Sony’s latest DRM installs as a rootkit on your PC.

I’ve been following the saga unfolding over at Mark’s Sysinternals blog about his recent discovery that his PC suddenly had a rootkit installed on it, thanks to a DRM scheme developed by a company called First 4 Internet that Sony BMG is using on copies of a Van Zant CD he had recently purchased. As you may recall, I’ve written about rootkits before and how they scare the hell out of me, because they make it possible to hide malicious software almost completely, so it was quite a surprise to read about a major company using a DRM system that relies on a rootkit to hide itself from users. Mark goes into great detail on how he discovered the rootkit, figured out who it belonged to, what it was doing, and how to get rid of it, which, as it turns out, isn’t that easy to do, as Sony doesn’t make any kind of uninstall available:

At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.

I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.

When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.

Mark got his CD drive back without having to restage his system, but his tech knowledge goes way beyond my own, so I’d probably just end up restaging the whole PC to get rid of it. Since Mark first posted his story on his blog the mainstream press has picked up on it, and Sony’s had to engage in some serious PR work to head off a lot of angry people out there. Both Sony and First 4 Internet swear that the DRM software does not pose any security risk to your system and couldn’t be misused by malware writers in any way. That claim is directly contradicted by the fact that some World of Warcraft cheaters are already using it to hide their cheat programs from Blizzard’s Warden anti-cheat software (a bit of software that Blizzard has taken no small amount of heat for themselves).
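The following PowerShell audit is an added example, not code from Mark’s post or from First 4 Internet; it checks the registry locations Mark describes for services or drivers whose name starts with the cloaking prefix (`$sys$`, taken from the `$sys$DRMServer` service name above) and reports whether each would load even in Safe Mode, either because it is boot-start or because it or its driver group is listed under the SafeBoot subkeys. It assumes an elevated PowerShell prompt, and the file-system check assumes the driver files live under `System32` or `System32\drivers`, which is an assumption, not something the page states.

```powershell
# Added example (not from Mark's post or the DRM vendor): audit services,
# drivers and driver files whose name begins with the cloaking prefix and
# report whether they would still load in Safe Mode.
# Assumes an elevated PowerShell prompt on the machine being checked.
$prefix      = '$sys$'   # single quotes keep the literal dollar signs
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

# Names (service names and driver group names) that Safe Mode still loads.
$safeBootNames = foreach ($k in $safeBootKeys) {
    if (Test-Path $k) { Get-ChildItem $k | ForEach-Object { $_.PSChildName } }
}

Write-Host "Services/drivers named with prefix '$prefix':"
foreach ($svc in Get-ChildItem $servicesKey) {
    $name = $svc.PSChildName
    if (-not $name.StartsWith($prefix)) { continue }

    $p = Get-ItemProperty $svc.PSPath
    # Start: 0 = SERVICE_BOOT_START, 1 = SERVICE_SYSTEM_START, 2 = auto,
    # 3 = demand, 4 = disabled. Boot/system-start drivers load before the
    # Safe Mode filter applies, which is what Mark observed.
    $earlyStart = ($p.Start -eq 0 -or $p.Start -eq 1)
    $inSafeBoot = ($safeBootNames -contains $name) -or
                  ($p.Group -and ($safeBootNames -contains $p.Group))

    [pscustomobject]@{
        Service         = $name
        ImagePath       = $p.ImagePath
        Start           = $p.Start
        Group           = $p.Group
        LoadsInSafeMode = ($earlyStart -or $inSafeBoot)
    }
}

# Assumed locations for the driver files; -Force includes hidden files.
Write-Host "Files named with prefix '$prefix' under System32:"
foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers") {
    Get-ChildItem -Path $dir -Filter "$prefix*" -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}
```

While the cloaking driver is active, keys and files beginning with the prefix are hidden from the normal Windows APIs this script uses, so it only finds something after the cloaking has been removed (for example by Sony’s “Service Pack 2” patch mentioned below) or when run against a hive and disk that were not booted with the driver loaded.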

Sony does supposedly make an uninstaller available, but you have to submit two different forms to request having the uninstaller emailed to you, something Mark has attempted and still hasn’t gotten from Sony as of yet. Sony does, however, make available a 3.5MB patch that removes the cloaking from the rootkit by updating the DRM software to “Service Pack 2.” You don’t have to fill out any forms to get that; they’ll happily let you download it from their servers, assuming you even know that you have their crappy DRM software installed on your system in the first place. Which, if you’re not on the skill level of Mark, you probably wouldn’t know unless you happen to own the same CD he does and have played it on your PC.

The point remains that nowhere is it mentioned in the EULA for the CD that Sony will be installing this software on your PC nor is there any information on how to disable or unload it. Nor is it mentioned that the CD sends data back to a Sony web server:

There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There’s no way to ensure that you have up-to-date security patches for software you don’t know you have and there’s no way to remove, update or even identify hidden software that’s crashing your computer.

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.

I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user’s comment: the Player does send an ID to a Sony web site.

Since this second article was posted the folks at First 4 Internet have responded to it with a rebuttal that does a piss-poor job of actually defending the product:

First 4 Internet and Sony also continue to argue that the rootkit poses no security vulnerability, repeating it in the description of the patch download. Any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software.

First 4 Internet’s final rebuttal relates to my complaint that as part of a request to uninstall their DRM software Sony requires you to submit your email address to their marketing lists. First 4 Internet says:

An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.

The Sony privacy policy the comment refers to clearly states that Sony may add a user’s email address to their marketing lists:

Except on sites devoted to particular recording artists, we may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly.

Again, the fact is that most users of Sony’s DRM won’t realize that they even have software that can be uninstalled. Also, the comment does not explain why Sony won’t simply make the uninstaller available as a freely accessible download like they do the patch, nor why users have to submit two requests for the uninstaller and then wait for further instructions to be emailed (I still have not received the uninstaller). The only motivation I can see for this is that Sony hopes you’ll give up somewhere in the process and leave their DRM software on your system. I’ve seen similar strategies used by adware programs that make it difficult, but not impossible, for you to remove them.

I’m a fan of Sony products in general, but this nonsense strikes a critical blow to their credibility in my eyes. It’s not so much that I have a problem with them trying to protect their content as much as the dishonest and dangerous methods they’re using to do it. The First 4 Internet DRM software does introduce a major security risk to your PC whether they want to admit it or not, and there’s no easy way to uninstall it without jumping through hoops and sending all sorts of info to Sony—such as CD title, artist, your name, etc.—and hoping they make good on their promise to send you an uninstall utility. The fact that this software, which takes control of part of your own PC away from you, is never even mentioned in the EULA as something that’ll be installed is just outrageous. If it causes problems that lead to system crashes you’d never be able to diagnose them, because you don’t even know it’s there.

Sony has caught so much heat over this that the folks over at EMI are preemptively pointing out that their DRM software doesn’t use rootkits and they haven’t even considered using First 4 Internet’s crappy DRM solution:

“The content-protection software that we’re using can be easily uninstalled with a standard uninstaller that comes on the disc. EMI is not using any software that hides traces of the program. There is no ‘rootkit’ behavior, and there are no processes left running in the background,” said an EMI spokesman in a statement.

EMI also said it was not working with First 4 Internet, the U.K. company that created the copy-restriction software for Sony, although it is trialing other content-protection software.

“EMI is not using First 4 Internet technology. We recently completed a trial of three content-protection technologies (Macrovision’s CDS300, SunnComm’s MediaMax and SonyDADC’s key2audioXS), and First 4 Internet’s technology was not one of those tested,” said the spokesman.

EMI was prompted to issue this press release after rumors started to circulate that they and Universal Music Group did use First 4 Internet’s protection scheme. The folks at Universal Music Group haven’t responded to those rumors as of yet.

So this is what it’s come down to in the fight by the content producers to keep you from using their CDs in ways other than the ones they want you to. They’re willing to install rootkits that could open your system up to all manner of security issues, and then make it difficult as hell for you to get rid of them, to try and stop something they have no hope of preventing. A quick search of a BitTorrent tracker site or two reveals that Van Zant’s album Get Right with the Man has been available on the file trading networks since pretty much the day it was released.

Again and again it’s the legit purchasers who end up finding themselves limited in what they can do with that new CD they purchased, as well as possibly having their PCs compromised by software they didn’t even know was going to be installed, because it was never mentioned in the EULA. Meanwhile the pirates have not only gotten the music for free and can burn as many copies or load it onto their iPods all they want, but they don’t have to worry that the music they’re illicitly enjoying may end up compromising their PCs in the bargain. You have to wonder if the folks at Sony are trying to stop people from being pirates or actively encouraging them to become pirates.

Meanwhile the folks at CNet are reporting that a lawyer is already prepping a class action lawsuit against Sony:

“We’re still investigating the case and talking to different people about what happened to them,” Green said on Friday. He plans to argue that under California law, if you buy a copy-protected CD from a music store, you should be informed that a spyware-like utility will be implanted on your hard drive.

Sony has backpedaled a little, saying that the hidden files can be uncloaked. But customers still have to beg for help if they want to uninstall the software.

Still, it may be too late for the entertainment giant to fend off the plaintiff’s bar. One recent court case in Illinois, Soleto v. DirectRevenue, sets a nonbinding precedent that lawyers expect to be invoked against Sony.

In that case, DirectRevenue was sued for installing spyware on Windows computers without obtaining proper authorization from a user. U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds.

Then there’s a California spyware-related law that says a company may not “induce” anyone to “install a software component” by claiming installation is necessary to “open, view or play a particular type of content.”

Translation: Sony could be in double trouble. Its Windows software is hardly necessary to play music—the disc works just fine on a Macintosh or in an old-fashioned CD player.

Meanwhile, dozens of other states are considering similar laws, each with slightly different wording. So is Congress.

Such legislation probably wouldn’t stop companies from installing this crap on your system, but it should at least mandate that you’re notified during the install process that it’s going to happen and asked for your explicit agreement before it does. Sony has every right to insist that you install whatever they want you to before you can listen to their CDs on your PC, but they should be telling you about it and giving you the chance to say no thanks.

The above article is also interesting because it points out that trying to remove the software without using an official uninstaller from Sony could be considered a violation of the DMCA as well:

In a bizarre twist, though, it’s not only Sony that could be facing a legal migraine. So could anyone who tries to rid their computer of Sony’s hidden anticopying program.

That’s because of Section 1201 of the Digital Millennium Copyright Act, which bans the “circumvention” of anticopying technology.

“I think it’s pretty clear that circumventing Sony’s controls violates the DMCA,” says Tim Wu, a Columbia University professor who teaches copyright law. (Violations of the DMCA include civil fines, injunctions, computer confiscations, and even criminal penalties.)

Wu noted that one possible reprieve might come from last year’s ruling from a federal appeals court in a case dealing with garage door openers—it said no copyright violations were taking place, so no DMCA violation occurred. Then again, another federal appeals court objected to bypassing anticopying technology used in DVDs, which is probably a closer analogy.

So if you weren’t a felon prior to playing that new Van Zant CD you could end up becoming one if you try to remove the DRM software Sony put on your PC. One way or another they’re just determined to make a criminal out of you yet.

11 thoughts on “Sony’s latest DRM installs as a rootkit on your PC.”

  1. It seems to me that this:

    U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds.

    trumps this:

    In a bizarre twist, though, it’s not only Sony that could be facing a legal migraine. So could anyone who tries to rid their computer of Sony’s hidden anticopying program.

    That’s because of Section 1201 of the Digital Millennium Copyright Act, which bans the “circumvention

  2. Len,

    I agree and right-thinking people in most walks of life might agree but what are the chances that the courts will ultimately end up protecting the consumer rather than the company? On appeal I suspect that any protections that the consumer might win will be overturned, because you know, we are all children that can’t be trusted to make our own decisions.

    Now where’s my damn binkie?

  3. This is exactly the reason I haven’t bought a CD in the past 5 years (aside from the fact that they still cost an arm and a leg) – they tangle you up in so many unneeded double-edged addons and self-interested ‘protection’ programs, then sue you when you try to get yourself out of the shitstorm they produce in their wake.

    And hey, on that note, according to Time-Warner, if you mute commercials or channel surf on TV, you are officially a thief and the TV execs hate you…if you download MP3s, you are officially a thief and the RIAA hates you…if you dub a movie off HBO, you are officially a thief and the MPAA hates you…what’s next? Am I still allowed to store leftover pizza in the fridge, or will Pizza Hut sue me?

  4. Ok, I tried to post earlier, so here goes my third attempt…

    Sony’s rootkit can be circumvented by:

    A) Disabling Autorun. It can’t install if autorun in Windows is disabled.

    B) Running Linux, BSD, MacOSX, etc.

    C) Allowing the rootkit to install, but then appending $sys$ to the front of any file’s name that you want to hide from the rootkit and from other prying eyes, such as Blizzard’s Warden.

    So, can Sony get sued for this? Who knows. Can Microsoft, every Linux company, every BSD company, and Apple get sued because of DRM circumvention? Who knows. Can Blizzard sue Sony for circumventing its anti-hacker/security software? Who knows.

    This is what happens when Congress is allowed to make tech decisions.

  5. This is one of the myriad reasons I run (only) Linux. Though given that I live in California, maybe I should install Windows on one of my own boxes, buy the CD, and stick it in the drive. Then I could get in on the class action lawsuit!

  6. I’m just waiting for the resale of CDs to become illegal. I own about 500, most of which were bought 2nd hand. I can foresee a time when a CD will have a license that will say:

    “This CD recording is for your own exclusive personal use. You may not distribute, copy or backup this CD in any way. You may not play the music on this CD to any third party. You may not dispose of this CD in any way that a third party gains access to the music stored on it, including sale, rent, loan or any other method. You are responsible for securing this CD against third party access. If we judge that a third party has accessed/listened to the music on this CD through your negligence, you will be liable under law for damages to us in the amount of not less than $10,000 per violation. If you have deliberately permitted a third party access to the music on the CD you will be liable for damages of not less than $100,000 per violation, and we will notify law enforcement where you may face felony charges of Unauthorised Distribution of Copyrighted Material, with a maximum penalty of life imprisonment and an unlimited fine. By breaking the seal on this CD, you have agreed to these terms.”

    Naturally these t&c will be inside the CD case…

    Far fetched? Or plausible? You decide…

  7. So, can Sony get sued for this? Who knows. Can Microsoft, every Linux company, every BSD company, and Apple get sued because of DRM circumvention? Who knows. Can Blizzard sue Sony for circumventing its anti-hacker/security software? Who knows.

    This is what happens when Congress is allowed to make tech decisions.

    TheJynxed – someone’s GOTTA make decisions on tech (law). I’d say that an elected body is a good start. Now if you are complaining about the technical savvy of elected bodies… ah well, might as well complain about the fact that the collected intelligence of a committee is lower than that of its average member.

    “This CD recording is for your own exclusive personal use. You may not distribute, copy or backup this CD in any way. You may not play the music on this CD to any third party.

    As far as I know, it’s already illegal (read: impossible) to sell Half-Life 2…

    Legal? Sure, as long as we are talking new contracts. Unpleasant though. For sure.

  8. By breaking the seal on this CD, you have agreed to these terms.

    We were talking about this at lunch.

    So what happens when you get a CD home, and you find a EULA inside the case that you don’t agree with?

    Does the store have to take it back?
    Does the company who sells it? (e.g. Sony?)

    I know that there was an effort to make Microsoft buy back copies of windows a few years ago, on pre-installed systems, but am not sure where that ever went.

    Just curious

  9. This isn’t only a huge security risk and an outrageous breach of consumers’ rights but also an enormous stability risk.
    As everyone who’s “playing” with computers knows, installing even plain software can cause serious problems, even crash the OS, not to mention drivers, but this is an entirely different thing.
    Now we’re talking about messing around at the kernel/“core” level of the OS.

    IMO these copyright fascists should be executed, in this case the appropriate method would be 0.50” BMG. (but to legs instead of head, headshot would be too merciful)

    This case shows well the ethics and morals of capital and big corporations. They don’t want real competition and a balance of demand and supply; what they desire is totalitarian control of the market and a stranglehold on the consumer.

    And that’s why they don’t want anything which would lead to some kind of balance, like this.

    And remember that Macro$hit’s anti-“trustworthy computing” is just a continuation of these.

  10. I think shooting people in the head over this fiasco is not only unnecessary, but ridiculously extreme. It’s much more effective to hit them where it hurts most and stop buying CDs that have this crap on them. Not too difficult to do, as the EFF has released a list of CDs containing this software and places like Amazon are actually putting warnings up on their listings for said products indicating that they have copy protection on them.

    On the plus side, all this outrage is having an effect. Not only is Sony not going to use this protection scheme on their CDs going forward, but they’re yanking existing stock from stores to stop it going any further and offering exchanges to folks who’ve already purchased copies:

    Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

    Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

    “Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience,” the company said. Sony says more than 20 titles have been released with the XCP copy-protection software, and of those CDs, over 4 million have been manufactured, and 2.1 million sold.

    Hit them where it hurts the most and they will listen.
