Yesterday, Windows innards guru Mark Russinovich of Sysinternals wrote of his disturbing discovery regarding one of those newfangled "copy-protected CD's."
(These are music CD's that self-install software on your computer, and then prevent you from doing some of the things you might want to do -- like copy a song for a mix CD. Some artists have spoken out against this freedom-reducing scheme that has been used on their CD's without their consent -- although major record labels working against the interests of artists is nothing new.)
Russinovich discovered that this CD had installed its software in an extremely well hidden way, via something called a "rootkit," which basically interferes with the operating system kernal so that it becomes extremely difficult to detect its presence, or to remove it.
His findings included:
- This hidden software appeared to be poorly written, and was hogging up some of his computer's resources at all times, even when he wasn't playing the CD.
- Its hiding techniques would also have inadvertently made it easy for others to hide software on his machine.
- It took actions that could have resulted in a system crash.
- It tried to disguise itself as a legitimate Windows service.
- It didn't provide a way to remove the software.
- Upon his own manual removal of the software, his CD drive was rendered useless.
These are exactly the techniques commonly used by the most insidious malware (viruses, worms, spyware, etc.), the ones that are so difficult to remove from Windows machines.
And he found that this software had been installed by the CD he'd gotten from Sony.
The End User License Agreement (EULA) from Sony went into none of these details, merely saying that "a small proprietary software program" would be installed on his machine. The EULA actually mentioned removal of the software, even though there was no means provided to remove what he had found.
This is a big deal, and one might expect a lawsuit (class action?) to evolve out of this (putting aside the "Waiver of Trial by Jury" clause in the EULA).
Here's Russinovich's article: "Sony, Rootkits and Digital Rights Management Gone Too Far" (which is quite thorough and very technical).
The wise and careful (who of course already avoid DRM, by not buying protected CD's, or protected audio from the iTunes Store) who scan their machines for malware (with free tools such as Spybot-Search & Destroy and Ad-Aware) might consider adding the free Sysinternals RootkitRevealer tool to their arsenal.
Here's Cory Doctorow of EFF on Why DRM is bad everyone (and here's another critique of his).
Finally, Richard Stallman of The Free Software Foundation: Can You Trust Your Computer?
UPDATE: Sony releases PR "patch" for its DRM malware that doesn't address the problems (Nov. 3, 2005)
UPDATE: Lawsuits against Sony for sneaky DRM, and refuted denials from malware author (Nov. 7, 2005)
UPDATE: Sony's Deteriorating DRM Mess: One Month Later (Dec. 1, 2005)
I download a lot of stuff from itunes onto my mac. Is this really a bad thing? As a freeform supporter, should I be avoiding DRM music?
That whole sony business is bad though. Let's hope a big time lawsuit results. Anybody remember the kid who got in trouble because he figured out if you hold the shift key, the DRM blocker was disabled.
Posted by: Taso Stefanidis | November 01, 2005 at 02:01 AM
It's not "an extremely well hidden way"; a rather idiotic rootkit, in fact. What's hilarious and sad is how a complete beginner (judging by his posts asking for help) wrote a rootkit that will protect (read: cripple) all Sony CDs.
Posted by: Alex | November 01, 2005 at 08:07 AM
PS. I just noticed you require an email address to post. Besides immediately deluging the innocent poster with spam, what else does it accomplish? Have you heard of the "hide the poster's email" concept? (Hint: use a web form if someone wants to contact the poster.)
Posted by: Alex | November 01, 2005 at 08:09 AM
Taso - yes, DRM is bad - you shouldn't be using iTunes. Read the Cory Doctorow article linked in the blog entry for an excellent explanation of the general problem. iTunes is bad because they can change the restrictions at any time _retrospectively_. You could easily lose access to use that music the way you want to in the future. You can already only play it on a very limited selection of players (Itunes, iPods).
There are a host of sites that put out non-DRMed music, like magnatune.com, allofmp3.com, audiolunch.com, mp3tunes.com. The first three will give you oggs as well so you can avoid patent issues too. All but allofmp3 also pay the artists a decent share.
Posted by: Wookey | November 01, 2005 at 08:29 AM
Alex - So the researcher only needed about five different reverse engineering tools (one he wrote himself) to find and remove this malware - but you don't consider that well hidden?
Also, I wouldn't call it idiotic, it's just pared down from what it could have been (and what it will probably evolve into). The malware could have scanned the entire contents of your drive for mp3s from Sony artists, videos of Sony movies, or some budget spreadsheet which shows how much money you spent on electronics last year (i.e. anything!). With some extra code, the program could have reported back to Sony everything that it found at which point they could a) delete what they thought was their property, b) sue you c) cripple your computer (you know, that box that you paid $2,000 for?). And all of this could be legitimately covered by a well crafted EULA that none of us would have read before popping in the CD.
So don't worry Alex, the next one will be better hidden and less idiotic.
Posted by: ChairmanTubeAmp | November 01, 2005 at 12:36 PM
Actually, Russinovich used EIGHT tools to diagnose and identify this malware, seven of which he wrote himself (sometimes with his partner Bryce Cogswell).
I highly recommend the free Sysinternals tools they wrote: I have found many of them completely indispensible for years. I think I run Filemon and Process Explorer at least daily.
I also just found a reference online to someone having found this Rootkit and tracing it back to Sony on Aug. 25, 2005.
Alex: Yes, it's annoying that TypePad asks for an email address. It doesn't make you give a real one. Also, if you create a TypePad account before posting a comment, then your provided email address won't be posted with your comment (instead, a link to your "TypePad profile" will be provided).
Posted by: Kenzo (lastever.org / kenzodb.com) | November 01, 2005 at 01:02 PM
When is the mainstream media gonna pick this up!!
Posted by: Whitehouse | November 01, 2005 at 02:22 PM
If you want the convenience of iTunes without the restrictions of their DRM, you can buy songs and use this tool:
http://hymn-project.org/
Legal disclaimer: I advise that you follow all laws.
Posted by: ChairmanTubeAmp | November 01, 2005 at 03:49 PM
Magnatune is great (lots of audio formats and really supporting the artists). I wouldn't support allofmp3, as that seems like an illegal service which just exists in Russia due to loopholes in the laws there.
IMO, the best site all-around for non-DRM music is eMusic. Tons and tons of indy labels and only about 25 cents a song. It uses a subscription ($10 a month for 40 songs) instead of pay-as-you-go, which is kind of annoying, but it is great overall. I think $1 is too much to pay for a song, especially with DRM...
Posted by: Shawn Fumo | November 02, 2005 at 02:10 PM
allofmp3.com is legal - in Russia. Unblocked loophole(if that's what you want to call it) = legal. If americans in the U.S. own a piece of it or do business with it, they are the ones who have to deal with any s-storm. But there will not any. The world doesn't rotate around the RIAA and the United States government.
Posted by: Omuf Nwahs | November 08, 2005 at 05:25 AM
Class Action Law Firm Investigating Sony CDs:
My law firm is investigating the situation surrounding “rootkits” on Sony-label CDs. In connection with our investigation, we are interested in learning more about the experiences consumers have had with those CDs. I can be contacted at (212) 239-4340 or, by e-mail, at [email protected].
Posted by: Tom Ciarlone | November 14, 2005 at 10:17 AM