The DRM software is called XCP and was created by UK-based First 4 Internet. It installs automatically when a CD is played on a PC and hides itself deep within the operating system. Security experts have blasted the cloaking mechanism, known as a 'rootkit', because it could be exploited by virus writers. Malware designed to take advantage of the veil provided by Sony BMG started appearing last week.
According to a research note published by Gartner, the use of "spyware techniques… constitutes bad business practice and should be discouraged". The note went on to say that sneaking software onto a computer without consent is "unacceptable" behaviour.
Gartner also criticised Sony for deliberately making the process of removing XCP complicated: "It was deliberately designed to be difficult to remove, and although Sony has now issued a patch that 'decloaks' the software, the process for completely removing the software from the user's computer is complex, requires the user to interact with Sony and is not included with the CD".
Personal firewall developer Zone Labs, which is owned by enterprise security firm Check Point, also slammed Sony on Monday for using what it called 'hacker-type techniques' to copy-protect CDs.
Laura Yecies, general manager at Zone Labs and vice president at Check Point, said: "While we understand Sony's need to protect its digital rights, compromising the security of its customers by using hacker-type technologies such as rootkits that create points of entry for actual hackers are not the answer."
Microsoft has said it will protect Windows users from Sony's DRM software by updating its AntiSpyware and Malicious Software Removal Tools to allow its detection and removal.
Sony has now stopped production of CDs using XCP software but the company has admitted that it will continue using an antipiracy tool developed by SunnComm.