{"id":392,"date":"2005-11-01T16:11:14","date_gmt":"2005-11-01T08:11:14","guid":{"rendered":"http:\/\/www.nargalzius.com\/blog2\/http:\/www.nargalzius.com\/blog2\/archives\/2005\/11\/2005_11_01_1611.php"},"modified":"2005-11-01T16:11:14","modified_gmt":"2005-11-01T08:11:14","slug":"sony-drm-installs-a-rootkit","status":"publish","type":"post","link":"http:\/\/nargalzius.com\/blog\/archives\/2005\/11\/01\/sony-drm-installs-a-rootkit","title":{"rendered":"Sony DRM Installs a Rootkit?"},"content":{"rendered":"<blockquote>\n<h2><a href=\"http:\/\/it.slashdot.org\/article.pl?sid=05\/10\/31\/2016223&amp;from=rss\" title=\"View\">Sony DRM Installs a Rootkit?<\/a><\/h2>\n<p>An anonymous reader writes &#8220;SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It&#8217;s installed with a DRM-encumbered music CD, Van Zant&#8217;s &#8220;Get Right with the Man&#8221;. (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, such as hiding any executable file that starts with &#8216;$sys$&#8217;. Russinovich also identifies several programming bugs in the method it uses to hook system calls, and chronicles the painful steps he had to take to &#8216;exorcise the daemon&#8217; from his system.&#8221; This house is clear.<\/p>\n<p><em>via <strong><a href=\"http:\/\/slashdot.org\/\" title=\"Visit Slashdot\">Slashdot<\/a><\/strong><\/em><\/p>\n<\/blockquote>\n<!--more-->\n<p>You don&#8217;t have to read the article, as it&#8217;s almost <em>too<\/em> long. And even if you understood what he was doing, you&#8217;d still want to just skip to the bottom line. Still, it&#8217;s good that someone did a comprehensive test.<\/p>\n<p>Here&#8217;s my proposed summary of the article in 3 short paragraphs.<\/p>\n<hr \/>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Rootkit\" title=\"What is a rootkit\">Rootkits<\/a> are covered in Wikipedia, so I won&#8217;t waste time defining them. It should be mentioned, however, that while rootkits are by etymology bad things, there <em>are<\/em> legitimate applications which use rootkit-like functions\/behaviour.<sup id=\"fnref1\"><a href=\"#fn1\">1<\/a><\/sup> Kaspersky anti-virus is a perfect example&#8230; and for argument&#8217;s sake, so <em>should<\/em> Sony&#8217;s DRM mechanism.<\/p>\n<p>This is the reason why the guy went through all of those tests: to see whether the rootkit-like functions the software had were legitimately needed for the software to work &#8211; and whether there weren&#8217;t <em>other<\/em> hidden files or consequences that could compromise a system<sup id=\"fnref2\"><a href=\"#fn2\">2<\/a><\/sup> to unauthorized access (in the hacker\/cracker sense).<\/p>\n<p>The bottom line is that the DRM software was shown to have an irritating (and arguably malicious) side effect &#8211; it cripples users&#8217; system components should you try to mess with it. The main point of the article was that DRM implementation is being taken too far &#8211; that end-users are being inconvenienced <em>too much<\/em> for the sake of defending a <em>flawed<\/em> copyright mechanism.<\/p>\n<hr \/>\n<p>For Windows users, I highly suggest you download the application he used (RootkitRevealer). It&#8217;s lightweight (a standalone app) and pretty accurate. However, it isn&#8217;t very discerning &#8211; it will display ALL discrepancies, whether they are legitimate or not. So you still have to decide for yourself whether what it detects are rootkits or not.<\/p>\n<div class=\"footnotes\">\n<p>Notes<\/p>\n<ol>\n<li id=\"fn1\">This is a very important nuance, because function does not equal purpose. That is why you can&#8217;t simply call just any kernel-mode program that is able to intercept, patch, or cloak files\/processes a rootkit. I&#8217;m really still torn whether or not Sony&#8217;s program, while intrusive, should still be called such.<\/li>\n<li id=\"fn2\">In that case it would REALLY be a rootkit by definition.<\/li>\n<\/ol>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Sony DRM Installs a Rootkit? An anonymous reader writes &#8220;SysInternals.com guru Mark Russinovich has a detailed investigation of a rootkit from Sony Music. It&#8217;s installed with a DRM-encumbered music CD, Van Zant&#8217;s &#8220;Get Right with the Man&#8221;. (Mmmm, delicious irony!) The rootkit introduces several security holes into the system that could be exploited by others, &hellip;<\/p><p class=\"link-more\"><a href=\"http:\/\/nargalzius.com\/blog\/archives\/2005\/11\/01\/sony-drm-installs-a-rootkit\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Sony DRM Installs a Rootkit?&#8221;<\/span><\/a><\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[5,13],"tags":[1021,1095],"class_list":["post-392","post","type-post","status-publish","format-standard","hentry","category-internet","category-technology","tag-rootkit","tag-sony"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts\/392","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/comments?post=392"}],"version-history":[{"count":0,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/posts\/392\/revisions"}],"wp:attachment":[{"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/media?parent=392"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/categories?post=392"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nargalzius.com\/blog\/wp-json\/wp\/v2\/tags?post=392"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}