Another Kind of Root (Kit)

Usually when I write about roots, it's to complain about how poorly mine works. But we have a different sort of root in the news, and it's related to Sony, trojan horses, and online roleplaying. So let's depart the world of Norrath for today and talk about the Real World ™.

News broke last week that hackers had used a spyware program that is part of Sony's digital rights management system for music CDs to compromise World of Warcraft.

Let's try to sort out the details of this as it pertains to Everquest II. If you loaded a music CD into your computer during the last year, you may have seen a EULA pop up and ask for your agreement. The EULA stated that additional software would be loaded on your system. It did not state that this software would be hidden, that it could not be uninstalled, nor that it would contact Sony via the internet. It did all of these things. This software is now known as XCP, and was made by a third party, a company known as First 4 Internet.

This software used a technique called a rootkit. A rootkit intercepts basic system functionality to make certain sets of files disappear from view on your system, which of course makes them difficult to delete; that is the whole point. In the case of Sony BMG, the rootkit hid all files and processes with names beginning with "$sys$". Furthermore, it altered the operating system so that whenever you asked to see all the files in a folder, or performed other such basic functions, code contained within the loaded (and hidden) files was run in order to filter out the files being hidden.

But there's the rub. First of all, the filter removes ANY files with names beginning with "$sys$". So some other person, with arguably fewer scruples, could conveniently hide their software simply by giving all their files names that began with "$sys$". They wouldn't even need to bother checking for the rootkit first; they could just use the names and get the benefit whenever their trojan horse happened to land on a system with Sony's rootkit. After all, one estimate places the number of name servers that have been queried by XCP at well over half a million.

For the uninitiated, a name server is something which translates a name like "" into a numeric internet address. Computers address each other with these numbers, and a name server tends to service a fairly large group of computers. Since there is very likely more than one personal computer with XCP installed behind each of these name servers, that means more than a million, possibly several million, compromised hosts.

Furthermore, if you are lucky enough to learn about this vulnerability by running some unusual software that can detect hidden files, simply removing these files will make your system unusable. Why? Remember when I said that certain basic system functions now run code from the new (and hidden) files? If you remove those files, those basic functions no longer work. Your system won't fall back to the original, system-installed definitions all on its own. Instead, these functions will fail in very messy, ugly ways whenever you try to use them, such as when you try to look at the files in a folder using Windows Explorer.
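To make the two points above concrete (a prefix filter sitting in front of a basic system call, and why deleting the filter's files without first unhooking it breaks that call), here is an added toy model in Python. It is not code from the original post or from XCP itself: the `DirectoryService` and `HidingHook` classes, the folder contents and the `$sys$example_*` file names are all constructed for illustration. It also shows the check that "unusual software that can detect hidden files" performs: comparing the filtered listing with a raw one and reporting the difference, which catches any file using the prefix, whoever put it there.

```python
HIDE_PREFIX = "$sys$"

# Constructed sample folder (placeholder names, not real XCP file names).
SAMPLE_FOLDERS = {
    "music": [
        "song.mp3",
        "notes.txt",
        "$sys$example_a.dll",       # constructed: part of the hiding software
        "$sys$example_b.exe",       # constructed: part of the hiding software
        "$sys$unrelated_tool.exe",  # constructed: some other program's file that
                                    # merely uses the prefix; hidden just the same
    ],
}


class DirectoryService:
    """Stand-in for the operating system's directory-listing entry point."""

    def __init__(self, folders):
        self._folders = folders
        # Callers such as a file explorer go through this attribute; a hook
        # works by pointing it somewhere else.
        self.list_dir = self.raw_list_dir

    def raw_list_dir(self, path):
        """Unfiltered view (in real life: a lower-level read of the volume)."""
        return sorted(self._folders[path])


class HidingHook:
    """Toy model of a filter inserted in front of list_dir."""

    def __init__(self, service, prefix):
        self.service = service
        self.prefix = prefix
        self.original = None
        self.code_present = True  # whether the hook's own files still exist

    def install(self):
        # Save the real entry point, then redirect callers through the filter.
        self.original = self.service.list_dir
        self.service.list_dir = self.filtered_list_dir

    def filtered_list_dir(self, path):
        if not self.code_present:
            # The entry point still points here, but the code behind it is gone:
            # this is the "messy, ugly" failure the post describes.
            raise RuntimeError("directory listing failed: hook code removed")
        return [n for n in self.original(path) if not n.startswith(self.prefix)]

    def uninstall(self):
        """Proper removal: restore the saved original first, then delete."""
        self.service.list_dir = self.original
        self.code_present = False

    def delete_files_only(self):
        """Naive removal: delete the files but leave the redirection in place."""
        self.code_present = False


def cross_view_hidden(service, path):
    """Cross-view check: anything in the raw view that the API view omits."""
    return sorted(set(service.raw_list_dir(path)) - set(service.list_dir(path)))


def demo_hiding():
    """Return (what the API view shows, what the cross-view check flags)."""
    svc = DirectoryService(SAMPLE_FOLDERS)
    HidingHook(svc, HIDE_PREFIX).install()
    return svc.list_dir("music"), cross_view_hidden(svc, "music")


def demo_removal(unhook_first):
    """Return the listing after removal, or the error message if it fails."""
    svc = DirectoryService(SAMPLE_FOLDERS)
    hook = HidingHook(svc, HIDE_PREFIX)
    hook.install()
    if unhook_first:
        hook.uninstall()
    else:
        hook.delete_files_only()
    try:
        return svc.list_dir("music")
    except RuntimeError as exc:
        return str(exc)


if __name__ == "__main__":
    shown, flagged = demo_hiding()
    print("API view:            ", shown)
    print("Hidden (cross-view): ", flagged)
    print("Proper uninstall:    ", demo_removal(unhook_first=True))
    print("Delete files only:   ", demo_removal(unhook_first=False))
```

The cross-view check is the general shape of what hidden-file detectors do: the filtered view is what every ordinary program sees, the raw view bypasses the hooked call, and any name present in one but not the other is being concealed. The two removal paths show why restoring the original entry point has to happen before the files go away.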

How does this impact Everquest 2? Well, first of all, XCP was promulgated by another branch of Sony, Sony BMG. It was part of their digital rights management scheme, intended to prevent users from ripping music off of CDs. I've seen no sign that SOE has made use of this technology. Nor have I read any reports of cheat programs for Everquest 2 that use this technology. Of course, WoW has a launcher which looks for cheat programs and, as far as I know, SOE does not. Or perhaps SOE is smarter about how they gather and use information. So Everquest 2 appears not to have any direct impact from this.

In any case, I highly recommend that you stay far away from any copy-protected CDs, especially on any computer that is connected to the internet.

I’d say that Sony blew it in several ways. First, they relied on “security through obscurity”, the idea that if they just didn’t tell folks how something worked, or what it did, no one would be able to figure it out and exploit it. This idea never really works.

Second, they got permission to install software from the EULA, to be sure. But there was no notification that this software would a) phone home to Sony, and b) be impossible to uninstall. This is a serious abuse of the customer.

Finally, it was a sloppy job that introduced a big vulnerability. It doesn’t surprise me that it was done under contract with a third party. I’ve known some Sony engineers, and they would have seen the problems involved with XCP immediately. Who knows, perhaps they did oppose it, and were outflanked by executives who didn’t want to spend the money? It’s happened before. I am not against companies protecting their IP, but this scheme was clearly done on the cheap. Now how much is it costing them?

It appears that Sony has started to realize what a big problem this is for them and is trying to reverse course as well. There is news that they are working with the virus protection companies to add removal software. But I'm not overly optimistic. Uninstalling patches like this has a way of interacting poorly with other system upgrades, such as Service Packs, and with special device drivers that may have been loaded. The functions that XCP alters are fairly stable and few programs will play with them, so there's hope there. Because if it doesn't work, users will have to reinstall everything from scratch or buy new computers to get rid of it. Let's hope that's not what happens.
