Sony music CDs install DRM malware (or: 'Turn off Autorun for Music CDs!')

Sparta

BBC News article

BBC News said:
Sony slated over anti-piracy CD
By Mark Ward
Technology Correspondent, BBC News website

Sony's music arm has been accused of using the tactics of virus writers to stop its CDs being illegally copied.

One copy protection system analysed by coder Mark Russinovich uses cloaked files to hide deep inside Windows.

The difficult uninstallation process left Mr Russinovich saying that Sony's anti-piracy efforts had gone "too far".

In response to criticism, Sony BMG said it would provide tools to users and security firms that would reveal the hidden files.

Search history

Mr Russinovich, a renowned Windows programming expert, came across the Sony BMG anti-piracy system when performing a scan of his computer with a utility he co-created that spots so-called rootkits.

Rootkits are starting to be used by a small number of computer virus writers because they allow malicious code to be inserted deep inside the Windows operating system, meaning that it will not be spotted by most anti-virus scanners.

Rootkits are used to hide malicious software once it is installed and ensure it is not found and removed by anti-virus programs.

After extensive analysis Mr Russinovich realised that the "cloaked" software had been installed when he first listened to the album Get Right With the Man by country rockers Van Zant.

Although resembling a virus, Mr Russinovich found the hidden files had come from an anti-copying system called Extended Copy Protection (XCP) developed by UK software company First 4 Internet.

About 20 titles are thought to be using the XCP software and in May 2005 Sony said more than two million discs had been shipped using the technology. XCP is just one of several anti-piracy systems Sony is trying.

XCP only allows three copies of an album to be made and only allows the CD to be listened to on a computer via a proprietary media player. The hidden files are installed alongside the media player.

The CD plays normally on a hi-fi system and the copy protection does not affect computers running on Apple Mac or Linux operating systems.

Ridding his computer of XCP proved difficult and briefly crippled Mr Russinovich's CD player.

Writing in his blog about the incident, he said: "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall."

Mr Russinovich said the licence agreement that he accepted when he first listened to the CD made no mention of the fact that he could not uninstall the program or of the significant changes it made to his computer.

If Sony BMG released XCP copy-protected CDs in the UK this oversight could leave the music company open to prosecution under the Computer Misuse Act because it made "unauthorised" changes to a machine, said net law expert Nick Lockett.

"There would be no problem if there's a big screen coming up saying as part of the anti-piracy measures this CD will amend your operating system," he said.

Mr Lockett added that Sony might be inadvertently provoking piracy as consumers irritated by the anti-copying system rip the tracks to get around the restrictions.

Virus link

Mr Russinovich feared that diligent users trying to keep their systems clean of viruses could stumble across the hidden XCP files, delete them and inadvertently cripple their computer.

His worries were echoed by Mikko Hypponen, chief research officer at Finnish security firm F-Secure, who has been looking into XCP since he first came across it in late September.

"What we are scared of is when we find a new virus written by someone that relies on the fact that this [XCP] software is running on tens of thousands of computers around the world," he said. "The rootkit would hide that virus from pretty much any anti-virus program out there."

Mathew Gilliat-Smith, chief executive of First 4 Internet, said the techniques used to hide XCP were used by many other programs and added that there was no evidence that viruses were being written that took advantage of XCP.

He said the debate on the net sparked by Mr Russinovich's work had prompted the company to release information to anti-virus companies to help them correctly spot the hidden XCP files. Consumers can also contact Sony BMG for the patch to unveil, rather than remove, the hidden files.

He said that users were adequately warned about the copy protection software in the licence agreement and were told that it used proprietary software to play the CD.

"It's clearly packaged on the CD that it's copy-protected," he said.

A spokesman for Sony BMG said the licence agreement was explicit about what was being installed and how to go about removing it. It referred technical questions to First 4 Internet.

Mr Gilliat-Smith said Mr Russinovich had problems removing XCP because he tried to do it manually, something that was not a "recommended action". Instead, said Mr Gilliat-Smith, he should have contacted Sony BMG, which gives consumers advice about how to remove the software.

Getting the software removed involves filling in a form on the Sony website, visiting a unique URL and agreeing to have another program downloaded on to a user's PC that then does the uninstallation.

He added that First 4 Internet had had no complaints about XCP since it started being used eight months ago. He also added that the latest generation of XCP no longer used cloaked files to do its job.

"We've moved away from using that sort of methodology," he said.

Sony is now installing rootkit software (under the guise of 'XCP' ('extended' copyright protection)) with the autorun feature on new(er) music CDs of theirs. The alleged purpose is to ensure a lack of unnecessary copying of purchased material, but the software can easily be used for much more nefarious purposes, and furthermore unnecessarily bogs down system resources as a set of cloaked, nearly-impossible-to-find-or-remove files. Some computer guru (Mark Russinovich from Sysinternals.com) somehow noticed it after purchasing a Sony CD - "Get Right With the Man" of all things (gotta love random irony). After running a ridiculous amount of crazily esoteric system analysis tools (details), he managed to track it down. He posted it last Monday, and now it's starting to make it into more of the (online) headlines (PC World (headline: "Is Sony trying to kill the CD format for music?")).

Sony's response was to issue a patch (which only makes the files visible, and potentially may not remove anything):
"We want to make sure we allay any unnecessary concerns," said Mathew Gilliat-Smith, CEO of First 4 Internet. "We think this is a pro-active step and common sense."

Getting caught red-handed and then issuing a 'fix' that doesn't remove the problem apparently counts as pro-active now. Anyway, the supposed patch is 3.5 megs in size, and has been accompanied by much suspicion (it allegedly may actually be enhancing the very files it purports to placate). Furthermore, the same guy from Sysinternals has now figured out that the original rootkit software is phoning home: "Mark from Sysinternals has dug a little deeper into the Sony DRM and discovered it phones home with an ID for the CD being listened to."

(In a still further odd twist, Sony's rootkit files actually enable a bypassing of Blizzard's rootkit anti-cheater files for World of Warcraft ("Warden", which nobody was too pleased with either). Whether that's just sheer fluke coincidence after WoW's heralded entry into Sony's Everquest-dominated MMORPG genre is up for guesses, I suppose.)

The gist of the matter being that you all should apparently disable autoplay for your music CDs on your PCs, rather than dealing with this garbage (R-click drive(s), Properties, AutoPlay tab, 'Take no action' for music CDs; or check here: Autoplay disable instructions). Good luck.

Aren't mega-corporations grand?
 
Sparta said:
The alleged purpose is to ensure a lack of unnecessary copying of purchased material, but the software can easily be used for much more nefarious purposes, and furthermore unnecessarily bogs down system resources as a set of cloaked, nearly-impossible-to-find-or-remove files.

How are they nearly impossible to find? Can't you just go to Folder Options and make sure you have it set to show Hidden files and to show protected system files -- then every single file should show up right? It would just be a matter of two clicks.

Does this software automatically install or is there like a EULA that if you read it tells you about it?

I want to hear Sony's side of the story.

To delete them you could probably start in Safe Mode and then just delete them from there.
 
There are some files which will not appear even after checking the "show hidden files and folders" option as well as unchecking the "hide protected operating system files" option. The best way that I've found to truly see everything that's on your hard disk is to use Linux (using a Linux live CD like Knoppix is more convenient) to access the files and see the entire directory structure (though most distros only have read support for NTFS-formatted disks; unfortunately Knoppix is one such distro (at least the last time I checked)).
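The approach in the post above, looking at the disk from outside the running OS and comparing it with what Windows itself reports, is the cross-view technique that rootkit detectors rely on: a filter that hides entries from the OS cannot hide them from an offline listing, so the difference between the two views is the cloaked set. This is an added example, not code from the thread or from any tool it mentions; the file names and sizes are constructed, and the volatile-path list used to suppress timing noise is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str  # full path as reported by that view
    size: int  # size in bytes as reported by that view

def _norm(path: str) -> str:
    # Windows paths are case-insensitive; normalise case and separators so a
    # spelling difference between the two views is not reported as cloaking.
    return path.replace("/", "\\").rstrip("\\").lower()

def cross_view_diff(api_view, raw_view, volatile=("c:\\windows\\temp",)):
    """Return (hidden, transient, mismatch): entries only in the offline view
    (cloaked from the OS), entries that differ only under a volatile path or
    exist only in the API view (likely timing noise), and size disagreements."""
    volatile = tuple(_norm(v) + "\\" for v in volatile)  # assumed noise dirs
    api = {_norm(e.path): e for e in api_view}
    raw = {_norm(e.path): e for e in raw_view}
    hidden, transient, mismatch = [], [], []
    for key in sorted(api.keys() | raw.keys()):
        if key in api and key in raw:
            if api[key].size != raw[key].size:
                mismatch.append(raw[key])
        elif key.startswith(volatile):
            transient.append(raw.get(key) or api[key])
        elif key in raw:
            hidden.append(raw[key])
        else:  # seen by the API only: created after the offline snapshot
            transient.append(api[key])
    return hidden, transient, mismatch

# Constructed sample listings; the names are invented, not real XCP file names.
API_VIEW = [
    Entry(r"C:\WINDOWS\system32\drivers\example_ok.sys", 95360),
    Entry(r"C:\WINDOWS\system32\example_ok.dll", 1000),
    Entry(r"C:\WINDOWS\Temp\~tmp1.dat", 12),
]
RAW_VIEW = [
    Entry(r"c:\windows\system32\drivers\EXAMPLE_OK.SYS", 95360),
    Entry(r"C:\WINDOWS\system32\example_ok.dll", 1024),
    Entry(r"C:\WINDOWS\system32\drivers\cloak_example.sys", 4096),  # cloaked
    Entry(r"C:\WINDOWS\system32\cloak_example.dll", 20480),         # cloaked
    Entry(r"C:\WINDOWS\Temp\~tmp2.dat", 12),
]

if __name__ == "__main__":
    for label, found in zip(("HIDDEN", "TRANSIENT", "MISMATCH"), cross_view_diff(API_VIEW, RAW_VIEW)):
        print(label, [f"{e.path} ({e.size} B)" for e in found])
```

A real run would feed the API view from a normal directory walk on the live system and the offline view from a listing taken by a live CD or by reading the volume outside the running kernel.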
 
cierdan said:
How are they nearly impossible to find? Can't you just go to Folder Options and make sure you have it set to show Hidden files and to show protected system files -- then every single file should show up right? It would just be a matter of two clicks.

Does this software automatically install or is there like a EULA that if you read it tells you about it?

I want to hear Sony's side of the story.

To delete them you could probably start in Safe Mode and then just delete them from there.

From The Register:

http://www.theregister.com/2005/11/12/sony_suspends_rootkit_drm/

The Register said:
Sony's unfortunately worded phrase "ease of consumer use" reminds us that while the stealth DRM software installs itself without permission (the click-through statement fails to inform of the user of its true nature), uninstalling it requires the CD buyer to request permission from Sony via a web form. So it's hard to take Sony BMG's assurances seriously.

You can read Sony's statement here. Symantec has posted an advisory and removal tool here.
 