Security firms react to rootkit

Nov 17, 2005

Following a week of extensive public criticism, Sony BMG's problems continued as class-action lawsuits and public letters were released in response to an anti-piracy program found on a number of its music CDs.

XCP (Extended Copy Protection), developed as a means of copy protection for Sony by British software company First4Internet, drew attention from the software industry when Mark Russinovich, chief software architect of Winternals Software, released his findings that the software functioned as a rootkit, or hidden program, that could not be safely removed from a computer's operating system without disabling additional features.

The program, which installs itself without the user's knowledge when certain Sony BMG music CDs are inserted, has been considered dangerous by many security experts. The application runs invisibly within the system and allows other programs to do the same provided the filename begins with a "$sys$" character string.

"Apparently they're trying to hide the rest of the copy protection software from users who were trying to get rid of it," said Edward Felten, professor of computer science and public affairs at Princeton University. "The problem is that it hid more than that software and hid any files, programs and registry entries that started with the prefix. Malicious software could give itself that name and be invisible at that point."

According to Russinovich's weblog of the rootkit discovery, deletion of the XCP program disabled access to the CD-ROM drive.

"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall," wrote Russinovich. "Worse, most users that stumble across the cloaked files with a root kit removal program scan will cripple their computer if they attempt the obvious step of deleting the cloaked files."

"The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution," Sony BMG said in a statement posted on its Web site last week. "It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system."

Mikko Hypponen, chief research officer of F-Secure, a computer security firm, acknowledged the network functions. The software, which runs a background network function, contacts a pair of Sony servers and reports which audio track is being listened to as well as the computer's hardware identification information.

Hypponen went on to explain how the program has been adapted into a viable means of creating viruses that would be impossible to locate using anti-viral programs. To date, four known instances of the B-Replicant virus family have emerged using the rootkit's technology as a means of hiding themselves within the system. These viruses, which operate over a network, can be used to remotely control an infected computer for malicious purposes such as attacking a Web site with large amounts of network traffic.

Sony BMG has made a removal utility available for download but has come under fire for creating further vulnerability through its use. The utility installs software that may enable the Internet Explorer Web browser to be controlled by a remote host if the user visits malicious Web sites.

"At the personal level, I think Sony is doing stunts like this because they're worried about the market share within mobile devices," said Hypponen. "They used to own the market with the Walkman, which was circumvented in just a few years. One of the functions of the program is that it prevents the music from being moved to an iPod. These files move just fine to a Walkman."

"There's a lot of rhetoric against illegal copying and a lot of pressure on executives to do this, but in that fight, companies go too far. There is zero evidence that this program stops illegal copying," said Jason Schultz, a staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group. "There's so much pressure just to do something that they roll out these technologies without thinking of the customer."

Security firms such as Symantec and F-Secure have updated their clients to detect and safely eliminate the XCP program. Microsoft has also updated its anti-spyware program to remove the underlying code.

To date, Sony BMG has recalled the more than 4 million XCP-enabled music CDs from store shelves and is planning a campaign to replace the 2.1 million that have been sold.

Sony BMG and First4Internet were not available for comment.

Copyright 2005 by United Press International

Explore further: Fueled by oil, agriculture sector welcomes low diesel prices

add to favorites email to friend print save as pdf

Related Stories

TV makers out to ignite market with super high-def

Jan 06, 2015

After several years of sluggish sales, television manufacturers are pegging growth hopes on new technologies that deliver a more immersive and interactive experience and stunningly realistic image displays.

Digital dilemma: How will US respond to Sony hack?

Dec 18, 2014

The detective work blaming North Korea for the Sony hacker break-in appears so far to be largely circumstantial, The Associated Press has learned. The dramatic conclusion of a Korean role is based on subtle ...

North Korea linked to Sony hacking (Update)

Dec 17, 2014

Federal investigators have now connected the hacking of Sony Pictures Entertainment Inc. to North Korea, a U.S. official said Wednesday, though it remained unclear how the federal government would respond ...

Gift Guide: Five fitness trackers offer wide range

Dec 16, 2014

There are several fitness trackers to choose from, varying in what they measure and how easy they are to use. Here are five, ranked from budget to sophisticated, to give you a sense of the range available. ...

Recommended for you

Navy wants to increase use of sonar-emitting buoys

5 hours ago

The U.S. Navy is seeking permits to expand sonar and other training exercises off the Pacific Coast, a proposal raising concerns from animal advocates who say that more sonar-emitting buoys would harm whales and other creatures ...

Standalone wireless info display device an easy fit

11 hours ago

A Latvian team has come up with a good-looking WiFi display device, connecting to the Internet using WiFi, which runs on a high-capacity built-in battery and tracks what's important to you. This is a standalone ...

Technology improves avalanche gear for backcountry skiers

13 hours ago

As outdoor recreation companies increasingly cater to skiers and snowboarders who like to venture beyond the groomed slopes at ski resorts and tackle backcountry terrain, they've put a special emphasis on gear and equipment ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.