EXPOSED: The Windows Rootkit Scandal by Sony

Captions
Now, you and I both know that we only ever made copies for limited personal archival use, but I'm not talking about you and me. I'm talking about the regular people, and they copied a lot of music illegally. For shame!

[Music]

Hey, I'm Dave. Welcome to my shop. Did you know that Sony once shipped a rootkit on 22 million copies of its own CDs? And what's even more surprising is that they did it completely intentionally, in order to hijack the operating system, install their own DRM code, phone home about your listening habits, and then hide it from not only the users but even Microsoft themselves. And they did it by exploiting one of the very components that I was the dev manager for back at Microsoft, way back in the day.

I'm Dave Plummer, retired software engineer from Microsoft, going back to the MS-DOS and Windows 95 days, and if you subscribe I'll even let you sit in the front row. It's one of the tales from my Microsoft days that I've been putting off telling for a while, because I've been a bit scared to talk about it. It was a little too close to home, being one of my own components, and Sony's a pretty big company. But it's been more than 16 years at this point, so I think I might as well let it all out.

And the irony in all of this is that I'm actually something of a Sony fanboy. I mean, I'm literally recording this on a Sony FX3 camera, of which I own multiple, and I'll later watch it back on my Sony OLED TV as I listen to it on my Sony XBR receiver or my Sony noise-cancelling headphones. So when I found out that Sony had used its collective might to basically exploit and attack one of my own components within Windows, I was more than a little shocked.

But I need to back up. Let's jump in the Wayback Machine and travel to the year of my retirement from Microsoft, 2003, so I can set the stage. Now, when it comes to a huge project like Microsoft Windows, ultimately every component needs to have an owner. There was even an Excel spreadsheet somewhere on a server that listed each component of the operating system and its owner, along with their name, email address, and sometimes even their home phone number in case of emergency, like if it was an important component such as the thread scheduler or the heap manager.

Some components are not under active development anymore, but they still need an owner assigned to them in case something comes up with them. So, for example, I might own Task Manager and Product Activation and even the shell copy engine and stuff like that, all of which are generally getting feature work or changes made during the current release. But at the same time I would be assigned a number of what I'd call legacy components, just for the sake of them being able to have a responsible adult's name assigned to them. So I wound up owning things like Calculator and CD Autorun, and those of you who know a little bit about the Sony rootkit probably already sensed where this is going, and that it has nothing to do with Calculator. And you're right.

As an aside, you might think that owning something like Calculator would be dry and boring, and it probably is, until one day when someone finds an edge case bug and Calc returns a bad result. Well, it's never happened yet, thankfully. I mean, there are odd edge cases, like subtracting two from the root of four doesn't always yield exactly zero, that sort of thing, but nothing like the old Pentium floating point bug where you'd get an outright wrong answer back from FDIV. But trust me, checking code into Calculator, or being the name on the code review line, can have a certain amount of pucker factor, because the stakes involved are really high and the press would be really bad if you did make a mistake.

CD Autorun was more like what you're thinking: a boring, stale old component that nobody loved, maybe a few people hated, and that normally just did its job year after year with few people noticing it. As its name implies, CD Autorun is code that runs inside the shell's Explorer process, and when a new CD is inserted into the drive it raises an event that the shell monitors for, so it knows when and what has happened. When the drive is ready and the disc spins up, the shell takes a peek at the disc to see if there's a setup program or similar that should be launched automatically. That way, when you put in a CD for a program or a game, it just starts. Your mom doesn't have to look up the name of the program to run in a manual, or search around the disc for it with File Explorer.

So it sounds like it could be a handy feature, and indeed most of the time it is, but it could also be the source of bugs if whomever authored the CD didn't do it properly, or if a CD that really shouldn't even be autorunning keeps popping up a useless window every time you insert it. Most of the time, however, Autorun was just something that people didn't think about at all, because, like I said, it just did the same predictable thing every year. So while there was no major feature work planned for Autorun, there was still periodic maintenance done on it to make it easier for developers, a better experience for consumers, more reliable, more robust, and so on. And those features were all done by a French Canadian fellow that worked for me at the time, whose name was Stefan. Now, the French pronunciation of Stefan doesn't come through Outlook very well, though, so he literally had to change his Microsoft alias a few weeks into his job there, because too many people were misreading it, or reading it lazily, and calling him Stephanie. But I digress. Stefan was a great engineer, and Autorun was a bit of a waste of his talents, but everybody's got to start somewhere, and that's kind of where he started. Little did he know how exciting it was going to become.

Now, the story I'm going to lay out for you here today doesn't paint a very flattering portrait of Sony back in the early 2000s. For example, when pressed by a reporter about the rootkit, a VP told the reporter, "Most people, I think, don't even know what a rootkit is, so why should they care about it?" Moreover, some of the attitudes towards the consumers were completely adversarial. Now, granted, this was at a time when a lot of people were getting their music illegally with Napster and so on, but rather than run off and invent a great streaming service like Apple did, Sony was going to be content with ferociously defending its territory. To show what their attitude was like back in those days, consider what their senior VP had to say at an industry conference back then: "The industry will take whatever steps it needs to protect itself. It will not lose that revenue stream, no matter what. Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall it at the source. We will block it at your cable company. We will block it at your phone company. We will block it at your ISP. We will firewall it at your PC. We shall fight on the beaches, we shall fight on the landing grounds, we shall..." No, I'm just getting into it, but I should stop now.

It's never a good sign when a company sees their very own customers as an existential threat and decides to go to war with them. Where's the love, Sony? And how did we get to this place? What had Sony so backed into a corner and afraid that it started drawing up battle plans? In two words: Napster and DAT. Although DAT is an acronym for three words, so that's four words, but never mind.

Napster is really a subject big enough for its own video, but in summary it was a peer-to-peer MP3 sharing system where you could find pretty much any and all music, all free, and completely in violation of pretty much every law and moral principle out there. There were two primary reasons, I think, that people resorted to such piracy. The first was the legitimate need to make a backup of your CD, or to get a decent copy for your car, something I think you were always entitled to at least one of. Then the second is something I'll call the collector instinct. It's something I've seen people do with pirated software as well. Once people start to build a collection, they collect just for the sake of collecting, and they mentally keep score by the size of their collection. They collect music or software and they store it and catalog it, even if they never listen to it or play it.

So there was that. But the first reason, that single legal copy issue, became suddenly much more important with the release of Digital Audio Tape, commonly known as DAT or D-A-T. I'm told that you've always been allowed to make one copy of your media for personal, non-commercial purposes, and when people were using analog audio cassettes, which were generally fairly poor quality and got worse with each use or even just over time, the industry didn't mind as much. CD was so much higher in fidelity that people would continue to buy CDs even if bootleg cassettes were available, just because CD quality was that much better. But with DAT, that was suddenly no longer true. DAT can run full 16-bit samples at 44.1 kilohertz, the same as a CD, so it's able to make a perfectly lossless copy of a CD, and you can make a copy of the copy, and a copy of the copy, and a copy of that copy, and even that will be literally identical to the original CD. This was the industry's greatest fear come true: perfect fidelity copies of copies with unlimited generations.

The first serious proposed solution was known as Copy Code, and it was basically a notch filter detector. The content would be mastered with a 3.8 kilohertz notch filter applied, and DAT machines would be required to include a chip that would detect such material and then refuse to copy it. There was only one major problem: you could hear the difference with the notch filter, and many will tell you that it wasn't subtle, and reportedly it was not even that effective either. So people pushed back hard enough that it ultimately killed the proposal. Things then settled down a bit when Sony bought CBS Records, because now Sony was both a record label and a maker of DAT recorders.

The next, perhaps more reasonable, approach then was a Serial Copy Management System that prevented digital copies of copies. It was enacted by Congress in 1992, and it also imposed taxes on blank CDs that could be used to store music. So that meant there would be a difference between data CD-Rs and music CD-Rs, and the taxes on music blanks were high enough that they were close to the price of buying a pre-recorded CD from a music store. What rendered it all moot, however, was effective lobbying by the computer and electronics industries that exempted personal computers from the act. It would actually mean that if you bought a blank music CD to duplicate a pre-recorded CD in a home theater machine of some kind, it would run you perhaps $15, but if you did it on your PC you could do it for a buck. Seems like a bit of an oversight to me, but if nothing else it set the stage also for the massive amounts of digital piracy that would erupt with Napster. Tons of software aimed at creating and consuming pirated music came out, and both Windows and the Mac introduced easy ways to rip and copy music tracks from pre-recorded CDs. You'll note that I'm just straight coming out and assuming this is usually piracy, and I'm straight up calling it that. Now, you and I both know that we only ever made copies for limited personal archival use, but I'm not talking about you and me. I'm talking about the regular people, and they copied a lot of music illegally. For shame!

What no one knew or even suspected was how far Sony would go to protect its turf. What they did next was completely unprecedented: they rootkitted every Windows machine into which one of their protected CDs was inserted. So let's talk about rootkits. Let's say you are a very bad man and you want to write some very bad software. There's some very bad stuff: you write your very bad virus and you give it a name like benji.sys, and you infect machines and so on, like a virus. But you are extra clever, and you want to be elusive and hard to find and hard to remove. You're so clever, in fact, that you hack the Windows APIs FindFirstFile and FindNextFile so that when anyone, even the Windows shell or a virus scanner for example, looks right in the folder where benji.sys lives, it just comes back empty. It's a ghost, because you've hacked the APIs to lie and say it's not even there. Now a command prompt or a virus scanner will skip over it too, as I said, because not even Windows can see it at that level anymore.

This is, of course, a problem, and it's one that super developer Mark Russinovich, now technical head of Azure at Microsoft, set out to solve back in 2006. He was working on a tool called RootkitRevealer that would, as you can likely guess from the name, detect rootkits. It did so by doing things at the lowest level possible, down at the NT core APIs or even the driver level, and then up at the highest level, and comparing the results. Anything below the level of your hacked API will still see benji.sys, but it will be invisible to everything above it. By comparing the results of a very low level enumeration with the high level API calls, RootkitRevealer would detect any discrepancy as a potential rootkit attack.

One day when Mark was working on the latest version of RootkitRevealer, it set off the cloaking alarm. He was surprised, as he's quite careful about installing software only from reputable sources, so how could he have picked up a rootkit? All the normal scans came back empty, so he did what folks like Mark do in such a situation: he broke out the kernel debugger to get medieval on it. On a 32-bit system, the Windows kernel normally lives in an address range that always starts with eight, so all the service routines live up at eight bajillion hex. Code loaded by the user later will be located somewhere else entirely, like at a high address starting with an F. A quick look through his system kernel service table revealed at least two obviously patched functions. On closer inspection he verified that those patched functions were pointing to driver code living in a file that was cloaked, one that dir doesn't see. Now, while you can't see a file that's cloaked in this manner, it's still there, and you can load and access it if you know its full path.

[Music]

So, equipped with this knowledge, he simply copied the cloaked driver file to a new folder where he was able to see it, and then he was able to load it into the IDA Pro disassembler and take a closer look at the code. Mark being Mark, the first thing he did was find a bug in it, like the fact that it allowed for unloading the driver, which a shimmed piece of code like that can never actually do, as somebody might be about to just execute it. Then there's no way to inform them or prevent that from happening, which leads to a blue screen. Mark spent a good deal of time on the technical trail of the rootkit, and I'll include a link to his blog in the video description that details most of it. Long story short, however, what he confirmed is that Sony had installed the rootkit on his machine, and that it was DRM, or digital rights management software, better known as copy protection. He must have acquired it when he had inserted one of their music CDs into his machine at some point.

The technology had apparently come from a developer known as First 4 Internet originally, and Sony's decision to use it on music CDs meant that it was included on some 52 different titles. They called it Extended Copy Protection, or XCP for short. Over 22 million CDs would be shipped with some form of copy protection in this period, and 2 million of those would be specifically the XCP rootkit variant. The estimates for how many machines were ultimately infected range from a few hundred thousand to over a million; it depends on how you're counting, and which version of the rootkit, and there were two, and one was kind of worse than the other, but both are similar and don't get permission, and so I'm kind of lumping them in together. But I want to talk about XCP in particular.

The XCP protection prevented you from ripping the raw audio tracks off of the CD. The software remains resident in the user's system, intercepting all accesses of the CD drive to prevent any media player or ripping software other than the one included with XCP itself from accessing the music tracks of the Sony CD. It didn't matter which CD ripping software you used, because it was done down at the driver level. And of course, since you couldn't read or play the tracks yourself, you couldn't duplicate them either, which was the primary intent of the whole thing.

You might be surprised that so many people would willingly agree to install such a thing. Well, it helps that it didn't matter whether you accepted the EULA, that big license agreement that you normally skip over during setup, or not. According to Wikipedia, if you declined, it still got installed. Of course, the EULA didn't even mention the copy protection system anyway, so I guess it's not surprising or meaningful in the end anyway.

Aside from the legal and ethical questions surrounding the secret rootkitting of up to a million machines, Russinovich's technical analysis of the rootkit code revealed a number of other concerns. First, it contained bugs and security holes that could be exploited by malicious worms and viruses. Because it was buggy and ran down within the kernel, any such exploits provided instant privilege escalation to administrative rights. Next, he noted that it was always running in the background, consuming both CPU and memory, regardless of whether a CD was even inserted or not. And as mentioned earlier, it contained bugs and design defects that meant attempts to stop and start the driver could blue screen the entire machine. And finally, it provided no uninstaller, and cloaked itself in such a way that anything but a truly surgical and expert attempt to remove it could yield a system that wouldn't boot, or that would boot with missing drives.

Soon after Mark's mention of the problems, several trojans and worms were released by hackers that exploited XCP security holes. Some were intended simply to aid cheating in online games, but others were more sinister. So I said that people didn't know what a rootkit was anyway, so why should they care? But now that they knew, the computing public was by and large outraged when they found out, and Sony was forced to release a removal tool. Now, the only problem was that it didn't actually remove the rootkit; it merely uncloaked it. Better yet, in order to even download the removal tool, you had to sign up with your email address and agree to receive bulk emails from third-party marketing companies, at least according to the included privacy policy that you were required to accept in order to proceed through the process. As icing on the cake, the uninstaller, which as I said didn't even really work, also installed an ActiveX control marked safe for scripting that contained backdoor methods. Microsoft responded by using the little known method known as the ActiveX kill bit to remotely disable that ActiveX control. But perhaps I've said too much.

Eventually Sony did release a new and improved removal tool, which was both new and improved in the sense that it actually did something. Sony continued to promise that there were no security risks associated with the anti-piracy technology, despite multiple reports of viruses and malware actively exploiting it. Ultimately the US-CERT branch of the Department of Homeland Security issued an advisory about the dangers of the Sony rootkit, along with helpful advice such as "do not install software from sources that you do not expect to contain software, such as an audio CD." It's a bit maddening given that it was effectively a silent drive-by install once you got the setup rolling, and none of the users had any idea that they were even installing it.

But soon after, the lawyers rode to the rescue. New York and Massachusetts issued advisories, the state of Texas sued Sony BMG, and multiple class action lawsuits were filed against them in New York and California. All this unwanted scrutiny revealed other problems as well, such as the fact that the Sony rootkit had included open source software, such as an MP3 encoder from a software publisher that was actually GPL, they believe, and they didn't follow the license agreement in any way. By now Sony was in enough hot water that it had to capitulate. They settled most of the legal actions. Now, you're too late to submit a claim now, but if you had in time, you could have received seven dollars and fifty cents and one DRM-free Sony album of your choosing. Sony pulled all the remaining XCP titles from the shelves.

As I said, I'm quite a fan of most Sony products, and I'm guessing there must have been a massive cultural shift in the days since this all happened, which was back in the 2005 to 2007 time frame. I don't think they would have survived otherwise. Which executives remain from those days, I have no idea, but for those that do, I hope and assume that their attitudes towards the consumer have evolved a bit.

The XCP protected CDs plainly carried the XCP logo and carried an explanation similar to the following: "This CD is equipped with XCP copy protection technology, preventing the downloading or burning of the musical content." One thing you can be sure they all did have in common was that they lacked the official CD logo, because their wonky protection format didn't comply with the official CD standard known as the Red Book.

Could you get infected by it today? Well, you'd have to have a 32-bit version of Windows, but believe it or not, if you did, you still can. On the current 32-bit build of Windows you'll be prompted, so that it can't do a drive-by installation on you, but if you press on and go through the steps, it will indeed install. Unfortunately, when I saw somebody try, their system would no longer boot for some reason, so I don't recommend you try it, even out of curiosity.

One good thing did come of all this, I think. The public got its first taste of music DRM, and it was such a bitter pill that it really laid the groundwork for the music streaming ecosystems like Spotify and iTunes. The notion that we were going to buy and collect individual DRM audio tracks just wasn't going to happen. The big services provide, by and large, every song you want online, and you can play your own local tracks for content that you own that they do not have. And in so doing, they address both sides of the coin that we talked about earlier: the legal backup copy issue and the collector instinct. That's good. Not only do you get essentially infinite copies of your music, but your music collection is also essentially limitless in size. As long as the subscription costs are fair, it's a great solution for everyone. Certain types of artists don't fare as well with streaming revenue as they did with album sales, but it opens up the doors for others, and the world keeps on spinning into the future, as Steve Miller would have said a long time ago.

If you enjoy this kind of industry tale told from an insider perspective, I'd be honored if you consider subscribing to my channel so you don't miss future episodes in the Windows War Stories series, and check out the playlist for prior episodes. I don't have any Patreons and I'm not selling anything; I'm just in this for the subs and likes, so please be sure to leave me one of each before you go. Actually, I am selling one thing, but I don't keep the profits. That's the classic Dave's Garage mug, available in the channel store. Any and all channel profits from views and merchandise in calendar year 2021 are being donated to the UW Autism Center, so grab a mug, where the satisfaction of knowing that you helped a kid is absolutely guaranteed to make your coffee taste better. Not a guarantee. Thanks for joining me out here in the shop today. In the meantime, in between time, I hope to see you next time, right here in Dave's Garage.

[Music]
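The two detection ideas the video walks through, RootkitRevealer's cross-view comparison of a low-level directory enumeration against the hooked high-level one, and the kernel-debugger check that service-table entries point into the kernel's own address range rather than into later-loaded driver code, as an added Python illustration. This is not Sysinternals code and not the tool described in the video: the cloaking hook is simulated by a filter that drops names beginning with `benji` (the hypothetical file name used in the transcript), and the kernel range and service-table addresses are constructed sample values, not real ones.

```python
"""Cross-view enumeration diff and service-table range check.
Added illustration modelled on the transcript; not Sysinternals code."""
import os
import tempfile
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed cloaking rule standing in for a hooked FindFirstFile/FindNextFile:
# any name beginning with this prefix is dropped from the high-level view.
# "benji" follows the hypothetical file name used in the transcript.
CLOAK_PREFIX = "benji"


def raw_enumerate(path: str) -> List[str]:
    """Low-level view: what is actually on disk, reached below the hooked API."""
    return sorted(os.listdir(path))


def hooked_enumerate(path: str) -> List[str]:
    """High-level view: the same directory as seen through the simulated hook."""
    return [n for n in raw_enumerate(path) if not n.lower().startswith(CLOAK_PREFIX)]


def compare_views(high: List[str], low: List[str]) -> Tuple[List[str], List[str]]:
    """Cross-view diff. Returns (cloaked, phantom): names only the low-level
    view reports (hidden from user mode) and names only the high-level view
    reports (fabricated entries). Either list being non-empty is a finding."""
    hi, lo = set(high), set(low)
    return sorted(lo - hi), sorted(hi - lo)


def scan_directory(path: str,
                   high: Callable[[str], List[str]] = hooked_enumerate,
                   low: Callable[[str], List[str]] = raw_enumerate
                   ) -> Tuple[List[str], List[str]]:
    return compare_views(high(path), low(path))


def demo_cross_view() -> Tuple[List[str], List[str]]:
    """Create a scratch directory with constructed file names and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("readme.txt", "player.exe", "benji.sys", "BENJI.dat"):
            open(os.path.join(d, name), "w").close()
        return scan_directory(d)


@dataclass(frozen=True)
class ModuleRange:
    name: str
    start: int  # inclusive
    end: int    # exclusive


def find_patched_entries(service_table: List[int],
                         trusted: List[ModuleRange]) -> List[Tuple[int, int]]:
    """Flag service-table entries whose target lies outside every trusted
    kernel module. On the 32-bit layout the transcript describes, the kernel's
    own routines sit in the 0x8xxxxxxx range while later-loaded driver code
    sits elsewhere, so an entry pointing outside the kernel image is suspect."""
    return [(i, addr) for i, addr in enumerate(service_table)
            if not any(m.start <= addr < m.end for m in trusted)]


# Constructed sample: one trusted kernel range and a five-entry table in which
# two entries have been redirected into a region the kernel does not own.
SAMPLE_KERNEL = [ModuleRange("ntoskrnl (constructed range)", 0x80400000, 0x80600000)]
SAMPLE_TABLE = [0x80410A20, 0xF7A12340, 0x80432C10, 0xF7A12F00, 0x804599F0]

if __name__ == "__main__":
    cloaked, phantom = demo_cross_view()
    print("cloaked:", cloaked, "phantom:", phantom)
    for idx, addr in find_patched_entries(SAMPLE_TABLE, SAMPLE_KERNEL):
        print(f"service #{idx} -> {addr:#010x} lies outside the kernel image")
```

The point of the directory check is that the verdict comes from the disagreement between two views, not from any signature: a scanner that only asks the hooked API sees a clean folder. The range check is the static counterpart of what the video describes doing in the kernel debugger; a real implementation would take module ranges from the loaded-module list rather than from a hard-coded sample.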
Info
Channel: Dave's Garage
Views: 184,301
Id: PqWjq2SdzpI
Length: 20min 47sec (1247 seconds)
Published: Thu Dec 02 2021