Sony's CD DRM Installing Rootkits?!


Christopher

The web has been abuzz since a recent article by Mark at Sysinternals performed an in-depth examination of Sony's DRM programs that come with quite a few of their CDs. The results were stunning -- not in the good sense. What do you guys think of this mishap? Will this be the final catalyst for a true internal shift within Sony?

Further discussion from the BBC:

Sony's music arm has been accused of using the tactics of virus writers to stop its CDs being illegally copied.

One copy protection system analysed by coder Mark Russinovich uses cloaked files to hide deep inside Windows.

The difficult uninstallation process left Mr Russinovich saying that Sony's anti-piracy efforts had gone "too far".

In response to criticism, Sony BMG said it would provide tools to users and security firms that would reveal the hidden files.

Search history

Mr Russinovich, a renowned Windows programming expert, came across the Sony BMG anti-piracy system when performing a scan of his computer with a utility he co-created that spots so-called rootkits.

Rootkits are starting to be used by a small number of computer virus writers because they allow malicious code to be inserted deep inside the Windows operating system, meaning that it will not be spotted by most anti-virus scanners.

Rootkits are used to hide malicious software once it is installed and ensure it is not found and removed by anti-virus programs

After extensive analysis Mr Russinovich realised that the "cloaked" software had been installed when he first listened to the CD album Get Right With the Man CD by country rockers Van Zant.

Although resembling a virus, Mr Russinovich found the hidden files had come from an anti-copying system called Extended Copy Protection (XCP) developed by UK software company First 4 Internet.

About 20 titles are thought to be using the XCP software and in May 2005 Sony said more than two million discs had been shipped using the technology. XCP is just one of several anti-piracy systems Sony is trying.

XCP only allows three copies of an album to be made and only allows the CD to be listened to on a computer via a proprietary media player. The hidden files are installed alongside the media player.

Ridding his computer of XCP proved difficult and briefly crippled Mr Russinovich's CD player.

Writing in his blog about the incident, he said: "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall."

Mr Russinovich said the licence agreement that he accepted when he first listened to the CD made no mention of the fact that he could not uninstall the program or of the significant changes it made to his computer.

If Sony BMG released XCP copy-protected CDs in the UK this oversight could leave the music company open to prosecution under the Computer Misuse Act because it made "unauthorised" changes to a machine, said net law expert Nick Lockett.

"There would be no problem if there's a big screen coming up saying as part of the anti-piracy measures this CD will amend your operating system," he said.

Mr Lockett added that Sony might be inadvertently provoking piracy as consumers irritated by the anti-copying system rip the tracks to get around the restrictions.

Virus link

Mr Russinovich feared that diligent users trying to keep their systems clean of viruses could stumble across the hidden XCP files, delete them and inadvertently cripple their computer.

His worries were echoed by Mikko Hypponen, chief research officer at Finnish security firm F-Secure, who has been looking into XCP since he first came across it in late September.

"What we are scared of is when we find a new virus written by someone that relies on the fact that this [XCP] software is running on tens of thousands of computers around the world," he said. "The rootkit would hide that virus from pretty much any anti-virus program out there."

Mathew Gilliat-Smith, chief executive of First 4 Internet, said the techniques used to hide XCP were used by many other programs and added that there was no evidence that viruses were being written that took advantage of XCP.

He said the debate on the net sparked by Mr Russinovich's work had prompted the company to release information to anti-virus companies to help them correctly spot the hidden XCP files. Consumers can also contact Sony BMG for the patch to unveil, rather than remove, the hidden files.

He said that users were adequately warned about the copy protection software in the licence agreement and were told that it used proprietary software to play the CD.

"It's clearly packaged on the CD that it's copy-protected," he said.

A spokesman for Sony BMG said the licence agreement was explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.

Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually, something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG which gives consumers advice about how to remove the software.

Getting the software removed involves filling in a form on the Sony website, visiting a unique URL and agreeing to have another program downloaded on to a user's PC that then does the uninstallation.

He added that First 4 Internet had had no complaints about XCP since it started being used eight months ago. He also added that the latest generation of XCP no longer used cloaked files to do its job.

"We've moved away from using that sort of methodology," he said.

Finally, Sony has released a patch to assist in the removal procedure.

You may learn more about this here: http://cp.sonybmg.com/xcp/english/updates.html

This is really quite shocking, that an international company would adopt such tactics. It's also worth pointing out XCP more than likely works with other labels too.

I really hate the whole DRM thing though, music once purchased on a CD should be the owner's to use as they wish. In the end DRM is pretty damn useless anyway, if someone really wants to copy and distribute it, then they'll always be able to stream it into the computer anyway. I find it hard to imagine DRM will ever be able to stop direct recording.

I feel that having a digital file (especially when it concerns music) is no substitute for having a palatable, physical disc. For me all DRM does is make what should be simple stuff into real nuisances. Look how messed up SS has become.

The 'digital age' is not all it's cracked up to be.

That's why I don't buy anything else than electronics from Sony. Sony would better sell its music and movie industry and go back to what was intended to be. Sony engineers make money to be wasted on Hollywood.

I knew that Sonicstage was a crap from the beginning, but being that naive in software arena to inject a virus-like code is on top of all. I laughed to my guts.

Update (crossposted on MDCF as well):

Ok, time to push this thread up again.

First, there is more to this than previously known.

The included player software phones home every time the CD is played.

Plus, the deinstaller patch can BSOD your MS-Windows session, resulting in possible loss of data.

Windows doesn't like it, when a piece of code is pulled out, while the CPU jumps into it.

Russinovich's update on this: http://www.sysinternals.com/blog/2005/11/m...decloaking.html

Found in the comments:

I smell a class action lawsuit in the making.

See here: http://www.classcounsel.com/

Look under Consumer Protection.

One of the First4Internet programmers asked for help on an open source programmers mailing list, in exactly the area, which is finally covered by the rootkit:

http://66.249.93.104/search?q=cache:hDmbqX.../showThread.cfm

Do we need another proof of their incompetence?

Addendum: MDCF's Disso found another one:

http://www.osronline.com/lists_archive/ntfsd/thread2716.html

has anyone tried to uninstall??? does it work..no DRM then?? ...i read that sony was offering users to crack the DRM software via their support line...

http://www.engadget.com/entry/1234000413047159/

"Sony BMG has come up with an innovative solution for consumers who are frustrated with the company's new DRM: They'll help you break it. Turns out the new system, from the U.K.'s First4Internet, renders protected CDs unusable by iPod owners. While Sony might hope that would drive customers to its digital audio players instead, they've chosen the more pragmatic — and unusual — route of emailing instructions for a back door exploit to anyone who complains about the problem (Mac users don't even need this: the DRM is PC-only)"

Updates...

Offices to review CD practices on company computers:

http://news.com.com/Sony+rootkit+prompts+o..._3-5951177.html

Suddenly Microsoft is everyone's best friend:

http://www.pcpro.co.uk/news/79781/microsof...n-sony-drm.html

Wonder if it has anything to do with PlayStation vs. Xbox :ol_biggrin:

End User License Agreement troubles - you must delete your music if leaving the country:

http://digital-lifestyles.info/display_pag...usiness&id=2770

And of course some satire (a joke on new Sony DRM CDs having limited play count):

http://www.pugbus.net/artman/publish/111405_sonybmg.shtml

What's interesting, is that while the company is called SonyBMG, the Sony brand gets beaten up a lot more than the Bertelsmann side, or the Sony BMG united brand.

Updates...

Offices to review CD practices on company computers:

http://news.com.com/Sony+rootkit+prompts+o..._3-5951177.html

My take on this:

If I had to head the IT-department of a corporation, I would have banned ALL private datacarriers. Including any Audio-CD.

If employees want to listen to music (where appropriate), they have to bring their own playback devices.

Company property is not for personal entertainment.

If someone still manages to install one of those rootkits, it means trouble for that person.

Suddenly Microsoft is everyone's best friend:

http://www.pcpro.co.uk/news/79781/microsof...n-sony-drm.html

Wonder if it has anything to do with PlayStation vs. Xbox  :ol_biggrin:

Actually - No.

Microsoft has to play nice to the content industry.

Reasons: Microsoft wants to get his Videocodec to be included into the DVD-successor. And they want the content industry to abandon the use of Java for the Menu- and GUI-control on these discs.

That is the reason, why it took so long and that there was no official PR-Release about this.

Instead it was leaked through a company-owned blog.

End User License Agreement troubles - you must delete your music if leaving the country:

http://digital-lifestyles.info/display_pag...usiness&id=2770

This is so American. :ol_mad:

Luckily, this EULA is invalid in Germany, as it must be presented before purchase.

However, that doesn't mean, that German law doesn't have its own traps.

And of course some satire (a joke on new Sony DRM CDs having limited play count):

http://www.pugbus.net/artman/publish/111405_sonybmg.shtml

That's a good one.

What's interesting, is that while the company is called SonyBMG, the Sony brand gets beaten up a lot more than the Bertelsmann side, or the Sony BMG united brand.

Because many people don't see the difference between Sony Electronics and Sony Music/BMG.

So in short:

Sony Music/BMG == Evil

Sony Electronics == Good guys.

And I'm pretty sure, that the people at Sony Electronics are not happy with the stunts, that Sony Music/BMG pulled off.

My advice to Sony: Get rid of the music and movie business and do what you are best at: Producing great video and audio equipment.

Edited by Jadeclaw
Well it took a while, but I think their solution is very good:

http://cp.sonybmg.com/xcp/

Get a replacement copy of your XCP CD, and if you want, you can register to get mp3 versions of the CD in addition to the replacement discs.

On a related note, I just ran the latest MS Antispyware check. It caught and offered to remove the rootkit installed by one of the SonyBMG discs.
