193 Comments
- Kahlnen, on 10/10/2007, -13/+164Didn't Sony say: "Rootkits Are Okay, Because No One Knows What They Are" a little while back?
- estvir, on 10/10/2007, -16/+144You guys need to actually figure out what a rootkit is, it may help.
"It doesn't install a rootkit. It's a registry value that Rootkit revealer gives you a notice of. Just like every file that your Spyware detector pings on isn't necessarily a trojan. This ISN'T a rootkit, just a nasty registry entry."
"Except that it is different, because it doesn't open up any security holes in your machine. The evil of the rootkit was that it allowed for a number of different security holes. Be mad about copy protection if you want. But don't spread FUD."
- mucnix, on 10/10/2007, -5/+72"I searched for the SecuROM software and could not find it"
You don't understand what a rootkit is, do you?
- hmunkey, on 10/10/2007, -24/+87Buried as inaccurate. It DOES NOT install a rootkit. Dumbass, do research.
- StaticThunder, on 10/10/2007, -11/+73It's not a rootkit, but it IS SecuROM crap I don't want on my system. I didn't need another reason not to buy this game, but they gave me one anyway.
- Maasneotek, on 10/10/2007, -4/+39FYI this guy has no clue what he's talking about. Once he was proved wrong he changed the article. It's not a rootkit, which he fully admits NOW on his blog. He's just fishing for hits. I know that sounds harsh but I have no other conclusion when someone posts inflammatory bogus info, without doing any research past a couple of 12 year olds screaming about rootkits and lawsuits on the forums...
- charityjustice, on 10/10/2007, -12/+36A complete non-issue.
It's not a rootkit. It's just an annoying copy protection scheme that crybabies have taken it upon themselves to call a "rootkit" in order to get some free press out of the issue.
360 fans, don't feel all superior over this. The game still runs, looks, and plays better on the PC.
- mahoua, on 10/10/2007, -4/+25FTA :
*REFERENCES TO ROOTKIT HAVE BEEN REMOVED, FURTHER INVESTIGATION HAS REVEALED A MISUNDERSTANDING IN THE THE SECUROM SERVICE
- inactive, on 10/10/2007, -4/+23Did you even read the article??
It's NOT a rootkit!
- curunculus, on 10/10/2007, -7/+25Like many others I installed the Bioshock demo, played it and then later uninstalled it. Much to my horror I later discovered that even the demo installs Sony's Securom DRM sh*tware and, what's worse, leaves Securom on your system even if you uninstalled the Bioshock demo!
This is a security risk!
So without further ado:
Securom uninstallation instructions for Windows XP SP2
Disclaimer 1: Only attempt these uninstallation instructions if you are reasonably computer literate and have backed-up your entire system.
Disclaimer 2: Only attempt these uninstallation instructions if you have no games installed which require Securom to be present.
Disclaimer 3: Only attempt these uninstallation instructions if you previously had to authorise your PC with Securom before you could play a game and that game is now uninstalled.
* Step 1: Uninstall the Bioshock demo.
* Step 2: Remove the Securom registry entries.
The Securom registry entries are deliberately made non-removable by default. In order to remove them download the http://www.microsoft.com/technet/s [...] lNull.mspx RegDelNull registry editing utility from Microsoft and install it on your C partition.
Run the following two commands from a Windows command prompt: "C:\regdelnull HKEY_CURRENT_USER\Software\SecuROM -s" and "C:\regdelnull HKEY_USERS\Software\SecuROM -s" where "" can be determined by searching the registry for the "Securom" directory key. This "" typically has a form like "S-1-5-21-2052111302-1757341266-724545543-500". Once these two RegDelNull commands have been successfully issued the registry should be checked to confirm that these two keys have been deleted. If they are still present they will now be removeable due to the action of the RegDelNull utility.
* Step 3: Removal of the Securom service and related utilities.
Open a Windows command prompt and change directory to "c:\windows\system32". Type "uaservice7 /remove". This will stop the Securom user access service, and clean up its relevant registry entries. On the Windows command prompt type "regsvr32 /u cmdlineext.dll". Reboot and then manually delete the files "uaservice7.exe" and "cmdlineext.dll" from "c:\windows\system32". Note: Both of these files are Securom installed files which can be verified by checking their file properties (Right click - Properties).
* Step 4: Removal of Securom files under "C:\Documents and Settings".
Securom installs a hidden directory with 6 files under "C:\Documents and Settings\Application Data\Securom". The first 4 ordinary text files can simply be manually deleted once Windows explorer has been configured to show hidden files and folders. The two remaining malformed nominally unremoveable files require a special method to delete: Invoke a Windows command prompt with full Administrator privileges by typing the following into a Windows command prompt: "at /interactive %systemroot%\system32\cmd.exe" e.g. "at 9:02pm /interactive %systemroot%\system32\cmd.exe". This will open a new Administrator command line when the time set has been attained. In this new command prompt change directory into the Securom folder e.g. "cd C:\Documents and Settings\Application Data\Securom". Issue the following command to show the two remaining hidden malformed files: "dir /A". To delete the two remaining hidden malformed files issue the following command: "del /F /AH *". Confirm "yes" for each of the two file deletions of the malformed files. Finally, the directory "C:\Documents and Settings\Application Data\Securom" can be deleted as per normal practice from within Windows explorer.
- TheNik, on 10/10/2007, -3/+20Can't you just shut up and enjoy the goddamn game?
- TrevorBradley, on 10/10/2007, -3/+20Turn on hidden folders, and look to see if there's a SecuROM directory in C:\Documents and Settings\[username]\Application Data\. I found the folder in there, wasn't sure if it was BioShock that installed it though.
Good instructions for removing it here:
http://isohunt.com/forum/viewtopic.php?t=85806
- andre4u, on 10/10/2007, -1/+17From http://www.techdirt.com/articles/20051108/0117239_F.shtml:
Thomas Hesse, President of Sony's Global Digital Business, literally says: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
- hawkspur, on 10/10/2007, -8/+23It's. Not. A. Rootkit.
Buried as inaccurate.
- TWRAM, on 10/10/2007, -9/+23From what is being said around the internet, there are different versions of the demo that don't include the SecuROM service. The RootkitRevealer program from Microsoft picked up the service when I ran it. Is it a true "rootkit"? Most likely not, but the service is still showing up, when it didn't need to be included in the demo.
- Subterfug, on 10/10/2007, -2/+14It is ironic then that piracy is not plagued with these problems.
- victorguttmann, on 10/10/2007, -2/+14Quite frankly I can't believe they're limiting the number of installs at all. The DRM techniques are really just getting crazy/desperate.
- chokeaduck, on 10/10/2007, -0/+12Didn't they just have a huge class action lawsuit for a bunch of CDs in 2005/2006 including rootkits when placed in a CD-ROM drive? Foo Fighters In Your Honor comes to mind... I paid for the damn album, I should be allowed to rip it on my own.
- mucnix, on 10/10/2007, -0/+11"Removing a rootkit is NOT impossible, but very difficult to do without backing up and formating the HD."
You're right about that part.
- Jugalator, on 10/10/2007, -1/+11Rootkits intentionally use tricks to hide themselves from registry/file scans etc, so if it does that, it is one, otherwise not. The purpose doesn't really matter though, and it doesn't have to be something like a virus.
- DROWE859, on 10/10/2007, -0/+10Nice poem, but anyways, companies need to realise people are going to pirate with or without protection. They only hassle the legitimate customers this way.
- Bamborzled, on 10/10/2007, -3/+12SecuROM is made by Sony. Proof: http://www.sonydadc.com/americas/prod.newtech.secu.go
- Yukimi, on 10/10/2007, -3/+12Even if it's not a rootkit it's a crappy DRM that wasn't disclosed. Just as bad if you ask me...
- Vektuz, on 10/10/2007, -3/+12It does not install a rootkit. It's still very invasive, phones home, etc, but it's not a rootkit.
- mikochu, on 10/10/2007, -1/+9I miss having to deal with this crap... /sarcasm
- flameboy, on 10/10/2007, -0/+8There is no such thing as a trusted company
- JayRD, on 10/10/2007, -3/+11Because I am a paying customer, I get screwed over?! ***** that, I'm not buying this.
- Ignignokt01, on 10/10/2007, -2/+10God you're an idiot...
- Altanar, on 10/10/2007, -5/+13THERE IS NO BIOSHOCK ROOTKIT. I don't know who's worse: The ***** morons who post sensationalist articles on their blogs to get ad revenue or the Diggtards who vote the articles up without even checking them. Oh, and then there's the wastes of human life that not only digg up ***** rumors, but also post trite comments saying how much better their Mac/Linux machine is because they don't have to worry about stuff like that.
This article is almost as idiotic as the "Mother Teresa was an atheist" post. I mean, come on. A person writes once, 50 years before she died, that she wasn't sure God existed. All of a sudden she was an atheist.
So, Digg is nothing more than a tabloid. Too bad, it used to be somewhat useful for finding good news stories.
- Cl1mh4224rd, on 10/10/2007, -1/+9Comment abuse, but read the comments attached to the linked blog post...
The guy admits he only used the word "rootkit" because he knew it was something people would type into search engines. It's not really a rootkit, but he doesn't care.
- tehpwnrate, on 10/10/2007, -0/+8How is this about Sony?
- jdaniel284, on 10/10/2007, -2/+9A rootkit is a software tool or set of tools that allows someone access to OS functionality not reserved for that user. How you can say that this is not a "rootkit" is beyond me.
Call it whatever you want, a rootkit, a *****, a violation of trust, a crime, trojan, a virus, an annoyance, an uninvited guest, whatever. The point is that this piece of software is NEGATIVE and SECRETIVE. It has no place on anyone's computer unless they are clearly informed beforehand.
- smek2, on 10/10/2007, -1/+8Man, I'm so glad I did not install the new Systemshock, err I mean Bioshock demo. And I won't do so in the future. Because, even if it's technically not a "rootkit", it's Securom and everybody who knows a little bit about this matter stays away from this crap.
- Canadianinjapan, on 10/10/2007, -0/+7I want this ***** off my computer when I uninstall the game. It isn't an issue of piracy.
- curunculus, on 10/10/2007, -0/+7Digg strips backslashes ... you can get the original post here: http://www.gamingbob.com/forum/viewtopic.php?f=33&t=300
- KlayBorg, on 10/10/2007, -1/+7Shoo Mactard, nobody cares.
- inactive, on 10/10/2007, -0/+6Correct terms are important in the tech world, and at one time Digg was a tech related site.
- nreynolds, on 10/10/2007, -1/+7It's more like saying "I'm going to talk about a company that has nothing to do with this article because I'm dumb as hell"
- Canadianinjapan, on 10/10/2007, -1/+7securom should not remain on the system after you uninstall it. Makes one angry enough to pirate the game out of spite.
- inactive, on 10/10/2007, -1/+7Can you dl the game for free for your 360?
Don't answer that.
- ByronT, on 10/10/2007, -3/+9This is the internet.
- pixelat3d, on 10/10/2007, -0/+5Some users are reporting that they aren't getting the "root kits" installed, either they're not checking properly (as the software does hide itself) or they got lucky. I got one from the demo, reformatted today just to make sure it's completely gone. While this package is not malicious (people usually scream bloody murder when they hear root kit), it behaves in VERY disturbing ways and does open up avenues to spying etc. It's not some 'h4x0r' kid who's doing it ... but it wasn't some h4xor kid when Sony pulled this ***** the first time either. Buy the 360 version if you can, if not go ahead and buy the game to support Insomniac (now 2K Boston), but wait for a 'scene' release, as they will no doubt do their best to strip all this securom ***** out. You would think Sony would've learned their lesson by now, but they obviously haven't. This is the same crap we went through a couple years ago with starforce, just ratcheted up quite a few notches.
- Anubis2051, on 10/10/2007, -1/+6Sounds like the reason you own a mac is because you don't enjoy playing good games... lemme know how chess is going for ya, I'll be over here playing half-life...
- DarkSideofOZ, on 10/10/2007, -5/+10It's not a rootkit, the only reason it shows up with the rootkit detector is because of the * on the end of the registry key entry, which causes Microsoft's detector to flag it with the message "Key Name Contains Embedded Nulls." So before you start blabbing your idiocy further perhaps you should look into your claims before you hit submit.
- KlayBorg, on 10/10/2007, -0/+5SAME REASON I TYPE IN CAPS!!1!!!!!1!@!!!!@@!!!!11!11
- devjunkie, on 10/10/2007, -0/+5Mighta been easier to just make a batch file w/ all those steps ;)
- korvan504521, on 10/10/2007, -0/+5game IS cracked already.
- grumpyrain, on 10/10/2007, -1/+6No, a rootkit has nothing to do with privilege escalation and everything to do with attempting to cloak a process or file so it cannot be seen by the API calls relied on by, for example, Explorer to list files in folders, or Task Manager to list active processes. Malware likes to use rootkits because they allow them to evade virus and spyware scanners.
I disagree with Estvir in part, although we are probably talking about the same thing from different angles. RR does not use hash based signature comparisons to generate hits in the way that spyware detectors do. Quoting Sysinternals:
"Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures."
So basically they use the typical APIs to read in the registry (for example), and compare that with what is stored in the registry files. A discrepancy means that something has modified what is reported to your applications. Most of these discrepancies are where the API returns a null terminated string, but a registry key has been written containing a null in the middle of the string. When a high level application reads the registry string, it will only be told up to the null. (This looks to be the case here)
Whether or not what it stores afterwards is benign is really a means / ends argument. I want to stick away from calling this a rootkit for the simple reason of the connotations. Using a cloaking technique is not necessarily synonymous with malware, and this is probably just an ill-advised copy protection implementation.
- h4mx0r, on 10/10/2007, -3/+8I can't decide whether to bury this as dupe or inaccurate...
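The comparison grumpyrain describes above (API view versus raw view, with a null embedded in a key name), as an added Python example that is not part of the thread and is not RootkitRevealer's code. The record layout (2-byte length plus UTF-16LE name) is a simplified assumption standing in for the real hive format, and all key names are constructed.

```python
import struct

def pack_name(name: str) -> bytes:
    """Constructed record: 2-byte length, then the UTF-16LE name (a counted string)."""
    data = name.encode("utf-16-le")
    return struct.pack("<H", len(data)) + data

def parse_raw_names(blob: bytes) -> list:
    """Low-level view: honour the length field, so embedded NULs survive."""
    names, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack_from("<H", blob, off)
        off += 2
        names.append(blob[off:off + length].decode("utf-16-le"))
        off += length
    return names

def as_c_string(name: str) -> str:
    """High-level view: a NUL-terminated reader stops at the first NUL."""
    return name.split("\x00", 1)[0]

def cross_view_diff(raw_names, api_names):
    """Report every raw name the API view misrepresents or omits."""
    api = set(api_names)
    findings = []
    for raw in raw_names:
        if "\x00" in raw:
            # The API shows only the part before the NUL, so the views disagree.
            findings.append((as_c_string(raw), "key name contains embedded nulls"))
        elif raw not in api:
            findings.append((raw, "present in raw scan, missing from API"))
    return findings

# Constructed sample data, not taken from a real hive.
RAW_BLOB = b"".join(pack_name(n) for n in [
    "Software\\ExampleVendor",
    "Software\\ExampleDRM\\Data\x00hidden",
    "Software\\ExampleFiltered",
])
# Constructed API enumeration: the second name is cut at the NUL and the
# third never appears in the listing at all.
API_NAMES = ["Software\\ExampleVendor", "Software\\ExampleDRM\\Data"]

def demo():
    return cross_view_diff(parse_raw_names(RAW_BLOB), API_NAMES)

if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name!r}: {reason}")
```

The first finding is the benign-looking case argued over in this thread; the second is the case the Sysinternals quote treats as an actual cloaking discrepancy.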
- hawkspur, on 10/10/2007, -2/+6It's not spin you idiot. The damn thing isn't a rootkit, and the guy admits it isn't on his blog.