CA targets Sony DRM as spyware

Summary: Security company Computer Associates will detect and remove Sony DRM rootkit software.

TOPICS: Malware

Computer Associates, maker of security software, has announced their anti-spyware program PestPatrol will detect and remove Sony's rootkit-enabled DRM software. I spoke to Samuel Curry, Vice President, Product Management of Computer Associates, yesterday and he confirmed that four pests from Sony have been added to PestPatrol's new definitions slated to be released this week. Curry indicated CA's technical researchers spent the last several days testing the software and Sony's patch. Their findings are quite disturbing. The Sony XCP (Extended Copyright Protection) software, which includes the rootkit and is installed with only vague notice and consent to users, has reportedly been distributed on over 2 million Sony BMG CDs. Technical details and reasons for the software's inclusion in the pest database can be found here on the eTrust Spyware Encyclopedia website. The Sony pests have been dubbed XCP.Sony.Rootkit, Music Player, XCP.Sony.Rootkit.Patch and XCP.Sony.SP2.

The Sony Music Player was demonstrated by Mark Russinovich, the programmer who originally discovered the rootkit technology on a Sony BMG CD, to connect to Sony's servers and transmit information including the user's IP address and the name of the CD and songs being played. Sony BMG CDs with this XCP software will not open with any other player, so the user is forced to install the Sony software to play a DRM-enabled CD on their computer. In response to the outrage, Sony issued a so-called patch which has been found to be problematic as well. The patch removes the rootkit but creates new issues. CA's description:

This change removes rootkit functionality and addresses the vulnerability associated with the XCP.Sony.Rootkit. It also reduces hard drive scans on the part of the falsely named "Plug and Play Device Manager" service. Despite these benefits, XCP.Sony.Rootkit.Patch displays no notice of what it will do, offers no opt-out once invoked, and removes the rootkit in a manner which can cause system crashes. The aries.sys driver file installed by XCP.Sony.Rootkit is called when one of several hooked functions are called by any program. If a program has just initiated such a call when it is removed by this patch, what used to be a pointer to aries.sys is now a pointer to unallocated memory, which can cause a blue screen of death. (Emphasis mine)

Once installed, SP2 cannot be removed through ordinary methods. Sony's website contains a form, though not easily located, where the user can request an uninstaller. Curry reported CA requested the uninstaller Thursday evening and again through the weekend. Finally they received an email response late Monday afternoon. The process for obtaining the uninstaller is patently ridiculous. Here are the steps.

User fills out online form and registers for download.
First email arrives.
User has to click link in email.
User has to download an ActiveX control which sends out unknown data to First4Internet. Note that ActiveX controls are generally considered to be security issues also.
User must provide more information.
Second email arrives telling the user to wait again.
Third email arrives eventually.
User has to click link and download second ActiveX control in order to download uninstaller.

What happens next is unclear. Curry reported as of this morning, CA has not been able to get the second ActiveX control or an uninstaller to run.

There are concerns about the corporate environment. How many employees take CDs to play at work? The user installing the CD and DRM rootkit on a corporate computer could affect the entire corporate network, and with the phone-home technology, potentially expose sensitive information. Good for CA in targeting and removing this threat. I think they are totally justified and I hope other anti-spyware vendors follow suit.

I understand that if the user has auto-run disabled for their CD-ROM drive, they can rip the songs from a DRM-protected CD, then burn them to another CD. CA has provided instructions for disabling auto-run here.
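An added example, not part of the original article and not CA's instructions: on Windows the auto-run behaviour mentioned above is governed by the `NoDriveTypeAutoRun` policy value, a bitmask with one bit per drive type. The script below audits whether the CD-ROM bit is set; the function names and the sample value `0x91` are constructed for illustration.

```python
import sys

# Bit flags of the NoDriveTypeAutoRun policy value, one bit per drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk",
                   0x80: "reserved"}
POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def disabled_types(mask):
    """Return the drive types for which `mask` switches AutoRun off."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit)


def effective_mask(hklm=None, hkcu=None):
    """A machine-wide (HKLM) value, when present, overrides the per-user one."""
    return hklm if hklm is not None else hkcu


def cdrom_autorun_disabled(hklm=None, hkcu=None):
    """True only if the effective policy value has the CD-ROM bit set."""
    mask = effective_mask(hklm, hkcu)
    # Assumption: with no policy value at all, treat CD-ROM AutoRun as enabled.
    return mask is not None and bool(mask & 0x20)


def read_policy():
    """Windows only: return (hklm, hkcu) values, None where the value is absent."""
    import winreg
    found = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                raw = winreg.QueryValueEx(key, POLICY_VALUE)[0]
            # The value may be stored as REG_DWORD (int) or REG_BINARY (bytes).
            found.append(int.from_bytes(raw, "little") if isinstance(raw, bytes) else raw)
        except OSError:
            found.append(None)
    return tuple(found)


if __name__ == "__main__":
    # Off Windows, fall back to constructed sample values for illustration.
    hklm, hkcu = read_policy() if sys.platform == "win32" else (None, 0x91)
    print("AutoRun disabled for:", disabled_types(effective_mask(hklm, hkcu) or 0))
    print("CD-ROM AutoRun disabled:", cdrom_autorun_disabled(hklm, hkcu))
```

Turning AutoRun off only stops the disc's installer from launching automatically on insertion; running that installer by hand still installs the software.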

When I think about this picture, Sony's use of this DRM rootkit technology, their insensitive reaction and denials in the face of proven facts, and the preposterous process users have to endure to get an uninstaller, I *really* wonder what Sony could be thinking.  Users affected by this DRM software are not stealing copyrighted work; they are people that paid good money to purchase an, IMO, overpriced CD.  Why would any company treat their customers in this fashion?  I just cannot fathom it.  It is utterly unconscionable.

The recording industry whines about losing revenue due to piracy, yet Sony turns around and treats legitimate paying customers in such an arrogant, callous and insensible manner. Can the individuals running Sony BMG be so stupid?  If anyone can explain this to me, please do.

  • Yeah Suzi, I can explain it.....

    And it's only going to get worse. I could see it when things like UCITA and the DMCA started showing up. The corporates are and have been motivated 100% by greed. The problem is, our legislators are giving them more and more authority and at the same time reducing consumer rights to an unreasonable level.

    Look what has happened to TIVO lately. One can record a show only to have someone else decide when it should be erased. Completely asinine.

    Next up? Probably the digital broadcast flag. It all comes down to money. Always has and always will. Those with the money get the most attention in the legislature. It's also money that can stop the dirtbag corporates in their tracks. They will push the consumer as far as they possibly can and when the consumer finally approaches the point that they may stop buying, the intrusions will stop, but not until then.

    In this, I consider myself an "early adopter". I've already stopped buying. Won't buy a digital recorder (especially TIVO), and won't buy copy protected CDs. Maybe someday the majority of consumers will wake up and tell the corporates where to get off.
  • Big company, leave the technical details to underlings

    I truly believe Sony executives do not realize the implications of their product's surreptitious functionality. They strongly believe they have the right to limit illegal copying of their property but don't realize they are using illegal means to do so.

    Their more-technically adept staff, previously charged with the task of protecting Sony's property, are now attempting to recover but of course cannot offer a full retraction otherwise upper management would realize that they have been sold a bill of goods. Only the threat of senior executive jail time (and they are ultimately responsible) will wake them to the serious nature of the charges being laid at their doorstep.
  • What about Amazon and Walmart?

    Amazon and Walmart continue to sell these infected CDs; don't they know they may be forced to be co-defendants in a huge class action lawsuit?
  • Sony DVDs, Laptops all a disaster - beware

    Sony's left hand has no clue what the right hand is doing. As far as DVDs they promote laptops such as the VGN-T17P as being great for the international traveller and the extended battery great for watching 2 whole DVD movies on a long flight. But guess what - if these same international travellers buy DVDs from the countries that they visit then they are locked out of playing them on their new Sony laptop. Sony is a complete mess and generally seems to hold consumers in contempt. I will never buy another Sony product of any form.
    • That's not Sony's fault

      Sorry but the DVD formats were set by international treaty and by law a DVD playback device must be set to the format used in a specific region. So DVDs from Europe won't work in a laptop from North America configured to play DVDs from North America. This was a requirement of the media companies to control release dates of content by region.
      • Industry standards are not law!

        According to the licensing agreements for DVD technology, the players have to have this, since the licensors are (or are in bed with) the greedy studios which feel it is their right to decide in which country you are allowed to see your rightfully purchased media. It is by no means a law and would probably not even be classified as a copy-protection scheme under DMCA. Sony could, if they wanted, include the possibility of having a region-free DVD player in the laptops, but would probably be breaking the DVD licensing agreement.
        • Industry standards are not law!

          Actually they had to agree to implementing CSS and region coding to license the technology to play DVDs. The last company to make a region-free DVD player and sell it to the public was sued and forced to make a revised model, never mind it wasn't set to region free from the factory.
  • Sony stinks to say the least.

    I made the mistake of purchasing a Sony camcorder only to find out later that the only way I can put the movies on DVD is if I purchase a Sony PC to do the job. It is incompatible with my Dell PC or any other DVD Writer. I can now only transfer home movies to CD. This is totally ridiculous. There should be a law to stop them from selling anything like a camcorder without a clear notification that it is incompatible with any other brand PC but their own. No More Sony for me ever. The creeps.
  • Sony BMG - Digital Non-Rights

    I fired off an email telling Sony BMG I wouldn't purchase any digital Audio or Video content disk at any time in the future - period.

    I won't purchase any copy protected disk nor any DRM controlled Hardware that restricts me for any reason. I suppose I'll be stuck with outdated equipment for the foreseeable future.

    I recently read about the new controls that are being placed on the High Definition audio/video content disks that will cause a real problem for all those that currently bought expensive High Definition Plasma/LCD displays - they won't work with the new content!!

    No wonder there is so much audio/video piracy going on... These companies have bought off our congress. I also feel the same way about these stupid Music download sites - I won't deal with any of them.

    I put all my audio/video content on everything at home on any media I want and I won't change..
    I have total freedom and I'm going to keep it that way.

    • vandalization of private property

      Don't stop with just media... boycott any and all companies/products that sony has invested in. As far as I am concerned, sony's drm is nothing short of vandalization of private property. Can you say, CLASS ACTION LAWSUIT!!! Any attorneys out there to take this on? Of course on a contingency basis ;-P
      • Two class action lawsuits...

        are in the works. First, the firm of Green Welling is taking on the case for California consumers. And the other one will be filed in NY as a nationwide lawsuit. It's a two-way attack! Sweet! ;)
        Tony Agudo
  • Who's the Pirate?

    Let's see -- when I innocently do business with Sony they surreptitiously plant a spy on my "ship" which, under cover, disables my defenses so they can take over, blowing me out of the water if I resist, all having something to do with "piracy."

    Just one question: who is the pirate here?
  • Solution - don't play Sony on PC

    Solution to all of this is to not buy or play Sony CD's. They were worried their precious product would get misused. I won't - I'll leave it safely on the shelf.

    And play my personal music collection instead.

    • Don't play Sony on Windows.

      This isn't a problem with Linux, you know . . .
  • Sony DRM


    Could be Sony's Pearl Harbor...

    Too many other much better, higher quality, and less expensive products out there - a boycott is in order.

    States & the US governments need to get involved. This would be classed a criminal activity by any other name...
  • This is now a Security Credibility Issue

    All security companies should take notice: ZoneLabs, Symantec, Norton, Panda, et al. ANY computer security company that does treat a covertly installed root kit as a serious problem should not be taken seriously themselves.

  • Let's not forget Microsoft's responsibility

    Sony is wrong to plant code on MY computer without my permission. But what about Microsoft?
    Why didn't "security conscious" Microsoft warn me of what was happening? What kind of OS would let an application attach itself to the Kernel?

    Bill, I'm talking to you... You need to secure your baby or all the money in the world isn't going to preserve your legacy.
  • One easy way to bypass Sony DRM

    Don't buy their product!