More on Sony's "DRM Rootkit"

A couple of days ago we posted a story about Sony DRM installing a rootkit. Since then we have seen many more stories on the subject that I thought were worth sharing. manno gave us a link to the inquirer and salemnic sent us a page from the washington post. smallfries gave us one from PC Pro. It's nice to see this story not getting lost in the cracks since the implications are gigantic.

Re:DUPE?

[kyouteki]

Not a dupe, an update. Surely additional viewpoints on an issue as large as this warrants additional coverage.

Re:Sue

[Celt]

Nice that you've read up on the matter,
It is not stated in the EULA that this rootkit will be installed, plus there's no way to uninstall it through add.remove programs

First4Internet

[WarwickRyan]

The malware installed is created by a company called First4Internet.

They're based in Banbury, Oxford and their CEO is Mathew Gilliant-Smith DBC.

6 South Bar Street
Banbury
Oxfordshire
OX16 9AA
United Kingdom

All info (and more) available on their website here http://www.first4internet.com/contact.aspx/ [first4internet.com]

That's about 20 minutes in the car for me, should I go pay them a visit - taking the best wishes of the /. community with me? ;)

Re:I don't understand the fuss.

[klubar]

It's software like Sony's that makes windows unstable. A clean install of Windows with only "certfied for windows XP" software is rock solid. It's once you start added badly written drivers and other code the mucks into the OS that it becomes unstable. As the systeminternals article indicated, the driver doesn't follow the rules for unloading itself and other violations that can lead to the blue screen of death. Perhaps MS should increase the level of warnings about non-certified code, but users would still click-thru and blame the OS when it crashes.

It's not a Windows-specific problem, it's just that Sony has only implemented it for windows.

Re:Russinovich's Take

[jurt1235]

how to get rid of it...

Except that he put a link to a form, and not to a way to get rid of it. Looking further into the sony website the code used seems to originate from http://www.xcp-aurora.com/ [xcp-aurora.com] . Maybe that is the root of all problems.
Sue Sony -> Sony sue Aurora -> Lawyers will get rich and happy.

Yes, this is bad

[Sheepdot]

Sony could be held liable in a class-action lawsuit. Anyone can design a virus and name it "$sys$" now, and AV software won't be able to detect it if this rootkit is installed. An IM worm could use this naming scheme, only infect a few thousand people, and the news would report, "SONY's DRM software used to hide latest virus". It'd be a horrible blow, and they'd totally deserve it. I still think we'll see a virus/worm that does this before the end of this month.

On a related note: World of Warcraft hackers are now using Sony's DRM rootkit to hide from "the Warden" [wowsharp.net]. I tried to submit this as a standalone story, but since I saw this DRM news update, I figured I'd post it here.

Is Sony aiding and abetting cheaters?

Re:Let us hope:

[n0dalus]

Unfortunately Sony may be able to claim that they offer an uninstaller.

From TFA:
Hypponen said the only way to uninstall the program in the conventional sense (without running the risk of hosing your system or CD-ROM drive) is to contact Sony BMG directly via a Web form and request removal.

At that point, a real, live person will call you back and ask for all kinds of information about your system, and your reason for wanting to remove the software. You're then directed to a Web page that downloads an ActiveX program (yes, you must be using Microsoft's Internet Explorer to do this), which determines what version is installed and reports that back to First4Internet. Then you get an e-mail containing a link to another site that downloads something that finally uninstalls the Sony program.

So, although they make you sell your firstborn to get it, they apparently do offer an uninstaller. IANAL, but maybe someone can still argue that the uninstaller needs to be bundled with the CD. Sony might also be liable if the installation damages your computer.

Not in Europe?

[Alphix]

It might be interesting to note that in this newspaper article [aftonbladet.se] (sorry, only in Swedish), the Swedish CEO of Sony states that the copy protection is not used for CD:s sold in Europe and that "no copy protection will be introduced before it works well both for consumers and copyright owners" (which can of course be interpreted in many ways).

Re:I don't understand the fuss.

[vegardh]

It burned 1-2% CPU _when the player was not running_, for starters... Read the article.

Re:I don't understand the fuss.

[Anonymous Coward]

If you RTFA, you'd know that Sony's DRM allows anyone else to use the hole they have created to put files on your system that will not be detected by antivirus software. That's not a big deal to you?

Re:Sue

[OverlordQ]

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Umm, nice to see that you didn't read the EULA either.

Re:Sue

[garcia]

It is not stated in the EULA that this rootkit will be installed, plus there's no way to uninstall it through add.remove programs

I assume that you were trying to somehow infer that I didn't read the EULA [sysinternals.com]? Well, I did, but I'll post the important part of it here because it's fairly apparent that you did not, or at least didn't fully comprehend what it said:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

See that part about "the SOFTWARE will reside on YOUR COMPUTER until removed or deleted"? That's what people agree to when they click "I agree" on the EULA screen.

As far as being able to uninstall it via "add/remove programs", I wasn't aware that this made software dismissable via legal grounds. I thought it just meant that you could proudly wear the "Made for Microsoft Windows" on your retail box.

Re:Sue

[Anonymous Coward]

this EULA was MODIFIED after the story has surfaced - so if you are going to claim reading the documents - at least try to get the right ones.

Sony should immediately recall all XCP'd CDs

[yeremein]

Any malware whose filename/registry keys start with $sys$ will be shielded from antivirus and antispyware software by XCP. This gaping security hole represents a great opportunity for script kiddies. Sony should do the responsible thing and immediately recall all rootkit-infested CDs.

Re:Regardless of where this goes...

[xtracto]

You may be interested in my signature... and my XCP affected Album list [slashdot.org].

Hope this helps!

Re:Sue

[_bug_]

It is not stated in the EULA that this rootkit will be installed, plus there's no way to uninstall it through add.remove programs.

You can contact Sony directly [sonybmg.com] and they will send you tools to remove the DRM software.

The F-Secure blog [f-secure.com] talks a little about this. It appears their removal software installs ActiveX controls.. just really messed up.

Re:Not in Europe?

[axolotl_farmer]

The situation with Copy-Control CD is much worse in Sweden (and in the rest of Europe) than in the USA. Most major label CDs by scandinavian artists, as well as many international releases are protected/crippled.

I only have a few old crippled CDs, and I don't buy any new ones, so I can't tell if the rootkit is on anyone of them.

However, the Swedish Sony exec is blatantly lying in the article when he claims that Sony won't release any copy-controlled CDs until the protection works well for both the customers and the record labels.

Fix for the problem

[Anonymous Coward]

Posted by: Dickrichard | Nov 1, 2005 11:03:07 PM

I'm posting this via a proxy just in case Sony doesn't like what I post...
After reading this news story I decided to go after this software and defeat it, and I did.

The following is how you kill this hidden install. I did this in Windows XP Pro, so attempt on another OS at your discretion. This will require Administrator rights. Please read through the entire instruction set, and if you don't feel comfortable attempting this, then don't. The rest of you, follow me ;)
1. hit windowsKey+R to open the RUN command. Type services.msc to run the services dialog. Find 'Plug and Play Device Manager' in the list, right click and choose Properties. Under the General tab of the box that comes up, in the middle there should be the "startup type" of the service. Set this value to "disabled" and click OK. Next find the service named 'XCP CD Proxy' and set its startup type to disabled as well. You won't be able to stop these services, only disable them from starting next time Windows starts.
2. Download and run the latest Blacklight beta from http://www.f-secure.com/blacklight/ [f-secure.com] This program will find the 'super hidden' CD proxy files we're trying to get rid of. When it finishes searching click next until you reach the screen that shows you all the hidden files it found. Select all these files and click the "rename" button to the right. Windows will restart once you click OK, and the files will be renamed.
3. Once Windows restarts you will have lost any and all CD/DVD drives. DON'T PANIC! Hit windowsKey+Pause/Break to open up your System dialog. Click on the Hardware tab, then on the "Device Manager" button. Your system will not list any CD/DVD drives, but you should see IDE slot(s) that have little yellow circles with exclamation points over them indicating a device with a problem. In order to restore the drivers to their un-sony-altered state you must right click on the affected device and choose "uninstall driver". Do this for each device with a problem.
4. Now that you have uninstalled the affected drivers, simply navigate to your Control Panel via the Start Menu and choose "Add Hardware". The add hardware wizard will run and find your previously disabled devices. Your drives are now restored and functional, and this potentially dangerous menace vanquished.
5. Advanced users may now go and clean up the mess, but this step is not necessary. Delete renamed files, and dare I say it, registry keys that pertain to Sony's program. Use this list for reference: http://www.europe.f-secure.com/v-descs/xcp_drm.sht ml [f-secure.com] but nothing really beats searching.

As an added note, once I got my drives back up and running, I popped in the CD that put this program on my computer. I was able to use a multi-session aware program (Roxio) to access the audio portion of the disk and rip MP3s to my hard drive where they will now be listened to in my preferred player the way God intended it to be. Oh, and the only illegal thing that went on here was what Sony did!

CONSUMER 1 - SONY 0

P.S. Once you rip MP3s from your Sony disc, burn it the old fashioned way, with gasoline and a match!

Re:I don't understand the fuss.

[Anonymous Coward]

You are assuming that Sony has (a) written the code properly, and (b) there's no way to exploit this code externally from the running system. Anything that hides itself from the running process list and prevents itself from being uninstalled is a potential hole in your system. Example...there is a buffer overflow in Sony's DRM software, which you can't remove because you can't see it. It's running as a driver, as the "system" user, which means it can do pretty much anything it wants. A userspace program (LimeWire?) triggers this DRM by trying to play a Sony DRM'd song, and triggers the buffer overflow exploit. Once this exploit is triggered, the attacker can download whatever they want to the compromised machine, creating another zombie, or whatever they want really.

This is just an example, I'm sure a real cracker could come up with something doable.

Re:How to beat this...

[mopslik]

Anyways, nothing is the EULA says that I can't just go and delete it.

Except that, if you read through Mark Russinovich's blog [sysinternals.com], you'll see that it cripples your system when you do this.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD [drive]. Now I was really mad... I know from my past work with device driver filter drivers that if you delete a filter driver's image, Windows fails to start the target driver.

He goes on to detail the steps that were necessary to bring his computer back to fully-functional condition. It's not for Joe Q. Public.

Re:Contains LAME code?

[Ender Ryan]

No, LAME does include a decoder. I use it to decode my MP3s when making audio CDs for my car. MP3s, which, just for the record, I have encoded from CDs which I own.

Offtopic: Ya know, I don't have an actual CD player suitable for playing the CDs I buy. I absolutely cannot keep the original discs in my car, as they only last a few months getting shuffled around. Hell, they take a beating just being in my car, in a CD carrying case. Other than while driving, I listen to music while working, in several different locations, on my laptop.

Not just "Sony"

[uqbar]

Boycott all of Sony Music - this includes labels like:
Arista Records
BMG
Columbia Records
Epic Records
J Records
Jive Records
LaFace Records
Legacy Recordings
Provident Music Group
RCA Records
RCA Victor Group
RLG - Nashville
Sony
So So Def Records
Verity Records

As a recording engineer / producer I'm against piracy - but I also hate DRM screwing with my machine and making it hard to enjoy the music I purchased in the way I want.

Support indy labels, and write letters to artists you like that are on majors - tell them to move on to an indy label or start their own.

And if you're really mad (as I am) boycott all of Sony. While Sony music walks to its own drummer, the parent company can't be loving the bad publicity.

I stopped buying all Sony products (including the pro gear I use as an audio engineer) when they initially started their annoying DRM. It is easy to break, but makes normal use of the CD harder.

There's more than one law here.

[argent]

This is part of what you need if you want to listen to Sony's music legally.

On the one hand, it's perfectly legal for me to play that CD on my laptop without running that software. Even assuming a clickthrough license is valid, I can simply refuse to accept that license, refuse to install the software, and treat it as an ordinary audio CD. If I'm not running Windows on my laptop, in fact, I don't even have an opportunity to use their spyware-enhancer.

On the other hand, even if it WAS a legal requirement, any contract that involves on or the other of the parties performing an illegal act as a requirement for fulfilling that contract is void. There's a reasonable case that this software violates the DMCA and thus the license is invalid.

Which takes you back to the first hand.

Re:I don't understand the fuss.

[earthforce_1]

The problem can exist for any drivers that operate under kernel mode, which is unfortunately true for Linux as well. Fortunately, while Linux supports fewer devices than windows and the functionality is often more spartan, (i.e. 3D graphics cards) we are fortunate that they don't make it into the kernel until the are solid.

The BSD zealots have a point here - it is more secure to have all drivers run in separate sandboxes, so a borked driver won't bring down the whole OS.

Re:Russinovich's Take

[slavemowgli]

Easy. Slashdot punishes you for moderating stuff down, and moderators know this, so pretty much everything that's even remotely interesting gets modded up.

Re:Simple Solution: Boycott Sony to Death

[rolfwind]

The problem with simply boycotting (on a small scale, as I assume most non-geeks don't care) is that companies won't understand why sales for product X or for their company as a whole are down and it is human nature to look everywhere but within.

Look at the RIAA/MPAA and their correlation of sales/piracy. They'll never link sales could be down because the current music sucks or whatever - it's always the market's fault somehow - piracy, recession, depression, etcetera.

So next time you are tempted to buy a Sony product and instead decide to boycott it, write them a nice (I mean it) letter (not email) to their headquarters, preferable to a manager (find it on their site):

http://www.sony.com/SCA/senior_mgmnt.shtml [sony.com] (sorry, this is the best I can find, you'll have to go from there)

Explaining why you didn't buy their product. Specifically link it with their DRM practices. Include a copy of the reciept for the product you did buy - this way the impact on the bottom line is tangible and credible.

A small boycott without communication your frustration is nearly worthless.

Let them know how you feel....

[Hachey]

Follow this link [sonymusic.com] to send a comment to Sony. I know I won't be buying their products anymore, and I sure as hell let them know.

Technical Issue Feedback form...

[pfrCalif]

should be filled out by all angry individuals... http://cp.sonybmg.com/xcp/english/form8.html [sonybmg.com]

i'm safe...

[Anonymous Coward]

I just upgraded to Symantec's Internet Security Suite 2006. Latest, greatest, and safest...

oh sh...

"The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case." -cnet

Re:Sue

[ajs318]

You only need to sue if there has been a violation of civil law. What Sony have done violates criminal law on several counts -- it is deception, misuse of a computer, criminal damage and aiding and abetting the misuse of a computer. Don't call a lawyer, call the police!

iTunes Does the Same Thing

[cmd]

Apple's iTunes installs new CDROM drivers in the same way. I believe Apple was doing this before Sony.

Re:... until removed or deleted.

[Curunir_wolf]

There is yes, but the EULA hasn't been truly tested, thus why it still stands.

I think the bnetd case [eff.org] pretty much gives software publishers carte-blanche in restricting what you can do. They held that (1) the EULA was enforceable (2) it removes the consumers rights granted by copyright and DMCA laws (3) The UCC covers the transaction because the software is goods sold (4) the software is licensed, not sold, because the EULA says so.

In short - EULAs are enforceable, even when they are wordy, vague, and contradictory. And, they are contracts since they say "if you don't agree, return this for a refund" - even though there is no realistic way to actually get your money back for opened software.

Here's the address of the guy to write to at Sony:

[trudyscousin]

Mr. Thomas Hesse
President, Global Digital Business
Sony BMG Music Entertainment Company
550 Madison Ave.
New York, NY 10022-3211

I wrote this guy last summer after reading a piece in the New York Times featuring him discussing Sony's oh-so-wunnerful SunnComm copy protection. I can't locate the original NYT article, but this one [timesleader.com] says almost exactly the same thing.

I didn't receive a reply. I thought I stood a good chance of receiving one since I couched my language in civil terms and didn't call him a pig fucker. So, see what works for you.

Re:... until removed or deleted.

[rhetoric]

to clarify: DMCA != EULA. Not enough money to sue != no legal basis to sue.

Re:... until removed or deleted.

[KDR_11k]

If they don't take it back, you have legal grounds because then you're practically forced into agreeing. The courts said an EULA is to be expected and a no-reverse-engineering clause is to be expected. If there's some additional stuff that you cannot be reasonably expected to know about beforehand AND they refuse to undo your sales contract (which you can be reasonably expected to think they'd do) then it's either being forced into accepting the contract (not sure about the legal term but I think it's not extortion when it involves contracts) or being sold a good that's not what they told you it was (fraud, you are expected to know that there's some form of EULA but you're also expected to assume the standard terms, these days more and more crap is being thrown in).

Re:Sue

[CastrTroy]

The really crappy part is, is that this only hurts the legitimate users. People who wish to pirate the CD will just pop it in a Linux computer and rip it. Or they will just disable autorun on their CD drive. I'm not sure about this method specifically, but this seems to bypass every copy protection mechanism i've seen on music CDs. The rest of the users, are stuck out in the cold, using crappy players that come on the disc to play the CDs, as well as not being able to copy the CD onto their hard drive. Which kind of violates your fair use rights, depending on how you interpret them. Not to mention the fact that they have software on their computer that may be hard to uninstall, and may be doing things the user doesn't want it to do.

Take action to stop Sony from cont this outrage

[Rasta_the_far_Ian]

Express your outrage in a letter to Sony Investor Services contact. State that you will no longer purchase Sony products, and will be very leery of Sony as an investment in your retirement plans due to this clear demonstration of Sony's lack of ethics in its business practices. Physical letters work best. The address, from Sony's 2005 Annual Report, is:

Sony Corporation of America
Investor Relations
550 Madison Ave, 27th Floor
New York, NY 10022-3211

If you want a laugh, check out Sony's views on Corporate Social Responsibility site at http://www.sony.net/SonyInfo/Environment/about/ind ex.html [sony.net]

From that site: "The Sony Group recognizes that ... Sound business practices require that business decisions give due consideration to the interests of Sony stakeholders,including shareholders, customers, employees, suppliers, business partners, local communities and other organizations."

I wonder how they think installing rootkits on customer computers promotes the interests of Sony's customers!!!

Re:... until removed or deleted.

[griffjon]

Actually they now link to the kind folks who made this software for 'em and will provide an uninstall feature... ...but the damned thing requires ActiveX.

http://updates.xcp-aurora.com/unsupported.aspx [xcp-aurora.com]

Sigh.