Printable View
Well the work done by Dan Kaminsky showed that networks all over the world have been affected by the rootkit, even in countries where the CD's haven't been sold. It is quite possibly true that those CD's weren't sold in Australia, but of course that doesn't stop people bringing them in from the US, or buying them from US online suppliers.
I notice on the list on this page http://news.bbc.co.uk/1/hi/technology/4456970.stm that one of the bands listed is:
The Bad Plus and the Album name is Suspicious Activity
Some sort of weird irony in that ?
The band knew nothing about it. From http://www.thebadplus.com/Quote:
COPYRIGHT-PROTECTION ACTIVITY?
More soon...stay posted!
The American edition of our recent release, "Suspicious Activity?", was copy-
protected by Sony/BMG without our prior knowledge. Unfortunately, we are now
further informed that Windows PC users must be advised that any attempts to
remove the anti-piracy software could result in your having to reinstall the operating
system. Mac users are not affected. The European edition of the disc does not
feature this copy-protection software.
While we would love for you to hear "Suspicious Activity?", we are compelled
to recommend that until a safe protocol is posted on this site that you
think twice before loading the American version of the CD onto your PC--and
we profoundly regret any difficulties that Sony/BMG's copy protection has
created for any Windows users.
i have been following this story for awhile now ... and have been warning people i know about these sony cds.
my niece has just written to me to tell me that she is infected. she is running XP HOME and has GO-BACK installed but she says she cannot remember when she listened to her sony cd on her pc and so using GO-BACK is a moot point (would it even work anyway?).
i told her to do nothing until i do some research on the available removal procedures.
microsoft's anti-spyware site says: "We also wanted to take a moment to confirm that we are not removing or disabling Sony’s XCP software. We are only removing the rootkit component published by First 4 Internet which is included as part of Sony’s XCP software. We will continue to monitor the situation and react as conditions change."
doesn't sound promising, does it?
however, symantic's site (at http://securityresponse.symantec.com...isk.aries.html) seems to be a removal tool for sony's software. does this look legitimate to any of you? could i safely recommend that she use this to remove the sony software or does it only remove parts of it? she is far from computer savy and only uses her laptop to play music and transfer it to her ipod.
thanks in advance.
Google search on "Sony rootkit" as of 11-22-05 = 14,700,000 and climbing. We can make a difference.
Currently there is no save removal tool, although several companies are supposed to be in the process of developing one. The removal tools that are being referred to, do not remove the Sony stealth rootkit, it just uncloaks it, so that it is visible.
For the latest information on removal tool status, you might want to bookmark
Mark Russinovich's blog.
http://www.sysinternals.com/Blog/
Here is an excerpt from his most recent post on his blog.
Here are some other other links that you might want to check out.Quote:
Victory!
I’m proud to announce a significant victory in the ongoing Sony Digital Rights Management (DRM) saga; Sony has capitulated almost entirely. While not publicly admitting blame for distributing a rootkit, providing no uninstall for the DRM software, implementing a music player that sends information to Sony’s site, and supplying a remotely-exploitable ActiveX control for the on-line uninstall they eventually made available – all without any disclosure to users – they have come close.
Sony BMG’s site now includes a prominent link on its front page, “INFORMATION ON XCP CONTENT PROTECTION,” that takes visitors to a page with a statement from Sony that declares its concern over the security issues raised by its software. The first paragraph points out that Sony licensed the software from First 4 Internet, which while true, does not hold Sony any less responsible for its use of the software or the contents of the End User License Agreement (EULA).
The paragraph continues by saying that Sony will offer consumers that have purchased the spyware-laden CD’s with unprotected versions, that they are suspending production of the rootkit-based CD’s and that they are recalling existing from store shelves, which they’ve said elsewhere comes to around 2 million units. Furthermore, Sony has finally withdrawn the spyware-like uninstall-request process, which included the download of an ActiveX control that’s proven to be its own security risk, and promises the imminent release of a stand-alone uninstaller. Note that because the control is also used in the update patch, I strongly recommend that you do not apply the patch to disable the cloaking, but instead follow the manual steps I've outlined to disable the rootkit and wait for Sony to address the flaws.
Why did I qualify my statement regarding their response? Two reasons: first, as I’ve stated, they don’t admit wrongdoing, only that the software was a security concern. Second, there’s no statement on Sony’s site or their press releases regarding future policy. They go as far as saying that they “will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music”, but say nothing about their stance on rootkits or disclosure during software installation.
Speaking of disclosure, I hope this story isn’t over. Attention now needs to turn to the broader issues that go beyond DRM to software in general. They include acceptable behavior of commercial software, from both legal and ethical standpoints, and appropriate disclosure of software behavior. We’ve been living in a world of hazy laws surrounding EULAs and ideally this case will lead to more clearly defined laws and standard judicial principles.
There are several pending class action lawsuits, likely more to come, and its my expectation that a U.S. government agency will eventually announce a formal investigation. The Federal Trade Commission is the one most likely to take up the case and if so, some of its recent actions against spyware vendors may have set promising precedents.
Of course, this first victory would not have happened without your participation in bringing the story to the attention of the media both in this blog and in other publications. I congratulate everyone that voiced their concern over the trend Sony’s software portended and I encourage you to continue to fight for a long-lasting resolution on the issue of software installation and disclosure.
http://www.nytimes.com/2005/11/22/te...gy/22sony.html
http://blogs.zdnet.com/BTL/?p=2177&tag=nl.e589Quote:
Sony BMG Sued Over CD's With Anti-Piracy Software
By TOM ZELLER Jr.
Published: November 22, 2005
In separate legal actions yesterday, the Electronic Frontier Foundation, an influential digital rights advocacy group in California, and the Texas attorney general filed lawsuits against the music publisher Sony BMG, contending that the company violated consumers' rights and traded in malicious software.
They are the latest in a series of blows to the company after technology bloggers disclosed this month that in its efforts to curb music piracy, Sony BMG had embedded millions of its music CD's with software designed to take aggressive steps to limit copying, but which also exposed users' computers to potential security risks.
The copy-protection software, called XCP, was bought by Sony BMG from a British company, First 4 Internet, and was installed on 52 recordings, totaling nearly five million discs, according to the music publisher, which is jointly owned by Sony and Bertelsmann.
Texas sues Sony:
http://news.zdnet.com/2100-1009_22-5...ml?tag=nl.e589
Note that the Copyright law includes "fair use" and other provisions - -
http://www.law.cornell.edu/uscode/17/107.shtml
Cheers,
Linda
;) :rolleyes: :cool:
my niece thinks she installed sony's rootkit last wednesday. she does have GOBACK installed on her laptop (my xmas present to her last year). would running GOBACK to a point earlier than that be a good idea? i mean, would GOBACK be able to restore the infected files in as much as they are invisible to windows itself let alone GOBACK?
btw, has anyone in this thread been infected themselves ... and what have you done about the problem?
The only reliable solution that I have heard of is to wipe the hard drive and re-install everything. Even Mark Russ........ stated on his blog that it would be impossible for most users or even IT Pro's to manually uninstall this rootkit. I think that you have two choices.
1. Wait until Microsoft has a fix in their Microsoft anti-spyware software (beta).
2. Do and f-disk and reinstall everything.
I think that using GoBack would be risky for several reasons on a par with Sony uninstall "activeX" component, which just opened up other issues.
Linda
thanks linda. yeah, i thought goback would be a long shot.
but since she does nothing else with her machine than buy music online, rip the cds she owns and transfers music to her ipod ... she has no real "security" issues to speak of. i think she can live with the problem until ms comes up with a fix.
btw, she's on aol. she discovered the problem because aol has some sort of firewall that is blocking the rootkit from phoning home.
More here on the legal action aginst Sony:
http://news.bbc.co.uk/1/hi/technology/4459620.stm
zeszut, if you have some imaging software such as Norton Ghost or Acronis True Image, you could take an image of that drive as it is now, and then give GoBack a go. Then if it doesn't work, you can simply restore the image and you're no worse off.
thanks, sparks. my niece doesn't have ghost (neither do i and we're 400 miles apart) and is not a real techie anyway.
she has no cricital info on the machine (except her music which i've advised she backup periodically) and aol seems to have a firewall. that's how she found out about the infection. aol's firewall kept telling her it was blocking the sony rootkit from phoning home. never thought i'd have a compliment for aol. who new?
i assume that if aol's firewall is blocking outgoing traffic then it might block incoming trojans looking to exploit the '$sys$' prefix on the rootkit's hidden files as well.
i've advised her to just sit tight until a removal tool becomes available.
i wonder what the other thousands of infectees are doing about this?
From recent news, it's doubtful that M$'s antispyware will EVER really and fully remove the rootkit, but you might keep an eye on CounterSpy.
while searching for counterspy, i came across a post by Kevin McAleavey, author of BoClean.
it was described on another forum as "the ONLY tool that can cleanly and safely remove every bit of the Sony Rootkit. (He was forced by his attorneys to not release it free to the public, as he so much wanted to do, but he has posted the manual steps for the safe removal of all of the rootkit (at dslreports)."
it can be found at http://www.dslreports.com/forum/rema...7570~days=9999
It's now 14,800,000 which is catching up to Sony Playstation which gets 19,800,000.Quote:
Originally Posted by LindaHewitt
Sony gets 216,000,000
PC gets 598,000,000
a gets 8,970,000,000
Some good news...
Texas sues Sony BMG for spyware violations
...and this is just plain hilarious!
Scotch tape stymies Sony copy protection
:DQuote:
According to Gartner analysts Martin Reynolds and Mike McGuire, Sony's XCP technology is stymied by sticking a fingernail-size piece of opaque tape on the outer edge of the CD.
hnn (headline network news - cable station in usa) just mentioned one of the lawsuits against sony ... and that sony has recalled it's copy-protections discs.
the story was short and therefore not totally accurate ... but it IS the first time i have heard any mention of this in the mainstream news.
Usil,
The scotch tape solution is really hilarious. Thanks for posting this link.
Linda
Here are some good questions, I'd like to see some answers to them:
http://www.theregister.co.uk/2005/11...drm_questions/
Well... I'm very disappointed about CounterSpy's official posture on this issue as well. Below is a direct quote I received from the inquiry:
We cannot do anything at this time and I have not been given an
official
word on when or if we will be supporting this.
Warm Regards,
Jamie L. Hudson MCP XP
Consumer Support Technician
Doesn't inspire a lot of confidence, does it?
Well, my feeling is that CounterSpy is doing the best they can, given the constraints of their lawyers. Even though we all agree that Sony went about this as wrong as wrong can be (given their approach and fix to this mess), the software in question was/is still a Digital Rights Management program. And there are laws in the USA (the DMCA being chief among them) that give content owners broad protection. And removal of DRM software carries penalties that companies like CounterSpy don't want to bear. So, sadly, they are just being cautious.
(Personally, I hope Sony takes a major bath over this. I don't condone illegal copying and so forth but my PC is still (at least for the moment) my PC. I place on it what I want. Not Sony!)
finally!
there was a story on the TODAY SHOW (on NBC in usa) about sony's rootkit. maybe more (non-techie) infected people will be aware of the reason for their problem.
the big downside was that the reporter ended the story telling viewers to go to sony's site for help removing this software.
Huh now it's dropped back to 13,800,000 for sony rootkit and 13,000,000 for sony +rootkit and 1,900,000 for sony rootkits and 1,840,000 for sony +rootkitsQuote:
Originally Posted by Nix
How can the figures have dropped ?
People losing interest and removing it from their web pages ?
Nix,
Were you using the Google search engine for all searches?
If you were not using Google, then what search engine were you using?
I just did a Google search on "Sony rootkit" and got
14,700,000.
Cheers,
Linda
;) :rolleyes: :cool:
Results of about 4,500,000 English pages for "Sony rootkit".
from Google at 2:45 pm eastern time. usa.
seems to be quite a big fluctuation.....?
I'm typing sony rootkit with no quotes, capitals or anything, hitting search and get 13,800,000
This is the link after the search is complete http://www.google.com/search?hl=en&l...it&btnG=Search
I'm very perplexed.
Maybe it's cached on a server somewhere ?
rootkit sony got me 13,900,000
http://www.google.com/search?hl=en&l...ny&btnG=Search
This is really very strange. I just did a Google search on Sony rootkit and got 13,800,000.
BTW, all of the searches were done with Google with no quotes and only the s of sony was capitalized.
The only thing that I can figure is that the searches are hitting different servers.
I would love to find out what is really going on.
Cheers,
Linda
;) :rolleyes: :cool:
interesting development ...
my niece just wrote me to say "I received a cd in the mail this weekend, it's on EMI (capital) and when I put it into my computer, it tells me to agree to some stuff and it downloads software or something. It completely scared me and I'm not sure if I should or shouldn't."
anyone know if EMI has this same thing going?
I googled EMI Rootkit and got over 300K hits. This is the first link shown, which says NO, EMI doesn't use rootkit, from CNet:
http://news.com.com/EMI+We+dont+use+...3-5937108.html
IMHO if she can listen to the cd without downloading any "stuff", then do that....does it say what 'stuff' will be downloaded?..
A lot of labels have DRM software on them While they aren't all as bad as the Sony rootkit, a lot of them are still nasty in their own way. Personally I wouldn't allow a DRM infected CD anywhere near my PC's.
Gee,,,,seems like Mickeysoft is deeply involved in DRM. Is it not?
http://www.microsoft.com/windows/win...a/drm/faq.aspx
There is a software update from MS that I chose not to download some time ago because of the DRM.
"Microsoft Windows XP
"Update for WMDRM-enabled Media Players (KB902344)
Download size: 614 KB , 2 minutes
Install this update on your PC if you use a portable device that accesses subscription media content protected by Windows Media Digital Rights Management. After you install this update, you may have to restart your computer. Details... "
Did this DRM upgrade apply just to XP?
I'm asking because I have W2K.
I just checked in Windows Update and I do not show a separate update with an associated KB article ....2344. I also checked to see if there were any updates waiting to be installed and there were none.
This upgrade was released in June 2005. Here is the link for the KB article on this.
http://support.microsoft.com/default...b;en-us;902344
It appears from this article that DRM is built into some portable media players and that this was a firmware upgrade for these portable players. This is not the same thing as putting a rootkit on your PC.
I am not a media player expert but this is my take based on reading this KB article.
Comments.........
Cheers,
Linda
;) :rolleyes: :cool:
Linda, It was an optional update in XP software (as against 'critical') that came up when I checked 'windows update' from the link in 'start'.....since I don't use a portable device I ignored it, but remembered it when the sony debacle occured, because of the 'DRM'.......(and posted the info in response to what Ridge's post above said.)
....Happy to know its not a rootkit, but I don't like things that report/check and go out from my pc.
I find this whole DRM thing intrusive and disturbing. :(
Poppy,
I agree with you. I don't like anything about this DRM debacle and the deceptive business practices of putting code on personal computers without full disclosure. It really undermines a user's ability to manage security for their computer(s).
Linda
What did Sony know and when did they know it?
http://www.theregister.co.uk/2005/11...y_drm_spitzer/
I just went to mtv.com/overdrive and upon having the site load, a dialog box came up saying:
"The owner of the protecteed content you are trying to acess requres you to first upgrade some of the Microsoft Digital Rights Management (DRM) Components on your computer.
Click ok to upgrade your DRM Components.
Details
When you click OK, a unique identifier and a DRM security file are sent to a Microsoft service on the Internet. THe file is replaces with a customized version that contains your unique identifier.
This increases the level of protection provided by DRM."
Clearly, I didn't click "Ok". I closed out IE. Since when do you have to have any type of DRM "protection" to watch a video? Not sure if this is related to Sony in any way, just wondering what this was all about and figured it has some bit of relevance to this thread.
The only thing this 'protects' is the owners of the content. In that,if you try to dn/load it as streaming media and you have the (so'called) drm installed, it can kill your dn/load and/or possibly report your actions to the copyrights owner via Micro$oft! :rolleyes:Quote:
This increases the level of protection provided by DRM."
Good thing I'm extremely paranoid and just closed out IE, huh? :D
Let us not forget the bribing of radio stations and the like to play their music more often. Sony settled for 10 Million on that case in July!
http://www.betanews.com/article/Elio...DRM/1133281904
Sony is really a SLOOOOOOOW Learner!
This is an excerpt from http://blogs.chron.com/techblog/.
December 07, 2005
Cheers,Quote:
Different Sony CDs pose security risk
Don't think you're safe from Sony's security-sloppy programming if you just stay away from CDs with the First4Internet rootkit-based technology.
Sony and the Electronic Frontier Foundation say the company's CDs that use digital rights management software from SunnComm Technologies also puts users at risk:
The danger is associated with copy-protection software included on some Sony discs created by a company called SunnComm Technologies. The vulnerability could allow malicious programmers to gain control of computers that have run the software, which is typically installed automatically when a disc is put in a computer's CD drive.
The issue affects a different set of CDs than the ones involved in the copy-protection gaffe that led Sony to recall 4.7 million CDs last month, and which has triggered several lawsuits against the record label.
Sony and SunnComm have got a patch for the affected software, which controls users' ability to rip songs and copy the CDs:
. . .the EFF asked computer security company iSec Partners to study the SunnComm copy protection technology, which Sony said has been distributed with 27 of its CDs in the United States. iSec found the hole announced Tuesday and notified Sony, but news of the risk was not released until SunnComm had created a patch.
Sony said another security company, NGS Software, has tested the patch and certified that it addresses the vulnerability.
The patch can be downloaded from Sony's site. A list of the CDs affected in the United States, and a slightly different list in Canada, is also posted on the site.
Sony said it will notify customers though a banner advertisement directly in the SunnComm software, as well as through an Internet advertising campaign.
Sony appears to have learned something from the bungling of the rootkit issue, handling this incident comparatively smoothly. However, the greater lesson -- that restricting its customers' ability to use the music they buy is bad business -- apparently has yet to sink in.
Linda
;) :rolleyes: :cool:
I really like this bit:Since when did an adware component have any place in music copy protection software? :rolleyes:Quote:
Sony said it will notify customers though a banner advertisement directly in the SunnComm software...
It's hit BBC news now http://news.bbc.co.uk/2/hi/technology/4511042.stm