View Full Version : SONY MUSIC CD's installing ROOTKITS on your computers!!!


robyrob
11-07-2005, 11:37 AM
http://www.vnunet.com/vnunet/news/2145413/sony-rapped-rootkit-music-cd

Sony rapped over music CD rootkit

Record label backtracks after public outrage over cloaking technology
Tom Sanders in California, vnunet.com 03 Nov 2005

Sony (http://www.sony.com/) has released a patch (http://cp.sonybmg.com/xcp/) for a music CD anti-piracy technology after security experts warned that it represents a potential security risk.

The copyright protection software would automatically install when a consumer inserted a music CD with the XCP digital rights management technology in their computers.

The software is designed to limit the number of copies that users can make of the CD and restrict ripping of the disk.

Software developer Mark Russinovich, of Sysinternals (http://www.sysinternals.com/), reported on Monday that he had detected a secretly installed rootkit on his system.

Russinovich traced the software back to Sony and the XCP technology back to First 4 Internet, an English software developer.

The rootkit served to hide the digital rights management technology from the user as well as the system itself, including from antivirus software. When Russinovich tried to remove the application, he found that his CD drive was disabled.

Sony uses the rootkit to prevent the user from removing the copyright protection technology and violating Sony's copyright. But worm authors could exploit this feature to hide malicious applications.

The patch will remove the cloaking capability of the software to enable users to remove the Sony tool. But this will render their systems incapable of playing the CD.

so basically SONY is installing a program onto people's computers without their knowledge or consent, that has ADMINISTRATIVE rights, that is designed to be undetectable by standard Windows Tools and any anti-spyware or antivirus utilities and could potentially have the ability to hijack your entire system and call "home" whenever it wanted to..... (and I'm sure that they wouldn't keep a database of which songs and cd's you have played on your computer either if they had access to it :rolleyes:)

if you think that you may have this on your system you can detect it with Sysinternals' free RootkitRevealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html)

vashti1999
11-07-2005, 11:55 AM
I read about this a few days ago. Makes me glad I didn't buy the Santana cd I'd been planning to get last week. Once I saw that it was copy protected I put it back. It seems like it's costing them more to come up with all of these programs to bar people from copying than the bootleggers are costing them.

robyrob
11-07-2005, 01:30 PM
i honestly wouldn't be buying ANYTHING from SONY until more details come from them as to what they are going to do to fix this - they are still acting like there is nothing wrong with what they've done, but to many it seems like this would be illegal under the U.S. Computer Fraud and Abuse Act.

this was a very bad move by SONY - even if they hadn't been caught doing this, it certainly wouldn't have done ANYTHING to discourage the mass-market piraters - they ALWAYS find a way around any DRM schemes, it's the CONSUMER that SONY is hurting here.

here's another good article about it:

http://www.cnet.com/4520-6033_1-6376177.html?tag=nl.e501

robyrob
11-07-2005, 01:39 PM
it keeps getting scarier the more I read about this, from wired news (http://www.wired.com/news/rants/0,2350,69467,00.html?tw=wn_tophead_5): ...And the lie the First 4 Internet code tells is a whopper. Under the program's influence, Windows will deny the existence of any file, directory, process or registry key whose name begins with "$sys$." Russinovich verified this by making a copy of Notepad named "$sys$notepad.exe," which promptly vanished from view.

in other words, if you've got this thing on your computer (which the "patch" does NOT remove, it just lets your AV and antispyware programs detect it - there is still NO KNOWN WAY to remove it) you have a wide open back door for any hacker that knows how to exploit it... :pissed:
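
The name-based cloak quoted in the post above, modelled next to the cross-view comparison that exposes it. This is a simulation added here, not code from the thread or from any tool it mentions. The inventories, every path except `$sys$notepad.exe`, and the rule that a hidden directory also hides its contents are assumptions of the model.

```python
from typing import NamedTuple

CLOAK_PREFIX = "$sys$"  # prefix quoted in the post above


class Obj(NamedTuple):
    kind: str  # "file", "process" or "registry"
    path: str


# Constructed raw (below-the-API) inventory; only $sys$notepad.exe is from the thread.
RAW_VIEW = [
    Obj("file", r"C:\Windows\notepad.exe"),
    Obj("file", r"C:\Temp\$sys$notepad.exe"),
    Obj("file", r"C:\Example\$sys$dir\payload.bin"),
    Obj("file", r"C:\Example\my$sys$file.txt"),  # prefix not at start: stays visible
    Obj("process", "explorer.exe"),
    Obj("process", "$sys$example.exe"),
    Obj("registry", r"HKLM\SOFTWARE\Example\$sys$key"),
]


def is_cloaked(obj):
    """True if any path component starts with the prefix (model assumption:
    a hidden directory hides everything beneath it). Ownership is never checked."""
    return any(part.startswith(CLOAK_PREFIX) for part in obj.path.split("\\"))


def api_view(raw, cloak_active=True):
    """Simulate what enumeration through the filtered API would return."""
    return [o for o in raw if not (cloak_active and is_cloaked(o))]


def cross_view_diff(raw, api):
    """Objects present in the raw view but missing from the API view."""
    seen = set(api)
    return [o for o in raw if o not in seen]


def report(raw, api):
    """Group the hidden objects by kind for triage."""
    by_kind = {}
    for obj in cross_view_diff(raw, api):
        by_kind.setdefault(obj.kind, []).append(obj.path)
    return by_kind


if __name__ == "__main__":
    for kind, paths in report(RAW_VIEW, api_view(RAW_VIEW)).items():
        print(kind, paths)
```

Because the filter keys on the name alone, anything that adopts the prefix is hidden along with the DRM components, which is why the diff between the two views, rather than a list of known file names, is the reliable signal.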

vashti1999
11-16-2005, 04:28 PM
After two weeks of relentless criticism over its XCP copy protection software, Sony BMG Music Entertainment is pulling CDs that contain the software from store shelves. The company is also planning to offer customers a way to exchange CDs that contain the flawed copy-protection software.


"We share the concerns of consumers regarding discs with the XCP software, and we are instituting a program that will allow customers to exchange any CD with XCP software for the same CD without copy protection," Sony said in a statement posted on Tuesday.

'Sneaky' Software

XCP, which stands for Extended Copy Protection, is Windows software designed to limit the number of copies a PC user can make of a CD, but it uses controversial cloaking techniques to hide itself on the computer. Critics had warned that these techniques could gum up a computer's performance or possibly even be used by attackers to attack the machine.


Late last week, the first examples of malicious software that exploited the XCP cloaking mechanism began surfacing, prompting Sony to temporarily cease production of XCP-enabled CDs.


Sony had originally defended its use of XCP, and had downplayed the security and privacy risks associated with the software. With Tuesday's recall, however, the company finally appeared to acknowledge the seriousness of the matter. "We deeply regret any inconvenience this may cause our customers," Sony's statement said.


Still, Sony has some important questions to answer, according to the computer expert who first discovered the problems with XCP.


The biggest problem Sony now faces is helping customers who have installed the nearly undetectable software to remove it from their machines, said Mark Russinovich, chief software architect with Winternals Software LP, who originally identified the potential problem. Users who want to take XCP off their computers had been forced to send an e-mail to Sony and then download an ActiveX control that exposes them to further security risks, he said.

Mop-Up Still Needed

Sony on Tuesday suspended use of this uninstall process and promised to provide a "simplified and secure procedure" for uninstalling XCP. But the company provided no details on what this new procedure might be, or on how customers might exchange their XCP CDs. It also failed to address concerns about a second type of copy-protection software, called MediaMax, that ships with Sony CDs. Computer experts have said that this software suffers from many of the same problems as XCP.


Russinovich had some advice for Sony on how to simplify things. First off, the company should drop the dangerous ActiveX software, he said. Secondly, they should release a secure uninstaller that is easier to obtain. "They should just say, 'If you want the uninstaller, here it is: Click this link to execute it,'" he said. "I've seen no valid reason to have the uninstall process be what it is."


XCP is included in about 20 Sony titles including CDs by Van Zant, Sony has said. Security researcher Dan Kaminsky has estimated that at least 500,000 computers have installed the software.

Robert McMillan, IDG News Service

vashti1999
11-16-2005, 04:35 PM
November 16, 2005

To Our Valued Customers:

You may be aware of the recent attention given to the XCP content protection software included on some SONY BMG CDs. This software was provided to us by a third-party vendor, First4Internet. Discussion has centered on security concerns raised about the use of CDs containing this software.

We share the concerns of consumers regarding these discs, and we are instituting a program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection. We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory. We will make further details of this program available shortly.

We deeply regret any inconvenience this may cause our customers and we are committed to making this situation right. It is important to note that the issues regarding these discs exist only when they are played on computers, not on conventional, non-computer-based CD and/or DVD players.

Our new initiatives follow the measures we have already taken, including last week’s voluntary suspension of the manufacture of CDs with the XCP software. In addition, to address security concerns, we provided to major software and anti-virus companies a software update, which also may be downloaded at http://cp.sonybmg.com/xcp/english/updates.html. We will shortly provide a simplified and secure procedure to uninstall the XCP software if it resides on your computer.

Ultimately, the experience of consumers is our primary concern, and our goal is to help bring our artists’ music to as broad an audience as possible. Going forward, we will continue to identify new ways to meet demands for flexibility in how you and other consumers listen to music.

Please click here for an FAQ (http://cp.sonybmg.com/xcp/english/faq.html) on this topic.