X
Tech

CA targets Sony DRM as spyware

Security company Computer Associates will detect and remove Sony DRM rootkit software.
Written by Suzi Turner, Contributor

Computer Associates, maker of security software, has announced their anti-spyware program PestPatrol will detect and remove Sony's rootkit-enabled DRM software. I spoke to Samuel Curry, Vice President, Product Management of Computer Associates, yesterday and he confirmed that four pests from Sony have been added to PestPatrol's new definitions slated to be released this week. Curry indicated CA's technical researchers spent the last several days testing the software and Sony's patch.  Their findings are quite disturbing.  The Sony XCP (Extended Copyright Protection) software includes the rootkit, installed with only vague notice and consent to users, has reportedly been distributed on over 2 million Sony BMG CD's.  Technical details and reasons for the software's inclusion in the pest database can be found here on the eTrust Spyware Encyclopedia website. The Sony pests have been dubbed XCP.Sony.Rootkit, Music Player, XCP.Sony.Rootkit.Patch and XCP.Sony.SP2.

The Sony Music Player was demonstrated by Mark Russinovich, the programmer who originally discovered the rootkit technology on a Sony BMG CD, to connect to Sony's servers and transmit information including the user's IP address and the name of the CD and songs being played.  Sony BMG CD's with this XCP software will not open with any other player, so the user is forced to install the Sony software to play a DRM enabled CD on their computer.  In response to the outrage, Sony issued a so-called patch which has been found to be problematic as well.  The patch removes the rootkit but creates new issues. CA's description:

This change removes rootkit functionality and addresses the vulnerability associated with the XCP.Sony.Rootkit. It also reduces hard drive scans on the part of the falsely named "Plug and Play Device Manager" service. Despite these benefits, XCP.Sony.Rootkit.Patch displays no notice of what it will do, offers no opt-out once invoked, and removes the rootkit in a manner which can cause system crashes. The aries.sys driver file installed by XCP.Sony.Rootkit is called when one of several hooked functions are called by any program. If a program has just initiated such a call when it is removed by this patch, what used to be a pointer to aries.sys is now a pointer to unallocated memory, which can cause a blue screen of death. (Emphasis mine)

Once installed, SP2 cannot be removed through ordinary methods. Sony's website contains a form, though not easily located, where the user can request an uninstaller. Curry reported CA requested the uninstaller Thursday evening and again though the weekend. Finally they received an email response on Monday later afternoon.  The process for obtaining the uninstaller is patently ridiculous.  Here are the steps.

User fills out online form and registers for download.
First email arrives.
User has to click link in email.
User has to download an activeX control which sends out unknown data to First4Internet.  Note that activeX controls are generally considered to be security issues also.
User must provide more information.
Second email arrives telling the user to wait again.
Third email arrives eventually.
User has to click link and download second ActiveX control in order to download uninstaller.

What happens next is unclear.  Curry reported as of this morning, CA has not been able to get the second activeX or an uninstaller to run. 

There are concerns about the corporate environment.  How many employees take CD's to play at work?  The user installing the CD and DRM rootkit on a corporate computer could affect the entire corporate network, and with the phone home technology, potentially expose sensitive information. Good for CA in targeting and removing this threat.  I think they are totally justified and I hope other anti-spyware vendors follow suit.

I understand that if the user has auto-run disabled for their CD-ROM drive, they can rip the songs from a DRM-protected CD, then burn them to another CD. CA has provided instructions for disabling auto-run here.

When I think about this picture, Sony's use of this DRM rootkit technology, their insensitive reaction and denials in the face of proven facts, and the preposterous process users have to endure to get an uninstaller, I *really* wonder what Sony could be thinking.  Users affected by this DRM software are not stealing copyrighted work; they are people that paid good money to purchase an, IMO, overpriced CD.  Why would any company treat their customers in this fashion?  I just cannot fathom it.  It is utterly unconscionable.

The recording industry whines about losing revenue due to piracy, yet Sony turns around and treats legitimate paying customers in such an arrogant, callous and insensible manner. Can the individuals running Sony BMG be so stupid?  If anyone can explain this to me, please do.

Editorial standards