Chris did a great job of mentioning a new CD-protection scheme in his journal the other day and I’d like to take it a step further and elaborate on it a bit. Let me give you the basic behind this first. Sony, the most evil of the music companies, has made use of a new copy-protection scheme for their CDs. This protection involves not only DRM technology but something called a RootKit to HIDE that technology. Basically, they use a DRM scheme to limit how many times you can use that CD in a computer, if you can/can not copy it, make MP3s out of it, etc. That DRM software isn’t noticable by the end user because it’s hidden from Windows by the Rootkit. A Rootkit is basically cloaking technology that hides files, registry entries, running processes, etc. The thinking is if the end user can’t find it, they can’t shut it off. I won’t get into how much I think this is complete and total bullshit, but you can probably already guess my displeasure.
The main problem here is that this RootKit doesn’t exist ON the CD, no no, that would make sense, no, this baby is INSTALLED AND HIDDEN on your computer. Meaning, if you buy a Sony copy-protected CD, this Rootkit is being installed, activated and hidden without your knowledge. You can read more about the specific hiding/revealing, software aspects of this over at Mark’s SysInternals Blog (thanks to Chris for the original link).
Ok, so copy-protected music is evil, right, everyone with me? Good, cause here comes the next leap. The software makes very slight changes to the things it wants to hide. Basically, after you’ve listened to Madona for a few minutes and this thing is up and running on your system, all you (or anyone) would have to do to USE IT, would be to add “$sys$” to the front of a file. Windows will NEVER see it. So, viruses, trojans, hacks, etc, can be completely and totally hidden from EVERYTHING by adding a few characters to the front of the filename. Now, this would only work for those of use who have put a Sony CD in our computers, but still, the implications are frightening. Anti-Virus programs couldn’t find’em, system scans, etc. No running processes to be detected. Totally stealthy.
So, now we have a) a program that hides things completely from windows and everything else for that matter and b) a way to hide things OURSELVES.
Yup, that’s right kids. WE could hide things. Think about it this way… if you’re a hardcore cheater in online games, what’s the one thing you fear? Your cheat being detected right? How is that cheat detected? The most common checks are for file size/date/origin/manipulation and for running processes. Now, cheaters have gotten smart over the past few years. Now they’re way beyond simply editing a DLL or hacking the registry. Now the newest trend is creating “code caves”, essentially making a bubble in the code while it’s running, injecting their cheat, using it, they collapsing the bubble so it’s undetectable. The process works because the code is inserted into memory randomly and so quickly that most active scanners won’t detect it. What if you could have that process running 24/7/365 and it would NEVER be detected? That’s what Sony just gave to cheaters everywhere. A simply way to hide a running process from even Windows itself. If it’s hidden it can’t be seen as running and if it isn’t running it can’t be detected and if it can’t be detected, cheating just got easy.
Now, I play BF2. I enjoy it. But it’s anti-cheat system is Punk Buster, a mediocre at best system for scanning active processes/drivers and information sent to and from game servers. All I would have to do to cheat is to go buy the latest Santana CD, add “$sys$” to my hack and fire up the game. How fucking sick is that?
Way to go Sony. I hope you realize exactly what you’ve done. You’re not only evil for using a method like this to rob honest paying customers of their right to use the music they bought, but you’ve also given millions of people a relatively easy way to rob the rest of us out of good clean video gaming fun.
Is this all theoretical, is Matt worried over nothing, could this really happen? Yeah, it could, and has: World of Warcraft hackers using Sony BMG rootkit.
Way to go guys. Fucktards.