Fighting fire with fire

In the past few days, stories about Sony’s unique DRM technology have been circulating on the old Intarweb. Basically, when you insert some Sony or BMG music CDs into your Windows machine, a window with a EULA pops up. As soon as you click “accept”, you get a rootkit from the good folks at www.first4internet.com. The rootkit installs a daemon (or service, if you prefer the Windows parlance) called $sys$DRMServer.exe. This server scans all your running programs two times a second to make sure that none of your software is trying to pirate Sony’s precious music copyrights (naturally, this uses up quite a bit of CPU power and memory even when you are not listening to music. Thanks, Sony!)

The rootkit also installs a driver called $sys$crater.sys, a filter driver layered on top of your real CD-ROM driver. If you take the obvious step of using a rootkit hunter to delete the hidden $sys$ files and their registry keys, you lose your CD drive: $sys$crater.sys is still registered as a filter on the CD-ROM device, and when Windows can’t load it, it won’t bring up the real driver either.

To remove the rootkit, you either need to know a lot about Windows kernel internals, or call Sony technical support to ask them for a special rootkit remover.

So, the rootkit is installed without your knowledge, scans all of your programs (including your private data), hogs your CPU and memory, and is hard to stop or remove. In other words, evil.

Now, you may ask, how does this rootkit prevent you from noticing it in the process table, on your hard drive, or in the registry? Simple. It hooks the Windows syscall table (the System Service Descriptor Table, btw, as an aside: this sort of shit is precisely why the Linux kernel stopped exporting the address of its syscall table a few years ago) so that the calls that list files, running processes and registry keys silently drop any entry whose name starts with $sys$. The file is still there; the listing the kernel hands back to you has simply been filtered before you ever see it.

And this brings us back to the title of this post, Fighting fire with fire.

You see, when you install Blizzard’s extraordinarily popular MMO World of Warcraft, you agree to run Blizzard’s program called Warden that checks your computer to make sure you are not cheating in the game. When you start the game, the client downloads an up-to-date copy of Warden and runs it. If Warden finds that you are running a program that’s known to facilitate cheating in WoW (it checks by looking at the list of all loaded DLLs, the titles of all open windows, the list of all running executables, and certain bytes of the text section of all running executables), presumably you get kicked off the server or even get your account terminated.

So, Warden is installed without your knowledge, scans all of your programs (including your private data), hogs your CPU and memory, and is hard to stop or remove. In other words, evil.

Now, this is the beautiful part. The good folks at WoWSharp have decided to see what happens when you use Sony’s evil DRM rootkit against Blizzard’s equally evil Warden. And lo and behold: if you rename your cheat program from myhack.exe to $sys$myhack.exe, Warden can’t see it. Warden enumerates running programs through the same Windows calls the rootkit has hooked, so the list it gets back has already had your cheat filtered out of it, right alongside Sony’s own files.
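To make the mechanism from the last two sections concrete, here is an added example, not First4Internet’s, Sony’s or Blizzard’s code, and not from the original post: a userland model of a hooked enumeration routine that drops every entry starting with $sys$, and the cross-view check a rootkit hunter uses to catch it (enumerate once through the hooked path, once through a path the hook doesn’t cover, and report the difference). The entry names in the list are constructed sample data; the real hook lives in the kernel in front of the directory, process and registry listing syscalls, which this model only imitates.

```c
/*
 * Added example (not First4Internet's, Sony's or Blizzard's code): a userland
 * model of how a "$sys$" name filter in a hooked enumeration routine hides
 * entries, and the cross-view check that exposes it.  The entry names below
 * are constructed sample data.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HIDE_PREFIX "$sys$"
#define MAX_ENTRIES 32

/* Constructed "raw" view: what the disk / kernel process list really holds. */
static const char *raw_entries[] = {
    "explorer.exe",
    "WoW.exe",
    "$sys$DRMServer.exe",
    "$sys$crater.sys",
    "myhack.exe",
    "$sys$myhack.exe",
};
static const size_t raw_count = sizeof raw_entries / sizeof raw_entries[0];

/* The filter the rootkit applies: a name is dropped from results when it
 * begins with the hide prefix. */
int is_hidden_by_hook(const char *name)
{
    return strncmp(name, HIDE_PREFIX, strlen(HIDE_PREFIX)) == 0;
}

/* Model of the hooked enumeration call (in the real thing this sits in the
 * kernel, in front of the file, process and registry listing syscalls): it
 * returns the raw list minus every entry the filter matches.  Returns the
 * number of entries written to out. */
size_t hooked_enumerate(const char **raw, size_t nraw, const char **out, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < nraw && n < max_out; i++)
        if (!is_hidden_by_hook(raw[i]))
            out[n++] = raw[i];
    return n;
}

/* Cross-view detection: anything present in the raw view but absent from the
 * hooked view is being hidden by something between you and the data.
 * Returns the number of hidden entries written to hidden. */
size_t cross_view_diff(const char **raw, size_t nraw,
                       const char **hooked, size_t nhooked,
                       const char **hidden, size_t max_hidden)
{
    size_t n = 0;
    for (size_t i = 0; i < nraw && n < max_hidden; i++) {
        int seen = 0;
        for (size_t j = 0; j < nhooked; j++)
            if (strcmp(raw[i], hooked[j]) == 0) { seen = 1; break; }
        if (!seen)
            hidden[n++] = raw[i];
    }
    return n;
}

/* Does the name show up when you enumerate through the hooked path?  This is
 * the view a scanner that trusts the hooked API (like Warden) gets. */
int hooked_view_contains(const char *name)
{
    const char *view[MAX_ENTRIES];
    size_t n = hooked_enumerate(raw_entries, raw_count, view, MAX_ENTRIES);
    for (size_t i = 0; i < n; i++)
        if (strcmp(view[i], name) == 0)
            return 1;
    return 0;
}

/* Number of constructed entries the cross-view check flags as hidden. */
size_t count_hidden_entries(void)
{
    const char *view[MAX_ENTRIES], *hidden[MAX_ENTRIES];
    size_t nview = hooked_enumerate(raw_entries, raw_count, view, MAX_ENTRIES);
    return cross_view_diff(raw_entries, raw_count, view, nview, hidden, MAX_ENTRIES);
}

int main(void)
{
    const char *view[MAX_ENTRIES], *hidden[MAX_ENTRIES];
    size_t nview = hooked_enumerate(raw_entries, raw_count, view, MAX_ENTRIES);
    size_t nhidden = cross_view_diff(raw_entries, raw_count, view, nview, hidden, MAX_ENTRIES);

    printf("hooked view (%zu entries):\n", nview);
    for (size_t i = 0; i < nview; i++) printf("  %s\n", view[i]);
    printf("hidden by hook (%zu entries):\n", nhidden);
    for (size_t i = 0; i < nhidden; i++) printf("  %s\n", hidden[i]);
    return 0;
}
```

The point of the diff is that the filter is only as good as the scanner’s choice of API: a scanner that walks the same hooked listing sees three entries fewer and never knows it, while one that also reads the raw view gets the hidden names handed to it. The renamed cheat and Sony’s own files fall out of the hooked view for exactly the same reason.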

This is called fighting fire with fire.

Of course, at the moment it’s all fun and games, but it’s only a matter of time before viruses start using Sony’s rootkit to hide themselves from antivirus software: any malware that names itself with a $sys$ prefix on an infected machine gets the same free cloaking the cheat does.

(got the idea via this /. post)
