[IP] CD installs virus/spyware
Begin forwarded message:
From: Barry Ritholtz <ritholtz@xxxxxxxxxxxxx>
Date: June 25, 2004 6:27:39 AM EDT
To: Dave Farber <dave@xxxxxxxxxx>
Cc: John Paczkowski <jpaczkowski@xxxxxxxxxxxxxx>
Subject: Re: CD installs virus/spyware
Hey Dave,
Regarding the recent post "Music CD installs copy-protection software"
-- The Register (full article below) has a very different take on it.
This is not DRM software - although that may be its authors goal;
Rather, this is an unauthorized hack -- an "executable file is
automatically and silently installed on the user's machine when the CD
is loaded."
No permissions, no disclosures, no authorization. It meets all the
definitions of a virus.
A least the Velvet Revolver CD (discussed early this week) asks
permission before installing any DRM measures. The new CD from the
Beastie Boys doesn't bother with such niceties.
The great irony is that the Beastie Boys became so successful by very
creatively sampling the works of other artists. Observers have noted
that their 1980's albums (including their masterwork, "Paul's
Boutique") couldn't even get made to day, due to all the newer
copyright restrictions.
Of all people, for these guys to have drunk the DRM Kool-aid is the
ultimate irony -- and sell out. No wonder their fans have been so
angry.
Barry L. Ritholtz
Market Strategist
Maxim Group
britholtz@xxxxxxxxxxxx
(212) 895-3614
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Big Picture: A blog of capital markets, geopolitics, with a dash
of film!
http://bigpicture.typepad.com/comments/
Beastie Boys CD installs virus
By Thomas C Greene
Published Wednesday 23rd June 2004 11:18 GMT
http://www.theregister.co.uk/2004/06/23/beastie_boy_cd_virus/
A new Beastie Boys' CD called "To the Five Boroughs" (Capitol Records),
is raising hackles around the Web for reputedly infecting computers
with a virus.
According to a recent thread at BugTraq
(http://www.securityfocus.com/archive/1/366502/2004-06-17/2004-06-23/
1), an executable file is automatically and silently installed on the
user's machine when the CD is loaded. The file is said to be a driver
that prevents users from ripping the CD (and perhaps others), and
attacks both Windows boxen and Macs.
The infected CD is being distributed worldwide except in the USA and
UK, which prevents us from giving a firsthand report. However,
according to hearsay, we gather that the Windows version exploits the
'autorun' option, and that the Mac version affects the auto play
option.
On Windows, when a CD is loaded, a text file called autorun.inf is
read, and any instructions within it are executed. In this case, the
machine is instructed to install some manner of DRM driver that
prevents copying. We haven't seen either the .inf file or any of the
executables, so we can't say how or at what level it accomplishes this
- or if indeed it actually does accomplish this.
But assuming that the unconfirmed reports are accurate, we have here a
media company infecting users' machines silently with a file that
affects a computer's functionality, without first obtaining informed
consent: a likely violation of pretty much every jurisdiction's
anti-hacking laws. It's possible to foresee criminal charges being
brought at some point: after all, having a good reason for spreading
malware has never been much of a defence in court. And a file that
alters a computer's functioning without the owner's informed consent is
the very definition of malware. Because this malware can be transferred
from machine to machine on a removable disk, and requires user
interaction to spread, it is, quite simply, a computer virus. (A worm,
on the other hand, is distinguished by its ability to spread without
user interaction.)
CD virus protection
Let's look at the ways this autorun business can be defeated. It's
quite easy to disable autorun in Windows by holding down the Shift key
when loading a CD. Unfortunately, this has to be done each time the CD
is played. However, it's easy to insert the CD once with the Shift key
depressed, and then simply rip the tracks to the hard disk. You can
then use the CD in other devices, and listen to your corresponding MP3s
or whatever on your computer.
You can also disable the autorun "feature" on your Windows machine
permanently so that this and other CDs infected with viruses won't
affect you in the future.
To do this, go to the Start menu ==> Run, and type in the command
regedit . Your registry editor will launch. Navigate to the following
key, and edit as shown:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDRom and set
Autorun DWORD=0
It might be necessary to create the value, thus: Data Type: DWORD Value
Name: Autorun Value: 0
As usual, you must reboot your Windows box for the changes to take
effect.
Disinfection
The above procedure assumes that you haven't previously installed the
suspected Capitol Records virus, or a similar one from another fine
entertainment conglomerate. But if you have, you will need to find and
uninstall the malware first. The autorun.inf file on the CD will likely
indicate the name of the relevant file(s), the locations where they're
installed, and any registry changes made.
Armed with that information, go to the Windows 'uninstall' utility:
Start menu ==> Settings ==> Control Panel ==> Add or Remove Programs
==> Change/Remove.
Look for any program files referenced in the autorun.inf file and
uninstall them. If no related programs are listed, you will need to
launch the Windows Search Companion and search for any files named in
the autorun.inf file and delete them manually. Be sure to activate the
options in the "more advanced features" dialog allowing you to search
the entire disk (search system folders, search hidden folders, and
search subfolders).
Now, a word of caution: if the Capitol Records virus has updated a
library file or driver, deleting it might affect your system's
functioning, and you might need to re-install Windows to put things
right again. (Carefully log the time needed to do this and include it
in your criminal complaint.) However, deleting a foreign executable
file is safe, so long as it's not one you actually need. So be careful
about file name spellings so that you don't accidentally delete an
important file that's spelt similar to the one you wish to be rid of. ®
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/