|
|
|
Sony DRM Uses Rootkit Techniques
By: Paul F. Roberts
2005-11-01
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Sony DRM Uses Rootkit Techniques (
Page 1 of 2 ) It hides its presence, it can't be removed without damage … and it's legal.New digital rights management technology shipping on music CDs by Sony Corp. of America/Bertelsmann AG artists employs stealthy, rootkit-style techniques to hide from users, according to a security expert.
The new technology, which Sony has dubbed "sterile burning," manipulates the Windows core processing center, or "kernel," to make the DRM almost totally undetectable on Windows systems.
These DRM files are almost impossible to remove without fouling Windows systems and could be used by malicious hackers to hide their own programs, according to Mark Russinovich, chief software architect at Winternals Software Inc., a company that makes administrative software tools.
Sony BMG acknowledged that the rootkit-style features are part of DRM technology that began shipping with CDs in 2005, but referred technical questions about the technology to First 4 Internet Ltd., the Banbury, England, firm that developed it.
 For advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.
Russinovich said he discovered the Sony rootkit technology after scanning his own computer with a tool called RootkitRevealer that he developed.
Russinovich, who is an authority on rootkits, said he was shocked by the discovery.
"Given the fact that Im careful in my surfing habits and only install software from reputable sources, I had no idea how Id picked up a real rootkit," he wrote on his blog.
After discovering the program, Russinovich began a detailed analysis of it that turned up the name of First 4 Internet, a UK firm that developed the software for Sony.
Russinovich said he believes that the software was installed on his system by a copy-protected CD of music by Sony BMG artists The Van Zant Brothers that he recently purchased from Amazon.com.
Through a detailed analysis of communication between the media player installed from the Sony CD and the rootkit files, Russinovich was able to determine that the rootkit files were installed with the media player and communicated with it.
Russinovich was reluctant to discuss the details of how the DRM software works, citing fear of prosecution under the DMCA (Digital Millennium Copyright Act). However, he said the rootkit features help enforce the sterile burning limits on copying Sony music files.
A Sony BMG spokesperson said the sterile burning and rootkit technology is intended to act as a "fence" or "speed bump" for users who want to try to go beyond the limit of three copies on the companys DRM-protected music.
Like other so-called "kernel mode" rootkits, the Sony DRM software interacts with the system service table, a core component of the Windows operating system kernel that coordinates the interactions between instructions from different Windows applications and the kernel.
Read details here about the threat of rootkits on enterprise networks.
By "hooking" the Windows kernel in this way, kernel mode rootkits can intercept communications between the kernel and the Windows API, filtering or distorting the instructions and information that are sent from the kernel.
For example, the Sony DRM software did not appear in the Windows Explorer or the Windows registry, where information on installed programs can typically be viewed, Russinovich said.
Next Page: Rootkits arent necessarily malicious.
|
|
�������x}r8qռ�Fsw1E�)%[rey-%L*�EB��%);�ϩ��o7�~郒l'9'NŖ�nt7�F��?��o~$rhiOH1�%3�TI�C"I�~x�h#(~4`Z)_rdx�BԲ|W�R�#YĮtj�5���5�Gl$J~x#A���:u :@�PL9�uƜMCٜi�7'2 X�m 8���N�0��,,Z P8!�h]
�\(�~&c) ߷8|}䛿S=|e�3��g71m( C
Jd/B(?c�c5~G{F��?�0/Pcw
�0}�'dd9=r4x�;2oVcl�v�y!rs�#�g߮�z$nPr&N7w#205AR�Z"[
�XdTj��ӑc�)�p�
�`p*�)ZX�tGL:"fK>1P:x }3~bA2xFaiH'�l6XA�x�'C�,\tY֡�_kY@בO6O)�|@?�Au�ӱCԣz�r"˚79hey�nݟJ|
bT9.OcѴ
ѷL{ĩq3{{w_�*�
u&G��,;�ڎ6жD^Ԣz�C�}l_]G;�r ��+ FvRߙ+0Q\�&*+Jx:K2�A�>z���`Y��%pq鸨�SX@vIna�>E�4fEQ
,g٠%?[׃m&m}Yvf0R*C�A-t?c�SzqwѺ{\zw}rѻ%yə{F0pgs�Z?�܌/v��o?,@=����j�iT%%�V|M�Ժpv9'9I�?.�+�`lDmYܾΑ\RyǛȃ[3R(�y#0ri���4(�-ߦAf@7[��@$k:���YKS�70���3�h�Ks;�n�ZK�0�[=RFp�\� Д��a�#Xذ�1�"%̛^ґ:)`Iz/��(AM/��
�5|*\($ٛ�"G��;�z̈+\��R@��3�Al8{Ø*^*,-�j�\gכUsN�VWt]ۻ4eя0-�p�x=i\��=mwm+>cq4Y`I�-. ¹:zStTt�nR7K�T,�+*&�rO
f[Ԗ-Pò˔A
~~;�fC���aͨ6sO�|V�ix�>:ACA�4icŦh4.@ӧ&�h`C:�ҋ:L��
w|h��x:� #
00gw9�LP#iwK۠h&r<�kIMlLJ.??6� �
G`p���&��xk�=`DkwGGHb1LG��TE}�vACAX�z��]�
�X.�l62-0���s�٥6F\KQ��-�2(%łdh��� 4.gP)AH �=k��� ���99[�
��8#!b\JZ2'9\u{B#ʙ8C\\.�τR��Z
z)0ٜ��ʬ$5M힟u]_�
ȉ#�m"0�%X����
-gZ
X��5β
fT8UJ
>Ҥ7=� K�b�i]ye&,`b��HCb�;N-:� ?G\ύ�7!v<;�%�t0�f"̴b֜��ira�*Gj
+)d�z~�#JCx^`��é3h{q#%IAg��=�U檳�Htlzo-V,joEI8�Ga]jk-�\<�W�7�Bɶ/Xaa1EY�Q^JKHD@CR)Ե�
aY��^`(yt�MʆТq҆CTC��Ss�
>�
)\T5))Kc�ՂZ^Ϛg+ �L��
�4��
�TlVCax3�]Zz�As,K=ZGn�l.n9�
9�{y4�%2N�?APiSt
@I*5%}�끆�_ƅ/c%�|o2rl\�:b暚8�\,��uaOnJ+Ws<&mM8`
;D�ۓ�Ӝh2�F��ñiH5ߴ��iF+eM�&-JJPT$'���i/#Y���X�Tر,10}65{APOK)i� + M~��.��hPU*1
"I�;4/V
�G�{۹OQ*#؋��k��o` 2l�3sF&/�frsE% y�pӞ�rFVyUB濙?O�~ԪbVmZQrTU߬
Ls1)' Sf|�)Nb_ޝo�>4z�xpj7�p�e�&zg|ɺI�Xɑ1�[DG`G �nȵ(�5�zf��y�@L� tD�z#x��أ�L HMҜ�NH��eT9RRkEB�ZG
�cqc�@`L �؇^gm/Jz\+*5EW1������ር54��M|�8�ڳ"ZJ
qvsTy�9k�Y%�f+aE�L4=9_CYTy3is{�9~o��ޒ-gn�;pi-u�Qby.Am �/��Ur-|�&q3�旁 hy2抪�d�L4Ω,6��خiϼV&>�e>c'}\�c'o�&\�$t/]�� wl~kPow��(*��Kq3`93"豣mBt�X�+'&-AA=>V+6Xk�=�
�-H�^{~?I�q9p,�J�L�H-U4�qMݗo[?kK#ohksR�G<@̙5Y*�%
=EЋqcꞃSLBԺخOl�$o�n�p\a3 -S`e3*
~��g^`�.�R9Ճ~��)�rK5�E�;4Ћ7�U7P�#I�(OU?�VRTRXUʅwϢ
C{Jp�imEB�%3ǟ6Z�-�ܛ`@O|OO]T0%e�zI�Mqza/;#nK�-%. ހذw0
M\6%Q讻j^o ��Zf$s,*.i���-e
fόT!֎� :&ZQRjϢpӁ9tD&l~" tDU2qy27(k�M_L7 xG��?ws~<̡f�02Nr|$UJZ�VJ�H4��:��*J�e!%�O*'�-U*j
vi�^�`| @)c'd1s<ɷw�f/lCXx|{
`?K�X�XD�>DiF\{e"�>ZXa/nLGF�Dccbh^{�zY��_&�O(0�h_�pm;dU]uv�'HG�Ϣ.�w�UO}ѻ�H�n 1`oSN4�jG�Yk�NE�m�=O;�?G0��cl9'a��R)%bzO&
;4iQ%uɌyjNtJ)SBt��$2H PU7,O$e=lI2 KBh%bbVHR�Ӽޝm ybXýO3BNmc%yx4�*k�85(Ay�N�H�YJiIw�3DJ^MjpVK�
ɏh�8�=Na.���˼r/�uϏ*Um_f�=zD:'�M{q?8H8�:Gw*b9,_빿Aݾpe9?�jwhGt3�q��vbϓ�~�\Czs��gOɝ2sʶ�Ժl+ҿܳRpfi#�ހ4�[Ҽ4�5L0�g,H~"ZЃ�>�u?�z}j_ﯣ&�=)sǣAlh5�9obJo�_7a4tͥ�R^ϫ���@< b[_��I{tH��z>X6��N
ĢWi#6^3�~1O O=p�Զ؉dzExxg!,d9��a}�43G0[ʱ=�Ι��2�HB%;euw';S�'gSc7/H�F#%`&ySϱ�F�@|Ր��� ;as*|�b��\<�U� W�;1ޢ �I�]i|(&x6�RSg�/9ߘ�����P�??\=3q� ɛx�{3d\ڊ�C��fKa~�/�ih4_�q27
~x+lF)Y9Ө+ŒRŇ�&L銿u��p~rP,�y�v\HWәÅp\`i?!=njS�VO5
�r=з��#"T�R"�]DŽ�e|@:fxGOR09ca:,�a���}���.1#�;g̾rxߘy�E))�h<^VEN+Tw(s~�(gNKMJ}s?t
z�V4 ��ϴf� �P�E� Ie�,`1]�D9h/i|�/��`��7Fs�֭v`~4n,�: �^`u߲Y�Q�ί8_'>Hх-�~��wӼ���V#X|pY}+ќ
ƶ7v��sa{и�SU�c,�k~(1�Ha] cӞ#anDϞ#D#!h^9@ �v$ҌT4WGV~)�
zJt��"9c�M�/Ԉ�&o/�W�-c�,q�*3Emr....oܥVU*?Km@m oh�=,1`פʾ�7w;aM 8yfC(_yblv�[_�ju��rb1c�nlm�[@�J�!FAX&
Ghkc7s+B�W�U�ۜJ�T�=>�r<��Vu�~{c�!;Η4b,*JAv.@�P;͞dh@��'�8O0Dn#FM%_ۧ��a͙毮8+'Q�g:-Fw8rW��6=�6�K`Ix�Jh�J͑3�6K��ΌHv�z;�?Pz^�!b?�tf�Ts}Y�q7�Mn~ƨcUª�Q;*̷�!۱kl}e&L�0:b��,8./�M.��}ދLaY-�9�FX� rώ|kx\q=�q5C.�Bo(�_fƆ�ߚ۹Q��tL415鮗�QEӽ6۬WY[ƴ0fERrk�5�[���6௺�a}�^��Ǖ�=ua�+jvm,H�uV)ˆP3��_2�|6ˡs�zl~�J���FRce։
V$��N�/"*Θh֖�P2a�D�+5{/2:rpB�ӯ�\;�=:\ãC>�|�MypLU��<ʜ~2~//u~aG}S�e���hO�`�>i��C"&pvP]?�z
Uc�b`\�51�i-,ZDQ{IAũ?yx=\?>*��es�Wo|֊�[NiΞëD(X`%��\k>�QiHጸ�:-FRoo!^>�٨��0>$O,S?%e�ͦ��1a�� :.Mqnʟ�WrD~��Sǃf
9s�/ǃST#%A$Z��RcঀqT?���o�w;N 69v}xwGu�?�}t\)aw9Ƕ&*ƫv0y�RX�*WG$U�Pؾ0Q9!"��ذz~�r,z���f6�v�T9Ep�'9m���+A#C!5z��adwx$ƽrt�yydL��qlʸMuMj
@�ja\ $blRK 'p.
I��Ň!&q��K��Ib�e3)�4k�0[2Ω,,
Y4𪡐K711\RË�jXY/OQ/K�]ZX:~eL<^^AFZs5WHk̘xi4�vWٜ�AK5`
�*Z!Ѥ�F�--Fo>A1�R9mnbfֆ>ʳ��ylm�_z^3�sok5Fn&y)m'h�zBRKovor̈́P:U�?sÑ|'7'D[T�vXݟ�`͝Kf�D2�g�2vCV`m
4,\��1�\πTn��A4�`c"=dR%�<,g7{XϩZ,Jvw(k1���yJM-TZI�ܣz ��9>]gwD&zܪ
�>=$��Hy)ނyJ
Y�4��ca�}X2�+;0gQ�b#�>"A�eӃ�,/'����pr�1;
w-k�ۨ]>)Ǝ$h�@Jၜ��{i/+1�~Iګ�������Μ/0ڱ��]s�t�s>_��3B�sl^1~"jsq
s9�ʒ23^��lfmYQ v�B�ۥ]�aiJ!%Χ0��l6#�a��:�Iߥ#�N¯n��9�*1f=0S)yf��,?`�B71w�jzN۠{1^�4ƿJ< E3+M(<�1�W<00t'PʲjN�T]OpYVHY��_&ru�Y�!_�E��_�+'p֢7Ϟ 7dk�V0��p�wA>po2zU,�UGZ~M"?{|�v�ـ�j�E~E:��td
�6ȃ��;"&s'ُp�[eS�;"ΐEoX�V{+$νO��g-2uFf."��Q��[$B�p4w{f\W}G��{<3G}m"����y;fZ���a�0�(>� C�OwE)�dq;(�� [z.p٥O��к�|ɧtC[�!m#!kA�1H3�'T~{woB��ԝ��8p4�.gj5T%%���P9
d�U� ?M=/>nrn�-i`Ik l��d
�D�ps<�`�F$�1LL�D�i�gEӦ�xʂR[G�#ab��WoP$P`��+wdc�||�9Ǩ��$G_$R��} (]`�WU��
w�T�--���!�L)%nmn$|�s�^50��S�,0C�<{Vj��xp�Ƨ�x�m�)lD
<���23��kR!ɖàzP8�Y|oby�LgA~\b�@Ԑ0��(J$Ѕ:�y,@#!��9ω��O'cu7úޝ'/(��
@Ka1c�~PBM�Ф�Ps]��+J9q:<>KqAguU�@n VH+�^@0��3��ޏ@�SIS��`��h\}"�[$�68vn�59k_t�oWj({uttѹnv�ƅL'ƿdW&�R0mw�5ufvʜPδ�'\�_#\]eqxWixɎ(a�h,.6wjI�t�W[(%^ٍ/!�b�~0`b01SlnM�3/N|v˒W%玑uԢz h�4�Q`1D?sUN>{0�8���SD~}> v�ԼVxy�xQ�g
fB&pj3�彌r�Р(?�@��Pase'l.rN+��g:�NFsOPis�ʀ�]1>]�w�}��}�����v3�e:�P1�/3�(By7�:c|A~3�:cz^F{z��_n?n2�dԿ�>�3��
2o�(�_�2#*�>f�1~wP~U�{w]Fww�$)c�f5opv%sQ^52\�}U
U�K닌c(g�g���~2&Εb�+@~W~ kJ+ťW�
7׳KL3cn5:@bCa �c|:�,y&@���^>&c����˼XH{R}tE�OI>t�+iDLw<ߔ[nNJ>s\ȜHd�3,F�D51QUނb>p�|bO��vHy5ik|V/O�
8�uߜ:S�����?|YV&@Y8'R�?Ѱs�3@�z:}K@$~<8�,@�ꖉ�$us#RRՒRJZVr?�%Hd"8""2x55JA._$`r�XR8.��P�K=#
��.=]^t f�5ϡ'�!�pfJ-�@ P��c�ztbeQ��Y�YmRfp�-y|y�؛�ގe�@��V�o��9X�j�,/#�R��Q7�+\wșC_�pot1R�
��d�D҃yhp䃿�t�8e>��k
ӮS_Ѓ7�' �� Nv�ZZO�,ir2���Fd}#�aq�1lef~�,D|݇-gn<<�T#�0�?fu|qfk6�cﺮǝ)Z'/Հ�'�"Plj?q.ؘ_.$�z���b0OV>ಓH+�1�IB��o`Z(>/A2gI
�!fIკ�&
n��~4gi�-}x��=
�%4Id�`-߳\Hk`c?94vB9�
H|\���,!#1ˌY Mж �{k�݅*q8w I7�,Nd=:s>��&ѰbAtN[�)#,|H^SPsXf@-N��-N�k.|c� C�
>%��
U ^{�#D3dư4!9�P%�X^�_#rF33��1F#qy]�� YV8;�T"�}bNm�%� 1o)�%&�/j[�i>�Oe��{BI<��5_x�|XT��,sD��?�>K:31U)֒�_�/g�Wd&%�}YQ ��v.ychFz%�$tnP/��9"Ź
oPm
b/�yJ>?��T|=
5;\6LDRg��}A�0~N:}�jV0��? `�~wax'g约1cbV!qe�F�ӧ�-["@��O2�C24`)�{c<��z�nG}��}�1$+vG�D
gw>��6'كl2=hM��(Eْ;0�F-�߇Fu:l�Y 7�96
O���~���0qGĮ2C|R2ϜUpv�R������?93_[mr xgs
@DqDgPv;[llQ/>@ׂ}�Of�ݏ2Z7lk��CKrX}P/)W:�OOg�sZ�%n^��H��"��,c�
0У,:0
-qs::h݆G��[X�xԬ{�[+�qy6` <Щ0�\bXe�܌�1MF}�khT[�)^WD�l���K^ogyc/�|Wa=v����s�^`6igNb��c/�φŀ��f_q�x�N|L/�X�u!}ő,,�L[녗O?8�C�7Ѱ0�L�,luE�G%��RrNCc
�0F ��:h2
19-f@�xI1%h3l䃈mAb�?�M\K��uO+_1dF[Wy�&F�[5Vj"<&o�(FҢΰ
\岞��JN�0�1{l~r;)�#Es̥D/5^JB\sKl�xTɉY+z[q;�f[hh
/b�;f�1Բq�G'��
|
Network Security & Hardware 
