Sony RootKit Still A Problem?

Posted by CmdrTaco on Tue Jan 17, 2006 11:12 AM
from the this-stuff-never-dies dept.
XMilkProject writes "Current research indicates that some "350,000 networks--many belonging to the military and government--contain computers affected by [Sony's rootkit]." This is down from over half a million last month. "The security researcher worked from a list of 9 million domain-name servers.. asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches." Will Sony face future repercussions for this potentially long-term damage?"

Related Stories

[+] Your Rights Online: Sony Sues Rootkit Maker 334 comments
flyboy974 writes "Sony BMG Music Entertainment is suing the company that developed anti-piracy software for its CDs, claiming the technology was defective and cost the record company millions of dollars to settle consumer complaints and government investigations. The software in question is the MediaMax CD protection system, widely derided as a rootkit. Sony BMG is seeking to recover some $12 million in damages from the Phoenix-based technology company, according to court papers filed July 3."
  • by JediTrainer (314273) on Tuesday January 17 2006, @11:13AM (#14490893)
    The first rule of the Sony Rootkit is that we do not talk about the Sony Rootkit.

    The second rule of the Sony Rootkit is that we DO NOT TALK about the Sony Rootkit.
  • Safe.. (Score:5, Funny)

    by seann (307009) <notaku@gmail.com> on Tuesday January 17 2006, @11:14AM (#14490898)
    (http://gelsoft.ath.cx/ | Last Journal: Friday February 18 2005, @07:14PM)
    Because new music sucks.
    • Makes you wonder.... (Score:4, Interesting)

      by antek9 (305362) on Tuesday January 17 2006, @11:22AM (#14490986)
      ... what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.

      Makes me sleep better, on the other hand, to see that there are music lovers even there.
      You know how the saying goes: Where one sings you may sit down and sing along, bad people have no song. ;)
      • Re:Makes you wonder.... (Score:5, Insightful)

        by Prophet of Nixon (842081) on Tuesday January 17 2006, @11:27AM (#14491031)
        Well, the scenario of taking CDs to work to play them on networked military PCs is not implausible at all; there are thousands of GS/staff employees who do that. What is implausible, at least in my experience, is those users having admin access to their machines. Was this rootkit able to install on XP under a user or power user account?
        • Re:Makes you wonder.... (Score:5, Interesting)

          by antiMStroll (664213) on Tuesday January 17 2006, @12:04PM (#14491345)
          What's implausible is the Sony executives responsible for distributing a hidden exploit aren't basking in the Guantanamo sun. Had this been Swedish or Thai teens you can bet your ass their faces would adorn newspapers worldwide and software giants decrying the vandalism.
          • exactly correct (Score:5, Interesting)

            by Anonymous Coward on Tuesday January 17 2006, @12:22PM (#14491510)
            The Sony rootkit fiasco is an example of criminal conduct, not a civil tort matter. Why some high level Sony USA execs aren't in the slammer now is beyond me. Like you said, if some teenage scripter had done this, they would be facing 30 years or something, but because it's a large important company they are facing a few fines.
            • Re:exactly correct (Score:4, Insightful)

              by BVis (267028) on Tuesday January 17 2006, @12:51PM (#14491771)
              Why some high level Sony USA execs aren't in the slammer now is beyond me.
              Rich people don't go to jail; also, the law hasn't caught up to this kind of crime, especially on this scale. (Martha Stewart went to prison because she was charged and convicted under well-understood and established laws.) Ask the average attorney what the crime is here and you'll get blank stares, not because it isn't blatantly illegal, but because the average person doesn't know or care about this kind of thing.
              Like you said, if some teenage scripter had done this, they would be facing 30 years or something,
              Unless Daddy is loaded. Then he'd get 20 hours community service and six months' probation. OTOH, if the teen in question was middle- or lower- class, it's PMITA prison time.
      • Re:Makes you wonder.... (Score:5, Insightful)

        by Gonarat (177568) * on Tuesday January 17 2006, @11:47AM (#14491182)

        .. what kind of person takes their Sony CDs to work in order to play them on PCs on a military network. Kinda bizarre that that's even possible.

        Once upon a time, bringing in the CD would have been the safest way to listen to music. Nothing can be copied to a CD, and nothing could be brought in on a pressed CD other than music. Nothing for Military Security to be worried about. iPods and other MP3 players could potentially be used to sneak data out.

        Of course now with the DRM crap on the "CD", this is no longer true. The once friendly store bought CD is now a potential risk. Way to go Music Industry! And you wonder why sales are down in 2005 from 2004...besides crappy offerings.

  • by Anonymous Coward on Tuesday January 17 2006, @11:14AM (#14490903)
    NOSY
  • Get Back On Our Own - Boycott Sony (Score:5, Interesting)

    by Py to the Wiz (905662) on Tuesday January 17 2006, @11:15AM (#14490911)
    I personally don't buy CDs so I wasn't affected but from what I've heard there are some serious problems with the "patch" Sony provided. I'm just a bit curious... Does the patch keep the rootkit permanently disabled and removed? It seems to me that if we put a deviant Sony CD back into our computer that the rootkit would just be reinstalled. Then do we have to run the patch again? This is ridiculous. I do not intend on purchasing any music that has the SONY label on it. This to me is just plain stupid. What gives Sony the right to install deviant software on "MY" pc and then make it stealth so that I don't know it's there. As far as I'm concerned I think that's the lowest a company can go. That's stooping to the level of those bastard red headed step children Spammers/Spyware installer/Virus/worm pushing assholes.

    I'm to the point now watching this ridiculous attempt from Sony to attach its controls on something that I purchase the rights to use/listen/backup and trying to enforce through deviant means. What is this rootkit supposed to do!? They just wanted to install it for the Hell Of It? Nope, it's supposed to reinforce their stupid DRM bullshit and keep me from listening to the music that I paid for. I'm to the end of my rope. I think that there needs to be a group or multiple groups put together that should purposefully break what Sony is trying to do. I've been years out of the programming/Computer industry and thus lack the skills to do it, but I think that we should form Anti-DRM, anti-Sony groups to demolish the protection that they put on their stupid CD's. I will not from this day forward purchase anymore music from Sony until they drop their Bullshit practices. I call for a Boycott of Sony's Music. I'm not sure what one man can start, but I'll be damned if I'm going to stand around any longer and watch Sony impose itself on me! They want me to buy their shit, then they want to enforce by deviance their policy, and after all that they hijack my PC for who knows what! Ahhh! Time for a Revolution. I love my PS2, but am refusing to play it again until SONY stops all this Bullshit! No more video games purchased either. Damn you Sony! Leave me the Hell alone! Stay off of my Computer and my CD's! Damn you!

    With that said, I feel somewhat better, but am still disturbed deep inside that they would have to stoop to that level to try and enforce their protection. Maybe they don't realize that as the sound comes out of the speakers it can be recorded with a MIC and pirated that way, or through LINE OUT. Damn them. Rant Over.
  • The quote that sums it up (Score:5, Interesting)

    by Anonymous Coward on Tuesday January 17 2006, @11:17AM (#14490937)

    "While the security issues related to the copy-protection software have apparently affected U.S. government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

    "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

  • Apology? (Score:5, Interesting)

    by omeg (907329) on Tuesday January 17 2006, @11:18AM (#14490940)
    By the way, regardless of the magnitude of this problem currently, has Sony ever formally apologized for their damaging rootkit? They've said that most people "shouldn't care", or that it was their "right" to cripple people's computers, but I've not once heard them say sorry. Can anyone clarify?
  • Repercussions? Nah. (Score:3, Insightful)

    by Alizarin Erythrosin (457981) on Tuesday January 17 2006, @11:18AM (#14490943)
    Will Sony face future repercussions for this potentially long-term damage?

    Probably not. They're already getting off somewhat easy for the original hubbub.
  • Settled too soon. (Score:5, Insightful)

    by gasmonso (929871) on Tuesday January 17 2006, @11:19AM (#14490952)
    (http://religiousfreaks.com/)

    If you look at the settlement in the New York District court it is nothing more than a slap on the wrist. Sony knowingly infected computers with what amounts to a trojan horse. In return they have to pay a little money and promise not to do it again. That's insane when you consider the witch hunts that have taken place for 16 year-old kids releasing a virus. Sony needs to pay and pay dearly for their deliberate criminal actions. The government always wants to send hackers a strong message...well then the same applies to corporations!

    http://religiousfreaks.com/ [religiousfreaks.com]
    • by TubeSteak (669689) on Tuesday January 17 2006, @11:54AM (#14491244)
      (Last Journal: Saturday February 25 2006, @11:02PM)
      As part of the settlement, Sony is agreeing not to enforce two key portions of the EULA
      1. A $5 limit on damages
      2. The requirement that you must sue Sony in New York
      Once the settlement is official, Sony will have opened themselves up, such that they can be sued in court anywhere in the United States.

      Small claims court is the most likely venue, because you don't really need a lawyer to represent yourself and if Sony doesn't send a representative, you get a default judgement.

      Collecting might be a bitch, but in this case, it definitely won't be the lawyers making all the money.
  • Repercussions? No. (Score:4, Insightful)

    by mindaktiviti (630001) on Tuesday January 17 2006, @11:19AM (#14490955)

    "Will Sony face future repercussions for this potentially long-term damage?"

    No they won't because they're a huge multinational corporation who will probably lay off some employees and reward their top execs from the whole ordeal. I'm not trying to be some hippie about this, it's just the way the world works.

  • by digitaldc (879047) * on Tuesday January 17 2006, @11:20AM (#14490970)
    Robert K. Merton listed [atfreeweb.com] five causes of unanticipated consequences:
    (I have applied them to Sony's decision to use rootkits)

    1. Ignorance (It is impossible for Sony to anticipate everything.)

    2. Error (Incomplete analysis of the rootkit problem, or following habits that worked in the past but may not apply to the current situation.)

    3. Immediate interest in stopping a computer from copying something, may override long-term interests of sustaining their reputation as honest and trustworthy.

    4. Basic values of trusting your customers may require or prohibit certain actions like installing a rootkit, even if the long-term result might be unfavorable. (These long-term consequences may eventually cause changes in those same basic values.)

    5. Installing malware on people's computers is always a self-defeating prophecy (Fear of some consequence drives people to find solutions before the problem occurs, thus the non-occurrence of the problem is unanticipated.)
  • Simple answer.. (Score:3, Insightful)

    by ThePatrioticFuck (640185) on Tuesday January 17 2006, @11:23AM (#14490997)
    Will Sony face future repercussions for this potentially long-term damage?

    Of course not. They may pay a (relatively) small fine or two, but a quick donation to a politician here and there, and that'll be all she wrote.
  • Government and Military (Score:4, Interesting)

    by mendaliv (898932) on Tuesday January 17 2006, @11:25AM (#14491012)
    The whole concentration on the fact that military and government computers were infected is a tad sensationalist. You hear military or government and see DARPA or CIA.

    In all odds the machines they're talking about are your typical office machines, used mostly for clerical work. Your network admin might not really worry or care about someone screwing it up; in all odds the people using them don't know enough to mess stuff up that badly.

    I think all this is going to entail is the IT divisions of the important branches of the US government running rebuilds a little ahead of schedule...
  • Easy (non) solution... (Score:2, Interesting)

    by andreMA (643885) on Tuesday January 17 2006, @11:26AM (#14491024)
    Take away the sonybmg.com domain name. Seems a reasonable punishment for domains used in such a way... Yes, I know the problem of infested machines that remain vulnerable thanks to Sony would still exist.
  • Sony won't be harmed, users will (Score:5, Interesting)

    by Perl-Pusher (555592) on Tuesday January 17 2006, @11:28AM (#14491035)
    "Will Sony face future repercussions for this potentially long-term damage?"

    Sony won't be harmed at all. But since this incident an Air Force unit I used to belong to can no longer play music CDs on computers. Doing so can result in corporal punishment.

  • Problem not eliminated (Score:4, Insightful)

    by gbobeck (926553) on Tuesday January 17 2006, @11:28AM (#14491038)
    (http://www.etl.luc.edu/ | Last Journal: Monday December 11 2006, @05:40AM)
    Part of the problem with the Sony Rootkit is the fact that many stores **STILL** are selling the rootkit enhanced CDs.

    I personally have seen this at several Borders stores in my area, and each time I mention this to the management I receive blank "deer in the headlights" looks.
  • Sony, the new ELO? (Score:5, Funny)

    by Anonymous Coward on Tuesday January 17 2006, @11:29AM (#14491045)
    ...I heard somewhere that if you play these new Sony CD(s) backwards, the rootkit data will say, "yur sole iss miiine. yur sole iss miine. Haaaaale Goooooogle! Whaaaaaat issss thigh bidding miii massster? RaaaaaaaaaaAaAaaAaaa!" ...and a plume of blood will shoot out of your CD tray and melt your face like that dude from Raiders of the Lost Ark.

    \\//_
  • End result (Score:5, Insightful)

    by quokkapox (847798) <quokkapox@gmail.com> on Tuesday January 17 2006, @11:30AM (#14491050)
    These CDs will be out there forever, in users' libraries and bought and sold by used CD shops and flea markets. The end result of this fiasco is that Sony discs are something you watch out for and don't risk sticking in your computer, unless you're running the latest antivirus/antispyware software.

    Sony == Dangerous to my PC

    What a great way to promote a brand.

  • Friction burns ... (Score:1)

    by the bluebrain (443451) on Tuesday January 17 2006, @11:30AM (#14491052)
    ... is what the individual would have gotten from being hauled into the slammer so fast - had it been an individual who performed what Sony did.

    /sure it's been said, bears saying again
  • Sadly, no. (Score:5, Insightful)

    by sethadam1 (530629) <adam@nosPAm.firsttube.com> on Tuesday January 17 2006, @11:37AM (#14491107)
    (http://firsttube.com/)
    Sadly, not only will Sony face no long term damage, but this will be a blockbuster year for them as they release PS3 and millions of quick-to-forget Slashdotters rush out to buy a PS3.

    If consumers were smart, they'd go buy a Nintendo Revolution - or even an Xbox - and intentionally skip the next Playstation. Unfortunately, they won't, because their souls are fueled by acquisition and shiny-new-toy syndrome.

  • No. (Score:2, Insightful)

    by Bob9113 (14996) on Tuesday January 17 2006, @11:39AM (#14491121)
    (http://www.traxel.com/)
    Will Sony face future repercussions for this potentially long-term damage?

    No. Who do you think pays our politicians' wages? Are they going to bite the hand that feeds?
  • Worst marketing move ever... (Score:2, Interesting)

    by vprasad (533778) on Tuesday January 17 2006, @11:40AM (#14491129)
    (http://www.concentric.net/~Vprasad/)
    Well, second only to Intel's dropping their Pentium brand from their Pentium chips. To quote Weird Al, "It's all about the pentiums, baby"
  • One point, one question (Score:2, Insightful)

    by AviLazar (741826) on Tuesday January 17 2006, @11:42AM (#14491139)
    (Last Journal: Monday March 13 2006, @01:53PM)
    First thing to note - just because a computer belongs to the military or any other branch of the gov't does not mean it is 1) a secured computer 2) a computer with access to sensitive materials. This computer could be the janitor's computer.

    What the hell...300,000 people are placing music CDs at work? No wonder our government gets nowhere - they are all busy listening to music and playing games. Get a regular CD player people - they aren't that expensive.
  • A sticky question (Score:2)

    by linuxwrangler (582055) on Tuesday January 17 2006, @11:43AM (#14491142)
    I don't know the current government policy on use of computers for non-work use but it used to be very strict. Same thing at many large corporations.

    So does the presence of such a policy weaken any case against Sony?

    Government: You infected our computers.

    Sony: Surely this is not true as your policy clearly forbids personal use of computers. Are you operating in violation of your own policy?
  • Here's a thinker (Score:1, Troll)

    by GmAz (916505) on Tuesday January 17 2006, @11:47AM (#14491180)
    (Last Journal: Monday May 08 2006, @10:06AM)
    You would think that Military or Government agencies wouldn't allow their employees to put CDs into their computers for security reasons alone. It's rather sad that anyone can bring in a random CD and pop it in. No wonder secure data is able to walk off of those "secure" computers so easily. [Guard] - Please empty your purse please miss. [Woman] - Nothing in there except for my personals and some music CDs. [Guard] - Ok miss, you may pass. [Woman] - {murmuring under her breath} Sucker...now where's those classified documents.
  • Nah they will get off scot-free (Score:3, Insightful)

    by falcon5768 (629591) <Falcon5768@NosPAm.comcast.net> on Tuesday January 17 2006, @11:47AM (#14491183)
    (Last Journal: Friday October 24 2003, @12:44PM)
    They are a company, and a VERY large one to boot. They honestly can do no wrong unless it involves actually stealing money and getting caught doing it, and even then they would get away with it after they make a big scene to assure the public.

    See Sony does things like this and it's called a mistake. A hacker does something much less, and it's called terrorism. Go USA!

  • Government PCs (Score:3, Interesting)

    by ArchAbaddon (946568) on Tuesday January 17 2006, @11:54AM (#14491247)
    "350,000 networks--many belonging to the military and government..."

    I used to do assistant net admin in the armed forces, and it's amazing how little security there is on most military computer networks. They don't allow DHCP, but as the admin I found that there were no lockdowns on installing software like AIM and such. Only problem was, network security was dictated by higher commands, so I could do nothing but watchdog the system.

    So it's really no surprise to me to see this rootkit affecting so many military and government compys, given their lack of concern about system security.

  • by Crilen007 (922989) on Tuesday January 17 2006, @11:56AM (#14491264)
    Who are they affecting?

    People who download music won't be affected, because they are downloading (IE Not buying the infected CD's)

    So, just who are they trying to spy on? The customers who are giving them money and doing what they want?

    It's so... 180 degrees out...
  • Record Yet (Score:2, Troll)

    by Nom du Keyboard (633989) on Tuesday January 17 2006, @12:03PM (#14491326)
    Have we broken the record yet for Slashdot articles about a single company over a single issue across a limited period of time?
  • Pwned (Score:4, Funny)

    by Nom du Keyboard (633989) on Tuesday January 17 2006, @12:13PM (#14491428)
    Sony only agreed not to ship more CD's with the existing rootkits. Nothing against improved versions. In fact...

    Your new Sony-BMG non-standards compliant music disc contains the Pwned.exe wonderful pretty music player. Click here to hear the music you've already paid for. Remember, you cannot return opened CD's for any refund. Have a nice day!

  • by SkunkPussy (85271) on Tuesday January 17 2006, @12:35PM (#14491614)
    (Last Journal: Monday May 17 2004, @01:05PM)
    From the article: "I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

    I think this is a larger problem - that Sony can do what is clearly an unauthorised incursion into the core of someone's computer without being sued.
    2.1 million cds have been sold. So something of the order of magnitude of 2.1 million computers have been infected by this rogue code. Many viruses don't achieve this level of penetration!!!! I doubt the combined force of slashdot readers has achieved this level of penetration either! hehe

    If an individual had perpetrated this, whether or not he had the best intentions he would be arrested immediately. But Sony because it has such a strong brand, has only been sued in a few US states by a few Attorney Generals. Despite this being without any doubt prosecutable at the highest level.

    I hate to whinge on about this but why on earth are corporations less obliged to follow the law of the land than individuals!! It's a joke.

  • Never made sense (Score:4, Interesting)

    by SiliconEntity (448450) on Tuesday January 17 2006, @12:44PM (#14491710)
    Those figures reported for the rootkit infections never made sense. Half a million computers? As respected security expert Bruce Schneier noted: [schneier.com]

    "Even more interesting is that there may be at least half a million infected computers... I say 'may be at least' because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business."

    As Schneier notes, these are not big selling CDs. Here is the list from the EFF link above:
    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver's Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbia Legacy)
    Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
    The Bad Plus, Suspicious Activity (Columbia)
    The Dead 60s, The Dead 60s (Epic)
    Dion, The Essential Dion (Columbia Legacy)
    Natasha Bedingfield, Unwritten (Epic)
    Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)
    While Dan Kaminsky's methodology seems basically sound, if the results don't add up it suggests that there is something else going on. Maybe somehow each computer queried more than one DNS server, or some similar effect occurred to artificially inflate the number of computers he is counting.
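
The measurement described in the story summary, and the limit on what it can count that the comment above raises, shown as an added example that is not part of the original thread: a DNS query with the recursion-desired bit cleared asks a name server to answer from its cache only, so each server gives one yes/no for the name and says nothing about how many machines behind it asked. The function names, the constructed sample reply and the 192.0.2.1 documentation address are assumptions made for illustration.

```python
import secrets
import socket
import struct

XCP_NAME = "xcpimages.sonybmg.com"  # hostname quoted in the story summary
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_cache_probe(name, txid):
    """Build an A query with flags 0x0000 (RD=0): the server must not recurse."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def skip_name(buf, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_probe_response(buf, txid):
    """Classify a reply to the probe.

    Returns ("cached", remaining_ttl), ("not_cached", None),
    ("authoritative", None) or ("refused", None).
    """
    try:
        rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
        if rid != txid or not flags & 0x8000:  # wrong ID or QR bit not set
            raise ValueError("not a response to this probe")
        rcode = flags & 0x000F
        if rcode == 5:
            return ("refused", None)
        if flags & 0x0400:  # AA set: zone data, not evidence of a cached lookup
            return ("authoritative", None)
        if rcode != 0 or an == 0:  # referral, empty answer or error: no cached record
            return ("not_cached", None)
        off = 12
        for _ in range(qd):
            off = skip_name(buf, off) + 4  # question name + type + class
        off = skip_name(buf, off)  # owner name of the first answer record
        _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        return ("cached", ttl)
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed packet")


def probe_resolver(server_ip, name=XCP_NAME, timeout=3.0):
    """Send the probe over UDP to a resolver you operate and classify its reply."""
    txid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_cache_probe(name, txid), (server_ip, 53))
        reply, _ = s.recvfrom(4096)
    return parse_probe_response(reply, txid)


def make_sample_response(query, ttl=None, rcode=0, aa=False):
    """Constructed reply for offline use: echoes the question, optionally one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    an = 1 if ttl is not None else 0
    flags = 0x8080 | (0x0400 if aa else 0) | rcode  # QR=1, RA=1
    body = query[12:]
    if an:
        # 0xC00C points back at the question name; 192.0.2.1 is a documentation address
        body += struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, ttl, 4)
        body += bytes([192, 0, 2, 1])
    return struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + body


if __name__ == "__main__":
    q = build_cache_probe(XCP_NAME, 0x1234)
    for label, reply in [
        ("someone behind this server looked the name up", make_sample_response(q, ttl=1800)),
        ("nothing cached", make_sample_response(q)),
        ("server refuses the query", make_sample_response(q, rcode=5)),
    ]:
        print(label, "->", parse_probe_response(reply, 0x1234))
```

A "cached" result is the same whether one machine or a thousand behind that server resolved the name, which is why the figure in the summary is a count of networks rather than of computers.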
  • Question (Score:1)

    by Moonwick (6444) on Tuesday January 17 2006, @12:46PM (#14491731)
    (http://www.lasthome.net/~moonwick/)
    How does this person know that his data wasn't corrupted by other efforts that might have also been doing this same scan simultaneously to his?
  • by Spectre (1685) on Tuesday January 17 2006, @12:48PM (#14491746)
    I find it ludicrous that these supposedly recalled CDs are still on store shelves available for purchase. I bought my daughter a CD of teeny-bopper music the other day and she put it in her computer ... ACK!

    On the plus side, on the front of the application it silently installed was a notice of how to download the uninstaller ... but I thought these CDs were supposed to be recalled and no longer sold?
  • by Micah (278) on Tuesday January 17 2006, @12:55PM (#14491814)
    (http://jesusislife.net/micah/ | Last Journal: Monday November 24 2003, @02:09AM)
    ... for at least a year. That's what I'm doing, even though I didn't buy any affected CDs. Yes, they did make token attempts to make things better for some victims, but they NEED to suffer a while for such a stupid decision. Any company that thinks it's OK to install malware on their paying customers' computers does not deserve my business, and it does not deserve yours.

    Yes, I know that SONY is a huge company with lots of independent decisions. But it's all one corporation, and it needs to feel pain for this stupidity. Its size just gives us more opportunities to boycott it. No Sony tapes, no Sony TVs, no Sony cameras, no SONY nothing until this year is over.

    The boycott needs to be for a limited time; that's why I said a year. If we never start buying from them again, then they lost us no matter what. If the boycott is for a finite time, then they know they can sell to us again ---- as long as they don't repeat this silliness. If they do, they should expect more pain.
  • Not affected.... (Score:2)

    by Frank Dreben (811036) on Tuesday January 17 2006, @12:59PM (#14491863)
    (Last Journal: Friday February 04 2005, @11:31AM)
    I got the new Leo Kottke / Mike Gordon CD (it's really good, btw) and it has this alleged "copy protection" on it. I never knew it was on this CD until I read about it later. I have autoplay turned off, and I use CDEX to make mp3s (for my iRiver H120). Everything worked just peachy. Rootkit, schmootkit, I can't believe I'm that unusual, especially in the /. crowd. This only affected people who aren't afraid to agree to license agreements.

    Now I understand how Joe computer user could get infected, and hey, it's Sony, I can trust them right?

    Even though I was able to avoid the copy protection without even knowing about it, I'm still gonna trade it in for a non DRM version, if they are offered.
  • The right thing: (Score:3, Insightful)

    by jafac (1449) on Tuesday January 17 2006, @01:03PM (#14491908)
    (http://slashdot.org/)
    I think that what is needed, is an Explorer plugin, to be made freely and widely available, which circumvents this "cloaking" technology (using Mark Russinovich's term).

    If all of this "cloaking" crap were to be made irrelevant, then these kinds of things would no longer be a security issue - it would return administrative control over machines to the machine's owner. Whether that's Symantec's cloaking for their recycle bin, or whether it's Sony's rootkit, or anything else.

    Computer owners don't need a corporate nanny protecting them from shooting themselves in the foot. Good software design does that. Not sneak tactics.
  • Jail time? (Score:2)

    by jgoemat (565882) on Tuesday January 17 2006, @02:09PM (#14492590)
    What about the /. article [slashdot.org] just a few days ago. All the guy did was delete an account of his supervisor and he got
    three months of imprisonment, three months of home detention and three years of supervised release, plus a $5,000 fine and $20,350 in restitution.
    The monetary point where the Computer Fraud and Abuse Act kicked in was $5,000. Since it took IBM contractors $20,350 in time to find the problem and get the guy his account back, the judge used that number as damages. If we count our time to find and remove this rootkit as damages, Sony is WAY over the limit. I say we send some execs to jail and see if they want to break the law like that again.
  • by DorkusMasterus (931246) on Tuesday January 17 2006, @02:56PM (#14493016)
    (http://www.argn.com/)
    I'm not an attorney, so I can't say for sure, but what this tells me as an everyman, is that I now have legal precedent to get away with something like this.

    Everyone is talking about "How 16 year olds get hunted down" (and that's the truth) but now, those 16 year olds have an actual legal defense. Pay a fine, and you're done. SONY did it. Why not me? Because I'm a person, and they're a company? You'll have a hard time defeating that argument with a jury of rational people, now that SONY is getting away with it.

    They've established a large-scale distribution model of a rootkit. The next person to do the EXACT same thing, on their own, now has legal backup they didn't have before.

    I honestly don't know how I feel about that, but I think it's intriguing enough to merit discussion.

    Any attorneys out there to comment?
  • the problem will continue. it seems the only government agency that piped up about the threat, DHS, should be the lead agency to recover all copies under Sony's dollar.

    wait, this fits too many doomsday scenarios.

    is this all A Plot?
  • by fdisk3hs (513270) on Tuesday January 17 2006, @03:05PM (#14493096)
    Why should Sony be held accountable? As long as their EULA says they are not, they are not. Just like when Melissa hit seven years ago, and Microsoft got in no trouble at all for letting businesses the world over get torpedoed. Bull!@#t.
  • Irony (Score:1)

    by h4ck7h3p14n37 (926070) on Tuesday January 17 2006, @03:27PM (#14493350)
    (http://www.kittenwar.com/)
    Does anyone else find it ironic that many of the computers were infected by pirated copies of Sony's DRM'ed discs?

    The data might also show how widespread piracy has become. The 52 music titles released with the XCP software were only released in North America, he said. However, the network apparently affected by the Sony BMG issue covered 135 countries. About 4.7 million discs were manufactured and about 2.1 million had sold, according to Sony statements.
    "The global scope is the big mystery here," he said. "It is fairly likely that a lot of the discs were pirated."
    • Re:Irony by /dev/trash (Score:2) Tuesday January 17 2006, @06:25PM
    • Re:Irony by TeddyR (Score:2) Tuesday January 17 2006, @09:17PM
  • by cpu_fusion (705735) on Tuesday January 17 2006, @03:31PM (#14493407)
    Given that corporations get to enjoy many "rights" as if they are a person, perhaps they need to be punished in the same way as well. If you or I "rooted" that many computers, let alone military computers, we'd be headed to federal prison.

    If some Sony executives were sent off to prison, I don't think we'd see many instances of this sort of copy protection again. ;)
  • by martinflack (107386) on Tuesday January 17 2006, @04:23PM (#14494030)
    So just for the record, the command line in *nix that would check for xcpimages.sonybmg.com in named running on localhost could be this, correct?

    host -r xcpimages.sonybmg.com localhost

    If it can answer with the IP then it's cached and if it cannot then it is not cached; is that right?

    Cheers.
  • by volfro (915297) on Tuesday January 17 2006, @05:55PM (#14494923)
    I ripped and encoded (into Ogg Vorbis, of course) a Sony-distributed CD that had the rootkit on it (My Morning Jacket's Z) on my Ubuntu box without a hitch. It's currently living on both my HD and my MP3 player. Zero problems--just popped the CD in, told it to rip and where, and it's done. Easy. No rootkit issues, no security issues, just music I enjoy however the hell I want to enjoy it, thank you very much. Twelve bucks well-spent.
  • Re:cybercriminals (Score:2, Interesting)

    by Anonymous Coward on Tuesday January 17 2006, @11:30AM (#14491056)
    I agree. And consider this: If Sony is NOT prosecuted, then we have "lowered the bar" to the point where nobody can be convicted of hacking anything. They might still prosecute hackers for theft, fraud, phishing, etc. but the malicious virus writers will be off the hook. And if the civil class action suits are settled for chump change, then the bad guys could ride on that bandwagon as well. "Your honor, the precedent has been set. Sony deliberately infected millions of PCs. Our research indicates the class action settlement had a net cash value of about $1.00 per class member. Why should my client have to pay any more than Sony did?"
    [ Parent ]
  • Re:How-to? (Score:2)

    by sholden (12227) on Tuesday January 17 2006, @11:31AM (#14491057)
    (http://sam.holden.id.au/)
    You use an iterative query.
    [ Parent ]
    • Re:How-to? by antbeats (Score:1) Tuesday January 17 2006, @11:46AM
  • Re:How-to? (Score:4, Informative)

    by earthloop (449575) on Tuesday January 17 2006, @12:10PM (#14491395)
    (http://www.xmob.co.uk/)
    You do a non-recursive lookup.


    [root@kryten pete]# nslookup
    > set norecurse
    > www.xmob.co.uk
    Server: 192.168.0.1
    Address: 192.168.0.1#53

    Name: www.xmob.co.uk
    Address: 217.77.184.55

    > www.microsoft.com
    Server: 192.168.0.1
    Address: 192.168.0.1#53

    Non-authoritative answer:
    *** Can't find www.microsoft.com: No answer
    >
    [ Parent ]
    • Re:How-to? by self assembled struc (Score:2) Tuesday January 17 2006, @03:55PM
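
The non-recursive check described in the comments above (`host -r`, nslookup's `set norecurse`), as an added example that is not part of the thread: it builds the query with the RD flag clear and interprets the resolver's reply, including the authoritative and refused cases. The function names, the transaction ID, the 192.0.2.1 address and the sample replies are constructed for illustration.

```python
import socket
import struct

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_query(name, txid, recurse=False):
    """Build an A/IN query. recurse=False leaves the RD flag clear, which is
    what `host -r` and nslookup's `set norecurse` do."""
    flags = 0x0100 if recurse else 0x0000
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1)

def classify(response, txid):
    """Interpret the reply to a non-recursive query."""
    if len(response) < 12:
        return "invalid"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or QR bit not set
        return "invalid"
    rcode = flags & 0x000F
    if rcode:                               # 5 = resolver will not serve this client
        return {3: "nxdomain", 5: "refused"}.get(rcode, "error")
    if flags & 0x0400:                      # AA: the server hosts the zone itself,
        return "authoritative"              # so the answer says nothing about its cache
    return "cached" if ancount else "not-cached"

def probe(server, name, txid=0x5043, timeout=3.0):
    """Send the query over UDP to a resolver you administer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return classify(s.recv(512), txid)

def sample_reply(query, flags, answers):
    """Constructed reply for offline runs: echoes the question, appends A records."""
    txid, = struct.unpack("!H", query[:2])
    rr = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return struct.pack("!6H", txid, flags, 1, answers, 0, 0) + query[12:] + rr * answers

if __name__ == "__main__":
    q = build_query("xcpimages.sonybmg.com", 0x5043)
    print(classify(sample_reply(q, 0x8080, 1), 0x5043))  # QR+RA, one answer
    print(classify(sample_reply(q, 0x8080, 0), 0x5043))  # QR+RA, no answer
```

`probe("127.0.0.1", "xcpimages.sonybmg.com")` runs the same check against a local resolver; only "cached" and "not-cached" say anything about the cache.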
  • Re:cybercriminals (Score:1)

    by PastAustin (941464) on Tuesday January 17 2006, @01:02PM (#14491891)
    No one using all caps will be taken seriously.
    [ Parent ]
  • by wolfman1 (81263) on Tuesday January 17 2006, @02:54PM (#14492998)
    As an administrator of an 80-node (both PC and Mac) campus, I just instituted this security rule with all of my users mainly because of the Sony rootkit exploit. Albeit, the Corporate policy is that Company computer resources should only be used for business purposes, and playing music CDs on your computer isn't a business purpose.

    The less problems I can proactively prevent BEFORE I have a problem is less work that I have to do to fix the problem AFTER something sneaks up.
    [ Parent ]