October 31, 2005

Quick Watson; the game's afoot...

Mark Russinovich is truly a hacker's Hacker for Windows systems. His primary website, SysInternals, is an excellent resource for anyone who wants to dig deeply into that convoluted mess of beauty and elegance that is the Windows 2000 and XP kernel. His utilities are a great boon to those of us not at his Olympian heights when we try to figure out some strange behaviour on our systems. He also runs a blog, and today's entry is a wonderful foray into some unmitigated Crap-ware that Sony installed on his system when he went to play an audio CD:
Sony, Rootkits and Digital Rights Management Gone Too Far
Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application.
He posts a screenshot showing something very very strange and then continues:
Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug. I immediately ran Process Explorer and Autoruns to look for evidence of code that would activate the rootkit each boot, but I came up empty with both tools. I next turned to LiveKd, a tool I wrote for Inside Windows 2000 and that lets you explore the internals of a live system using the Microsoft kernel debugger, to determine what component was responsible for the cloaking.
Mark then walks through, step by step, the process he used to figure out exactly what was happening, and then he tried to delete it. His CD drive disappeared. Mark then outlines just how poorly written and unsafe to the system this software is (and yeah, he gets his CD drive back again). He finishes off with these thoughts:
The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
Posted by DaveH at October 31, 2005 10:52 PM
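The technique RootkitRevealer relies on is a cross-view comparison: enumerate files and Registry keys through the normal user-mode API, enumerate the same namespaces by reading the raw on-disk and hive structures, and flag anything the two views disagree on. The script below is an added example written for this page; it is not code from Mark's post or from Sysinternals. It simulates the cloaking filter and both views with constructed in-memory listings (the `$hidden$` prefix and every path are placeholders invented for the example), and its report deliberately only flags findings, marking drivers and service keys as "do not delete", which is the failure mode the post describes.

```python
from dataclasses import dataclass

# Constructed cloaking rule: the simulated filter driver hides any object whose
# name starts with this prefix. The value is a placeholder chosen for this
# example, not a pattern taken from the post.
CLOAK_PREFIX = "$hidden$"


@dataclass(frozen=True, order=True)
class Discrepancy:
    namespace: str  # "file" or "registry"
    path: str
    kind: str       # "hidden": only in the raw view; "phantom": only in the API view


def cloaked_api_view(raw_entries: set[str]) -> set[str]:
    """Simulate what a user-mode enumeration API returns once the cloaking
    filter is loaded: any entry with a cloaked component anywhere in its path
    (the hidden directory and everything beneath it) is filtered out."""
    return {p for p in raw_entries
            if not any(c.startswith(CLOAK_PREFIX) for c in p.split("\\"))}


def cross_view_diff(namespace: str, api_view: set[str], raw_view: set[str]) -> list[Discrepancy]:
    """RKR-style comparison. Entries the raw structures contain but the API does
    not return are being hidden from ordinary tools; entries the API returns
    that the raw structures lack are being fabricated by something in the path."""
    hidden = [Discrepancy(namespace, p, "hidden") for p in raw_view - api_view]
    phantom = [Discrepancy(namespace, p, "phantom") for p in api_view - raw_view]
    return sorted(hidden + phantom)


def scan(files_raw: set[str], registry_raw: set[str]) -> list[Discrepancy]:
    """Run the comparison over both namespaces the post mentions (files and
    Registry keys) and return every discrepancy found."""
    return (cross_view_diff("file", cloaked_api_view(files_raw), files_raw)
            + cross_view_diff("registry", cloaked_api_view(registry_raw), registry_raw))


def report(discrepancies: list[Discrepancy]) -> list[str]:
    """Render findings for a human. Drivers and service keys are marked
    'do not delete': removing a cloaked driver while the service entry that
    loads it stays behind is how a system ends up losing its CD drive."""
    lines = []
    for d in discrepancies:
        low = d.path.lower()
        caution = ""
        if low.endswith(".sys") or "\\services\\" in low:
            caution = "  [driver/service: investigate, do not delete by hand]"
        lines.append(f"{d.kind:7} {d.namespace:8} {d.path}{caution}")
    return lines


# Constructed raw views: what reading the NTFS structures and the SYSTEM hive
# directly would show. Paths are made up for this example.
SAMPLE_FILES_RAW = {
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\$hidden$cloak.sys",
    r"C:\Windows\System32\$hidden$",
    r"C:\Windows\System32\$hidden$\player.exe",
    r"C:\Program Files\MediaPlayer\player.exe",
}
SAMPLE_REGISTRY_RAW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$hidden$cloak",
}

if __name__ == "__main__":
    for line in report(scan(SAMPLE_FILES_RAW, SAMPLE_REGISTRY_RAW)):
        print(line)
```

Running it lists the hidden directory, the file inside it, the cloaked driver and its service key, with the last two carrying the caution; a clean system (identical views) produces an empty report. The "phantom" case is included because a filter that rewrites enumeration results can just as easily inject entries as drop them, and a cross-view scanner should surface both directions.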