Friday, November 11, 2005

Update on Sony's RootKit Software

The furor and problems caused by Sony’s hidden rootkit installations on unsuspecting users’ computers (see my blog on 11/4/05) continue to grow. As you may recall, the Sony software is installed automatically (without asking or telling) when a user puts one of the company's recently recorded music CDs in his or her computer to play. It hides itself on hard drives using a powerful programming tool called a "rootkit." Sony did it to prevent music from being copied. But the tool leaves a “back door” open behind it, allowing other software, including viruses, to be deeply hidden behind the rootkit cloak.

Now, the first wave of malicious software written to piggyback on Sony BMG Music Entertainment CD copy protection tools has been spotted online, according to computer security companies. The first version of a Trojan horse, spotted yesterday, aims to give an attacker complete remote control over an infected computer, but it didn’t work well. Over the course of the day, however, several others emerged that apparently fixed the early flaws.

As one security analyst put it, "This is no longer about digital rights management or content protection, this is about people having their PCs taken over."

Sony's use of the rootkit software has sparked a firestorm of criticism online and off over the company's techniques, highlighting concerns that remain over record labels' increasingly ambitious attempts to control the ways consumers can use purchased music.

Last week, a legal firm in Los Angeles filed a class action suit against Sony BMG in Los Angeles federal court, asserting that the company had violated state and federal statutes on unauthorized computer tampering. The company's actions also constituted fraud, trespass and false advertising, the suit contends. Similar suits are also being contemplated both nationally and internationally.

Meanwhile, several antivirus companies are releasing tools to identify, and in some cases remove, copy protection software contained on recent Sony BMG Music Entertainment CDs. Symantec said its antivirus software update will identify the Sony software, but will not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling the software or download a patch that will expose the hidden components.

However, Computer Associates, which has a security division, said it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.

In other related news, the Electronic Frontier Foundation (EFF), a cyber-rights group, said it has identified 19 Sony CDs containing a rootkit application that disguises the company's invasive copy-restriction technology. The group also said there may be more.

If you would like to learn more about how rootkits work, here is some selected reading:

http://en.wikipedia.org/wiki/Rootkit
http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci547279,00.html
http://www.vnunet.com/vnunet/news/2144149/rootkits-turn-professional

Update:

Minutes before I sent this blog to be published, Sony BMG Music Entertainment announced that it will suspend production of CDs with copy-protection technology that has been exploited by virus writers to try to hide their malicious code on PCs as outlined above. The company also said it is not halting production of discs that contain other additional copy-protection technologies.







