Muzzy: Sony BMG DRM spyware
p2p news / p2pnet: Muzzy is the guy who first found an excellent reason to avoid using Sony BMG’s First 4 Internet XCP DRM spyware.
But he also has a few thoughts on Finland’s new copyright legislation.
On Sony BMG’s DRM spyware, “I’ve collected some of my findings about Sony’s XCP DRM rootkit here,” he says on his research page, going on:
“The uninstaller requires you to install an ActiveX control to your system before you can even request an uninstall URL. Turns out, the uninstaller ActiveX marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It’s called “RebootMachine”. If you have installed Sony’s ActiveX control, follow the link to invoke the RebootMachine method. I don’t even want to know what the ExecuteCode method does…
“The InstallUpdate method seems to download a file in XCP.DAT format, extract a dll from it and then execute stuff. So far I haven’t analyzed the code enough to determine if it’s exploitable, but I’m guessing it doesn’t do any significant verification - meaning this ActiveX control could have an exploitable remote code execution hole in it by design. NEEDS URGENT VERIFICATION! If anyone has a working uninstall link, please view the source for the page at every step and check the JavaScript it uses. I’d like to see how these methods are supposed to be used.”
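A control that "marks itself safe for scripting" normally does so by registering a component category under its CLSID, which a defender can audit. The following is an added example, not code from Muzzy or p2pnet: it scans a constructed regedit export (the CLSIDs and control names are placeholders) and reports controls that are marked safe for scripting and have no kill bit set.

```python
import re

# Real CATID for "safe for scripting"; real kill-bit flag value.
SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # in "Compatibility Flags": stops IE from loading the control

# Constructed regedit export; every CLSID and name below is a placeholder.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Uninstaller Control"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Example Viewer Control"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400

[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Example Local-Only Control"
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
CAT_KEY = re.compile(rf"\\CLSID\\({GUID})\\Implemented Categories\\({GUID})\]$", re.I)
KILL_KEY = re.compile(rf"\\ActiveX Compatibility\\({GUID})\]$", re.I)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

def audit(reg_text):
    """Return CLSIDs marked safe for scripting that have no kill bit set.

    Registry-only view: a control can also assert safety at run time through
    IObjectSafety, which this check cannot see.
    """
    scriptable, killed, current = set(), set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = None  # values that follow belong to this new key
            if m := CAT_KEY.search(line):
                if m.group(2).upper() == SAFE_FOR_SCRIPTING:
                    scriptable.add(m.group(1).upper())
            elif m := KILL_KEY.search(line):
                current = m.group(1).upper()
        elif current and (m := FLAGS.match(line)):
            if int(m.group(1), 16) & KILL_BIT:
                killed.add(current)
    return sorted(scriptable - killed)
```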
He also mentions L.A.M.E., saying:
“On the CD, the file ContentsGO.EXE contains some strings:
00056c18 68 74 74 70 3a 2f 2f 77-77 77 2e 6d 70 33 64 65 http://www.mp3de
00056c28 76 2e 6f 72 67 2f 00 00-30 2e 39 30 00 00 00 00 v.org/..0.90....
00056c38 4c 41 4d 45 33 2e 39 35-20 00 00 00 33 2e 39 35 LAME3.95 ...3.95
00056c48 00 00 00 00 33 2e 39 35-20 00 00 00 00 00 00 00 ....3.95 .......
“The big question is, what are they doing there? I’d say this indicates that the executable has been compiled against a static LAME library, which happens to be LGPL. I don’t have any further evidence about this, other than lots of data from libmp3lame being included and easy to find. I have no idea what the DRM system or the installer would do with LAME.
“It might be accidentally linked in; someone else checked and didn’t find any matching code.
“Three more files on the CD (in compressed XCP.DAT) also contain LAME strings, these are yet to be analyzed, stay tuned… My initial analysis shows that there’s code referencing tables that match LAME data! This could be a proof of violation! BinDiff didn’t seem to help, I don’t have the tool myself but considering it does graph comparison, it won’t be able to match indegree of the functions. I suppose I’ll contact Sabre-Security and ask them about it :)”
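To make the quoted dump easier to read, the following added example (not part of Muzzy's research or the p2pnet article) rebuilds the bytes from the four hex lines and lists each NUL-terminated string with its file offset. The function names are this example's own; the dump text is copied from the quote with the ASCII column dropped.

```python
import re

# The four dump lines quoted above; the hex column carries the same bytes
# as the ASCII column, so only the hex is kept.
DUMP = """\
00056c18 68 74 74 70 3a 2f 2f 77-77 77 2e 6d 70 33 64 65
00056c28 76 2e 6f 72 67 2f 00 00-30 2e 39 30 00 00 00 00
00056c38 4c 41 4d 45 33 2e 39 35-20 00 00 00 33 2e 39 35
00056c48 00 00 00 00 33 2e 39 35-20 00 00 00 00 00 00 00
"""

def parse_dump(text):
    """Rebuild (base_offset, bytes) from 'offset hh hh ...-hh ...' lines."""
    base, data = None, bytearray()
    for line in text.splitlines():
        offset, _, hexpart = line.strip().partition(" ")
        if not hexpart:
            continue
        row = bytes.fromhex(hexpart.replace("-", " "))  # '-' splits the 8-byte halves
        addr = int(offset, 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            # Refuse to stitch rows that are not contiguous in the file.
            raise ValueError(f"gap or overlap at {offset}")
        data += row
    return base, bytes(data)

def c_strings(base, data, min_len=4):
    """Return (file_offset, text) for each NUL-terminated printable run."""
    pattern = rb"([\x20-\x7e]{%d,})\x00" % min_len
    return [(base + m.start(), m.group(1).decode("ascii"))
            for m in re.finditer(pattern, data)]

def lame_markers(strings):
    """Keep the strings the quoted analysis ties to LAME: banner and URL."""
    return [(off, s) for off, s in strings
            if s.startswith("LAME") or "mp3dev.org" in s]

if __name__ == "__main__":
    base, data = parse_dump(DUMP)
    for off, s in c_strings(base, data):
        print(f"{off:08x}  {s!r}")
```

Strings alone show that library data is present in the file; as the quote itself notes, they do not show that LAME code is present or called.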
If you stop the music, you’re breaking the law
Meanwhile, Muzzy is in Finland and on his personal page has a link that points out the country’s new copyright law forbids circumvention of technical measures, but “doesn’t draw a line” at what the measures are allowed to do. “As a demonstration I’ve implemented a protection system that lets the music play, but prevents stopping it,” he says.
“If you stop the music, you’re breaking the law.
“The technical implementation is done with a rootkit technique, in which the kernel of the operating system is modified to deny any requests to terminate the player. It calls for NT-based Windows (2000, XP, 2003, Vista).
“Beta-version, use at your own risk, can crash the OS,” says Muzzy.
“The demo song is ‘Hurjat Hipit - Vedä paska huuleen’, copyrights are owned by Hurjat Hipit and the protection is placed on the song by their request. More information about the band:
“If you try it, please report to the address muzzy@iki.fi and tell what operating system you used and what happened.
“IMPORTANT: This version no longer supports unloading, so once you play the song YOU CAN’T STOP IT WITHOUT REBOOT!”
Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local political representatives. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance.
See:-
research page - Muzzy’s research about Sony’s XCP DRM system, November 13, 2005
L.A.M.E. - Sony DRM rips off L.A.M.E., November 14, 2005
copyright law - New Finland copyright rules, October 5, 2005



November 15th, 2005 at 2:21 pm
This will show my age but way back there used to be a British Heineken commercial that said something like “Heineken reaches the parts other beers can’t reach” and I’ve noted that over and again p2pnet also reaches the parts that other *news* sites like zeropaid and slyck don’t even mention, let alone reach.
This follow-up story on the Sony DRM code is a good example of what I mean. Kudos to p2pnet. Keep it up!
November 15th, 2005 at 4:29 pm
Sony is a company that bundles spyware with its product, and it should be treated as such by customers, antivirus, and antispyware vendors. Sony should be treated no different from any other malware producer. I for one will not only NOT BUY Sony products, but I will also pressure others not to buy Sony products as well. Sony should also be made to implement the remedies recommended by the E.F.F. http://p2pnet.net/story/6983 If these measures bankrupt Sony, then that is fine as far as I am concerned as long as Sony is required to liquidate its assets in order to make good the damages it has caused. Maybe if all of this happens to Sony, it will serve as a deterrent to other companies.
November 15th, 2005 at 4:50 pm
Sony has pulled XCP.
November 15th, 2005 at 6:34 pm
That is not good enough. Sony still trespassed on private property, defrauded users, opened up their computers to security problems, have not released a decent remedy to fix the problem they caused, and they have not paid customers for the problems they have caused. If I were a cracker who specialized in writing spyware and I released a trojan in the guise of a useful program, I would most likely be fined, arrested and thrown in jail. If I wrote a program that totally cleaned my malware out of victims’ computers (which Sony has not released), the act might get me some time off of my jail sentence, but it would by no means allow me to walk away unscathed.
What Sony needs to do in this case is be forced to pay to have their malware removed from each computer they have infected, pay customers for the time wasted because of their malware, and give them a non-infected CD to replace the one that had the malware. Sony needs to do all of this at its own expense. Sony should also pay a hefty fine and all legal fees for its crime. The fine should be about 5% of its total revenue for this year. Imposing penalties like this is the only way to deter other companies from acting as if they can do anything they want with no regard for consequences.
Unfortunately, a reasonable penalty like the above will most likely not happen. Sony executives will bitch and moan about how many jobs would be affected and how “it would hurt the economy.” By the time the penalty is decided, it is very likely that the lawyers for both parties will be made rich and Sony victims will get some paltry discount on the next Sony CD. If Sony does as the E.F.F. requests, I might start buying Sony products again after a year is up.
November 16th, 2005 at 9:50 am
This just keeps on getting better and better. Well I’d like to say something to the perps.
Thank you Sony. Thank you for putting the consumer acceptance of drm back by years, if not decades. You’ve managed to do in a few short weeks something that would have taken the EFF years to achieve.
Way to go ;o)