On Mark Russinovich’s Sysinternals Blog, he wrote the following:
Last week when I was testing the latest version of RootkitRevealer (RKR) I ran a scan on one of my systems and was shocked to see evidence of a rootkit. Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden (see my “Unearthing Rootkits” article from the June issue of Windows IT Pro Magazine for more information on rootkits). The RKR results window reported a hidden directory, several hidden device drivers, and a hidden application:
Mark provides images and explanations on his blog to show what he found and how he figured out what was going on.
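The RKR report Mark describes comes from a cross-view comparison: the tool asks the documented Windows API for a listing, then reads the file system and Registry hives directly, and anything the raw view contains that the API view omits is flagged as hidden. The script below is an added example of that comparison, not code from Mark's post or from RootkitRevealer; the listings it compares are constructed placeholders, not results from a real scan.

```python
"""Cross-view rootkit detection over constructed sample listings."""


def normalize(entries):
    """Windows paths and Registry keys are case-insensitive; compare them that way."""
    return {e.strip().rstrip("\\").lower() for e in entries}


def cross_view_diff(api_view, raw_view):
    """Compare what the documented API reports against what a raw scan finds.

    hidden:  in the raw view but missing from the API view. This is the
             signature of a cloaking driver filtering enumeration results.
    phantom: in the API view but absent from the raw view. Usually a transient
             object that changed between the two scans; reported so an analyst
             re-scans instead of silently dropping it.
    """
    api, raw = normalize(api_view), normalize(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


# Constructed sample data. "API" lists stand in for a normal directory/Registry
# enumeration; "RAW" lists stand in for a parse of the on-disk structures.
# Every EXAMPLE_* name is a placeholder, not a path from any real product.
API_FILES = [
    r"C:\Windows\System32\drivers\disk.sys",
    r"C:\Windows\System32\drivers\ntfs.sys",
]
RAW_FILES = API_FILES + [
    r"C:\Windows\System32\drivers\EXAMPLE_cloak.sys",  # placeholder hidden driver
    r"C:\Windows\System32\EXAMPLE_hidden_dir",          # placeholder hidden directory
]
API_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
    r"HKLM\SYSTEM\CurrentControlSet\Services\TempInstaller",  # gone before raw scan
]
RAW_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
    r"HKLM\SYSTEM\CurrentControlSet\Services\EXAMPLE_cloak",  # placeholder hidden key
]


def scan_report():
    """Run the comparison for each object class and return the findings."""
    return {
        "files": cross_view_diff(API_FILES, RAW_FILES),
        "registry": cross_view_diff(API_KEYS, RAW_KEYS),
    }


if __name__ == "__main__":
    for kind, result in scan_report().items():
        for entry in result["hidden"]:
            print(f"[{kind}] HIDDEN from API view: {entry}")
        for entry in result["phantom"]:
            print(f"[{kind}] seen by API but not by raw scan (re-scan): {entry}")
```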
Mark goes on to say that he’s careful in his surfing habits and only installs software from reputable sources so he had no idea how he had picked up a real rootkit.
He went through some serious diagnostics to figure out what was going on and how it got there.
He traced it all back to “First 4 Internet” and started some investigative work and found it had to do with DRM.
With the DRM reference, he recalled that he had purchased a CD recently that can only be played using the media player that ships on the CD itself and that limits you to at most 3 copies – Sony BMG’s Get Right with the Man CD by the Van Zant brothers.
He went through some more diagnostics after which he stated resoundingly,
At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.
But that wasn’t the end of the story. He went on to try to remove this ‘rootkit’ from his system and found there was no uninstaller and no mention of it in the EULA, and that beginning to remove it manually disabled HIS legally purchased CD player in his computer. He then had to figure out how that happened and how to fix it, which he did, by the way.
Please take a minute to read his story and analysis. His closing remarks are very interesting:
While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far.
Thanks Mark for an extremely informative read. Highly recommended reading.
It was already dangerous enough out there with variants of CoolWebSearch and potentially other spyware apparently installing rootkits on computers, but what are people to think when it is being done by what is supposed to be a legitimate company?
Again I ask … when are we all going to say, enough is enough!
The malware C-Dilla was bad enough, and other methods besides the malicious C-Dilla are being used to enforce DRM on people’s computers as well.
Even Microsoft is using some forms of DRM to appease the music and movie cartels – despite their own Darknet Paper. (It is a .doc file linked at the bottom of BoingBoing’s page on it.)
There is more DRM information in my previous DRM, DMCA, Copyright entries – particularly Cory Doctorow: Microsoft Research DRM talk and Ars Technica’s Ken “Cæsar” Fisher’s When playing a CD becomes a ‘privilege,’ not a right.
When will software, music and movie companies stop treating ALL their customers as criminals and go after the REAL criminals who make money selling counterfeit and/or stolen software, music and movies?
In the not so distant past, these kinds of tactics would have been considered dangerous malware that should be removed immediately … now people think they are legitimate?
I think not.