If you play Sony Music CDs on a Windows PC then be afraid

Posted by: Guido Fawkes on 03 November 2005

If you play Sony Music CDs on a Windows PC then be afraid, be very afraid - this may be of interest

Sony, Rootkits and Digital Rights Management Gone Too Far.

Doesn't affect Mac users :)

Sony BMG's 'Get Right with the Man' CD by the Van Zant brothers will result in disruptive (and apparently badly written) software being installed on your computer. Please read this URL for more details.
Posted on: 03 November 2005 by Steve G
quote:
Originally posted by ROTF:
Doesn't affect Mac users :)


Yet. The only machine I've had affected by a rootkit was a unix box.
Posted on: 03 November 2005 by Guido Fawkes
quote:
Originally posted by Steve G:
quote:
Originally posted by ROTF:
Doesn't affect Mac users :)


Yet. The only machine I've had affected by a rootkit was a unix box.


Steve - please tell me more.
Posted on: 03 November 2005 by Gianluigi Mazzorana
If you buy the october issue of "Linux magazine" you'll find the free, complete distro of SUSE 9.3 Linux for desktop users.
This distro includes all the stuff you need to run common softs like Realplayer, Adobe, cd-dvd burning softs.
I think that makin' a partition on your HD just for a trial is worth enough.
And Sony can spy on someone else.
Posted on: 03 November 2005 by Steve G
quote:
Originally posted by ROTF:
Steve - please tell me more.


One of our Solaris boxes was infected with a rootkit a year or so back which exploited a bug in the telnet process to gain root access. It was a right pain in the arse clearing it out.

If people are writing viruses and rootkits for Solaris boxes then I can't see them ignoring other unix flavours such as OSX.
Posted on: 03 November 2005 by Guido Fawkes
Thanks Steve

Just installed and run rootkit hunter and luckily I seem OK - but there are definitely possibilities for an exploit on Mac OS X.

Rotf
Posted on: 03 November 2005 by Guido Fawkes
On Tuesday, Mark Russinovich discovered that the new Van Zant CD, published by Sony-BMG, contained aggressive anti-piracy malware. This low-level, hidden code not only prevents you playing the CD in Windows Media Player, WinAmp or any other software, but the drivers installed without user consent to run the in-built player chew CPU time even when you're not playing music and can leave your PC crippled if you attempt to remove them. Sony-BMG has done a U-turn.

You can download the Service Pack from the XCP-Aurora.

November 2, 2005: Service Pack removes the cloaking technology component used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

The download requires Microsoft's ActiveX - one of the major vulnerabilities in browser-based security that plague Internet Explorer. Firefox is commonly believed to be a more secure browser because it does not support ActiveX, yet Firefox users wanting to download the XCP Service Pack because of concerns it opens them to 'potential security vulnerabilities' are greeted with this message:

ActiveX Unsupported
Sorry, your Internet Browser does not support ActiveX Controls.
Please use Microsoft Internet Explorer to continue.


In other words, please switch back to the browser you've moved away from for security reasons in order to download the patch that removes the security issues from software that Sony installed without permission.
Posted on: 04 November 2005 by u5227470736789439
Dear Friends,

Does this indicate that Sony/BMG discs should simply be avoided now, then? I occasionally use my little computer to play CDs and I don't want this sort of thing happening.

I'll note this and avoid them in future, for the sake of this "heads up," on a precautionary basis.

Fredrik
Posted on: 04 November 2005 by Guido Fawkes
quote:
Originally posted by Fredrik_Fiske:
Dear Friends,

Does this indicate that Sony/BMG discs should simply be avoided now, then? I occasionally use my little computer to play CDs and I don't want this sort of thing happening.

I'll note this and avoid them in future, for the sake of this "heads up," on a precautionary basis.

Fredrik


Fredrik

When one of the offending CDs is placed in a computer, it should display a copyright message before you get to any music content. It is only when you click OK or ACCEPT to say you agree with the copyright that the unwanted software is installed. If you simply eject the disc at the copyright message then no harm is done.

If there is no copyright message then it should be fine. However, there is always a possibility of stealth behaviour. I think some of the new security programs that protect a PC are getting up to speed on this and will protect your PC, but it is alarming that Sony should do such a thing in the first place.

Best regards, Rotf
Posted on: 04 November 2005 by Guido Fawkes
Fredrik

Amazon's catalogue tells you if the CD is CONTENT/COPY-PROTECTED CD. Here is an example.

Rotf
Posted on: 04 November 2005 by John Sheridan
anybody thought of turning off autorun on their cd player?
Even better protection is to refuse to buy any "cd" with copy protection.
Posted on: 04 November 2005 by Peter Stockwell
quote:
Originally posted by ROTF:
Fredrik

Amazon's catalogue tells you if the CD is CONTENT/COPY-PROTECTED CD. Here is an example.


Rotf


Not Always!
Posted on: 05 November 2005 by Not For Me
Can I chime in with

"None of my LPs have done this to the computer"

DS
Posted on: 07 November 2005 by Nick_S
quote:
anybody thought of turning off autorun on their cd player?

Yep, that was my first response when I heard about this issue.

Nick
Posted on: 10 November 2005 by garyi
http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/


Seriously you have to ask yourself if Sony really want to fail any harder in the music industry?
Posted on: 13 November 2005 by Martin D
Sony stops making anti-piracy CDs

[Image caption: The CDs affected in the US include Natasha Bedingfield's Unwritten]
Sony has said it will suspend the production of music CDs with anti-piracy technology which can leave computers vulnerable to viruses.

The move came after security firms said hackers were exploiting the software to hide their creations.

The software has been used by viruses to evade detection by anti-virus programs and infect computers.

Sony said it had a right to stop people illegally copying music, but added that the halt was precautionary.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," the company said in a statement.

Viral trio

In late October Sony BMG was found to be using stealth techniques to hide software that stopped some of its CDs being illegally copied.

Windows programming expert Mark Russinovich discovered that the Sony XCP copy protection system was a so-called "root-kit" that hid itself deep inside the Windows operating system.

XCP uses these techniques to install a proprietary media player that allows PC users to play music on the 20 CDs Sony BMG is protecting with this system. The CDs affected are only being sold in the US.

Soon after Mr Russinovich exposed how XCP worked, security experts speculated that it would be easy to hijack the anti-piracy system to hide viruses.

Now anti-virus companies have discovered three malicious programs that use XCP's stealthy capabilities if they find it installed on a compromised PC.

Backdoor virus

Security firm Sophos said it had found a virus attached to a spam message posing as an e-mail from a British business magazine. The subject line of the message is: "Photo Approval Deadline".

Those opening and running the program attached to the mail will have their computer infected with the Stinx-E trojan. The virus is also known as Breplibot and Ryknos.

[Image caption: Sony was trying to stop illegal copying of its CDs]

This virus opens a backdoor into infected machines and tries to download more malicious code from the net to further compromise an infected machine.

A bug in the code of the first variant of this virus prevented it working properly but now other versions of the malicious program are appearing that fix this problem.

So far the number of people caught out by the virus is thought to be very low.

Graham Cluley from Sophos said he expected other virus writers to start exploiting the Sony XCP code.

Sony apologised, saying it was working with computer security firms to address the problems.

The news came as more legal challenges to Sony's use of the anti-piracy program were being launched.

At last count six class-action lawsuits have been started against the company.

As the Boycott Sony blog pointed out, the appearance of these viruses could make it much easier for lawyers to argue that the XCP software can cause real harm to a user's computer.
Posted on: 13 November 2005 by Guido Fawkes
Thanks Martin, lots of info in your post - I think the least Sony could do is make an announcement and offer to replace all the CDs that people have bought with malware on them. Hopefully the lawsuits will succeed and Sony will be obliged to act in an honourable way.
Posted on: 13 November 2005 by garyi
They actually had the software for mac as well, however admin password was still required. Nevertheless it was not made clear what was being installed without reading through the agreement.
Posted on: 16 November 2005 by Martin D
Sony recalls copy-protected CDs
Sony BMG is recalling music CDs that use controversial anti-piracy software.
The software was widely criticised because it used virus-like techniques to stop illegal copies being made.

Widespread pressure has made the music giant remove CDs bearing the software from stores. It will also swap bought CDs for copies free of the XCP anti-piracy software.

Sony is also providing software to make it easy to remove the controversial program from Windows computers.

Swap shop

Sony's music arm could be recalling millions of CDs because at least 20 discs are known to use XCP, some by best-selling artists such as Celine Dion, Natasha Bedingfield, and Amerie.

One of the discs, Neil Diamond's 12 Songs, was the top seller on Amazon.com for several days.


XCP PROTECTED CDS
Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life

No detailed figures have been given by Sony for how many CDs are protected with XCP or how many have been sold.
However, work by respected net expert Dan Kaminsky found that more than 500,000 networks have at least one machine on them using XCP.

Although the CDs containing XCP were only released in the US, Mr Kaminsky found that 44,000 copies were installed on machines in the UK.

In its statement announcing the recall Sony BMG said: "We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right."

Security exploit

The alarm about XCP was raised by Windows programming expert Mark Russinovich who discovered that it used a "root kit" to install itself deep inside the operating system.

Subsequent to his discovery virus writers started exploiting XCP's stealthy abilities to hide their own creations.

In the same statement about the recall Sony BMG said it would make it much easier to uninstall the XCP system from Windows PCs on which it has been installed.

Before now any customer wanting to rid their PC of XCP had to go through a several stage process of telling Sony what they wanted to do and then waiting for it to respond. As well as being criticised for its inconvenience, security researchers found that the uninstaller left Windows machines vulnerable to several exploits. The XCP copy protection system only installed on machines running Windows.

Writing on the Freedom to Tinker blog, researchers J Alex Halderman and Ed Felten found that cleverly written webpages could exploit the programming code used to remove XCP to install their own potentially malicious programs.

The pair also provided tools that help people work out if their Windows machines have been left vulnerable in this way.

The news about the uninstaller came as anti-virus firms and Microsoft announced tools to find and remove the "root kit".

The row about XCP has also led to Sony BMG facing several class-action lawsuits over the potential security problems that the software causes.
Posted on: 17 November 2005 by Guido Fawkes
Uninstalling Sony-BMG Entertainment’s spyware-like application from a PC could be more harmful than having downloaded it in the first place

For affected users, this represents a far greater security risk than even the Sony rootkit. Ed Felten, a professor of computer science at the Ivy League university and author of the weblog "Freedom to Tinker," warned that the rootkit remover allows any website to run code onto a PC and take command of it.

"Any web page can seize control of your computer; then it can do anything it likes," Felten wrote on his blog. "That's about as serious a security flaw as you can get."

The uninstaller downloads a program onto PCs called CodeSupport, which remains on a unit after a user leaves Sony's site. The program is labelled as safe for scripting, so a site can download code onto a PC – without user permission – by using it.
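
The "safe for scripting" label described above is recorded in the Windows registry as a COM component category, so a `reg export` dump can be audited for controls that claim it and are not blocked by an Internet Explorer kill bit. This is an added example, not part of the original post or of any Sony or researcher tool; the sample export, CLSIDs and control names are constructed placeholders.

```python
import re

# Documented COM component categories a control registers to claim web-page safety.
SAFE_CATIDS = {
    "{7DD95801-9882-11CF-9FA9-00AA006C4EC6}": "safe-for-scripting",
    "{7DD95802-9882-11CF-9FA9-00AA006C4EC6}": "safe-for-initializing",
}
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops Internet Explorer loading a control
GUID = r"\{[0-9A-Fa-f-]{36}\}"
CLSID_KEY = re.compile(rf"\\CLSID\\({GUID})(?:\\Implemented Categories\\({GUID}))?$", re.I)
COMPAT_KEY = re.compile(rf"\\ActiveX Compatibility\\({GUID})$", re.I)

# Constructed sample in `reg export` text form; CLSIDs and names are placeholders.
SAMPLE = r'''
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}]
@="CodeSupport (constructed entry)"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000A1}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4EC6}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}]
@="Example control with kill bit (constructed entry)"
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000B2}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C4EC6}]
[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-0000000000C3}]
@="Example control with no safety claim (constructed entry)"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-0000000000B2}]
"Compatibility Flags"=dword:00000400
'''

def audit(reg_text):
    """Return controls that claim a safe-for-web category, with their kill-bit state."""
    names, claims, killed, key = {}, {}, set(), ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                      # start of a new registry key
            m = CLSID_KEY.search(key)
            if m and m.group(2) and m.group(2).upper() in SAFE_CATIDS:
                claims.setdefault(m.group(1).upper(), set()).add(SAFE_CATIDS[m.group(2).upper()])
        elif line.startswith("@="):               # default value = friendly name
            m = CLSID_KEY.search(key)
            if m and not m.group(2):
                names[m.group(1).upper()] = line[2:].strip('"')
        elif line.lower().startswith('"compatibility flags"=dword:'):
            m = COMPAT_KEY.search(key)
            if m and int(line.split(":", 1)[1], 16) & KILL_BIT:
                killed.add(m.group(1).upper())
    return [{"clsid": c, "name": names.get(c, "?"), "claims": sorted(v), "kill_bit": c in killed}
            for c, v in sorted(claims.items())]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("BLOCKED" if row["kill_bit"] else "EXPOSED", row["clsid"], row["name"], row["claims"])
```

A control can also declare itself safe at run time through the IObjectSafety interface, which a registry export does not show, so an empty result is not proof that no scriptable control is installed.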
Posted on: 17 November 2005 by Nime
Probably irrelevant to this thread but Blue Man Group's "Complex" CD will not play the music tracks on my computer. It automatically opens a couple of short videos instead. I presume this odd behaviour does not have any detrimental effect on my computer?
Posted on: 17 November 2005 by John Sheridan
I wouldn't be so sure. It's probably installed some software on your pc in order to achieve that and that software could be doing just about anything.
Posted on: 21 November 2005 by Guido Fawkes
The story around the Sony music CDs that use hacker-friendly root kit rights-management software keeps getting worse. As Robert Vamosi explains, criminal hackers have already figured out how to exploit the vulnerability, and Sony's "fix" can actually make PCs more vulnerable. Consumers are already beginning to boycott Sony over this, and now some businesses are considering banning all audio CDs from the workplace, fearing that simple music CDs could open up a corporate network to hacking. Thanks a lot, Sony.

Full Story Here
Posted on: 21 November 2005 by Rockingdoc
I fell foul of this trying to load Clapton's "Tribute to Robert Johnson" into my iPod (which failed, of course). I knew nothing of the potential problems, and didn't notice the barely legible CD case sticker.

The Sony software is now stuck in my PC. I intend to boycott Sony CDs in future and sincerely hope there will be a successful class-action against Sony.
Posted on: 22 November 2005 by Guido Fawkes
Sony caves in, spyware CD exchange offered
Posted on: 22 November 2005 by Two-Sheds
Could Sony have handled the situation any worse?? Anyway I've found a couple of useful links.

First there is a full list of all of the 52 XCP titles.

And in an amusing finding it looks like some of the code used in the rootkit was actually stolen from the LAME VideoLAN project in which DVD Jon (MPAA tried to sue him for breaking DVD encryption in Norway) is a contributor and Sony/whoever wrote the rootkit could have used copyrighted material.