When Mark Russinovich was testing his company’s security software last week, he came across a disturbing find: a Sony BMG CD he purchased from Amazon had secretly installed DRM software on his PC and used “rootkit” cloaking methods to hide it. With the story sweeping across the Net, Sony is attempting to clean up its mess.
Hmmm, so Windows users must run as root to listen to a Sony music CD, eh?
Oh, what’s that? 99% of them already are running as root?
What do they do about rootkits then? Purchase additional software to find and remove them?
You’re kidding me.
This whole Windows security thing is odd to me.
This whole Windows security thing is odd to me.
Me too. I’m a Sr. UNIX Admin and for the longest time I thought Windows was inherently insecure. But now I think I just never understood it. I guess to truly be secure you just have to buy the latest and best security software available, which ends up giving you an advantage over the other OSs. You will preemptively be protected from viruses, trojans, spyware, adware, rootkits and DRM, once you purchase the best protection money can buy from Norton/Symantec and Microsoft.
I wish this level of security was available on Linux. I am prompted for my root password anytime I want to install DRM or a rootkit. Nothing is automated, not even downloading patches. I have to manually tell my computer when I want to. /sigh/
> You will preemptively be protected […]
You probably meant “proactively”
By the way, you seem to fail to understand what a rootkit is and how it can affect Unix as well as Windows (a rootkit is nothing but a modification to the system –nowadays, usually in the kernel– to hide some resources).
>> You will preemptively be protected […]
> You probably meant “proactively”
nope – I think he definitely meant pre-emptively.
after all – the only real way to get protection for a Windows system is to install the protection from a virus *before* the virus is released.
of course – the AV companies will have to invent time machines to achieve this – but no-one ever said that protecting Windows was easy.
Some Linuxes such as Ubuntu 5.10 have an autoupdater like Windows that tells you when you have updates automatically and prompts you to install, or at the very least view them. You could always script an update too.
As for Linux/Unix AV software, it is out there; if you want it to run, schedule a job and have it run every night, no big deal. There is the bright side of a Linux/Firefox combo immune to the vast majority of malware.
I provide Linux support consulting as well as custom software and I have not found any Linux malware, even on the machines running in DMZs. Of course I never run as root and (gk)sudo for everything; the guys who leave their server logged in as root are asking for it. My 2 cents.
Yeah, fairly sure you missed the irony in the parent…
Hahaha, you’re right, that’s what I get for reading this while working.
I think you are being a little liberal with the facts. Consider this.
1. A very small percentage of people are using Unix/Linux as a desktop. Those that are running nix desktops are much more aware of security and usually have more technical knowledge. This knowledge might include recognizing potential malicious code and knowing the danger of running as a super user.
2. Most people who use computers just want to do their work. They are not interested in understanding the internals of PCs and are certainly not concerned about a rootkit.
3. By far the largest percentage of computer users are Windows users. Combine this with #2 and consider the fact that most Windows installs default to using an admin account and you start to see a problem.
4. Sony was intentionally hiding this rootkit by not allowing it to be uninstalled. They were also taking advantage of points 1, 2, and 3 and preying on unsuspecting consumers.
Now before you say that anybody who uses a computer should have to undergo some type of training before they are allowed to use the Internet, let me add this. I partially agree with this idea, but also understand that personal computers have always been marketed as “appliances”. People don’t need training for their refrigerator, toaster, or television, so they assume that their PC should act similarly. There are fingers of blame to point everywhere, but the problem is not with “dumb” end users. It lies with shady marketing and distribution practices as well as a lack of security by vendors and developers.
A little history about rootkits. Rootkits were actually born on UNIX. The name rootkit was taken from the ability of an attacker to take control of the host with root privileges. They would often replace /bin/login or something similar. There are three classes of rootkits: binary, kernel, and library kits. If you are interested there is an excellent history of rootkits available at (caution PDF download ahead)
http://www.rootsecure.net/content/downloads/pdf/unix_rootkits_overv…
Oh, what’s that? 99% of them already are running as root?
Yup.
My one time playing about with Admin/Regular User under WXP came when I was trying to help my brother put Spybot and Opera on his home computer. My dad had set it up, and instructed my brother that he wanted to use his “regular” account and not login as “admin” unless he needed to.
I sit down, and try to install software and it fails repeatedly and I’m getting cryptic error messages that don’t help me. I reboot the machine. Only *then* do I discover that there’s an Admin/Regular account thing going on. Aha.
In a bit of truly BRAIN DEAD design, there was never any sort of prompt giving me the opportunity to enter a password and get software installed. (Nor was there a way [that I could find] to do a bit of fast user switching. [Maybe it’s not on XP Home?]) Nope. If we wanted to put software on, we had to run as Admin for the duration.
At any rate, given that running as anything but the Admin makes software install more of a PITA than it should be, why are we surprised that people tend to run as Admin?
I mean, on OS X, when I’m running my everyday account, and go to install software, a little box pops up and asks for the admin password. I type that in, and am good to install that one bit of software and/or make the needed change.
(I wish Ubuntu would do that — pop the little authentication window open — but at least there, I can open the frelling terminal and sudo the software on rather than having to login/logout.)
In a bit of truly BRAIN DEAD design, there was never any sort of prompt giving me the opportunity to enter a password and get software installed. (Nor was there a way [that I could find] to do a bit of fast user switching. [Maybe it’s not on XP Home?]) Nope. If we wanted to put software on, we had to run as Admin for the duration.
I agree that Windows should prompt you and let you know when something needs elevated privs. Vista of course is supposed to do this but that’s more than a year away.
Not sure about XP home, but on XP Pro you can hold down CTRL-SHIFT and right click most objects to ‘RunAs…’ for launching processes with other credentials.
I believe that W2K has a version of SUDO?
http://www.ss64.com/nt/su.html – su info
http://www.ss64.com/nt/runas.html – runas info
not sure if they have a sudo exactly
but at least there, I can open the frelling terminal and sudo the software on rather than having to login/logout
Right-click->Run as… I’m pretty sure it’s been there since 4.0, and know it’s been there since 2000.
There’s no rule that says you have to run Windows as an administrator. That some software fails to run as a limited user is a flaw in that specific software — I’ve been running my Windows machines as a limited (or at most a “Power”) user for over five years without any more significant problems than I’ve seen on my GNU/Linux installs.
Right-click->Run as… I’m pretty sure it’s been there since 4.0, and know it’s been there since 2000.
In Win2k, you had to hold down shift while right-clicking to get “Run as” to appear (at least, in the first version/service packs). You don’t have to hold down shift to get it to show up in XP, but that only makes it a little bit better.
E.g., Random Q. User, running as a non-admin, tries to install a piece of software from a CD he bought at Staples. He inserts the CD, it auto-runs, and – if he’s lucky – it pops up an error saying “You need admin access to install this app.” If he’s not lucky, it gets halfway through the install process, and then halts on some wonderfully helpful message like “Cannot write to blah – permission denied!”
Just happening to be savvy enough to know about the “Run as” command, he opens up his My Computer window and double-clicks the icon for the CD containing his newly-purchased software. What happens? Instead of showing him the contents of the CD, it auto-runs the installer again, and gives him the same error. So now, in addition to the esoteric knowledge about the “run as” command, he also has to have the esoteric knowledge that he has to right-click the CD and select “open” to actually view its contents.
So yes, there are ways around the problems with Microsoft’s implementation of multi-user. The problem is that you have to know a handful of decidedly non-obvious tricks to make it work worth a damn.
And the example above is one of the less-confusing scenarios. What about when Random Q. User tries to change his network settings, and finds out that “Run as” doesn’t work on Network Connections? Or what about when he needs a filemanager window with Administrative permissions? Ridiculously, the only way to accomplish either as a non-admin user is to run iexplore as admin (not explorer, that doesn’t work), and then “change” it to a filemanager by typing c: or “control panel” in the address bar. And even that doesn’t work 100% – try changing a filename, the change won’t actually show up until you manually refresh the window.
Right-click->Run as… I’m pretty sure it’s been there since 4.0, and know it’s been there since 2000.
See, the thing of it is, at home, I have never run XP or any of the NT based Windows OSes. I run OS X and Ubuntu.
At work, where I run XP Pro, Systems has prevented us from playing around with the Admin tools and XP has no obvious, easy to find command line.
start->run->cmd ?
Runas is included in shortcuts, well, in 2k anyway…
XP Home does make it even harder to run a limited-user/admin system – you can’t modify file permissions without rebooting into Safe Mode ferchrissakes!!! – but given that it is Windows, this has a ‘silver lining’.
One thing that’s extremely difficult to do is open a root Explorer shell. KDE (and I imagine other Linux DEs) will complain or flat-out refuse if you try this, because even if you understand the least-privilege principle, it’s easier to make a mistake or be tricked into doing something destructive in Konqueror than on the command-line. Do you – can you – ever know all the things a graphical shell might do when you click a certain file?
The right-click -> Run as… (or command-line ‘runas /user:<user> myprog.exe’) works for any .exe or .cpl, but it’s a nightmare to try and use it with Explorer, which might be no bad thing, particularly as Explorer can jump outwards to the Web at the brush of a wrong key…
[OK, Konqueror can do so too, I know. My real point was Explorer is just a bit more … famed … for its propensity to do things you didn’t expect nor want to]
Fast User Switching is a service in XP, which provides both the ‘switch user’ option at logout, and the ‘Run as…’ functionality.
Should Windows nanny you with software installation? Not necessarily. If you admin your PC in this way, you’ll know that installing many apps is impossible as ‘non-root’. If you let others use it with limited accounts, you’ll have probably told them how – and why – they are sandboxed from such abilities.
Apps should be designed to allow for such scenarios. If a developer hasn’t considered this possibility, I’ll wonder: have they thought *at all* about non-admins actually *using* their software? Alarm bells!
Maybe the problem is that software installation (on Windows at least) is almost always a closed box. If you don’t know what an install is gonna do – new files placed where? What registry changes? – how can you possibly know if it’ll succeed or puke? I give top marks to installers that:
1- Check permissions of the user;
2- If there’s a problem, inform the user and *explain* what specific operation needs higher rights;
3- Offer options of where to install main program files *and* user data (with defaults of course, for those who don’t care);
4- Do not place *ANY* frickin’ shortcuts in any menus or desktops other than those I specify!
now you can cheat in games without being caught (http://www.securityfocus.com/brief/34) ;-P
This is just the beginning…
Well, Mr. Senior Unix Admin,
Evidently you’re not very good at your job. There are plenty of rootkits infecting the Unix and Linux world too. Just google “rootkit”.
I would hate to have you in charge of my Unix systems if you’re not even aware of this.
I just googled “rootkit no root authentication required on unix” and came up with zero relevant results.
I’m tempted to google “rootkit upon music cd insertion on unix”, but I can anticipate the results, this query actually being a subset of the one above.
I would hate to have you in charge of my Unix systems if you’re not even aware of this.
Why is that? Run into a rooted UNIX system lately? The last one I encountered was my Slackware 4.x system. It was hacked through ftp by a person with a brain, not a script or a music CD. After that I decided to learn a bit about security.
Now, more than 5 years later, I have yet to find another one. At least not on any systems I configured.
Face it, *nix is vulnerable to rootkits, there are plenty of them. But to install a rootkit, you would need root privileges, something which can be gained by for example exploits. I think rootkits are the biggest security threat to *nix, but since most *nix users don’t run as root for browsing the net and using irc, the chance of getting infected is lower – especially if you have a decent firewall.
That’s assuming those are the only infection vectors.
Anyway no form of security is any good if it’s not used. How good would Windows security be if people actually used it?
That’s assuming those are the only infection vectors.
Such as?
What other ways are there to have software install on a *nix based system?
Well, one way would be to repeat over and over in various OS security discussions that *nix is just as insecure as Windows. Saying it repeatedly makes it so, and hence, your *nix computer can get infected in any way a Windows computer can. Or maybe my deductive logic skills ran astray…
Corrupting binaries at the software mirror.
Sony would never change their stance if they were not caught, red handed. At all cost do not buy any Sony products!
I’m surprised no one has asked this yet, so I’ll ask.
Why should we trust Sony to remove the rootkit they wanted on our computers in the first place? Wouldn’t that be like handing a convicted murderer a loaded gun?
Aaaah… And so it begins.
Sometimes I’m just Soooo glad I use my Amiga as my main machine. None of their crafty skank will affect us.
The Futures bright… The Futures Orange. (Os4)
🙂
Yeah, makes me happy I use my ct60’d falcon as my main machine too
So, the “rootkit” aspect is just the file-hiding “feature,” right? From the article:
“The patch will be made available for download from Sony BMG’s Web site, with another offered directly to antivirus vendors. The DRM software will not be removed, however, only uncovered; that means users will still be unable to delete it without risk of rendering their CD drive inoperable.”
But I wonder, how well do these copy-protected CDs play on Linux?
But I wonder, how well do these copy-protected CDs play on Linux?
They’re just regular music CDs with a rootkit and media player set to autorun. If you don’t have autorun enabled or aren’t running as administrator (or are using an operating system that doesn’t offer autorun for Windows executables), the copy protection and rootkit won’t affect you — it’ll appear to be a standard music CD (with some extra data files).
What would you expect from a corporation that is part of the RIAA?? Rootkits, system-wide scans, activating by phone calls, huge fines, using powerful lawyers are the in-thing.
Here is some good info for people wanting to know about running as limited users on windows http://nonadmin.editme.com/
Also in XP I know if you’re running as limited and want to get admin abilities there are a few programs out there for that.
Plus through CMD you can do a runas /profile /user:machinenameadminname cmd and get a new CMD window with admin abilities and do what you need with the admin account, install stuff, edit settings, change file and folder permissions using cacls or get subinacl, seeing as it has more abilities than just cacls does.
Do any other commercial programs install rootkits? For example: I purchased a Sony Vaio with Soundforge installed. It only allowed 20 mp3 conversions. Also, Nero 6.6 Ultra allows on 25 or so mp3pro conversions. Are the counters for these mp3 conversions stored in some hidden, non deleteable file or rootkit? How would someone find out? Do we have to go through the pain that Mark Russinovich went through to even find out?
[quote]Do any other commercial programs install rootkits? For example: I purchased a Sony Vaio with Soundforge installed. It only allowed 20 mp3 conversions. Also, Nero 6.6 Ultra allows on 25 or so mp3pro conversions. Are the counters for these mp3 conversions stored in some hidden, non deleteable file or rootkit? How would someone find out? Do we have to go through the pain that Mark Russinovich went through to even find out?[/quote]
Yes, some programs store “hidden” counts of such things, whether in the registry, or hidden files. You can discover the locations of these files under normal circumstances just by logging the program’s install process, or if it is already installed, looking at what modules and drivers/services it uses, what it accesses in the registry, and its disk access.
Btw, interesting info about Soundforge. No wonder Sony bought it. They bought it to sabotage it! I bet they are planning to put some kind of DRM in it, if they haven’t already. Someone should check. :^(
By not informing the user of the install, providing no uninstall and also “cloaking” it, isn’t Sony skirting the law if not already breaking it? It seems to me in the U.S. they are required by law to inform the consumer on the outside of the package of any restrictions or limitations.
I have played lots of CDs on Linux incl. several Sony’s and have never been prompted to become root to do so. Could it be that Sony skipped Linux and because they wanted the secrecy and knew that Linux wouldn’t be able to keep one but would prompt to become root?
If Sony had had any chest hair they’d have put up a sign saying “Playing this CD will install copy prevention software requiring elevated privileges. Continue [y/n]?”
But I guess profits won over the chest hair.
Still, the issue is disturbing. Now, if it had been some twilight recording startup by a couple of hackers – but Sony? Who else of the “trusted” companies is invading peoples private space by stealth?
It’s not like the mechanism is unknown on Linux.
http://la-samhna.de/library/rootkits/
has a list of several nasty rootkits for Linux.
“In a bit of truly BRAIN DEAD design, there was never any sort of prompt giving me the opportunity to enter a password and get software installed.”
You can always do a runas in the cmd window, give the admin account info and install the programme.
I do that on my machine.
Has anyone considered the breaches of privacy and law here?
There should be a class action lawsuit against Sony!
Can’t do that in the U.S. anymore, we call it tort reform.
“Can’t do that in the U.S. anymore, we call it tort reform.”
Yes you can. The question is… is it justifiable?
going off topic here for a sec…
tort reform will never solve anything. it only protects big business and helps the rich stay richer.
just the way GW wants it.
Well, it’s things like this that destroy geek consumer confidence. SCO, Sony… um, that autorun thing a while back.
[NOTE rant section]
Sony equipment is ok but their firmware sucks. I can’t believe I bought a Sony DVD burner over a LiteOn.. shame on me
[end of rant]
I request that OSnews have a poll about the matter, an OSnews readers opinion poll regarding their behavior and its consequences. Oh well, no Blu-ray for me…. I thought Microsoft were bad. Sony, now you’re right up there with SCO, shame on you…
Shame on average users with Admin accounts… RunAs service is great
Under the UK Computer Misuse Act (and, quite likely, equivalent EU legislation) it’s basically monkeying with someone’s computer without their consent – especially if it actually breaks functionality. It would be a criminal offense; they’re basically giving people a Trojan.
If these ever did / do get sold in the UK, it’d be committing a criminal offense in trying to protect themselves from copyright infringement (a civil offense)… (!!!)
The answer is simple. Don’t buy CD’s from Sony or any other company that uses copy protection on their CD’s. All Sony is doing is driving people back to pirating software.
Any computer that has Sony’s rootkit can be used by other hackers. The WoW cheating hack is the first reported but I am sure there will be others. Since you have to be root to play the CD, this give hackers a free ride in. The hackers will then use the rootkit to hide their files on your computer.
Ero Carrera, a researcher at F-Secure, a computer security firm, said “The code of the application is not exactly well done. I would tend to believe there are people already working on finding exploits.”
If you try to remove the rootkit, your CD drive will stop working.
The patch does not remove the software. It only makes the rootkit visible to antivirus programs.
Depending on how many CDs were sold that have this rootkit, this could create plenty of security problems.
I haven’t bought an actual hard music CD in years. That’s what I use iTunes for. I get the one song I like, and am gracefully spared whatever crap the artist had to put down to fill the CD. It’s kind of rare nowadays to find a CD that is good from start to finish. Take music from iTunes, apply DRM removal software / or just burn the CD and re-rip it. Voilà, no more copy protection, and now the music sits on my media machine where I can play the music on anything that handles “mp3”.
Just one more nail in that format. If consumers can’t trust the CD manufacturers to not mess with their computers then they’ll find someone they can.
Wait wait wait…
Don’t get into a big hurry to remove that rootkit! Well, not until you have leveled up some.
😉
http://www.theregister.co.uk/2005/11/04/secfocus_wow_bot/
So all it takes is a $sys$ prefix to files… anyone want to prefix the EICAR test virus and run a virus scan? Because I’m sure virus writers are doing that right now..
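The prefix test the post above suggests can be made a repeatable check. The script below is an added example, not code from the thread or from Sysinternals: it writes a marker file whose name starts with the `$sys$` prefix the thread names, then asks the ordinary user-mode views (directory enumeration and a direct stat by name) whether the file is still there. A system with no name-filtering hook reports the marker as written, listed and stat-able; a cloak that strips `$sys$` names out of enumeration shows up as "written but not listed". A control run with a neutral prefix guards against misreading a generic failure (read-only directory, AV quarantine) as cloaking. The marker content is inert text; swapping in the EICAR string to exercise a scanner, as the post proposes, is a manual choice left to the reader. The file name, directory handling and return shape are this example's own assumptions. One caveat a practitioner needs: this probe only sees what such a hook filters from the paths Python itself uses; it is not a substitute for the raw-disk cross-view comparison that a dedicated rootkit detector performs.

```python
"""Probe for a name-prefix file cloak (added example; not from the thread).

The $sys$ prefix is the one named in the discussion. Everything else here
(marker name, result keys, control prefix) is an assumption of this example.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"      # prefix the thread says the cloak filters on
CONTROL_PREFIX = "plain_"   # neutral prefix for the control run (assumed)


def probe_cloak(directory: str, prefix: str = CLOAK_PREFIX) -> dict:
    """Write a marker named <prefix>probe.txt and check the user-mode views.

    Returns a dict:
      path     - full path of the marker that was used
      written  - open()/write() succeeded (we held a handle and wrote bytes)
      listed   - os.listdir() enumerates the marker name
      stat_ok  - os.stat() on the explicit path succeeds
      cloaked  - written, yet missing from enumeration or from stat
    On a clean system cloaked is False and all three checks are True.
    """
    name = prefix + "probe.txt"
    path = os.path.join(directory, name)
    result = {"path": path, "written": False, "listed": False,
              "stat_ok": False, "cloaked": False}
    try:
        with open(path, "w", encoding="ascii") as fh:
            fh.write("cloak probe marker\n")  # inert content, not EICAR
        result["written"] = True

        # View 1: directory enumeration (FindFirstFile/readdir under the hood).
        result["listed"] = name in os.listdir(directory)

        # View 2: direct open-by-name, which a hook may treat differently.
        try:
            os.stat(path)
            result["stat_ok"] = True
        except FileNotFoundError:
            pass

        # Cloaked = we know the file exists (we wrote it) but a view denies it.
        result["cloaked"] = result["written"] and not (
            result["listed"] and result["stat_ok"])
    finally:
        # Clean up by explicit name. If even this fails on a machine where the
        # write succeeded, the leftover marker is itself evidence of filtering.
        try:
            os.remove(path)
        except FileNotFoundError:
            pass
    return result


def probe_control(directory: str) -> dict:
    """Same probe with a neutral prefix; must agree with the cloak probe on a clean box."""
    return probe_cloak(directory, prefix=CONTROL_PREFIX)


def run_probe_in_tempdir() -> tuple:
    """Run both probes in a fresh temporary directory; returns (cloak, control)."""
    with tempfile.TemporaryDirectory() as d:
        return probe_cloak(d), probe_control(d)


def verdict(cloak: dict, control: dict) -> str:
    """Turn the two observations into a one-line finding."""
    if not control["written"]:
        return "inconclusive: could not write to the probe directory at all"
    if cloak["cloaked"] and not control["cloaked"]:
        return "name cloak active: %s written but hidden from user-mode views" % cloak["path"]
    if cloak["cloaked"] and control["cloaked"]:
        return "inconclusive: both prefixes vanish, look for a generic cause (AV, permissions)"
    return "no name cloak seen on the %s prefix" % CLOAK_PREFIX


if __name__ == "__main__":
    c, ctl = run_probe_in_tempdir()
    print(verdict(c, ctl))
```

Run it from a limited account as well as an admin one: the Sony driver hid its files system-wide, so a difference between the two runs would point at something other than the cloak. A positive result is a reason to run a proper detector, not a conclusion on its own.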
I agree with you, mgraham76.
Just in case many of you aren’t thinking about this yet, I’ll bet many other music companies/labels are employing the same tactic. It’s totally dishonest of them.
Although it’s a rare occasion for me to insert someone’s CD/DVD in my computer, now it went to a different level. I’ll never use anyone’s CDs anymore, especially if they’re not computer/security savvy.
I suspect EVERY disc will have some type of protection on it after a while, and the CD/DVD buying software will quickly come to a drag or stop, until they change their practices.
To be honest with you, the safest CDs & DVDs you can get hold of are the ones you download. They have been stripped of their deceitfulness.
And speaking of deceitfulness, have anyone ever noticed this:
When we buy DVDs we are “paying” for the production cast/crews’ “MISTAKES”. They cram all that extra crap onto the DVDs and then they charge us for it. I don’t care how they made the movie. I don’t care that they forgot their script, the “out-takes”, bloopers. I just want the movie.. no more, no less. And NO “menus”. Are these companies willing to make versions of their movies without all that crap? and charge less?
A classic case of deceitfulness by the entertainment industry:
you go to the movies and you see a movie, then when the movie comes out on DVD, it’s NOT what you went and saw in the theatre. My complaint would be of the movie “Eraser” with Arnold Schwarzenegger & Vanessa Williams. At the end of the movie (IN THE THEATRES) the soundtrack “Erase” by Vanessa Williams was played. On the radio it was said that you will NOT get that song ANYWHERE, because it wasn’t packaged anywhere. It was also said the “soundtrack” is not in stores and it won’t be.
Nevertheless, I bought the VHS copy of it, JUST for the soundtrack at the end. Well, fast forwarding to the end, where the credits are shown, there was not even a 10 second piece of the song at all. It was in the movies with it, but not on my “PAID” version. Was I deceived? I “KNEW” I was. Well, I did download the song (I wanted what I “paid” for) and I still have it. They cheated me, so I took action.
Why are we being deceived & having to pay for versions of a movie that we didn’t ask for?
Theatre Version = Maybe You’ll Get One
Director’s Version = Was that the one in the theatres?
Special Edition Version = What’s so special about it? I would need to compare it to the “CAM” shot taken from the theatre.
and all the other versions. Why aren’t we getting exactly what we pay for from the entertainment industry?
Do they tell us we have an option to buy what we saw before? Nope. They think they know the perception of viewers, and that is… “About time this comes out, they won’t remember all that they saw in the movies months ago.” That wouldn’t be a bad idea,,,, a central “CAM” station where you can compare your bought movie from the one that was shown in theatres.
If these companies took away all of their sneaky practices, lowered their prices and remained honest to “buyers/supporters”, and get rid of the RIAA and other organizations, and just simply put a “Please Donate” for their works/causes, I’m sure they would surpass their expected “profit margin”
One Man’s Opinion