Sony copy protection debacle gets worse: Used to EXPLOIT "infected"....

Poll_Blind, Donating Member (1000+ posts), Thu Nov-17-05 12:18 PM
Original message
Sony copy protection debacle gets worse: Used to EXPLOIT "infected"....
...machines. "Infected" in this sense is any machine which has been exposed to Sony's now-recalled copy protection scheme which secretly and silently installs software on unwitting computer users' systems.

First, there was outrage that Sony would install software secretly on a user's machine, in direct violation of a number of state and federal laws. The furor caused Sony to initiate a recall of five million of their discs. But it may be too late for the two million who have already purchased the discs. Because the situation has gotten much worse for those afflicted with Sony's software:

Hackers of all creeds have realized that Sony has done for them what they want most: to compromise the machine. First I came across an article about World of Warcraft players being able to hide programs that they use to cheat if the machine was "infected" with Sony's copy protection. Then another with much more serious implications: CD's Recalled for Posing Risk to PC's which describes that the same software that Sony uses to hide its own code can be exploited by others to hide theirs. All the machine requires is being "infected" by Sony's software which, as I mentioned earlier, is silently and automatically installed.

And as of a few days ago, hackers have started to exploit Sony's victims. The lawsuits have already started against Sony even before knowledge of this exploitation was widely known.

Sony is going to eat this one hugetime!

Oddly, I had already purchased one of these vicious infected CDs. I won't share the name of the artist, they're all too shameful to mention.

I wonder if I'll be able to put a down payment on a new MP3 player with the check from the class-action lawsuit? We'll see.

PB


NashVegas, Donating Member (1000+ posts), Thu Nov-17-05 12:26 PM
Response to Original message
1. More, From Wired (Great Story)
http://wired.com/news/privacy/0,1848,69601,00.html?tw=wn_tophead_2

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.


What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.


Nordmadr, Donating Member (1000+ posts), Thu Nov-17-05 12:29 PM
Response to Original message
2. I have one of these CDs as well. I bought the Switchfoot CD. NT
Oreo, Donating Member (1000+ posts), Thu Nov-17-05 12:31 PM
Response to Original message
3. Here's info from McAfee - Shows how to manually remove it
Edited on Thu Nov-17-05 12:32 PM by Oreo
http://vil.nai.com/vil/content/v_136855.htm

McAfee(R) AVERT(tm) recognizes that this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application. If you agreed to a license agreement for this, or another bundled application, you may have legal obligations with regard to removing this software, or using the host application without this software. Please contact the software vendor for further information.

See http://vil.nai.com/vil/DATReadme.asp for a list of Program detections added to the DATs.

See http://vil.nai.com/vil/pups/configuration.htm for information about how to enable, disable, and exclude detection of legitimately installed programs.

Distribution
To prevent illegal copying of music, some recent Sony music CDs contain Digital Rights Management (DRM) software from the company First4Internet. This software gets installed with a music player provided on the CDs. In order to hide the installation of this additional software, it drops a program ("XCP") that hides any file or process that starts with string “$sys$”. The behavior of XCP was observed on October 21, 2005 with the Van Zant CD.

More information on how to remove XCP is available at Sony's website and http://updates.xcp-aurora.com/

With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP. Please note that removal will not impair the copyright protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP (http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html ). System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself.

Characteristics
A SonyBMG music CD is inserted in the CD player of a computer system running Microsoft Windows. If the CD has the DRM software, the following EULA is presented:

Some excerpts of EULA are shown below.

* "As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise."
* install one (1) copy of SOFTWARE onto the hard drive of YOUR COMPUTER, solely in machine-executable form;
* install one (1) copy of any APPROVED MEDIA PLAYER(S) contained on this CD onto the hard drive of YOUR COMPUTER, solely in machine-executable form
* use the SOFTWARE and any APPROVED MEDIA PLAYER(S) contained on this CD to access the DIGITAL CONTENT on YOUR COMPUTER or on an APPROVED PORTABLE DEVICE

Installation

* The autorun feature of the CD starts a process called “go.exe” which is an enhanced installer by F4I. It installs the file $sys$DRMServer.exe, which is the main component for installing the XCP service.
* $sys$DRMServer.exe creates a service named "$sys$aries" using file aries.sys located in the hidden folder %sysdir%\$sys$filesystem. The display name given to this service is “Network Control Manager Service”.
* Creates HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries
* XCP hides processes, files and directories whenever the name starts with string “$sys$”. It also hides some specific registry keys that point to the path of these binaries.
* Any random file created with a name that begins with “$sys$” will automatically get hidden.
* This is a security risk as some virus scanners will not be able to detect or delete any malicious programs that take advantage of this cloaking.

NOTE: Heuristic detection was added to the 4612 DATs for files likely to be attempting to exploit the security hole created by XCP. Files matching this signature may be detected as New Malware.j

Manual Removal Instructions:

* Run “net stop $sys$aries”
* Delete %sysdir%\$sys$filesystem\aries.sys


Symptoms

* Any file or folder with a name starting with $sys$ will get hidden.
* Presence of file aries.sys in %sysdir%\$sys$filesystem folder.


Method Of Infection
Currently this security risk is being distributed via Sony BMG music CDs that have content protection purchased from F4I.

Removal Instructions
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.



Aliases

* SecurityRisk.First4DRM (Symantec)
* XCP.Sony.Rootkit (CA)
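A defender-side check for the indicators the McAfee advisory above lists, as an added Python example (not McAfee's or the thread's own code): it runs the cross-view test for the “$sys$” cloaking, filters an inventory of names for entries XCP would hide, and looks for the aries.sys driver and the $sys$aries service key. The %sysdir% location is assumed to be system32, and the probe file name is constructed.

```python
import os
import sys
import tempfile

# Indicators taken from the advisory: cloaking prefix, dropped driver, service name.
CLOAK_PREFIX = "$sys$"
DRIVER_RELPATH = os.path.join("$sys$filesystem", "aries.sys")
SERVICE_KEY = r"System\CurrentControlSet\Services\$sys$aries"


def find_cloaked_names(names):
    """Entries of a name inventory (files, processes, keys) XCP would hide."""
    return [n for n in names if n.startswith(CLOAK_PREFIX)]


def probe_hides_file(directory):
    """Cross-view test: create a "$sys$"-prefixed file and check whether a normal
    directory listing still shows it. The advisory says any such file gets hidden,
    so a missing probe means cloaking is active; on a clean host it is listed."""
    name = CLOAK_PREFIX + "xcp_probe.tmp"  # constructed probe file name
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("constructed probe file")
    try:
        return name not in os.listdir(directory)
    finally:
        os.remove(path)


def run_probe():
    """Run the cross-view test in a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_hides_file(tmp)


def xcp_symptoms(sysdir=None):
    """Check the static indicators from the advisory's Symptoms section."""
    if sysdir is None:  # %sysdir% on the page; assumed to be system32 here
        sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    found = {"driver_present": os.path.exists(os.path.join(sysdir, DRIVER_RELPATH)),
             "service_key_present": False}
    if sys.platform == "win32":
        import winreg  # Windows-only module, hence the platform guard
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY))
            found["service_key_present"] = True
        except OSError:
            pass
    return found
```

A True from run_probe() on a Windows host is the cloaking symptom the advisory describes; the static checks only confirm the specific driver and service names from this variant.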
 
Angry Girl, Donating Member (1000+ posts), Thu Nov-17-05 12:33 PM
Response to Original message
4. It's sad for the innocent customers but Sony deserves no less
They knew exactly what they were doing and its consequences. It was unethical as hell and any high school computer science student would have known as much.

URGENT! Timing is critical to save earthquake victims before winter!
NashVegas, Donating Member (1000+ posts), Thu Nov-17-05 12:46 PM
Response to Reply #4
7. What Sony Did Was ILLEGAL
If a 19-year-old in Scotland infects 500k computers, they get arrested.
Angry Girl, Donating Member (1000+ posts), Thu Nov-17-05 12:59 PM
Response to Reply #7
8. How typical. Watch how the government won't go after Sony
And if they do, the fine will be the equivalent to a slap on the wrist. Like the love-tap to Microsoft. I guess it's up to us, folks.... Boycott Sony!

URGENT! Timing is critical to save earthquake victims before winter!
MadHound, Donating Member (1000+ posts), Thu Nov-17-05 12:36 PM
Response to Original message
5. Every time I see this sort of thing
I'm more and more happy with my Mac.
redqueen, Donating Member (1000+ posts), Thu Nov-17-05 12:40 PM
Response to Original message
6. Ridiculous.
Is there no penalty for committing this illegal act in the first place?
Greyhound, Donating Member (1000+ posts), Thu Nov-17-05 01:05 PM
Response to Original message
9. I can't believe you have not mentioned the real culprit that has made this
clusterphuk possible. Yes, that's right, the ultimate computer viral infection, Micro$hit. If you don't run windoze you can't be infected (I think I read that even Macs block installation unless you give it permission). This is a direct consequence of the fundamentally flawed OS that M$ has foisted on the world.
An (O)perating (S)ystem has to do only a few things. Tell the computer what it is, what components are installed, how to communicate with those devices, manage memory, and most importantly, prevent root access to any application except through the OS itself after receiving explicit permission given by the authorized user.
M$ leaves thousands of holes in their OS mostly through bad code, but many are there on purpose so M$ can access your computer and see what you've got and what you're doing with it. The most obvious example is their registration scheme used by XP. This leaves a built-in backdoor that is exploited by thousands of viruses and malicious programs to wreak havoc on your system. Of course no OS is completely secure, but M$ makes it so easy that children with no real technical knowledge, running freely available scripts, can build a network of, in some cases, thousands of infected 'zombie' computers to launch DOS attacks without the computers' owners knowing anything other than that their computers are being 'sluggish'. This is just one example; try googling the following:
Back Orifice
sub-seven
packet sniffers
Srvany.exe
rootkit
netbus
I'm sure there are many more that have come along since I left the biz, but I think the point is made. :argh: