What is going too far? Of course the record and movie industries are tired of losing money to people pirating their products. Does that give a company the right to secretly install a rootkit on a user’s computer? Sony thinks it does.
Mark Russinovich from Sysinternals found the rootkit nestled clandestinely in the system’s root while performing a routine check of his system. To make a long story short, Mark tracked the offending entries to a company called First 4 Internet. Among other things, they create copy protection for digital media. A Google search showed that this company has business ties with Sony and that the rootkit had been installed through a Sony Audio CD with their new Digital Restriction Management (DRM) copy protection that he had bought earlier in the week. It had a player that he installed from the CD in order to play the content and that the CD also had an End User License Agreement (EULA). The EULA states that there is a limit to the amount of copies you can make (among other things) but there was no mention of the installation of root level camouflaged code. What Sony’s DRM actually did was a lot more. It infected his PC, making the system not only unstable but also vulnerable.
Sony’s DRM installs a rootkit that attaches itself to your operating systems kernel and renames its own processes as those of other important processes to conceal itself. It installs with the SAFEMODE drivers so that it cannot be removed, even in Safe Mode. It hides any file with a name starting with the string $sys$ , so any hacker worth his RAM can take advantage of these infected systems. Several viruses that exploit this vulnerability have been popping up, including breplibot , although none of them have been particularly devastating. The rootkit wasn’t written well, so the DRM can potentially make your system unstable, causing it to crash and hang.
I only know one other kind of software that behaves like this: malicious code and viruses. Sony’s initial response was that its products carry on no such activities, but they quickly changed their tune after taking some serious heat from affected parties. Sony still says that their DRM does not compromise the security of the user’s computer nor does it gather personal information. You can read it all at Sony’s FAQ’s here .
Sony’s rootkit will install on any Windows based PC that opts to install the Sony player that is on the on Sony’s Content Enhanced & Protected (CEP) CD’s. The player prompts you to install it as the only way to listen to the content. It’s said that Sony has used the DRM on 20 different CDs over at least the past 6 months and was previously using a less severe form of malware. Altogether, there are over 2 million CEP disks out there.
Although you can detect the rootkit on an infected system with almost any rootkit-revealing software, you should not use any of these programs to uninstall it. Instead, go to Sony’s BMG FAQs page and do an Uninstall Request with about 5 tedious steps, and they will eventually send you an application to remove the offending software. Sophos has also released Resolve, a set of small applications designed to remove certain viruses and any changes made by them, including the Sony rootkit. Microsoft will also be coming out with a rootkit removal code as patches and updates in their new beta line of anti-Spyware technology, including the Defender (formally known as the Windows Anti-Spyware) and the Malicious Software Removal Tool.
There has already been at least one Class Action Suit against Sony. Just imagine a major virus breakout that exploits this vulnerability, leaving thousands of angry customers with PCs that can’t boot. Worse, business networks could be made vulnerable from any employee listening to their new Sony CD at work. Sony, Sony, Sony… what were you thinking?
On November 11, 2005, Sony announced that it has suspended installation of any rootkit technology on its audio CDs. They said that they believe in protecting their media but when viruses came out late last week that used the DRM-created security hole, Sony really had no choice. As consumers, we can only hope that this deters other digital media manufacturers from using these tactics.
~ Chad