Sony installs hidden malware on your machine

Written by Wil Harris

November 1, 2005 | 12:39

Tags: #drm #malware #rootkit #spyware #van-zant

Companies: #sony

An enterprising tech writer has discovered a bundle of info about the DRM that Sony installs on your PC with the new Van Zant CD.

The information is disassembled, literally, here.

The nutshell is this: Sony releases the new Van Zant CD. On the computer, it only plays within its own executable, not via Windows Media Player or any other software. You are allowed to burn three copies of the CD, and then it's done with.

Well, it appears that, to enforce this DRM, Sony are installing device drivers, DLLs and registry hacks, then running a rootkit process to mask their installation. If you attempt to uninstall the player software, the device drivers are left installed and active. Trying to delete the drivers manually (providing you can even find them) can leave your PC crippled. The code is written so badly that you can lose 1-2% of your CPU time even when the CD isn't in the drive, as the DRM software scans your machine to check that nothing is going on that it should know about.

This technique of cloaking files and folders is commonly used by malware and spyware to evade detection and removal. Only by using a rootkit detector can you see the hidden processes, and from there it's an incredibly complicated job to break down the built-in protections in the software. The author of the linked article spends a lot of time disassembling hex dumps and C code to try to get to the bottom of what on earth the Sony code is doing. It's an enlightening read into how this stuff gets cracked. Here's a quick quote:

"I deleted the entry, but got an access-denied error. Those keys have security permissions that only allow the Local System account to modify them, so I relaunched Regedit in the Local System account using PsExec: psexec -s -i -d regedit.exe. I retried the delete, succeeded, and searched for $sys$ again. Next I found an entry configuring another one of the drivers, Cor.sys (internally named Corvus), as an upper filter for the IDE channel device and also deleted it. I rebooted and my CD was back."
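Both the paragraph above and the quoted passage turn on the same trick: the rootkit filters any name beginning with $sys$ out of what the normal Windows APIs report. The following is an added example (not from the article, Sony's software or the tools it describes) that simulates the cross-view comparison a rootkit detector performs; the API and raw views are in-memory stand-ins, and the $sys$ names are hypothetical:

```python
# Added example: a simulated "cross-view" rootkit check. The Sony DRM
# rootkit hid every file, folder, registry key and process whose name
# begins with "$sys$" from the results normal Windows APIs return. A
# rootkit detector compares that API view against a low-level view (raw
# disk / raw registry hive) and reports whatever the API failed to show.
# Both views are built in memory here; the "$sys$" entries are invented.
from typing import Iterable

CLOAK_PREFIX = "$sys$"   # the hiding prefix quoted in the article


def is_cloaked(entry: str) -> bool:
    """True if any path component carries the prefix the rootkit hides."""
    return any(part.startswith(CLOAK_PREFIX) for part in entry.split("\\"))


def hooked_api_view(raw_entries: Iterable[str]) -> list[str]:
    """Simulate a hooked enumeration API: the rootkit filters its results."""
    return [e for e in raw_entries if not is_cloaked(e)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> list[str]:
    """Entries present in the low-level view but missing from the API view."""
    visible = set(api_view)
    return sorted(e for e in raw_view if e not in visible)


# Constructed low-level scan results (a raw directory walk plus a raw parse
# of the Services key). The "$sys$" entries are hypothetical names.
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\atapi.sys",
    r"C:\WINDOWS\system32\drivers\$sys$drv_example.sys",
    r"C:\WINDOWS\system32\$sys$example_dir\example.dll",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Cdrom",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$svc_example",
]


def find_hidden_entries(raw_view: Iterable[str] = RAW_VIEW) -> list[str]:
    """Run the cross-view check: what is on disk/in the hive but unlisted?"""
    raw = list(raw_view)
    return cross_view_diff(hooked_api_view(raw), raw)


if __name__ == "__main__":
    for hidden in find_hidden_entries():
        print("hidden by rootkit:", hidden)
```

A real detector reads the raw views from the disk and hive rather than a list, but the discrepancy logic is the same.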

All in all, if you care about digital rights mis-management, this article is a great read. Go take a look, then tell us what you think about the whole shenanigans in this thread in the News Forum.