Reacting to criticism of its CD copy protection, Sony on Wednesday posted a patch that reveals files previously hidden by a rootkit. But that may be closing the barn door after the horses bolted, since hackers are already discussing ways to use the rootkit to conceal their own code.
Wednesday, Sony put a patch on its Web site that "removes the cloaking technology component on SONY BMG content protected CDs," according to a statement on the site. The patch can be downloaded and installed while online, or a 3.6MB file can be retrieved for later installation.
But even as it posted the patch, Sony defended the technology. "This [rootkit] component is not malicious and does not compromise security. However, to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released."
Although Sony said it has been using the First4Internet-developed digital rights management (DRM) software on selected CDs for several months, it was only this week that researchers discovered the technology relied on a rootkit to hide files. The practice was quickly condemned by other security experts because rootkits are typically only used by virus, worm, and spyware writers to hide their code.
Helsinki-based F-Secure, which along with independent researcher Mark Russinovich published results of an investigation into the Sony DRM, tested the patch and confirmed it revealed once-invisible files. "It now seems that the DRM software no longer attempts to hide anything on the computer," F-Secure concluded. "The rootkit driver (aries.sys) is removed from the system during the update."
The copy protection scheme itself, however, remains on the PC, and cannot be removed without special tools and a complicated, risky procedure. F-Secure, in fact, continued Thursday to recommend that users request additional software from Sony to remove all traces of the DRM software. Users must fill out a Web form on Sony's site to make the request.
Sony's change of heart may have come too late. Hackers are already debating how the DRM's rootkit can be used for malicious ends.
On a site dedicated to hacking Blizzard Entertainment's popular "World of Warcraft" online game, posters have discussed using the rootkit to hide their code.
"For only $14.99 you get a well done RING0 rootkit that is able to hide vs Warden/Hackshield," wrote a poster identified as "Outlaw." All someone had to do, he said, was "1) Buy the CD, 2) Run the CD, 3) rename 'myhack.exe' to '$sys$myhack.exe.'"
Blizzard installs a client -- dubbed spyware by some -- called "Warden" that sniffs out World of Warcraft cheaters by scanning active processes and comparing them to known cheat software. Not surprisingly, Warden doesn't "see" any files that are hidden with Sony's content protection rootkit; all a hacker need do is add the '$sys$' prefix to filenames.
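As an added illustration (not part of the article), here is the cross-view comparison that rootkit detectors use to surface entries a driver like this hides: a listing taken through the normal file APIs is compared with one taken from a lower level, and anything present only in the lower-level view is reported. The listings are constructed sample data; only the `$sys$` prefix and the aries.sys driver name come from the article.

```python
# Added example: cross-view detection of cloaked entries (not the article's code).
# The Sony/First4Internet driver hides any file or process whose name begins
# with "$sys$" from normal Windows enumeration. Detectors catch this by
# comparing a high-level listing (what the filtered APIs report) against a
# low-level listing (raw disk or kernel structures); anything present only in
# the low-level view has been cloaked from the user.
# Both listings below are constructed sample data, not real captures.

CLOAK_PREFIX = "$sys$"
KNOWN_DRIVER = "aries.sys"  # rootkit driver named in the article


def find_cloaked(api_view, raw_view):
    """Return names present in raw_view but missing from api_view (case-insensitive)."""
    api = {name.lower() for name in api_view}
    return sorted(name for name in raw_view if name.lower() not in api)


def classify(hidden_names):
    """Label each hidden entry using what the article tells us about the driver."""
    findings = []
    for name in hidden_names:
        lowered = name.lower()
        if lowered.startswith(CLOAK_PREFIX):
            findings.append((name, "cloaked by $sys$ prefix"))
        elif lowered == KNOWN_DRIVER:
            findings.append((name, "known rootkit driver"))
        else:
            findings.append((name, "hidden by unknown means"))
    return findings


# Constructed sample: the raw view holds two entries the API view does not.
API_VIEW = ["notepad.exe", "wow.exe", "explorer.exe"]
RAW_VIEW = ["notepad.exe", "wow.exe", "explorer.exe", "$sys$myhack.exe", "aries.sys"]


def scan(api_view=API_VIEW, raw_view=RAW_VIEW):
    """Run the cross-view diff and classify every discrepancy."""
    return classify(find_cloaked(api_view, raw_view))


if __name__ == "__main__":
    for name, reason in scan():
        print(f"{name}: {reason}")
```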
Outlaw recommended the Sony rootkit to other hackers. "The design of the rootkit is not that good but I don't think there is a single public kit out there that is more usable for the job than this one.
"1) Blizz can not ban you for using it, 2) The kit is more or less stable, 3) The kit is 100% virus free, 4) Even a half brained ape could use it."