (DRM) technology, was aimed at preventing consumers from producing illegal copies of CDs. The software installed itself automatically in Windows systems whenever a CD was inserted. Any files contained in the rootkit are invisible and almost impossible to remove.

Security expert Mark Russinovich of Sysinternals discovered the hidden rootkit and posted his findings on the company blog on November 1st. Russinovich wrote that although he checked in his system's Add or Remove Programs list, as well as on the vendor's site and on the CD itself, he could not find uninstall instructions. Nor, he says, could he find any mention of it in the End User License Agreement (EULA).

Stealth Tactics

A rootkit is a set of tools commonly used by hackers to circumvent antivirus software and control a computer system. Most rootkits are engineered so that common PC monitoring mechanisms cannot detect them. The rootkits are designed to tuck themselves in to the most basic level of the operating system and remain hidden from users.

A Finnish antivirus company, F-Secure, reported that it had spent several weeks recently trying to find the cause of some unknown files reported by a user who suspected an audio CD as the cause.

Mikko Hyppönen, chief research officer at F-Secure, said hackers could use the rootkit to insert their own files by inserting a simple command at the beginning of the file name that would render them undetectable by most antivirus software. On the F-Secure blog, Hyppönen wrote that he heard rumors that Universal is using the same DRM system on its audio CDs.

Privacy? What Privacy?

Although industry analysts said they cannot fault Sony's motives, some saw the company's initial failure to disclose the hidden technology as a violation of U.S. copyright laws. According to Jared Carleton, an analyst at Frost & Sullivan, Sony is overstepping the fair-use clause that gives consumers the right to make backup copies.

"[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.

Carleton likened the hidden DRM to malware, and said it was no different than adware and spyware. He said that if Sony was shipping DRM-protected CDs, the company needed to put a notice on its packaging. Consumers understand that artists should be paid for their music, he said, but he added that consumers don't like this type of secrecy.

Andrew Jaquith, senior security analyst at Yankee Group, said the company behaved badly and that there could be a backlash. He said that the desire to protect intellectual property is understandable, but that Sony should have been upfront about its DRM technology, and would have been better off using industry-standard software.

"I haven't seen a single positive comment about this and it makes them look at little slimy," Jaquith said. "They should have been above-board and should have used software that they hadn't cobbled together themselves."

On the Web page containing the update, which enables users to detect and remove the rootkit, Sony said its technology did not pose a security risk. "This component is not malicious and does not compromise security," the company's post said. "However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The fix can be downloaded at http://cp.sonybmg.com/xcp/english/updates.html.

noNWO4me
11-04-2005, 01:25 PM
Marsali wrote:
Dang, fra nothing, how is it that you can keep track of all of your many user names? You must have to keep a list handy (the latest being noNWOforme).

Ummmmm! Excuse me, Marsali!
I am not fra nothing, or anyone else.
Just thought I'd stop in to see how things go here at Club Conspiracy, and decided on some input.

Don't know who bugs you, but I'll stay away from you if you want.

Geez, what a welcome mat I got here!

igwt
11-04-2005, 04:40 PM
LONDON--Technology buffs have cracked music publishing giant Sony Music's elaborate disc copy-protection technology with a decidedly low-tech method: scribbling around the rim of a disk with a felt-tip marker.

Link (http://news.zdnet.com/2100-1009_22-917908.html)

igwt
11-04-2005, 04:49 PM
Link (http://www.techweb.com/showArticle.jhtml?articleID=173403155)

igwt
11-04-2005, 07:00 PM
Malware now doing the DNS switcheroo. More interesting computer hacks. Link below.

Link (http://www.securityfocus.com/brief/36)

igwt
11-15-2005, 03:36 AM
There have been several significant developments in the Sony DRM story since my last post. The first is that, despite Sony’s and First 4 Internet’s claims that their rootkit poses no security risk, several viruses have been identified in the wild that exploit the cloaking functionality provided by the rootkit. Besides F-Secure and Computer Associates, most antivirus companies were slow to label the Sony rootkit as a risk. But the discovery of viruses that use the rootkit to hide files has caused many to identify and disable the rootkit in their latest scanning signatures. My guess is that they were waiting for an actual security threat to shield them from a potential problem with Sony. For example, Microsoft initially responded cautiously when questioned about its position on Sony’s use of rootkits, but Jason Garms, a member of the Microsoft Windows Defender team (formerly Microsoft Antispyware), announced in the Windows Defender blog this weekend that Microsoft is also releasing signatures and a cleaner for the rootkit.

Full Article (http://www.sysinternals.com/Blog/)