Wednesday, November 16, 2005

Sony BMG's Rootkit Trickery (Criminal?)

I can't remember the last time I bought a new CD--in the US, that is. Between music downloads from iTunes, Calabash, Naxos and other sites, and purchases of used CDs from stores like Academy Music, I've had no reason to set foot in one of the chains like Tower, or even an independent music store, and drop up to $20 on a disc that I probably won't listen to beyond 1-2 tracks or more than a few times (since I'd end up converting my favorite songs to mp3 files and listening to them that way).

But now I'm especially glad I haven't bought any new CDs, especially from Sony BMG, given what's come out about its (ab)use of secret anti-copy software, XCP, that hides itself using an advanced hacker technique. It turns out that this "rootkit" software, Wired News reports in "The Cover-Up Is the Crime," tampers with the Windows operating system at the most fundamental level, thereby making itself invisible to users and other programs. The article spells out exactly what happens once you play one of the Sony BMG CDs:

Where normal malicious code might be content to choose a deceptive file name, a rootkit "hooks" operating system calls that might reveal its presence, and essentially reprograms them to lie -- like bribing the coroner to conceal a murder.

But that's not all.

And the lie the First 4 Internet code tells is a whopper. Under the program's influence, Windows will deny the existence of any file, directory, process or registry key whose name begins with "$sys$." Russinovich verified this by making a copy of Notepad named "$sys$notepad.exe," which promptly vanished from view.

That means that any hacker who can gain even rudimentary access to a Windows machine infected with the program now has the power to hide anything he wants under the "$sys$" cloak of invisibility. Criticism of Sony has largely focused on this theoretical possibility -- that black hats might piggyback on the First 4 Internet software for their own ends.
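A small check in the spirit of Russinovich's "$sys$notepad.exe" experiment, added here as an example (it is not code from the post, from Wired News or from Sysinternals): it writes a harmless file whose name starts with "$sys$" and asks the operating system whether that file exists. On a clean machine the answer is yes; a system under XCP's cloak denies it. The directory and file name are assumptions.

```python
import os
import tempfile

# Name prefix that the XCP rootkit cloaked, as the Wired article describes.
CLOAK_PREFIX = "$sys$"


def probe_sys_cloak(directory: str) -> dict:
    """Write a probe file named '$sys$probe.txt' into `directory` and report
    whether the OS still admits it exists. 'cloaked' is True when a file we
    just created is denied by the directory listing or by a path lookup."""
    name = CLOAK_PREFIX + "probe.txt"          # assumed probe file name
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("rootkit cloaking probe\n")
    try:
        in_listing = name in os.listdir(directory)   # enumeration view
        exists = os.path.exists(path)                # direct lookup view
        try:
            size = os.stat(path).st_size
        except FileNotFoundError:
            size = None                              # lookup denied
        return {
            "path": path,
            "in_listing": in_listing,
            "exists": exists,
            "size": size,
            "cloaked": not (in_listing and exists),
        }
    finally:
        # On a cloaked system even the cleanup may be refused; tolerate that.
        try:
            os.remove(path)
        except OSError:
            pass


def run_probe_in_tempdir() -> dict:
    """Run the probe in a fresh temporary directory (constructed location)."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_sys_cloak(tmp)


if __name__ == "__main__":
    result = run_probe_in_tempdir()
    verdict = "CLOAKED: '$sys$' names are being hidden" if result["cloaked"] \
        else "clean: '$sys$' probe file is visible"
    print(verdict, result)
```

A result of `cloaked: True` only says that "$sys$" names are being hidden; it does not identify what else is under the cloak, which is exactly the exposure the article warns about.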

How did this come to light? It turns out that Mark Russinovich, a computer security expert with Sysinternals, discovered a rootkit on his Windows-platform PC, and ended up tracing it back to First 4 Internet, a British firm that had contracted its anti-copy software to Sony BMG. A Van Zant Brothers Sony BMG CD, Get Right With the Man (ironically enough), had infected his computer, and perhaps the computers of those who've purchased the more than 2 million toxic CDs, on 20 titles (or is it 47?) Sony BMG refuses to identify, according to tech industry sheet The Register. So far DNS hacker Dan Kaminsky has found traces of XCP on over a half-million servers, in Japan, the USA, the UK and...Afghanistan. But The Register suggests this is a low-end figure, since some domains, like AOL, have millions of users "but will register with a domain name server just once in a given time frame."

Much of the criticism of Sony BMG has focused on the potential for serious hacking damage the secret rootkits enable. In fact, according to the BBC News, Microsoft considers them "malicious software," and seeks to remove the "spyware" (or "malware"). Sony has promised to provide a new patch that allows antivirus software to view and "pierce...the cloaking function," though its first patch, The Register says,

potentially opens the door for websites to take control of a PC, a Finnish researcher Muzzy has noticed. An ActiveX control installed by First4Internet Ltd, the British company that devised XCP, allows remote systems full access.

Uh oh! Yet Wired News says that the more serious issue is Sony BMG's initial subterfuge, which the computer magazine harshly decries. Indeed, it suggests that Sony BMG may, in its zealotry, have committed a crime:

By deliberately corrupting the most basic functionality of their customers' computers, Sony broke the rules of fair play and crossed a bright line separating legitimate software from computer trespass. Their actions may be civilly actionable.

Sony may even have committed a crime under the U.S. Computer Fraud and Abuse Act, which can carry fines and prison terms for anyone who "knowingly causes the transmission of a program ... and as a result of such conduct, intentionally causes damage, without authorization, to a protected computer." Corrupting Windows so it misreports the contents of a hard drive sounds a lot like "damage," and the click-wrap license agreement on the Sony disk amounts to pretty thin "authorization" -- disclosing only that "this CD will automatically install a small proprietary software program ... intended to protect the audio files embodied on the CD."

Yikes barely captures it. So what now? Sony BMG claims it has suspended making CDs with anti-copy software, despite originally saying it would go ahead and do so with anti-copy code different from XCP. Lawsuits sometimes do make even major corporations change their minds. But given the hysteria among entertainment companies about music downloads, openware and free exchanges of materials, I doubt Sony BMG is going to retreat fully. If it's not XCP, it'll be another Trojan Horse we'll learn about way too late, so no matter how much you like Amerie's (pictured above, courtesy of BBC News, Getty Images) "The One Thing," just beware if you're getting it on CD....

1 comment:

  1. At least two class action lawsuits have been filed on behalf of Sony BMG Music Entertainment customers who were infected with the First 4 Internet Rootkit. Users who were infected do not have to wait for a class action to make its way through the courts; they can sue on their own in Small Claims Court.

    For more information about the Sony BMG lawsuits, and about filing a lawsuit in your local Small Claims Court, visit