Sony DRM Rootkit
I've been getting a lot of questions in the last week about Microsoft's position on the Sony DRM and rootkit discussions, so I thought I'd share a little info on what we're doing here. We are concerned about any malware and its impact on our customers' machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.
We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.
I'll update you if any more information comes up.
best,
-jasong
------------------------------------------------------------
Jason Garms
Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation
Team Blog: https://blogs.technet.com/antimalware
Comments
Anonymous
January 01, 2003
PingBack from http://microsoft.wveighteen.net/archive/microsoft-study-guides-exam-questions-real-examscom/Anonymous
January 01, 2003
PingBack from http://www.nynaeve.net/?p=124Anonymous
January 01, 2003
PingBack from http://www.keyongtech.com/3339464-p2p-file-sharingAnonymous
January 01, 2003
PingBack from http://efrain.onlinevidssite.info/windowsmalicioussoftwareremovaltool.htmlAnonymous
January 01, 2003
PingBack from http://www.cg-blog.cn/cg/microsoft-targets-sony-spyware/Anonymous
January 01, 2003
PingBack from http://blog.phoenixbkn.com/2009/06/15/how-to-protect-yourself-from-sony-drm-rootkit-malware/Anonymous
January 01, 2003
PingBack from http://mollie.onlinevidssite.info/malicioussoftwareremovalvista.htmlAnonymous
January 01, 2003
When you put a music CD in your computer, it starts to play. Is it cool? Probably, but not to everybody....Anonymous
January 01, 2003
PingBack from http://www.allsoftwarenews.org/software-news/microsoft-will-remove-sonys-drm/Anonymous
January 01, 2003
PingBack from http://www.leray.us/nukem/2005/11/15/well-i-was-mistaken-on-what-would-go-down-sigh/159Anonymous
January 01, 2003
Когда вы засовываете музыкальный CD в компьютер, он тут же начинает играть. Здорово, правда? Может не...Anonymous
January 01, 2003
PingBack from http://bradyn.newsdigestdirect.info/windowsmalicioussoftwareremovaltool.htmlAnonymous
January 01, 2003
PingBack from http://windowsdefender.start4all.com/2009/06/15/how-to-protect-yourself-from-sony-drm-rootkit-malware-phoenix-all-in-one-blog/Anonymous
January 01, 2003
PingBack from http://blog.federicosanchez.info/2005/12/08/la-guerra-contra-la-pirateria/Anonymous
January 01, 2003
PingBack from http://www.colindiponio.com/2005/11/14/microsoft-and-the-sony-drm-rootkit/Anonymous
January 01, 2003
PingBack from http://computers.blognicity.com/?p=70Anonymous
January 01, 2003
PingBack from http://blog.federicosanchez.info/2005/12/08/ecos-de-la-guerra-contra-la-pirateria/Anonymous
January 01, 2003
PingBack from http://www.georgholzer.at/blog/2005/11/13/danke-sony/Anonymous
January 01, 2003
PingBack from http://www.titandb.de/?p=28Anonymous
January 01, 2003
PingBack from http://www.solo-technology.com/blog/2005/11/13/foldershare-and-ms-vs-sony/Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
There have been several significant developments in the Sony DRM story since my last post. The firstAnonymous
January 01, 2003
PingBack from http://www.hilpers.org/219028-sony-cds-and-copy-protection/3Anonymous
January 01, 2003
PingBack from http://microsoft.wveighteen.net/archive/microsoft-careers-home-3/Anonymous
January 01, 2003
PingBack from http://cg.honest-men.com/cg/microsoft-targets-sony-spyware/Anonymous
January 01, 2003
PingBack from http://kian.videositelink.com/computertriestoinstallantimalware.htmlAnonymous
January 01, 2003
PingBack from http://microsoft.fdsdfsdf.info/2008/04/18/microsoft-will-remove-sonys-drm/Anonymous
January 01, 2003
PingBack from http://www.oxigenstar.com/tecnologia/proteccion-de-microsoft-contra-el-quotrootkitquot-de-sonyAnonymous
January 01, 2003
PingBack from http://microsoft.wveighteen.net/archive/amazoncom-microsoft-frontpage-2003-software/Anonymous
January 01, 2003
PingBack from http://www.federicosanchez.com.ar/2005/12/08/primeros-episodios-de-la-guerra-contra-la-pirateria/Anonymous
November 12, 2005
Good for you guys!Anonymous
November 12, 2005
Finally... good work, glad to see at least Microsoft isn't scared of sony.Anonymous
November 12, 2005
Good job! Thanks for sticking up for the little guys!Anonymous
November 12, 2005
As a IT Specialist this is the kind of things i am scared of.
I help manage over 200 computers and this is the kind of thing we fear. We tell people you get 20 hours of Internet access every month. We tell people you can not install any software. Everyone's access settings is just a regular user. But we tell them its OK to listen to a music CD. Not only will the root kit not install because the accounts are limited, but on Sony's web site they used to have information on how to install it even though you are not administrator. And you know what, out of our 200 computers, we had 3 of them infected with this root kit. I had to reformat the computers in order to safely know that no other Sony software is on there.Anonymous
November 12, 2005
That's good, I know a few people who have discovered this rootkit has been installed.Anonymous
November 12, 2005
Excellent news! I was getting worried about Microsoft's wishy-washy stance in various media publications.Anonymous
November 12, 2005
Thank you very much!Anonymous
November 12, 2005
Good Move Guys!Anonymous
November 12, 2005
Before seeing this, I wouldn't have belived that MS is truly objective when it comes to malware removal. This changes my mind. It makes feel a lot better about using Microsoft products.
Thanks!Anonymous
November 12, 2005
Cheers, guys. I'm glad someone higher up decided this was wrong.Anonymous
November 12, 2005
Very nice.Anonymous
November 12, 2005
Great to see Microsoft step up like this and recognize these actions for exactly what they are: hurtful and dangerous to consumerAnonymous
November 12, 2005
The comment has been removedAnonymous
November 12, 2005
The comment has been removedAnonymous
November 12, 2005
Glad to hear it.Anonymous
November 12, 2005
Great work guys!Anonymous
November 12, 2005
Thanks for doing the right thing!Anonymous
November 13, 2005
Thank you Microsoft. This is the right thing to do.Anonymous
November 13, 2005
Sony reserve the right to protect their intellectual property - but not at the risk of exposing our PC's to external threats.
I applaud Microsoft for taking this path - as they do with any company that try this sort of thing - with no fear or favour.Anonymous
November 13, 2005
I would like to see Windows fixed to not allow these types of programs to install in the first place.Anonymous
November 13, 2005
Thanks a lot - perhaps it would also be useful if you put something into Windows to warn people when these things try to install, and require their permission before they get onto the system (at which point they become difficult to remove) - this way legitimate uses of rootkit technology (e.g. Kaspersky Antivirus) will be unaffected but any future unethical uses such as this will be prevented. In any case, it's good to see Microsoft finally taking a stand against big companies that think they have the right to install malware on Microsoft customers' machines, simply because they own a restricted intellectual right in a sound recording.Anonymous
November 13, 2005
The comment has been removedAnonymous
November 13, 2005
Well done Microsoft!Anonymous
November 13, 2005
Don´t praise them too loud guys.
Of course this is the right thing to do, but I would take any bet, that in the not-so-far future there will be a "Microsoft-Certified" way to do very similar things...Anonymous
November 13, 2005
Excellent, thank you MS for removing the rootkit portion of this software.
However, it would be cleaner to remove the software entirely (just like you do with other dangerous software).
Why treat Sony software as different to 180solutions or Claria?
If the software is on the machine it should be vaped.Anonymous
November 13, 2005
The comment has been removedAnonymous
November 13, 2005
Well done.Anonymous
November 13, 2005
The comment has been removedAnonymous
November 13, 2005
I understand that Sony-BMG used two different DRM software packages for different albums. One, called XCP is from First4Internet. The other is from SunnComm, called MediaMax. Will your solution remove both XCP and MediaMax?Anonymous
November 13, 2005
But what does this mean?
That you will just make visible the rootkit files?
Or will you remove all or some of the program?
Or will you (sceptic here) just recommend 'Ignore' when the rootkit is found.
Toy ManAnonymous
November 13, 2005
The comment has been removedAnonymous
November 13, 2005
Thanks Microsoft!
I definately didn't think Microsoft would delete sony, but they did!Anonymous
November 13, 2005
Kudos to Microsoft for siding up with the little guys and being objective in this issue!
I mean, really, this is coming from a Mac lover.Anonymous
November 13, 2005
That's something I expected in my best dreams. Absolutely great move.
It also convinved me to download windows antispyware right now.Anonymous
November 13, 2005
I thought microsoft was all into the DRM stuff? Anyway, this is good news for the people who use windows.Anonymous
November 13, 2005
We don't have this problem on Linux, you know. ;)Anonymous
November 13, 2005
Just to make sure I have this right.
Microsoft doesn't remove the XPC software, but rather, un-cloaks it, makes it so that it's no longer hidden with rootkit technology. Is this correct? Also, since XPC has already provided a tool that uninstalls the rootkit (which doesn't work very well, like everything made by First Four Internet, but that's beside the point) is Microsoft just copying that uninstall method? or are they using a different one? I'm afraid of the removal process causing more problems than leaving it there does, what with complete removal causing people to lose access to their CD drives and such.Anonymous
November 13, 2005
Thanks guys. I had decided to buy a PS3 when they come out in the spring, but after I had to re-format my hard drive twice because of Sony's malware (I didn't realize my problems were caused by the Sony rootkit the first time), I had decided that Sony doesn't want my business. Since Microsoft has taken a stand against this kind of bad business practices, I believe that a 360 is the way to go.Anonymous
November 13, 2005
The comment has been removedAnonymous
November 13, 2005
Awesome! I figured it was going to take a company with the size of Microsoft (or similar) to actually stand up and generate a removal tool, given the threat of legal action Sony's EULA imposes. The EULA has been a significant impediment to smaller companies and even independent techs thanks Sony's strong-arm tactics. Way to go MS!Anonymous
November 13, 2005
Good job Microsoft!Anonymous
November 14, 2005
No offense guys, but is your removal tool safe?
Mark Russinovich reported that some attempts to remove the rootkit resulted in BSOD or CD-ROM disappearing from the device manager.Anonymous
November 14, 2005
WOW. I am very happy to hear this from MS. It makes me glad to know that someone with real authority in the computer industry recognizes this issue as a very bad move for everyone.
Good work!Anonymous
November 14, 2005
Good to hear it. I am glad that Sonys DRM is being taken as a serious concern to PC security.Anonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
Excellent move, thank you!Anonymous
November 14, 2005
Buena decision.
GraciasAnonymous
November 14, 2005
However was Sony's tool was harmful to our machines, don't you think that Microsoft made this action for the good of its customers.
Sony and MS has been battling since the release of the Xbox and windows media center, microsoft is trying to invade Sony's market (which is already crowded) and they're ready to hit under the belt to take over Sony's reputation.
What's a maximum of 3% decrease in performance would do to your processes? I am sure Sony is wrong, they should have wrote their DRM Rootkit more efficiently and made it optemized that it doesn't take this much of our precious CPU times, or they should at least mentioned they will...
Wait a second, windows XP is taking all of my resources, why doesn't the "Malicious Software Removal Tool" dettect it?:D
It's just my opinion guys, hope I didn't offend anyone...
peaceAnonymous
November 14, 2005
did Microsoft get smart and actaully wants to save there own operating systems.. imagine how much they would make with stupid people thinkin' they'd have to buy a whole new copy of XP!! haha.. but its good they are, saves a lot of extra time.Anonymous
November 14, 2005
Detection and removal is good. Prevention of ALL rootkits installations; not just XCP, is better.Anonymous
November 14, 2005
Thanks for looking out for your customers. By the way, Xbox rules playstation.Anonymous
November 14, 2005
excellent! Someone at Microsoft is getting paid to do the right thing!Anonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
When will the signature files be available for each solution listed above? (the online scanner, the antispyware beta, and the normal windows malicious software tool)Anonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
Um, I downloaded Microsoft Anti-Spyware Beta, updated it, ran a full-system scan, and IT DIDN'T DETECT THE SONY DRM SOFTWARE! I know I have the software because $sys$DRMServer.exe shows up in my process list. Am I doing something wrong? Why wasn't it detected?Anonymous
November 14, 2005
I'm used to being critical of Microsoft when it does something bad, so it's nice for once to be able to say:
Well done, Microsoft!
Thanks for doing the right thing.Anonymous
November 14, 2005
thank you!Anonymous
November 14, 2005
Autoplay should be protected by better security, so that these programs don't get loaded in the first place. This is just like bootable floppy transferring viruses/malware to the computer on power-up.Anonymous
November 14, 2005
The comment has been removedAnonymous
November 14, 2005
Why Microsoft was unable to find this rootkit before Mark did ?
Are their AntiSpyware SpyNet not working at all ?Anonymous
November 14, 2005
The comment has been removedAnonymous
November 15, 2005
Why play music cds in your computers? Only time I put a music cd in my computer is when I rip em and it works for all cd's I have tried so far. I don't share my MP3's so I don't see this as illegal.
Quote from Little-Gamers.com:
"I don't play cd's in my computer.. That would be just as stupid as microwave your toast"Anonymous
November 15, 2005
keep up the good work! I hope Sony realizes their mistakes!Anonymous
November 15, 2005
The comment has been removedAnonymous
November 15, 2005
Jasong... Wow! What a great position for Microsoft to take on this issue. It's nice for MSFT to be on the 'other side' of it for a change. Sony VAIO and Microsoft have been a great combination for me, but NO ONE has the right to foil or damage equipment I pay for.
Microsoft's tools upgrade to Microsoft's AntiSpyware Beta will correct any damage done to my CD and DVD drives right?
All the best,
Larry T
"Pay to download music? Not interested - I'll either buy media or use my library. As for paying for audio book downloads? Now that I'd like. How about $12/month (up to 10) or $2 a novel." LarryTAnonymous
November 15, 2005
I'll have to go out and get one of those Sony CDs just so I can test and see if it's removed with MSAS and with the Malicious Software Removal Tool. Sounds like a good time to me... Now to find a moderately new artist with music I can tollerate... Ah well...Anonymous
November 15, 2005
Security aside, for support and stability of an OS, why should the installation of a rootkit EVER be allowed? Me thinks the team should work on hardening the core OS...Anonymous
November 15, 2005
The comment has been removedAnonymous
November 15, 2005
The comment has been removedAnonymous
November 15, 2005
According to http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx, the x64 editions of Windows don't allow kernel patching, eliminating the specific rootkit techniques that Sony used.
On that page, it says "For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software." I'm curious about this. How much software is there out there that "depends" on this? I think the "security trumps functionality" mantra would say that kernel patching needs to be forbidden for x86 systems as well.Anonymous
November 16, 2005
As this rootkit is a copy-protection thing, will Microsoft violate the DMCA by removing it?
That would be interesting.Anonymous
November 16, 2005
How about fixing the Windows AntiSpyware beta so that it works with new IE7 beta!Anonymous
November 16, 2005
Does this impeded the installation of SP2? My system crashed after my support folks attempted to install SP2. I just accidentally found the reference to this malware. We'd appreciate knowing as we have an organization of over 5K people. Thanks! E. L.Anonymous
November 16, 2005
The comment has been removedAnonymous
November 16, 2005
This certainly sounds like MS is doing the right thing - however the devil is in the details. A few poeple have already asked - what exactly is the MS procedure for removal? Are you able to outline the steps taken by Windows Antispware to remove the Sony malware?Anonymous
November 17, 2005
Agree! Thanks Microsoft! ;)Anonymous
November 17, 2005
Agree! Thanks Microsoft!Anonymous
November 18, 2005
Its nice to see Microsoft have, at last, taken a positive stance in recognising the Rookit issue as being one of a serious nature for many music lovers.
Definately agigantic step for mankindin the right direction.Anonymous
September 06, 2014
Blogs - Anti-Malware Engineering Team - Site Home - TechNet BlogsAnonymous
September 11, 2014
Blogs - Anti-Malware Engineering Team - Site Home - TechNet BlogsAnonymous
October 27, 2014
Blogs - Anti-Malware Engineering Team - Site Home - TechNet BlogsAnonymous
November 05, 2014
Blogs - Anti-Malware Engineering Team - Site Home - TechNet Blogs