It's been one month since details of Sony's invasive Digital Rights Management rootkit malware came to light. (See my earlier articles: Nov. 1, Nov. 3, and Nov. 7.)
About 9,777 blogs now mention "Sony rootkit", while a web search for Sony rootkit malware yields 13 million results. Here's a messy update on this mess:
Sony hired First 4 Internet (one of whose corporate directors spent 12 years as a Sony director) to build the intrusive digital restrictions management software "XCP", which has been quietly installing itself on about half a million computers over the past year, including military and government sites. Many more Sony CDs install spyware DRM called "MediaMax", made by another Sony-related company, SunnComm.
Some of the bad things the XCP and MediaMax DRM malware do:
- Modifies your OS to hide and embed itself (and helps other malware hide itself). It masquerades as a real Windows service, to make it harder to notice that something bad is running.
- Interferes with your computer's ability to read the audio on that CD, not letting you use your own audio player.
- Silently interferes with any CD-ripping software you might use, even with non-Sony CDs, adding random noise to your copies.
- Secretly "phones home" to send information about you and your listening habits back to Sony (although Sony originally denied this).
- Runs all the time and slows your computer down.
- Can crash your computer, while being difficult to diagnose and repair due to its self-hiding methods.
- Using advanced tools to try to uninstall the software can render your computer's CD drives completely useless.
Some bad things Sony (and friends) appear to have done:
- Snuck the XCP software onto people's computers, providing nothing but a legal jargon license that never actually explained what the software would do, while claiming it could be uninstalled without providing an uninstall mechanism.
- The MediaMax software may install even if the user clicks "Decline."
- Failed to act to protect users after F-Secure notified Sony of the rootkit's hazards on Oct. 4.
- A few days after the bad publicity following Sysinternals' Oct. 31 exposure of the malware, Sony made a patch available that didn't actually remove the DRM or address most of the problems.
- Sony then made an XCP uninstaller available, but only to individuals upon request and only after personal information is provided to Sony. This uninstaller opened even more security holes in people's computers. Sony continued to distribute this flawed uninstaller for three full days after the weaknesses were published before finally withdrawing it from their site (where they still somehow claim that their "patch" fixes the original problems). (Here are someone's manual XCP removal instructions. USE AT YOUR OWN RISK - like you did when you installed the rootkit in the first place, or when you actually chose to buy an RIAA CD.)
- To get an uninstaller for MediaMax also requires requesting one from SunnComm. SURPRISE: This uninstaller ALSO opened computers to a backdoor vulnerability.
- Even with all these weaknesses having come to light, Sony is still encouraging people to install the rootkit malware, and First 4 Internet is still claiming that the cloaking device "does not compromise security," even while the Dept. of Homeland Security has declared it a "security threat," and says that nobody should ever install CD DRM.
- The XCP system itself appears to have infringed various copyrights, via stealing open source code in violation of the GNU General Public License and failing to publish the derivative source code. Some of that stolen code is designed to circumvent Apple's own DRM scheme, which probably places Sony in violation of the Digital Millennium Copyright Act - a damning situation for a member of the litigious RIAA.
- Sony originally claimed only around 20 titles were affected, but subsequently released a list of 52 affected CDs (XCP only - no mention of MediaMax, which affects about 267 ADDITIONAL titles). Meanwhile, Sony assured one blogger that "by the end of fiscal 2005, 100% of Sony BMG titles released will contain this content protection technology. Please assume every one of our CDs are protected in this fashion."
- After claiming they'd done nothing wrong, Sony eventually "recalled" the DRM-infested CDs, yet there they still were on the chain store shelves during the busiest shopping day of the year. There is no refund being offered, nor compensation for harm done by Sony's system - nor even an apology.
The mainstream anti-virus/security companies appear to be ignoring the Sony malware, either because they don't mind cooperating with malware creators when they come from major corporations, or they are afraid that Sony will sue them under the anti-circumvention clause of the DMCA. Either way, the largest anti-virus vendors don't appear to be prioritizing protecting their customers. Generally, when software as harmful and sneaky as this is discovered, anti-virus firms rush out updates, there's a lot of media noise, and some malware author winds up in jail. The rules appear to be different for multinational corporations. Security guru Bruce Schneier asks, Who DO the major security companies really serve?
All this, and the system doesn't even succeed at its one ostensible purpose (preventing unauthorized copying), since anyone in the know can bypass the system, by merely holding down the shift key when they first put the CD into their computer, or by sticking a small piece of tape on the CD (both of which are violations of the DMCA, but otherwise safer ways to listen).
Seven class action suits against Sony are in the works: In California, New York, Texas, Oklahoma, Washington, DC, one by the Electronic Frontier Foundation (EFF), and in Italy.
Here's a great chart that summarizes what the two Sony malware DRM systems do, what's wrong with each of them, and what lawsuits are underway.
Next time, I'm going to write only about the problems with DRM in general. Meanwhile, please read Richard Stallman's The Right to Read - while you still can.
Actually, the biggest vendor of them all, Microsoft, classified XCP as spyware and announced their antispyware tool would be updated to remove it.
Posted by: Mark Weiss | December 01, 2005 at 11:41 AM
Don't be fooled! Read Microsoft's announcement very closely - if their tool winds up doing anything, it will just be to remove the cloaking component of XCP, just like the official XCP patch does. This does not address the majority of the problems with XCP, nor any of the problems with MediaMax, nor any of the problems with DRM in general.
This is yet another PR stunt - Microsoft is VERY, VERY pro-DRM.
Please see my second article: Sony releases PR patch for its DRM malware that doesn't address the problems
Posted by: Kenzo (lastever.org / kenzodb.com) | December 01, 2005 at 12:58 PM
There's also something talking back home in the Sony Soundforge audio editing software. You get newsletters through your email whenever you use the software. Good news is it now gets stuck in my firewall; bad news is it causes gaps in my recordings while it gets stuck!
Posted by: poesboes | December 01, 2005 at 06:20 PM
Right, making no claims about DRM in general, nor do I know anything about MediaMax. Nor do I work for MS nor particularly care for them. And, again, of course they want very much to get an authentication/authorization cut on every bit of culture we consume. However, in this case, isn't the cloaking element (at least partly, since such an invasion has to hide itself) what makes this a rootkit, and what allowed other trojans to hide by naming themselves to match the names of the cloaked files and registry entries? MS AntiSpyware aims to alleviate the security threat, not interfere with the DRM scheme. It is *very* important to understand what all of these companies are doing to monitor us, and how secretive or not they are being, certainly. But it is equally important to be even in doing that, and to focus exactly on the facts of each *particular* case. Paranoia is definitely useful in this space, I don't deny that. But it is equally useful to be able to answer a much narrower question, like "Does MS AntiSpyware remove the *security threat* posed by XCP?" I don't know the answer, but broadening the inquiry to include a great deal of additional context doesn't provide any additional facts. Facts would be: how exactly does this software work, why and how does it pose a security threat, etc. That was the scope of my first post. The scope of "they are trying to install themselves on our computer however they can," while basically true and useful, is much larger. I'm saying, you *also* have to be able to be completely non-hysterical and focus on the humdrum minutiae of engineering and empirical proof. e.g., Russinovich's original series of posts about this are absolutely clinical, and, thus, unimpeachable. Any other tone, and any other presentation that wasn't absolutely authoritative and irrefutable would not have fried Sony's ass. Being pissed off is a motivator, talking about being pissed off is a distraction.
Posted by: Mark Weiss | December 01, 2005 at 11:16 PM
Mark,
I agree, it's important to be clinical and not hysterical. This is why I pointed you to my second article above: Based on Microsoft's press release, it appears that their tool will do the same exact thing that the Sony "patch" did. In the above linked article, I list Russinovich's six major criticisms with Sony's XCP software (MediaMax is not mentioned there), culled from my first article, and point out that Sony's patch just resolves issue #2, not touching the other five.
The fact that Sony's XCP cloaked itself as a rootkit has already caused much of the damage, in that it took security-minded folks all year to discover its presence at all. Now that it's been uncovered and is less of a secret, Sony provides a way to uncloak it. Not hiding it in the first place, or having told people how to uncloak it before an outsider discovered it, would have mitigated much harm.
Reading through article #2, plus my article above, you'll see numerous problems XCP and MediaMax cause. They tie up the computer, they may cause the computer to crash, they interfere with legitimate uses of legitimate tools users may attempt, they secretly leak out unspecified information back to Sony and/or its agents, their installers open machines up to even more vulnerabilities and perform even more snooping on their users... And, Sony is still misleading the public as to the scope and impact of their software.
From the perspective of computer users, these are clearly security threats.
Thanks for this discussion.
- Kenzo
Posted by: Kenzo (lastever.org / kenzodb.com) | December 02, 2005 at 12:09 PM
...and I forgot to repeat other security threats: The harmful programs are difficult to uninstall, and doing so incorrectly can render one's CD-ROM or DVD drive useless.
Posted by: Kenzo (lastever.org / kenzodb.com) | December 02, 2005 at 12:13 PM
It has recently come to our attention that some individuals and companies are offering various instructions and tools to uninstall the XCP content protection software from computers. Please be advised that we have already made available a proper uninstaller at http://cp.sonybmg.com/xcp/english/updates.html. This is the only safe and secure method for removing the protection components of which SONY BMG is aware. SONY BMG assumes no responsibility for use of any other uninstaller tool or instructions.
For any questions about XCP content protection software used on SONY BMG discs please go to http://cp.sonybmg.com/xcp/english/home.html.
Thank you.
SONY BMG
Posted by: SONY BMG | December 08, 2005 at 05:57 PM
What a touching love letter from my friend SONY BMG. They "already" posted an uninstaller - after everyone and their mom complained and several people figured out how to remove it themselves. Also retarded is their reference to their "protection components." They are "protecting" you from using your computer! Do they sell a home security system that can lock me out of my bathroom?
Please be advised that CHAIRMAN TUBE AMP assumes no responsibility if you click on any SONY BMG link.
Thank you.
PISSED OFF CONSUMER
Posted by: CHAIRMAN TUBE AMP | December 08, 2005 at 07:12 PM
It has recently come to our attention that some individuals and companies are offering various instructions and tools to uninstall the XCP content protection software from computers. These people, particularly the Windows expert Mark Russinovich, actually know what they are talking about. Our programmers apologize for creating the uninstaller software at http://cp.sonybmg.com/xcp/english/updates.html that has made our lawyers' lives miserable. We also want to take this time to formally apologize to everyone who has ever bought one of our CDs, copy protected or otherwise. Additionally, it has become clear that SONY BMG lacks the ability to write software and thus we will refrain from doing so in the future.
For any questions about XCP, digital rights management, SONY BMG, or why you should pay $19.95 for a 50 cent CD with two good songs on it, ten bad ones, and a rootkit that installs itself on your Windows PC, please go to:
http://cp.sonybmg.com/xcp/english/home.html
Thank you.
SONY BMG
Posted by: SONY BMG | April 23, 2006 at 03:55 PM