Antivirus firms consider protection against Sony DRM rootkit 3

Sony have now pulled it. CDs to be recalled and software to be made freely available to remove it. Provided it doesn't make a complete hash of this as well (the first removal tool had an ActiveX exploit!).

Now all we need is Mr Arrogant to say "Sorry, we made a boo boo", but don't hold your breath on that one!



Only the truly stupid believe they know everything.
Stu.. 2004
 
Good news: the makers of BOClean have a solution, but due to legal definitions and what it entails they cannot at this moment release their total fix for this Sony rootkit. I'd be better just posting the link and Nancy_McAleavey's post at the Wilders board!

SONY XCP DRM removal for the Handyperson
Thanks to Kevin:

BEFORE you read this, it's important to note that we're EXTREMELY busy right now with far more serious issues than the media's attention to the "SONY ROOTKIT" phenomenon, and that handling panicked people over this has consumed huge amounts of our time already to the detriment of more important issues. As we near release of BOClean 4.20, all of our attention is focused on that right now. Emails regarding this issue or instant messages will have to wait until AFTER Thanksgiving. Therefore, should you respond to this offering, please don't be offended if I don't have time to respond to those at this time. I encourage further discussion and possible corrections of the advice offered below, but am not in a position to assist owing to far more pressing urgencies. I hope folks will understand the difficult situation that I'm in.

Having found some time to go back and play with the SONY rootkit has been difficult to come by, and our attorneys have been unable to obtain a definitive answer from the justice department as to our creating a specific solution to the SONY "rootkit" problem. However, I have been told that I have a right to my opinion, and as long as I express this as "my opinion" and not that of our company, (I did this on my own time) I should be free to share a chuckle with folks as to the pathetic nature of this "rootkit." And in doing so, I can explain WHY I think it's pathetic as well! So let's have at it, folks can learn from my rant to follow how to take care of this all by themselves!

The "rootkit" indeed hides the uber-secret "$sys$filesystem" folder, which is a subfolder of the WINNT (NT and 2000) or WINDOWS (XP) "SYSTEM32" folder. The rootkit, sadly, is UNABLE to hide itself from being accessed directly from a COMMAND PROMPT (found in the start menu/programs/accessories list).

So for chuckles, I opened a COMMAND prompt. I then went (on an XP box, NT and Win2000 would be a WINNT rather than WINDOWS) ...

CD WINDOWS (enter)
CD SYSTEM32 (enter)
CD $sys$filesystem (enter)

Lo and behold, on a machine infected by this, I got a PROMPT with $sys$filesystem present! (On an UNinfected machine, you'd get an error of "not found." Surprisingly, it let me HAVE it!) If this directory doesn't show, then you're NOT infected! You're finished right here.

IF $SYS$FILESYSTEM exists, then the first thing we'll want to do is lose the "cloak" and that is a file called ARIES.SYS ... this command will get rid of it, you can successfully delete it while it's running. It's NOT protected! Heh. This command loses the cloak:

DEL ARIES.SYS (enter)

Once you've done this, REBOOT!

At THIS point, you have done what everyone else (including antiviruses, Microsoft and everyone else) is going to do as their FINAL solution - you have successfully "uncloaked" and prevented any further possible exploits of your system. Color it done unless you're brave enough to continue. In going further, a COMPLETE removal is necessary. Here's what I discovered ...


REMOVING THE REST OF SONY'S "TREAT"

After you've rebooted, some services (which are not really services) will run again, particularly the $sys$DRMServer. Trying NET STOP won't work as it's not REALLY a service. You'll get a system error. However, you can now SEE the files when you use the "My computer" file explorer and you'll be able to SEE the "$sys$filesystem" folder now under the SYSTEM32 folder.

You should now be able to move to the formerly-hidden $sys$filesystem folder and it should now be visible after the reboot.

BEFORE you do anything else, you now have to consider if you're brave enough to do manual registry editing, because if you remove anything else and don't clean up the registry, your CDROM and possibly your hard disk(s) *WILL* vanish if "crater.sys" and "$sys$cor.sys" are removed. So if you're uncomfortable with registry editing, STOP NOW! You're DONE!!!

If you do the CD\WINDOWS, CD SYSTEM32, CD $sys$filesystem trick again, you will note that two things that weren't there before will now appear. Those are $sys$DRMServer and $sys$parking. LEAVE THEM ALONE! And there are MORE back in the SYSTEM32 folder. Leave THOSE $sys$*.* files alone for now ALSO!

The $sys$DRMServer.exe file will still be running and cannot be stopped without registry removal and another reboot. So ON to the next step(s) ...


NEXT STEP - REGISTRY CLEANING

Because the rootkit modifies registry permissions, a TEMPORARY trick needs to be applied in order to be successful.

FIRST ... run REGEDT32 (*NOT* REGEDIT) and navigate down to the HKEY_LOCAL_MACHINE key. RIGHT click it and select PERMISSIONS from the dropdown menu.

Click on "everyone" and make sure that FULL CONTROL is checked before proceeding. After you're done, be SURE to come back here and UNcheck it or your machine will be at risk. This elevated privilege is required in order to successfully edit and/or delete the remains, and it's CRUCIAL that you reset this after you're done!

Use the FIND item to locate anything that matches "$sys$" ... there's going to be a PILE of them all over the place, and failure to carry out this portion of it will cause drives to no longer work!

Using FIND, have it search for $sys$ ... certain registry entries can simply be deleted, certain ones must be EDITED, and here's where it gets tricky ...

First things you'll encounter are under the HKEY_LOCAL_MACHINE files, under the SOFTWARE key ... you'll want to delete outright these three:

$sys$reference (right click, DELETE!)
ECDDiskProducers (byebye)
SONYBMG (hasta la vista!)

Then, as you continue to FIND more $sys$ items, BE CAREFUL! Some can be deleted, SOME HAVE TO BE EDITED!!! To find the next, simply hit the F3 key!

In "WBEM\WDM" you'll spot some UUIDs and there will be crater.sys. Any such references that DON'T have IMAPI are safe to just delete. This will be the first one you encounter after the above. DELETE. Same for the one in WBEM\WDM\DREDGE ... DELETE!

This qwap also copies itself all over the "CurrentControlSet" keys, and does up ALL of them.

So next stop will be under various "ControlSet00x" keys. You'll stop at the "CoDeviceInstallers" ... for each "$sys$caj.dll" you encounter. On OUR lab rats, it was the first UUID entry and the last. Look for the $sys$caj.dll entry and remove ONLY that particular value for a UUID where it appears and do NOT touch anything else in there!


NEXT STOP IS THE TRICKY ONE!

Next stop is the "Enum" area - IDE or SCSI depending on what you have. HERE, we need to EDIT rather than DELETE! Look for an entry on the right side that says "LowerFilters" ... DO NOT DELETE!!!!! You need to double-click on the "LowerFilters" name. That will bring up an EDIT screen.

In this EDIT screen, what you need to do is move the cursor up where it says "$sys$crater" and CAREFULLY remove that, and pull any lines below it up. NORMALLY the line below will be IMAPI.SYS but could be something else, and more following. The OBJECTIVE is to remove the $sys$crater ONLY and then pull the line below it up to where the crater.sys WAS. Objective is to leave everything ELSE intact and JUST lose $sys$crater!

Should you encounter a "LowerFilters" that *ONLY* contains "$sys$crater," then you can DELETE it, but usually the "LowerFilters" has another item. Make certain that the top item isn't blank!

Next stop in your search will result in "UpperFilters" and here, what you want to remove is "$sys$cor." If "$sys$cor" is the ONLY entry, then you can delete that item. If there is anything ELSE in there, then you must edit OUT the "$sys$cor" as was done with "$sys$crater." Each system is different and thus the uncertainty here. You ONLY want to get rid of "$sys$crater" and "$sys$cor" and LEAVE EVERYTHING ELSE INTACT or your drives will vanish.

$sys$cor will show up in other places, under the name "ActiveChannel." You can DELETE that whole value too. ANY place where only $sys$cor or $sys$crater shows up as a value can be DELETED as LONG AS there are no other "dependencies" listed. If there are other items, you MUST edit OUT the $sys$whatever and LEAVE THE OTHERS INTACT by removing the entire line which contains either $sys$crater or $sys$cor ...

NEXT STOP, "ROOT" entries! You'll see the following KEYS which need to be deleted:

LEGACY_$SYS$ARIES
LEGACY_$SYS$DRMSERVER
LEGACY_$SYS$LIM
LEGACY_$SYS$OCT

Just delete the entire KEYS themselves, so the above are GONE.

NEXT STOP, "SERVICES" entries! You'll see the following keys next:

$sys$aries
$sys$cor
$sys$crater
$sys$DRMServer

Same deal as above ...

That completes the "CurrentControlSet" ... expect to go through a repeat of the above for EACH user's individual "ControlSet" until you've done them all. How many depends on how many "users" on the machine.

Once done, BE SURE TO GO BACK and CORRECT the security change to the registry that was necessary to do this - REMOVE the checkbox for "everybody" that granted "everyone" "FULL CONTROL." You DON'T want to leave that permission granted!

And finally, REBOOT!

When the system comes back up, GO to that $sys$filesystem folder and delete the remainder - you'll now have permissions to do so. And finally, wipe THESE files from your SYSTEM32 folder:

$SYS$CAJ.DLL
$SYS$UPGTOOL.EXE

You're done!

PREVENTING REINFECTION

1. Disable "autostart" (google for how)
2. Install BOClean (sorry, I *work* for a living and if I didn't, I wouldn't have KNOWN this answer.)

Permission granted to redistribute and expand upon, please include the original source though - Kevin McAleavey at nsclean.com, makers of BOClean. If I'm going to be sued for this, the least I've earned is credit for the answer.
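The LowerFilters/UpperFilters step Kevin describes (remove only the $sys$crater or $sys$cor entry, keep every other filter driver in place, and delete the value outright only when nothing else is left) as a worked example in Python. This is added here and is not Kevin's or BOClean's code; the registry snapshot, device key paths and function names are constructed for illustration, and on a live machine the lists would be read with winreg rather than from the sample dictionary.

```python
from typing import Dict, List, Tuple

# Filter-driver names the XCP package inserts (names taken from the post above).
XCP_FILTERS = {"$sys$crater", "$sys$cor"}

# Constructed snapshot of Enum keys as {key_path: {value_name: [strings]}}.
# The device IDs are made up; REG_MULTI_SZ values are modelled as lists.
SAMPLE_SNAPSHOT: Dict[str, Dict[str, List[str]]] = {
    r"HKLM\SYSTEM\ControlSet001\Enum\IDE\CdRomCONSTRUCTED\5&0": {
        "LowerFilters": ["$sys$crater", "imapi"],   # edit: keep imapi
        "UpperFilters": ["$SYS$COR", "redbook"],    # edit: keep redbook
        "Service": ["cdrom"],                        # not a filter list
    },
    r"HKLM\SYSTEM\ControlSet001\Enum\IDE\DiskCONSTRUCTED\5&1": {
        "LowerFilters": ["$sys$crater"],            # only entry: delete value
    },
    r"HKLM\SYSTEM\ControlSet001\Enum\SCSI\CdRomCLEAN\4&2": {
        "UpperFilters": ["redbook"],                 # clean: leave alone
    },
}


def strip_xcp_filters(entries: List[str]) -> Tuple[List[str], str]:
    """Decide what to do with one LowerFilters/UpperFilters value.

    Returns (cleaned_list, action) where action is:
      "unchanged"    no XCP filter present, do not touch the value
      "edit"         write cleaned_list back; the other drivers survive in order
      "delete_value" the XCP filter was the only entry, so delete the value
    """
    # Case-insensitive match: the post shows both $sys$cor and $SYS$COR.
    kept = [e for e in entries if e.strip().lower() not in XCP_FILTERS]
    if len(kept) == len(entries):
        return entries, "unchanged"
    # An edit must not leave a blank line at the top ("make certain that the
    # top item isn't blank"), so drop empty strings as well.
    kept = [e for e in kept if e.strip()]
    if not kept:
        return [], "delete_value"
    return kept, "edit"


def audit_filters(snapshot: Dict[str, Dict[str, List[str]]]) -> Dict[str, Tuple[List[str], str]]:
    """Walk every key and report only the filter values that need action."""
    plan: Dict[str, Tuple[List[str], str]] = {}
    for key_path, values in snapshot.items():
        for name, entries in values.items():
            if name.lower() not in ("lowerfilters", "upperfilters"):
                continue  # touch nothing else in the key
            cleaned, action = strip_xcp_filters(entries)
            if action != "unchanged":
                plan[key_path + "\\" + name] = (cleaned, action)
    return plan


if __name__ == "__main__":
    for value_path, (cleaned, action) in audit_filters(SAMPLE_SNAPSHOT).items():
        print(f"{action:12} {value_path} -> {cleaned}")
```

The script only produces a plan; writing the cleaned lists back (or deleting a value) is deliberately left to a separate, reviewed step so the decision logic can be checked against a snapshot before any key is touched.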
 
Sony in more trouble over its rootkit remover; it just gets better!

Sony rootkit remover on the rocks

Alorie Gilbert
CNET News.com
November 17, 2005, 09:40 GMT

Sony's week is getting worse: now the program it's distributing to get itself out of the rootkit mess has been targeted by malware authors

Sony BMG took another blow Wednesday, when a security company said it has found malicious attacks based on software designed to defuse the record label's rootkit-related problems.

Websense's security labs reported that it has discovered several Web sites designed to exploit security flaws in a rootkit uninstaller program issued by Sony BMG. As reported earlier, some Sony CDs deposit rootkit-like code onto people's computers that leave them open to attacks.

Websense has uncovered only a couple of Web sites set up to attack flaws in the initial uninstall program, and the damage they cause appears to be minimal so far. One of them, hosted in the United States, simply restarts infected computers.

"It's someone trying to make a point," said Dan Hubbard, senior director of security and technology research at Websense. "They could have done a lot worse."

Sony became embroiled in controversy earlier this month after the record label was discovered to be distributing secret code similar to a rootkit with certain music CDs as a copy-protection mechanism. Sony BMG recalled millions of these CDs on Tuesday, after viruses exploiting flaws in the rootkits began to appear.

The company also released programs to uninstall the rootkits, but the initial Web-based version has its own set of flaws, Princeton University computer science professor Ed Felten wrote in his blog on Tuesday.

In the case of the US-hosted malicious site, the attacker may have compromised the site without the owner's knowledge, Websense's Hubbard said. The site appears to be associated with Canada's version of the American Idol TV show. Websense also found the following message in the site's malicious code: "Sony DRM Christmas Gift." DRM stands for digital rights management, a type of copy-restriction technology.

"Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack," Websense said in a statement.

A Sony BMG representative did not immediately respond to inquiries about the alert.

However, in response to concerns about the security of its uninstall software, Sony has removed the program from its Web site, and promised to release another version soon.

"We currently are working on a new tool to uninstall First4Internet XCP software," the Sony site now reads. "In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days."

The flaw in Sony's uninstall software was based on an ActiveX program installed on hard drives, which allowed Web sites to run malicious code automatically in the Internet Explorer Web browser. Some security experts are advising people who think they might have used Sony's uninstall tool to use the Firefox Web browser, which does not support automatic ActiveX controls.

Princeton computer science professor Ed Felten and researcher Alex Halderman have created a page that tests whether a computer might be at risk as a result of running the uninstall tool.

CNET News reporter John Borland contributed to this story.
 
This is an update for the removal instructions for those who don't want to mess with the registry!

More from Kevin... alternate instructions that don't involve registry fiddling:

Since this article has filtered down to a number of places that I don't have access to and since this seems to be the common reference, a few "expert opinions" offered by some others that don't do this to the degree that I do might put some folks into a position of being scared off. Therefore, wanted to stop back for a minute and further explain a few things in order to reduce people's concerns. I stand by the original directions and shall explain a few misguided concepts that I've seen on SpyBot's site and a few others.

In his original article, Russinovich had mentioned that the "cure" provided by SONY was a truly bad idea in that THEIR solution actually tried to stop the ARIES.SYS, and in doing so could cause all sorts of bad things to potentially happen. Referring back to my instructions above, I had noted that the ARIES.SYS file is *not* protected and therefore you can simply delete it. This REMAINS correct. AND safe!

By deleting the file, and then rebooting, you are NOT stopping the so-called "service." It is already loaded into memory and executing from there. The file from which it starts is actually unprotected and irrelevant and therefore can be safely deleted without any impact on the system. Several people appear to be under the misimpression that we're stopping it, and just wanted to clarify that we're merely making it _missing_ upon the next reboot. And if it's not there, it can't start in the first place and therefore when you proceed after that reboot, no potential harm can occur. So the original instructions are quite safe to do.

I also wanted to explain that there is a way to avoid having to edit the REGISTRY as well if you leave TWO of the files in the package behind and DON'T delete them. The two files to leave INTACT if you don't feel up to registry editing are:

crater.sys and
$sys$cor.sys (this latter one is in system32\drivers)

The above two files will do nothing beyond passing their hooks back to the rest of your driver stack since there is no longer the DRMSystem executable to "talk to" after you've done your removals.

However, you DO have to do a process killing on two other files in order to delete those as well, and they're quite stubborn:

C:\WINDOWS\CDProxyServ.exe and
C:\WINDOWS\SYSTEM32\$sys$filesystem\$sys$DRMServer.exe

Once the above two have been shut down and removed, then those remaining two files that are part of the Lowerfilter and Upperfilter in the registry can stay, and you won't have to edit the registry. Perhaps the free "killbox" utility will handle it; I'm used to our BOClean just handling this. But with those two gone, the remaining crater.sys and $sys$cor.sys are quite harmless for those who wish to avoid editing the registry.

Preferably, my original directions are what you want to do in order to completely rid the machine of this. However, for those who are timid (and for good reason) about editing the registry, this alternative means will get the job done and put the bad boy to sleep without having to do all of that registry editing as a result of the rest of this intrusion being removed. It's an acceptable "shortcut" for those so inclined. The remaining two pieces become inactive without their "hosts" and won't interfere with proper operation if left behind.
__________________
Removing spyware, trojans and malware should be easy.
And it had better be fast.
 
Texas Sues Sony Over Alleged CD Spyware

Texas is suing Sony BMG Music Entertainment, alleging the company illegally installed spyware on millions of music CDs that Attorney General Greg Abbott says can make computers “vulnerable to computer viruses and other forms of attack.”

Abbott said the spyware installs files onto the computers on which the CDs are played.

"Sony has engaged in a technological version of cloak and dagger deceit against consumers by hiding secret files on their computers," Abbott said.

"Consumers who purchased a Sony CD thought they were buying music. Instead, they received spyware that can damage a computer, subject it to viruses and expose the consumer to possible identity crime,” he said.

The lawsuit alleges the company violated a new Texas law protecting consumers from hidden spyware.

Sony says on its Web site that it has recalled all the affected CDs, but Abbott said investigators were able to buy a number of titles at retail stores in Austin as recently as Sunday evening.

Abbott says the CDs contain embedded copy protection files or XCP technology, which prompts consumers to enter into a user agreement to install a Sony audio player.

Consumers who agree to the terms, however, aren’t aware that files are secretly installed, Abbott said.

Sony says it has instituted an exchange program for consumers who purchased the affected CDs and says the issue involving the CDs arises only when the discs are played on computers.

“We share the concerns of consumers regarding these discs, and we are instituting a mail-in program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection and receive MP3 files of the same title,” the company said.

“We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory.”

The Attorney General, meanwhile, has posted a complaint form online for consumers who have purchased the CDs.
