If you have had a Sony audio CD in your PC read this

Old 11-04-2005 | 10:03 AM
  #1  
doopstr's Avatar
Thread Starter
Team Owner
 
Joined: Jan 2001
Posts: 25,467
Likes: 2,226
From: Jersey

Sony is installing rootkits (i.e. very bad programs) on your PC. And they wonder why people use Limewire.

http://news.yahoo.com/s/nf/20051103/tc_nf/39083

After Criticism, Sony Issues Fix for Hidden Rootkits

Walaika K. Haskins, newsfactor.com Thu Nov 3, 5:35 PM ET

Sony (NYSE: SNE) has admitted that it included a stealth rootkit on some music CDs shipped in 2005 and has issued an update to remove the hidden software one day after it was discovered. The company had drawn criticism from security experts who warned that the technology could serve as a tool for hackers.

The nearly undetectable monitoring utility, part of the company's digital-rights management (DRM) technology, was aimed at preventing consumers from producing illegal copies of CDs. The software installed itself automatically in Windows systems whenever a CD was inserted. Any files contained in the rootkit are invisible and almost impossible to remove.

Security expert Mark Russinovich of Sysinternals discovered the hidden rootkit and posted his findings on the company blog on November 1st. Russinovich wrote that although he checked in his system's Add or Remove Programs list, as well as on the vendor's site and on the CD itself, he could not find uninstall instructions. Nor, he says, could he find any mention of it in the End User License Agreement (EULA).

Stealth Tactics

A rootkit is a set of tools commonly used by hackers to circumvent antivirus software and control a computer system. Most rootkits are engineered so that common PC monitoring mechanisms cannot detect them. The rootkits are designed to tuck themselves into the most basic level of the operating system and remain hidden from users.

A Finnish antivirus company, F-Secure, reported that it had spent several weeks recently trying to find the cause of some unknown files reported by a user who suspected an audio CD as the cause.

Mikko Hyppönen, chief research officer at F-Secure, said hackers could use the rootkit to insert their own files by inserting a simple command at the beginning of the file name that would render them undetectable by most antivirus software. On the F-Secure blog, Hyppönen wrote that he heard rumors that Universal is using the same DRM system on its audio CDs.

Privacy? What Privacy?

Although industry analysts said they cannot fault Sony's motives, some saw the company's initial failure to disclose the hidden technology as a violation of U.S. copyright laws. According to Jared Carleton, an analyst at Frost & Sullivan, Sony is overstepping the fair-use clause that gives consumers the right to make backup copies.

"[Sony] is saying, 'No, we are not going to pay attention to U.S. copyright law that's been generally accepted for the past 30 years,' " he said.

Carleton likened the hidden DRM to malware, and said it was no different than adware and spyware. He said that if Sony was shipping DRM-protected CDs, the company needed to put a notice on its packaging. Consumers understand that artists should be paid for their music, he said, but he added that consumers don't like this type of secrecy.

Andrew Jaquith, senior security analyst at Yankee Group, said the company behaved badly and that there could be a backlash. He said that the desire to protect intellectual property is understandable, but that Sony should have been upfront about its DRM technology, and would have been better off using industry-standard software.

"I haven't seen a single positive comment about this and it makes them look a little slimy," Jaquith said. "They should have been above-board and should have used software that they hadn't cobbled together themselves."

On the Web page containing the update, which enables users to detect and remove the rootkit, Sony said its technology did not pose a security risk. "This component is not malicious and does not compromise security," the company's post said. "However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

The fix can be downloaded at http://cp.sonybmg.com/xcp/english/updates.html.
Old 11-04-2005 | 10:25 AM
  #2  
Always Dirty's Avatar
Team Owner
 
Joined: Feb 2002
Posts: 28,853
Likes: 1
I literally just pulled a Sony CD out of PC, but it was from 1999.

Though this is making me think twice about using their Connect music downloading program and SonicStage with my mp3 player...
Old 11-04-2005 | 10:29 AM
  #3  
fsttyms1's Avatar
Senior Moderator
 
Joined: Aug 2002
Posts: 81,383
Likes: 3,063
From: Appleton WI
????????????????

https://acurazine.com/forums/showthr...highlight=sony
Old 11-04-2005 | 10:30 AM
  #4  
Moog-Type-S's Avatar
The sizzle in the Steak
 
Joined: Nov 2001
Posts: 71,436
Likes: 1,877
From: Southern California
Old 11-04-2005 | 11:54 AM
  #5  
I'm Batman's Avatar
Boom goes the Dynamite
 
Joined: Apr 2004
Posts: 1,670
Likes: 0
From: Moore, SC
F' in Sony bastards. Things like this should be illegal.
Old 11-10-2005 | 09:16 AM
  #6  
doopstr's Avatar
Thread Starter
Team Owner
 
Joined: Jan 2001
Posts: 25,467
Likes: 2,226
From: Jersey
The following is a list of infected CDs.

http://www.eff.org/deeplinks/archives/004144.php
Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

Several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm, including:

My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

This is not a complete list. So click the link above to learn how to identify disks with copy protection.
Old 11-10-2005 | 09:18 AM
  #7  
Always Dirty's Avatar
Team Owner
 
Joined: Feb 2002
Posts: 28,853
Likes: 1
Not my new Ricky Martin CD!!!
Old 11-10-2005 | 09:22 AM
  #8  
JimmyCarter's Avatar
likes it raw
 
Joined: Jan 2005
Posts: 10,133
Likes: 1
From: 42.4°N, 71.1°W
So it only affects people with awful taste in music?
Why don't they do it to CDs that are actually worth stealing?
Old 11-10-2005 | 10:07 AM
  #9  
CLSter's Avatar
Under the radar
 
Joined: Aug 2002
Posts: 1,423
Likes: 0
From: WA
Originally Posted by JimmyCarter
So it only affects people with awful taste in music?
Why don't they do it to CDs that are actually worth stealing?
My dad really enjoys the new Neil Diamond CD

I told him to never get it near a PC - has Sony issued a response yet?
Old 11-15-2005 | 04:58 PM
  #10  
doopstr's Avatar
Thread Starter
Team Owner
 
Joined: Jan 2001
Posts: 25,467
Likes: 2,226
From: Jersey
WTF, Sony?
http://www.msnbc.msn.com/id/10053831/

Fallout from Sony CD flap getting worse
Researchers say software removal scheme aggravates security hole

BOSTON - The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program actually widens the security hole the original software created, researchers say.

Sony apparently has moved to recall the discs in question, but music fans who have listened to them on their computers or tried to remove the dangerous software they deposited could still be vulnerable.

“This is a surprisingly bad design from a security standpoint,” said Ed Felten, a Princeton University computer science professor who explored the removal program with a graduate student, J. Alex Halderman. “It endangers users in several ways.”

The “XCP” copy-protection program was included on at least 20 CDs, including releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.

When the discs were put into a PC — a necessary step for transferring music to iPods and other portable music players — the CD automatically installed a program that restricted how many times the discs’ tracks could be copied, and made it extremely inconvenient to transfer songs into the format used by iPods.

That antipiracy software — which works only on Windows PCs — came with a cloaking feature that allowed it to hide files on users’ computers. Security researchers classified the program as “spyware,” saying it secretly transmits details about what music the PC is playing. Manual attempts to remove the software can disable the PC’s CD drive.

The program also gave virus writers an easy tool for hiding their malicious software. Last week, virus-like “Trojan horse” programs emerged that took advantage of the cloaking feature to enter computers undetected, antivirus companies said. Trojans are typically used to steal personal information, launch attacks on other computers and send spam.

Stung by the controversy, Sony BMG and the company that developed the antipiracy software, First 4 Internet Ltd. of Oxfordshire, United Kingdom, released a program that uninstalls XCP.

But the uninstaller has created a new set of problems.

To get the uninstall program, users have to request it by filling out online forms. Once submitted, the forms themselves download and install a program designed to ready the PC for the fix. Essentially, it makes the PC open to downloading and installing code from the Internet.

According to the Princeton analysis, the program fails to make the computer confirm that such code should come only from Sony or First 4 Internet.

“The consequences of the flaw are severe,” Felten and Halderman wrote in a blog posting Tuesday. “It allows any Web page you visit to download, install, and run any code it likes on your computer. Any Web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get.”

Sony BMG spokesman John McKay did not return calls seeking comment. First 4 Internet was not making any comment, according to Lynette Riley, the office manager who answered the company’s phone Tuesday evening in England.

Mark Russinovich, the security researcher who first discovered the hidden Sony software, is advising users who played one of the CDs on their computer to wait for the companies to release a stand-alone uninstall program that doesn’t require filling out the online form.

“There’s absolutely no excuse for Sony not to make one immediately available,” he wrote in an e-mail Tuesday.

Other programs that knock out the original software are also likely to emerge. Microsoft Corp. says the next version of its tool for removing malicious software, which is automatically sent to PCs via Windows Update each month, will yank the cloaking feature in XCP.

Sony BMG said Friday it would halt production of CDs with XCP technology and pledged to “re-examine all aspects of our content protection initiative.” On Monday night, USA Today’s Web site reported that Sony BMG would recall the CDs in question.
Old 11-15-2005 | 09:33 PM
  #11  
Moog-Type-S's Avatar
The sizzle in the Steak
 
Joined: Nov 2001
Posts: 71,436
Likes: 1,877
From: Southern California
Originally Posted by JimmyCarter
So it only affects people with awful taste in music?
Why don't they do it to CDs that are actually worth stealing?
Old 11-16-2005 | 12:23 AM
  #12  
West6MT's Avatar
Senior Moderator
 
Joined: Sep 2005
Posts: 9,243
Likes: 166
From: Toronto
WTF Sony. I have that Switchfoot CD (which is good btw). I did put it in my comp, but I think I didn't want to install the crap on it so maybe I was not infected with that BS stealth stuff on it. Last time I buy a CD... hahahaha.
Old 11-16-2005 | 03:56 PM
  #13  
Moog-Type-S's Avatar
The sizzle in the Steak
 
Joined: Nov 2001
Posts: 71,436
Likes: 1,877
From: Southern California
Sony BMG recalls copy-protected CDs

Computer viruses had emerged that took advantage of security holes in the copy protection software.
November 16, 2005: 12:08 PM EST

BARCELONA, Spain (Reuters) - Music company Sony BMG, yielding to consumer concern, said Wednesday it was recalling music CDs containing copy-protection software that acts like virus software and hides deep inside a computer.

Sony BMG has used the XCP copy-protection software on 49 titles from artists such as Celine Dion and Sarah McLachlan and produced an estimated 4.7 million music CDs. Around 2.1 million units have been sold on to consumers.

The software, developed by British software makers First4Internet, installs itself on a personal computer used to play the CD in order to guard against copying, but it leaves the back door open for malicious hackers.

"We share the concerns of consumers regarding discs with XCP content-protected software, and, for this reason, we are instituting a consumer exchange programme and removing all unsold CDs with this software from retail outlets," Sony BMG said in a statement.

Sony BMG announced in a separate statement it would distribute a program to remove the software from a PC where it jeopardizes security.

"We deeply regret any inconvenience this may cause our customers. Details of this (recall) program will be announced shortly," Sony BMG said.

Sony said it will soon issue more details about the swap programme. Consumers can identify their copy-protected CDs by a Web address on the back of the CD containing the letters XCP.

Of the 49 titles, 24 were new major releases. The remaining albums were reissues and other material from the catalogue.

Sony reiterated that the copy-protection software installs itself only on personal computers and not on ordinary CD and DVD players. Market research group NPD Group found in a recent survey that around 36 percent of consumers listen to their CDs on a personal computer.

Outcry
Problems with the copy-protection software became acute last week, when the first computer viruses emerged that took advantage of security holes left by the program.

Responding to public outcry over the software, Sony BMG, the music venture of Japanese electronics conglomerate Sony Corp. and Germany's Bertelsmann AG had said on Friday it would temporarily suspend the manufacture of music CDs containing XCP technology.

It then provided a patch to make the hidden program more visible. At the time it did not recall the CDs or offer a program to remove it from computers. Sony BMG's patch and the removal software still left PCs vulnerable, according to software engineers.

The anti-virus team at Microsoft Corp. said Tuesday it would independently add a detection and removal mechanism to rid a personal computer of Sony's DRM copy-protection software. It should have a deeper understanding of its own operating system, and how to remove software safely.

The software installs itself only on PCs running Microsoft's Windows operating system.

Sony BMG has positioned itself as a defender of artists' rights. It had re-emphasized Friday that copy-protection software is "an important tool to protect our intellectual property rights and those of our artists."

Sony BMG last week was targeted in a class action lawsuit complaining that it had not disclosed the true nature of its copy-protection software.
Old 11-17-2005 | 08:28 AM
  #14  
fuzzy02CLS's Avatar
Senior Moderator
iTrader: (2)
 
Joined: Jan 2003
Posts: 16,847
Likes: 223
From: South FL
All the more reason to download & burn music!
That's just some REAL scamming BS Sony pulled.
Old 11-17-2005 | 09:20 AM
  #15  
VTEC11's Avatar
Drifting
 
Joined: Jun 2003
Posts: 2,128
Likes: 5
From: NJ
Anyone know how to check if you have the rootkit installed on your PC? Like a program/utility?
Old 11-17-2005 | 09:22 AM
  #16  
zeroday's Avatar
Race Director
 
Joined: Dec 2001
Posts: 17,921
Likes: 15
repizzazzledazzle
Old 11-17-2005 | 10:07 AM
  #17  
Cruz_msl's Avatar
My Member is Registered
 
Joined: Oct 2003
Posts: 3,545
Likes: 2
From: 2678.51 miles east of California
I think that's total bullshit what Sony did. It's too bad because I'm a diehard Sony product person.