Sony CD's Install Rootkit "Virus" on PC's |
nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Thu Nov 03, 2005 2:41 pm Post subject: Sony CD's Install Rootkit "Virus" on PC's
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
http://www.theinquirer.net/?article=27426
http://www.channelregister.co.uk/2005/11/03/secfocus_drm/
http://www.theinquirer.net/?article=27416
http://www.cdfreaks.com/news/12624
"Recording giant Sony BMG has admitted that it has installed cloaked spyware in people's computers in a bid to protect CD content.
[snip]
Sony denies that the component is malicious and compromises user security. So why release a service pack if it is OK and not a breach of security? Sony spinsters say that it is only to alleviate any concerns of users. It has nothing to do with a fear of writs."
"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files."
"This week, two research groups independently and separately reported that music giant Sony BMG has used software hiding techniques more commonly found in rootkits to prevent removal of the company's copy protection software. A rootkit is software that hides its presence on a computer while controlling critical system functions, and security professionals have lately warned that the addition of the technology to a variety of Internet threats - from bots to spyware - makes the malicious code more difficult to find and remove.
Both antivirus firm F-Secure and security information site SysInternals.com identified the copy protection scheme deployed by Sony BMG as essentially a rootkit. The tactic abuses the trust of the computer user, said Mikko Hyppönen, chief research officer for F-Secure."
"Since March 2005, Sony BMG is using a rootkit-based DRM system on some newer audio CDs. This DRM system is a serious hazard to each Windows based PC. Well known websites like F-Secure.com and SysInternals.com are confirming this exposure.
If AnyDVD is installed and active on a PC, this new so-called "Sony DRM Rootkit Virus" has no access to the operating system and the affected audio CD appears unprotected regardless!
"What the heck Sony thought to themselves," SlySoft's CEO Giancarlo Bettini was kidding, "maybe they wanna build their own bot net?".
This "anti rootkit protection" is not a new function of AnyDVD, rather it is the nature of AnyDVD to filter all undesired stuff between a CD/DVD drive and the operating system. It is just one example, how well AnyDVD's option to "Remove CD Digital Audio Protection" is working."
_________________
I haven’t seen a beatin’ like that since somebody stuck a banana in my pants and turned a monkey loose.

Sony CD's Install Rootkit "Virus" on PC's Replies

nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Mon Nov 21, 2005 1:21 pm Post subject:
http://biz.yahoo.com/ap/051121/sony_copy_protection.html?.v=7
Texas Sues Sony Under Anti-Spyware Law
Monday November 21, 2:17 pm ET
By Liz Austin, Associated Press Writer
Texas Sues Sony BMG Music Entertainment Under Its New Anti-Spyware Law
AUSTIN, Texas (AP) -- The state sued Sony BMG Music Entertainment on Monday under its new anti-spyware law, saying anti-piracy technology the company slipped into music CDs leaves computers vulnerable to hackers.
The lawsuit is over the so-called XCP technology that Sony had added to more than 50 CDs to restrict to three the number of times a single disc could be copied.
After a storm of criticism, Sony recalled the discs last week.
Without asking users, the CD automatically installed the copy-protection program when discs were loaded into a PC -- a necessary step for transferring music to iPods and other portable music players.
Attorney General Greg Abbott accused Sony BMG of surreptitiously installing "spyware" in the form of files that mask other files Sony installed as part of XCP.
This "cloaking" component can leave computers vulnerable to viruses and other security problems, Abbott said, echoing the findings of computer security researchers.
"People buy these CDs to listen to music," Abbott said. "What they don't bargain for is the consumer invasion that is unleashed by Sony BMG."
Security researchers say XCP is spyware because it secretly transmits details about what music the PC is playing. Manual attempts to remove the software, which works only on Windows PCs, can disable the PC's optical drive.
Sony executives have rejected the description of their technology as spyware. A spokesman for the New York-based label did not immediately return a telephone call seeking comment on Abbott's lawsuit.
Sony BMG initially rejected the uproar over XCP as technobabble.
But after security experts discovered that XCP opened gaping security holes in users' computers -- as did the method Sony BMG offered for removing XCP -- Sony BMG agreed last week to recall the discs.
Some 4.7 million had been made and 2.1 million sold. CDs that had XCP included releases by Van Zant, The Bad Plus, Neil Diamond and Celine Dion.
The Texas spyware law allows the state to recover damages of up to $100,000 in damages for each violation. Abbott said there were thousands of violations, and that any money would go to the state.

nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Thu Nov 17, 2005 12:51 pm Post subject: This just keeps getting WORSE!
This just keeps getting worse! Amazing to me is that SNE is UP ever since this news broke. You'd think the negative publicity would cause some retail investor negative reaction ...
http://www.washingtonpost.com/wp-dyn/content/article/2005/11/16/AR2005111602242.html
Sony's Fix for CDs Has Security Problems of Its Own
By Brian Krebs
Special to The Washington Post
Thursday, November 17, 2005; Page D01
Consumers who used computers to listen to Sony BMG music CDs containing flawed software were still exposed to potentially crippling security breaches yesterday, experts said, as the company continued to try to fix the problem.
Sony BMG Music Entertainment released a software patch earlier in the week, but experts warned that the fix created as many security problems as the original program, and as of yesterday the company had not come up with a new approach.
Sony BMG has recalled nearly 5 million CDs equipped with the flawed anti-piracy software shipped to retailers over the past eight months -- including titles by singers Neil Diamond, Celine Dion and Ricky Martin. Roughly two weeks ago, security experts showed that the software automatically installed a program that hid all of its files from users and damaged or crashed computers of customers who tried to remove it.
When played on a home computer running Microsoft Windows, the CDs require users to install a special media player and click "agree" on a 3,000-word license agreement. But the agreement makes scant mention of what the software, which is designed to prevent people from making unauthorized copies of the music, will do once installed.
For example, experts showed that the anti-piracy software "phones home" to Sony BMG and to the company that created the software, First 4 Internet Ltd., with details of user's music-listening habits. It also interferes with more than 250 programs that could allow copying of the CD contents to a portable media player or backup disc.
Detailed examination of the license agreement reveals no mention of such activity.
Further testing proved that hackers could use the program's file-hiding capabilities to silently embed computer viruses on PCs, prompting Sony BMG to issue a software update that removes that feature. Days later, unknown attackers sent millions of junk e-mails containing a virus crafted to exploit the flaws and seize control of vulnerable computers.
After the virus outbreaks, Sony BMG -- a joint venture of Sony Corp. and Bertelsmann AG -- said it would suspend production of new CDs featuring the copy-protection technology. But after nearly two weeks of relentless consumer backlash, Sony BMG said Tuesday that it would recall all CDs equipped with the anti-piracy software and that roughly 2 million customers who have already bought the discs would be able to exchange them.
Sony BMG spokesman John McKay declined to comment beyond the company's written statement, which apologized to customers for any inconvenience caused by the software and promised additional details about the CD exchange program in coming days.
Hours after Sony BMG announced its buyback, researchers at Princeton University found that even the patch the company released to remove the anti-piracy software contains security problems. The patch leaves behind coding that allows any Web page the user visits to download, install and run programs on the computer. Other research, released Tuesday by Atlanta-based Internet Security Systems, showed that the underlying program itself contained security holes that hackers could use to attack Windows computers running the software.
Sony BMG's latest moves have not erased its legal and public relations troubles. Last week, an attorney in California filed a lawsuit seeking damages for residents who bought the defective CDs, and on Monday, a lawyer in New York filed a nationwide class-action case against the company.
Mark Russinovich, chief software architect at Sysinternals, the security expert whose initial research into the anti-piracy program sparked the controversy, welcomed the class-action suits, saying withdrawal of the software wasn't enough.
"What I'm most concerned about is: If nothing serious happens to Sony that's visible to other companies, then we run the risk of this kind of thing becoming standard corporate behavior," Russinovich said.
The incident raises new questions about how far the music industry can go to defend its works from piracy. The industry loses roughly $4.2 billion worldwide to piracy each year, according to the Recording Industry Association of America. The software was the latest effort by entertainment companies to rely on controversial "digital rights management" (DRM) technologies to reverse a steady drop in sales that the industry attributes in large part to piracy facilitated by online music and movie file-sharing networks such as Kazaa and LimeWire.
Microsoft Corp. also waded into the fracas last week when it labeled Sony BMG's software a threat, saying it would let users remove the program through its anti-spyware program. Starting in December, Microsoft said, it will automate the removal of the software through its "malicious software removal tool," a program designed to help users clean up their computers after virus infections.
Krebs is a staff writer for washingtonpost.com.
Some of the CDs recalled by Sony BMG:
Phantoms, Acceptance
Touch, Amerie
Shine, Trey Anastasio
Suspicious Activity, the Bad Plus
Unwritten, Natasha Bedingfield
To Love Again, Chris Botti
Bob Brookmeyer & Friends, Bob Brookmeyer
The Invisible Invasion, the Coral
The Dead 60s, the Dead 60s
The Essential Dion, Dion
12 Songs, Neil Diamond
On Ne Change Pas, Celine Dion
Manhattan Symphonie, Dexter Gordon Quartet
Broken Valley, Life of Agony
Jeru, Gerry Mulligan
Silver's Blue, the Horace Silver Quintet
The Best of Shel Silverstein, Shel Silverstein
Susie Suh, Susie Suh
Nothing Is Sound, Switchfoot
Get Right With the Man, Van Zant
NOTE: Not all titles listed are affected in all versions of the CD. Discs carrying the First 4 Internet software are marked with the words "Content Protected" on the jewel-case spine, with a label on the back that refers questions to the Web site http://cp.sonybmg.com/xcp. For more information on how to remove this software, visit http://washingtonpost.com/securityfix.

nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Wed Nov 16, 2005 9:25 pm Post subject:
FYI Sony has backed off their plans to install this "protection" in their new CD's. If I actually bought music CD's to play on my PC, I would investigate some software to protect me from that type of "protection," anyways.

nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Thu Nov 10, 2005 10:39 am Post subject: NOW the story hits the mainstream
Now the story hits the mainstream. Is now a good time to short SNE just for the "pop" from this hitting the press? Those into speculation, what do you think?
http://www.usatoday.com/money/industries/technology/2005-11-09-sony-usat_x.htm
Some Sony CDs' piracy protection called spyware
By Jefferson Graham, USA TODAY
LOS ANGELES — Sony BMG Music has a firestorm on its hands.
The label, in a bid to combat piracy, contracted with a British firm to copy protect several music CD titles. The problem: Playing the CDs on a PC requires installation of a software program that tech security experts say can be classified as spyware, and that can't be uninstalled without Sony's (SNE) permission.
The blogosphere has been in overdrive this week, as Sony has tried to calm consumers. The software restricts unauthorized copying, but it also contains a hidden file that security experts say can track consumer behavior.
SONY SUED
Sony BMG Music Entertainment has been targeted in a class-action lawsuit in California by consumers claiming their computers have been harmed by its anti-piracy software.
The claim says Sony failed to disclose the true nature of the digital rights management system it uses on its CDs and thousands of computer users have unknowingly infected their computers. The suit, filed Nov. 1 in Los Angeles Superior Court asks the court to stop Sony from selling additional CDs protected by the anti-piracy software and seeks monetary damages for California consumers who bought them. A spokesman for Sony BMG declined to comment.
The suit says the technology cannot be removed without damage to the computer.
— Reuters
"This is spyware, pure and simple," says Sam Curry, vice president of security software maker Computer Associates.
Sony put a downloadable patch on its website to make the formerly hidden file no longer invisible, but that has done little to put out the fire.
In Italy, the Association for Freedom in Electronic Interactive Communications advocacy group has asked the government to investigate Sony's use of the software, known as a rootkit.
Sony says the file is there for copy protection, not to collect information about customers.
Sony says 20 CD titles use this form of copy protection, from British firm First 4 Internet, but it won't say which titles. The Electronic Frontier Foundation, a non-profit civil-liberties group, identifies 19 on its www.eff.org website from artists including Neil Diamond, Van Zant, Celine Dion and Switchfoot.
Most CDs play simply on computers through media player programs such as Musicmatch or Apple's iTunes. But these CDs from Sony BMG aren't recognized by those programs. To play them, users must first agree to Sony's terms and download an included software program.
First 4 Internet CEO Mathew Gilliat-Smith concedes that the software is put on PCs "to make it more difficult for the consumer to find the protection files."
Sony spokesman John McKay says the company "moved very quickly to address concerns" by putting the patch on its website right away, at cp.sonybmg.com/xcp.
But Curry says the patch doesn't solve the problem. The software is still spyware, he says, because the files can't be uninstalled without going through a laborious process. Some bloggers have complained of the software slowing down PCs. "The behavior of this is bad on all counts," Curry says.
Sony BMG says it plans to have all major new releases copy protected in 2006.

nodoodahs Moderator
Joined: 06 May 2005 Posts: 2408
Posted: Fri Nov 04, 2005 4:23 pm Post subject:
Maybe it’s my ears, but I never did notice the difference between CD-quality and good vinyl. All this talk about the durability of CD’s, well, let’s see how they sound when they’ve been around as long, and played as much, as my Meat Loaf cassette.
http://informationweek.com/story/showArticle.jhtml?articleID=173402819
Sony Issues Patch As Hackers Pounce On Rootkit Nov. 3, 2005
Sony's patch removes the cloaking technology it's been using for audio CDs--but hackers are already talking about ways to use the rootkit to hide their own illegal code.
http://blogs.pcworld.com/staffblog/archives/001051.html
Is Sony Trying to Kill the CD Format for Music?
Posted by Andrew Brandt
Wednesday, November 02, 2005, 04:32 PM (PST)
By now, you've probably heard the news that Sony, the media giant, has been quietly installing hidden software on PCs, when people buy music albums published by Sony BMG Music, and try to play them on their computers. The software, called Extended Copy Protection (or XCP) uses rootkit techniques similar to those used by viruses, Trojan horse programs, and spyware to hide the fact that it is installed from the user.
The discovery, by security expert Mark Russinovich (whose outfit, Sysinternals.com, makes several free Windows utilities I find invaluable in diagnosing spyware infestations), details how Sony uses commercial software that automatically installs itself when you put a music CD in a Windows PC's CD drive.
Russinovich's own anti-rootkit software, Rootkit Revealer (a free download), as well as the Blacklight rootkit detection utility (made by F-Secure, an antivirus company, free until the end of the year), now detect the software used by Sony, which was licensed from a British firm called First 4 Internet.
The bigger question people have got to ask is, does Sony not respect the integrity of the computers of its customers? This cavalier act of sneaking software onto PCs not only violates our own Prime Directive -- it's our PC, dammit -- but threatens the entire music industry.
After all, if you suspect that a commercial CD will install software secretly, which you won't be able to remove and which, itself, may increase the already-great security problems of your Windows PC, would you continue to buy CDs?
I'll tell you right now, I won't. I'd much rather buy an unrestricted copy of a song electronically, using iTunes, or Rhapsody, or one of the other music services that offer this feature, than take a chance that some music disc will stick some hidden files in my Windows folder, which I can't see or remove.
Sony has dealt itself a serious blow, and the best thing it -- and the rest of the music publishers -- can do right now is condemn this practice, apologize to the customers that were affected, provide a method to get this junk off affected PCs, and make declarations that they will never, ever do this again.
I don't think they will. And if they don't, I simply won't buy CDs anymore. Period. From any publisher. And I recommend that you don't, either. As a fan of music who respects the need for artists to make a living, and a security-savvy PC user, I'm incensed that Sony -- any company -- would think it's OK to do this. It's not. But the only way (I can see) to send that message effectively to Sony BMG executives is to vote against CDs with my wallet.
Sony was crucial in creating the CD format more than 25 years ago. In this age where every purchasing choice we make affects the level of control we have over our PCs, they seem to be committed to killing it.

honeycookie Newbie
Joined: 14 Jun 2005 Posts: 5
Posted: Thu Nov 03, 2005 10:50 pm Post subject: Sony's Malware
Thank you for your post. I really appreciate the warning. I seem to have no choice but to forbid my children from buying any Sony music (even with their own money) for fear of breaking our three computers, which I simply cannot afford to replace.