Blizzard's Warden Thwarted by Sony's DRM Rootkit 418
shotfeel writes "First, news of Warden, a bit of code from Blizzard's WoW to trounce game cheats. Then, a Sony rootkit to make your computer safe for music. Now, news that you can use the Sony rootkit to make your game cheats safe from the Warden."
Published: 2005-11-03
Want to cheat in your online game and not get caught? Just buy a Sony BMG copy protected CD.
World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG's content protection software can make tools made for cheating in the online world impossible to detect. The software--deemed a "rootkit" by many security experts--is shipped with tens of thousands of the record company's music titles.
Blizzard Entertainment, the maker of World of Warcraft, has created a controversial program that detects cheaters by scanning the processes that are running at the time the game is played. Called the Warden, the anti-cheating program cannot detect any files that are hidden with Sony BMG's content protection, which only requires that the hacker add the prefix "$sys$" to file names.
Despite making a patch available on Wednesday to consumers to amend its copy protection software's behavior, Sony BMG and First 4 Internet, the maker of the content protection technology, have both disputed claims that their system could harm the security of a Windows system. Yet, other software makers that rely on the integrity of the operating system are finding that hidden code makes security impossible.
Re:Hell, you knew it was coming. (Score:5, Informative)
Any program that uses the operating system hooks to find out what is going on risks being fooled. The only way around it is to do what RootkitRevealer [sysinternals.com] does, ignore what the OS is saying and go byte-level reading the disk to see what you get, then if you like compare it with what the OS is reporting to see if there's any differences.
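Two defender-side checks built on the comment above, as an added example (not code from the article, from Sysinternals, or from any poster): a canary probe that creates a file with the hidden prefix and asks the ordinary OS API whether it is still listed, and a cross-view diff of the kind RootkitRevealer performs, run here over a constructed raw view rather than a real byte-level disk walk.

```python
"""Checks for "$sys$"-style hiding (added example, simulation for the diff).

canary_probe(): make a file whose name starts with the hidden prefix and see
whether the normal directory API still lists it. A filter driver that hides
the prefix makes the probe disappear from the listing.

cross_view_diff(): the RootkitRevealer idea, diffing an independent (raw)
view against the API view. RAW_VIEW below is constructed sample data, not a
real volume walk, and hooked_view() stands in for the filtering hook."""
import os
import tempfile

HIDE_PREFIX = "$sys$"   # prefix the Sony BMG / First 4 Internet driver hid


def canary_probe(directory=None, prefix=HIDE_PREFIX):
    """True if a freshly created prefixed file is missing from the API
    listing, i.e. something is filtering names with that prefix."""
    directory = directory or tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix=prefix + "probe_", dir=directory)
    os.close(fd)
    try:
        return os.path.basename(path) not in os.listdir(directory)
    finally:
        os.remove(path)   # open-by-name still works even when hidden


def hooked_view(raw_view, prefix=HIDE_PREFIX):
    """Simulated filtered listing; case-insensitive match is an assumption
    of this simulation, chosen because Windows file names are."""
    return [(d, n) for d, n in raw_view if not n.lower().startswith(prefix)]


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view but absent from the API view."""
    seen = {(d.lower(), n.lower()) for d, n in api_view}
    return [(d, n) for d, n in raw_view if (d.lower(), n.lower()) not in seen]


# Constructed sample (directory, name) pairs, not taken from the article.
RAW_VIEW = [
    (r"C:\Windows\System32", "kernel32.dll"),
    (r"C:\Games\WoW", "WoW.exe"),
    (r"C:\Games\WoW", "$sys$cheattool.dll"),
    (r"C:\Temp", "$SYS$dropper.exe"),
]

if __name__ == "__main__":
    print("prefix filtered on this host:", canary_probe())
    for d, n in cross_view_diff(hooked_view(RAW_VIEW), RAW_VIEW):
        print("hidden from API view:", os.path.join(d, n))
```

On a clean host the probe reports False; the diff lists exactly the two prefixed sample entries, which is the discrepancy an investigator would then examine by hand.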
Re:Just goes to show.. (Score:5, Informative)
Sort of. Good ones already employ techniques to try to hide themselves. The difficult part is getting into the kernel, as the Sony DRM software does when you install it.
Virus writers might at this point decide to start using file and process names that start with $sys$, in which case anybody who has installed the Sony DRM app (in particular, WoW cheaters) will be especially vulnerable. I doubt that's a large enough population for the technique to be considered useful, though.
Mostly this is useful for hiding things from prying eyes on your own machine. It is remarkably effective. To prevent malicious apps from taking advantage of it, you might hack the Sony DRM software so it uses, say, $-q8f790vpae-$ as the 'hiding' tag instead of $sys$.
Just watch what you're doing, because as Mark Russinovich points out in the original article, it's not hard to nuke your box by accident in messing with the Sony/First4Internet drivers.
Re:Let's bash Sony (Score:5, Informative)
Another cheat program http://www.wowglider.com/ [wowglider.com] is also getting around WOW's Warden technology by running WOW in a normal user profile in xp, removing access to said user in the wowglider folder, then running wowglider as an admin account. But more than likely you could just install Sony's rootkit, rename your wowglider folder and do the above step for double protection against Warden detecting wowglider.
My point being Sony and First4Internet are saying that the rootkit does not compromise a system's security, when in fact it can and does. And the Cheaters are proving it now, next will be the virus writers.
Re:Just goes to show.. (Score:5, Informative)
It doesn't for two reasons.
First, Warden is not a copyright protection system. It essentially is a EULA protection system. For example, if I use a third party utility to run a speed hack, I can be banned from the game for violating the EULA. I can't be hit up for thousands of dollars for copyright infringement.
Second, as it is installed it in no way would assist in cheating in WoW. A third party can take advantage of what it does do. In other words Sony is not shipping this DRM software with the primary intent to enable cheating in WoW.
In fact, Warden has a greater chance of violating the DMCA since it could access memory that contains copyrighted material after the DRM system has decrypted the work. Luckily the primary design purpose of Warden is also not copyright infringement.
Of course some lawyer may figure out some way to twist all of this around, so who knows.
Re:This whole rootkit business leads one to wonder (Score:3, Informative)
Wow, that's hard to get around.
Once you turn off "Autorun", it's just another quick step with EAC to do a rip and convert to any format you want... I had thought of using my laptop to actually install their DRM to see what kind of crappy quality they had the tracks at, but I'm glad I didn't do that after reading yesterday's article.
Anyways, I'm sure the "other" OS I run isn't affected by this attempt to put shit on my computer that I really don't need....
Re:Let's bash Sony (Score:3, Informative)
Hardly. They're just the first to publicize... this has been floating around in some forums for a little while.
There's less of an advantage to cheating if everyone can do it. So those exploiting this have been keeping their mouths shut...
Re:Just goes to show.. (Score:2, Informative)
According to this BBC report [bbc.co.uk], it only affected Windows users. Everybody else (Mac, Linux, *BSD users) could listen to the CD without problems.
Re:Just goes to show.. (Score:3, Informative)
They've apparently been working closely with Sony and the company who wrote the rootkit to resolve some of these issues, and Sony released some kind of software update tool that removes the rootkit pretty cleanly.
Re:Just goes to show.. (Score:2, Informative)
Actually McD deserved to lose on that one. They were intentionally flaunting/ignoring health department warnings and citations because they had their coffee makers turned up too high, and the liquid was not "safe". Food service code says you can't serve hot liquids at a temp. which causes 3rd degree burns in less than ?20? 30? seconds- time to wipe it off etc. They were serving their stuff at a temp that caused 3rd degree burns in 3 seconds (IIRC). Yes, litigious society, nuisance lawsuits, etc, but this was big evil corp ignoring safety rules that were in place for a reason. HTH.
Re:Just goes to show.. (Score:5, Informative)
It was a total b*tch just to find. The thing would build its directory/itself on shutdown (it seemed) and load then delete any trace of itself at startup, even in Safe Mode. It hid itself from Windows Task Manager and every other scan I could run. I ran some Sysinternals [sysinternals.com] apps such as RootkitRevealer and Autoruns, and they showed nothing over and above anything I could account for. Suspecting it was a rootkit anyway, I found some good apps such as Process Guard, and F-Secure's Blacklight (stand-alone executable, pretty nice), and a CLI app called RkDetector. Once I had run PG I could see what was happening to my poor little PC. Explorer launches a program called ddrssapi.exe from System32, then would go on to launch mchshisn.exe every 3 seconds or so. At one point Process Guard counted mchshisn.exe loading over 350 times before grinding to a crashing halt!
Googling ddrssapi.exe or mchshisn.exe yields no hits (or at least didn't, now it'll probably link to this thread), so I renamed the former (because I knew where it was). I was hoping that was the app that created the directory at startup so I rebooted to see if things calmed down.
Process Guard makes no mention of ddrssapi, but is still continuously launching mchshisn, and I notice that it says it's launching from Program Files/Weslorer... Takes about 4 minutes to bring the box down to its knees, but that gave me enough time to realize that I could do nothing to find this mysterious directory (Weslorer).
I boot into Knoppix 4.0 and lo and behold there is PF/Weslorer. Unfortunately for me, Knoppix didn't want to play nice with NTFS, so I couldn't delete the dir. Then I remembered that I had built the Windows Ultimate Boot Disk based on BartPE a few weeks ago. Booted into it and removed the Weslorer (which also shows no google hits) directory and ran a Spybot S&D scan for good measure. I rebooted into my XP install and all was well. No more popups (which caused the autopsy in the first place), no more stray process launching hundreds of times. Just a new systray icon for Process Guard. That thing's going onto every removable media I have.
I know I still don't really know how it got in and what process it was using to launch itself initially, and that bothers me; but I do not have any symptoms and will have to live with the thought that I got pwned.