Saturday, November 12, 2005

Sony To Customers: #@*$! you.

This is getting tons of press in the tech world, but not much in the mainstream, so I thought I'd write a bit about it too, so I could refer friends & family to what I hope is a reasonably terse description of the problem.

It seems that numerous Sony/BMG CDs come with a trojan horse program that burrows deep into the Windows operating system, hides its files, memory processes and registry keys from the operating system, and installs an extra software layer between the OS and the CD-ROM drive that, if removed, results in the drive becoming inoperable.

Now hiding stuff from the OS is a neat trick--not one for your average, run-of-the-mill code monkey. Just about every program that runs on your machine--including antivirus and antispyware programs--relies on the OS to give it access to things like files, the list of programs currently in memory (processes) and registry keys (that's the OS's whole raison d'être). If the OS doesn't know about a file, it obviously can't make it available to be scanned. So this is close to complete stealth technology--a Jedi mind trick for your security software. "These aren't the bits you're looking for. You can go now. Move along."

Software like this has a distinguished history in the annals of malware--it's called a rootkit, and it's used by hackers to hide their presence on a machine they've compromised (aka 'rooted').

Now right there that would be enough to make anybody angry, but it's actually worse. This trojan is implemented in such a way that it extends its 'cloak' to anything whose name starts with a magic string of characters: $sys$. So make a copy of notepad.exe, rename it to $sys$notepad.exe while the trojan is running, and the copy disappears from sight! Or take a registry key, throw $sys$ at the beginning of the key name, and that's gone too.

Making notepad disappear from sight may be a fun parlor trick, but the fact that this thing indiscriminately hides anything with a magic name means that it's only a matter of time before some script kiddie adapts a worm to use this to hide their own nasty payloads from your computer. The change would be as easy as changing a filename from IHopeTheyDontFindThis.exe to $sys$TheyllNeverFindThisHaHa.exe. Nice.

There are full tech details on the Sysinternals website.

So what to do? Well as a practical matter you obviously don't want to put any of the affected CDs in your computer. There are lists of which CDs have this tech on them out on the net, but I'm personally inclined to err on the side of caution and not mess with anything that has the Sony name on it.

I'm also going to boycott Sony products until I hear about a serious response to this problem--which at a minimum will have to include a complete recall and free replacement program for all infected CDs, and an easily accomplished and safe uninstall process for infected PCs. Preferably the people responsible for implementing this in the first place will also be fired.

So I guess I'm not going to be getting Shadow of The Colossus for Christmas. [Sob...]
