Sony DRM Rootkit

From Free Knowledge Base- The DUCK Project: information for everyone

The Sony rootkit (aka ARIES Rootkit, XCP technology) is on many music titles now as a copy protection scheme. Sony’s DRM rootkit doesn’t stop the music CD from playing on standard consumer electronics CD players, but when you go to play it on your computer the DRM rootkit automatically installs itself. When played on a Microsoft Windows PC, Sony’s DRM system forces you to play the music through their special software, which secretly installs the rootkit, just like a virus.

Sony installs a system-level application that effectively hides from the user every file whose name matches a specific pattern. These files are still present on the system and can be run normally; only their presence in listings is hidden from the user. This could allow authors of malicious software to use Sony's DRM software to hide their trojan horses on your computer.

The Sony DRM rootkit is a virus in essence. It hides itself so that even many technical computer experts can’t find it. Furthermore, it scans everything running on the system when active, and it causes computer performance to slow.

If you are actually able to find the Sony DRM rootkit and remove it yourself, you will likely lose access to the CDROM drive on your computer. Clean removal is extremely difficult, even for a professional computer technician. The way the rootkit replaces a driver for the CD drive will cause your CD drive to be disabled when you remove the Sony DRM rootkit.

An interesting part of the rootkit is the $sys$DRMServer service created by its installation. This pseudo system service is not a true service and does not respond to the 'NET STOP' command. Once the part of the DRM rootkit that hides the files from you is disabled, you will be able to see a $sys$filesystem directory in the system32 path under c:\windows, which contains the pseudo service along with other embedded files.

Fallout


The Sony DRM rootkit resulted in massive boycotts of Sony and BMG, legal action, and a recall of the music media containing the malware / virus. In 2005 Sony BMG struck a deal with the plaintiffs in a class action lawsuit over the copy-restriction software it used in music CDs. The record label agreed to compensate buyers of CDs that contained the rootkit virus.

Sony stated it will immediately recall all DRM rootkit (XCP) CDs and replace them with ones that are virus free. It has also agreed to offer incentives to U.S. customers to "ensure that XCP CDs are promptly removed from the market." Sony is not recalling MediaMax CDs, but has agreed to compensate buyers of these albums by allowing them to download one free album, as well as offering them MP3 versions of the music on the MediaMax album.

According to the EFF (Electronic Frontier Foundation), SonyBMG settled the case, providing a range of remedies and compensation to purchasers of CDs with the XCP technology or the MediaMax technology. SonyBMG ultimately stopped putting any DRM on its CDs sold in the United States. Sony may continue to market the discs containing the virus in foreign markets.

Opportunism

Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in the DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.

Prevention

When you insert a Sony CD into your computer, do not accept the Sony End User License Agreement (EULA). Accepting this long document in legalese effectively means you give permission for Sony to install software on your computer. Don't.

Hold down the shift key when you insert a CD into the drive. This will prevent autorun from executing the rootkit. But keep in mind you may still launch the rootkit by clicking the CD drive letter icon in Windows Explorer, and certain applications such as Windows Media Player may also launch the rootkit.

Don't put a Sony BMG music CD in your computer. Discs with Sony's DRM cannot be officially called Compact Discs, as they violate the original "Red Book" standard devised by Sony and Philips in June 1980. They can be easily spotted as the cases will not feature the familiar 'Compact Disc' logo.

Detection

Method 1

Create a file with the name $sys$ on your computer. If the file disappears from the directory listing, you are most likely already infected with the rootkit.

Method 2

Open an MS-DOS Command Prompt (on Windows XP click START, then RUN, type 'cmd' and press ENTER):

 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 
 C:\Documents and Settings\owner>cd \
 
 C:\>cd windows
 
 C:\WINDOWS>cd system32
 
 C:\WINDOWS\system32>cd $sys$filesystem
 The system cannot find the path specified.
 

The example above shows what is visible in the MS-DOS window. In this example the system is clean; there is no Sony DRM Rootkit. If the last cd command had allowed entry into a $sys$filesystem path, this would indicate the presence of the Sony DRM Rootkit, because the rootkit only hides the directory from listings and still lets it be opened by its exact name.
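The two detection methods above can be driven from one script. The following Python is an added example, not code from the wiki page or from any Sony or Lavasoft tool; it assumes only what the page states (the rootkit hides names starting with $sys$ from directory listings while they stay openable by name, and keeps its files in system32\$sys$filesystem). The function names, the probe filename and the use of a temporary directory by default are our own choices.

```python
"""Added example (not from the wiki page): automate the two detection checks.

Assumptions (labelled): the Sony XCP rootkit hid any file whose name starts
with "$sys$" from directory listings while still letting it be opened by
explicit name; its files live in %SystemRoot%\\system32\\$sys$filesystem.
Function names and the probe file name are our own choice.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"                    # filename prefix the rootkit hid (from the page)
HIDDEN_DIR = CLOAK_PREFIX + "filesystem"  # directory named on the page


def probe_cloaking(directory=None):
    """Method 1: create a file whose name starts with $sys$ and see whether it
    vanishes from the directory listing while still being openable by name.

    Returns {"exists": bool, "listed": bool, "hidden": bool}. A file that
    exists but is missing from the listing means a cloaking hook is active.
    """
    created = None
    if directory is None:
        directory = created = tempfile.mkdtemp(prefix="xcp-probe-")  # constructed scratch dir
    probe = os.path.join(directory, CLOAK_PREFIX + "probe.txt")
    with open(probe, "w", encoding="ascii") as fh:
        fh.write("constructed probe file\n")
    try:
        exists = os.path.exists(probe)                              # open-by-name path
        listed = os.path.basename(probe) in os.listdir(directory)   # enumeration path
    finally:
        os.remove(probe)
        if created is not None:
            os.rmdir(created)
    return {"exists": exists, "listed": listed, "hidden": exists and not listed}


def check_hidden_dir(system32=None):
    """Method 2: reach %SystemRoot%\\system32\\$sys$filesystem by exact name,
    as the `cd $sys$filesystem` step does. Returns the path tried and whether
    it resolved to a directory."""
    if system32 is None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    target = os.path.join(system32, HIDDEN_DIR)
    return {"path": target, "present": os.path.isdir(target)}


if __name__ == "__main__":
    cloak = probe_cloaking()
    hidden_dir = check_hidden_dir()
    print("cloaking probe :", cloak)
    print("hidden dir     :", hidden_dir)
    if cloak["hidden"] or hidden_dir["present"]:
        print("indicators of the Sony XCP rootkit found")
    else:
        print("no XCP indicators found")
```

Run it as an ordinary user. On a clean machine both checks come back negative, matching the command prompt transcript above; the probe relies on the difference between opening a file by its exact name and enumerating the directory, which is exactly the behaviour the page describes.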

Removal

Sony DRM Rootkit Removal Patch

Sony has released a patch in response to criticism. However, the patch does not disable the DRM rootkit and simply unmasks some of the rootkit that was hidden. Some users report more problems after using the Sony patch.

Don't Trust ANYTHING released by SONY.

LavaSoft 3rd Party Tool

Lavasoft's ARIES Rootkit Remover is the best known tool for removing the Sony DRM Rootkit.

Manual Removal

This is a very touchy process; if it is executed incorrectly, your system could be rendered unbootable. This process is not guaranteed by any means, and due to variants and reports of opportunistic viruses, even if executed correctly, something could go wrong. Be advised before you begin, and make sure you have completed a comprehensive system backup.

The Handyperson's guide to removal of the SONY ROOTKIT best illustrates the manual removal process. Credit goes to Kevin McAleavey, who posted this guide on an Internet forum. It is imported here for permanent retention and edited for compression and simplicity.

  • Must be done from the administrator - Full Control account.
  • Open an MS-DOS prompt and navigate to the path c:\windows\system32\$sys$filesystem.
  • Delete the ARIES.SYS file in the $sys$filesystem directory and reboot the system.
  • Open REGEDT32 (not regedit), right click on the HKEY_LOCAL_MACHINE hive and select PERMISSIONS from the dropdown menu.
  • Click on "everyone" and make sure that FULL CONTROL is checked.
  • Use FIND (Control-F) to locate anything that matches "$sys$".
  • The first things you'll encounter are under the HKEY_LOCAL_MACHINE hive, under the SOFTWARE key; delete them:
      • $sys$reference
      • ECDDiskProducers
      • SONYBMG
  • Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!
  • In "WBEM\WDM" you'll spot some UUIDs and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!
  • The next stop will be under the various "ControlSet00x" keys. You'll stop at "CoDeviceInstallers" for each "$sys$caj.dll" you encounter. Usually it is the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for the UUID where it appears; do NOT delete anything else.
  • Next is the "Enum" area, IDE or SCSI depending on what you have. Look for an entry on the right side that says "LowerFilters", but don't delete anything. Double-click on the "LowerFilters" name. That will bring up an EDIT screen. In the EDIT screen, move the cursor up to where it says "$sys$crater" and CAREFULLY remove it, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS, but it could be something else, with more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. The objective is to leave everything ELSE intact and JUST lose $sys$crater!
  • Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater", then you can DELETE it, but usually "LowerFilters" has another item. Make certain that the top item isn't blank!
  • Now search for "UpperFilters" and remove "$sys$cor". If "$sys$cor" is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater". Each system is different, hence the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor".
  • Be careful not to remove anything else or you will lose access to your CDROM drive(s).
  • $sys$cor will show up in other places, under the name "ActiveChannel". You can DELETE that whole value too.
  • ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED, as LONG AS there are no other "dependencies" listed.
  • If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor.
  • Search for the "ROOT" entries! You'll see the following KEYS, which need to be deleted:
      • LEGACY_$SYS$ARIES
      • LEGACY_$SYS$DRMSERVER
      • LEGACY_$SYS$LIM
      • LEGACY_$SYS$OCT
  • Just delete the entire KEYS themselves, so the above are GONE.
  • Search for the "SERVICES" entries! You'll see the following keys next:
      • $sys$aries
      • $sys$cor
      • $sys$crater
      • $sys$DRMServer
  • Just delete the entire KEYS themselves, so the above are GONE.
  • That completes the "CurrentControlSet". Expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" are on the machine.
  • Click on the HKEY_LOCAL_MACHINE hive, select PERMISSIONS from the dropdown menu and remove the checkbox for "everyone" that granted "everyone" FULL CONTROL.
  • Reboot the system.
  • When the system comes back up, GO to that $sys$filesystem folder and delete the remainder; you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:
      • $SYS$CAJ.DLL
      • $SYS$UPGTOOL.EXE

It is a lot of work and a bit risky to your system, but you have completed the removal process.
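The registry part of the guide comes down to one rule applied many times: a value that contains only $sys$ entries is deleted, a value that mixes them with other drivers is edited so that only the $sys$ line goes and the rest keep their order, and a value whose first entry would become blank must not be written. The following Python, an added example that is neither from the wiki page nor from Kevin McAleavey's guide, encodes that rule as a checked function and runs it over a constructed registry snapshot; the key paths in the snapshot, the function names and the imapi entry are our own constructions. The read_multi_sz helper uses the standard winreg module and only reads; writing the edits back is left to the operator, as in the guide.

```python
"""Added example (not from the wiki page or from Kevin McAleavey's guide):
the filter-value editing rule from the manual removal steps as a checked
function, plus a read-only registry helper.

Rule from the guide: in a multi-string filter value such as LowerFilters or
UpperFilters, remove ONLY the "$sys$crater" / "$sys$cor" entries and keep
everything else (typically imapi.sys) in place; if the rootkit entry was the
only one, the whole value is deleted instead. The snapshot below is
constructed for the demo; the function names are our own.
"""
import sys

ROOTKIT_FILTERS = {"$sys$crater", "$sys$cor"}   # filter names named in the guide
CLOAK_PREFIX = "$sys$"                          # prefix the rootkit hides


def strip_rootkit_filters(entries):
    """Return the cleaned REG_MULTI_SZ list, or None when the value should be
    deleted outright because only rootkit entries were present.

    Raises ValueError instead of producing a value whose first item is blank,
    the failure mode the guide warns about ("make certain that the top item
    isn't blank")."""
    kept = [e for e in entries if e.strip().lower() not in ROOTKIT_FILTERS]
    if not kept:
        return None
    if not kept[0].strip():
        raise ValueError("first filter entry would be blank; refusing to write")
    return kept


def classify(value_name, entries):
    """Decide what the guide says to do with one value: 'keep' (no $sys$
    entry), 'delete' (only rootkit entries) or 'edit' (mixed; the cleaned
    list is returned alongside the action)."""
    if not any(CLOAK_PREFIX in e.lower() for e in entries):
        return "keep", list(entries)
    cleaned = strip_rootkit_filters(entries)
    if cleaned is None:
        return "delete", None
    return "edit", cleaned


def audit(snapshot):
    """Run classify() over a {key_path: {value_name: [entries]}} snapshot and
    return (key_path, value_name, action, cleaned) tuples for every value
    that needs attention."""
    plan = []
    for key_path, values in snapshot.items():
        for value_name, entries in values.items():
            action, cleaned = classify(value_name, entries)
            if action != "keep":
                plan.append((key_path, value_name, action, cleaned))
    return plan


def read_multi_sz(subkey, value_name):
    """Read a REG_MULTI_SZ value under HKEY_LOCAL_MACHINE on Windows.
    Read-only. Returns None off Windows, or when the key/value is absent or
    is not a multi-string value."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            data, kind = winreg.QueryValueEx(key, value_name)
    except OSError:
        return None
    return list(data) if kind == winreg.REG_MULTI_SZ else None


# Constructed snapshot showing the three situations the guide describes.
SAMPLE_SNAPSHOT = {
    r"SYSTEM\ControlSet001\Enum\IDE\CONSTRUCTED-CDROM\0000": {
        "LowerFilters": ["$sys$crater", "imapi"],   # mixed: edit, keep imapi first
        "UpperFilters": ["$sys$cor"],               # only the rootkit: delete the value
    },
    r"SYSTEM\ControlSet001\Enum\IDE\CONSTRUCTED-CDROM\0001": {
        "LowerFilters": ["imapi"],                  # clean: leave alone
    },
}

if __name__ == "__main__":
    for key_path, value_name, action, cleaned in audit(SAMPLE_SNAPSHOT):
        print(f"{action:6s} {key_path}\\{value_name} -> {cleaned}")
```

Because the function refuses to emit a blank first entry and never touches entries it does not recognise, a slip in the snapshot cannot silently turn into the "lost CDROM drive" outcome the guide warns about; the operator still makes the actual registry change in REGEDT32 after reviewing the plan.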

References and Resources

  • The blog article Sony’s Rootkit: First 4 Internet Responds explains how poorly written the Aries.sys API interceptor is and why the presence of the Sony DRM Rootkit not only makes your Windows system less stable but also prevents you from isolating and identifying problems with your system that could otherwise be easily addressed as they arise.

Related

For Linux Users:

 

Key Words: spyware, malware, trojan, crash, aries.sys, XCP technology