FAQ: Sony's 'rootkit' CDs

By John Borland, Special to ZDNet
14 November 2005 10:09 AM
Tags: sony, virus, protection, cd, copy, rootkits, cds, viruses
On Thursday, a wave of malicious software appeared in the wild that piggybacked on copy-protection technology installed on hard drives by Sony BMG Music Entertainment CDs.

Computer security companies had been predicting such exploit code in the wild for weeks, since an independent developer had exposed the presence of a "rootkit" tool on the Sony CDs. The rootkit technology hid the copy protection from view, but also left open a hole that could hide other software.

Virus writers quickly took advantage of that hole, modifying an old Trojan horse to take advantage of the powerful inadvertent shielding provided by the Sony software.

On Friday, Sony responded to the furore and announced that it will suspend production of CDs that contain this particular copy-protection technology and take a second look at its digital rights management strategy.

Antivirus companies are now offering a range of advice, and confusion remains about exactly what the software does and how dangerous it can be to a PC. Here are the basics that everyone should know about this potentially dangerous issue:

What is on the Sony CDs?
The CDs involved are loaded with a relatively new kind of content protection created by British company First 4 Internet. When a listener puts the album into a computer's CD drive, it pops up a licence agreement. If the listener accepts, it installs the copy protection rootkit onto the hard drive.

The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. The software acts to limit the number of copies that can be made of the CD and prevents a computer user from making unprotected MP3s from the music.

What is a rootkit? Isn't that something that virus writers use?
A rootkit is a powerful piece of software that takes over control of a computer at the most fundamental level. In computer terms, it establishes "root" access, which is similar to administrative access, instead of access for just an ordinary user. It can potentially prevent a computer user from detecting its presence or from performing certain tasks on their own PC.

Like most computing tools, this is not intrinsically a bad thing, but can be abused. Virus writers use these tools to help take over computers and hide the presence of their work.
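The hiding described above can be caught by a cross-view comparison: list a directory through the normal (possibly hooked) API and again from a lower-level raw view, and anything present only in the raw view has been hidden. The following simulation is an added example, not code from the article or from Sony or First 4 Internet; the directory listings are constructed sample data, and the `$hide$` prefix is a hypothetical rule standing in for whatever a real hook filters on.

```python
from typing import Iterable

# Hypothetical prefix the simulated hook uses to decide which names to hide.
HIDE_PREFIX = "$hide$"

# Constructed sample: what the disk really contains (the "raw" view).
RAW_LISTING = [
    "readme.txt",
    "player.exe",
    "$hide$drv.sys",
    "$hide$config.dat",
    "music.cda",
]


def hooked_listdir(raw: Iterable[str]) -> list[str]:
    """Simulate a hook on the OS file-enumeration call: the listing an
    ordinary application receives has every HIDE_PREFIX name removed."""
    return [name for name in raw if not name.startswith(HIDE_PREFIX)]


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> list[str]:
    """Names visible in the raw view but missing from the API view.
    A non-empty result means something is filtering what the API returns."""
    return sorted(set(raw_view) - set(api_view))


def detect_hidden(raw: Iterable[str]) -> list[str]:
    """Run the cross-view check on one directory and return the hidden names."""
    raw = list(raw)
    return cross_view_diff(hooked_listdir(raw), raw)


if __name__ == "__main__":
    for name in detect_hidden(RAW_LISTING):
        print("hidden object:", name)
```

In a real scanner the raw view comes from reading the file-system structures directly rather than from any call the rootkit can intercept; the comparison logic itself is the same.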

Is Sony's software a virus or a Trojan horse?
Some aggrieved users may see little difference. Computer security companies do make a distinction between Sony's software and a virus, noting that this was distributed by a legitimate company with a legitimate business interest (even if many people disagree with that business interest).

However, they are deeply critical of Sony's techniques and say that the amount of information given to users about what the software would do to a computer was wholly inadequate, and the lack of an uninstall tool was bad policy.

Computer Associates has labelled the software "spyware," because it also sends back some information about what CDs are being played.

Talkback 7 comments

    How Do I Know If I Have It? Anonymous -- 16/11/05 (in reply to #120123365)

    Okay, so I have one of the "culprit" CDs and I have burned it to my PC (Windows). How do I know if my machine has created the vulnerability?

    According to this report (http://www.eff.org/deeplinks/archives/004144.php), at least one of the CDs is "labeled as XCP, but, oddly, our disc had no protection," I find myself wondering how in the world I check my machine to see if it's there!?

    Any suggestions are appreciated!

    Might help Adam -- 18/11/05 (in reply to #120123367)

    In internet explorer, this website will attempt to use the ActiveX control that Sony / F4I require you to install to remove the DRM cloaking.

    http://www.cs.princeton.edu/~jhalderm/xcp/detect.html

    A proof of concept really, they could take other actions like reboot the system etc, at the moment it just uses the IsAdministrator call.

    Easy way to avoid this.... use Linux Tom Sugar -- 20/11/05

    Well well well

    I'm glad that I use Linux.... in the unlikely event I buy a Sony CD their rootkit would be completely ineffective against my computer.

    SONY rootkits... Anonymous -- 21/11/05 (in reply to #120123543)

    Well, Linux may be impervious to the rootkits, but what are the chances you won't be able to play your purchased CD at all?

    A better solution; don't buy Sony music CDs.

    Maybe..but.. Mr brown -- 29/11/05 (in reply to #120123570)

    While I agree with your comment that the most effective way to protest this awful action on the part of Sony is to vote with your wallet and not buy their CDs, I would also say that Linux plays EVERYTHING....

    It's even trivial to get around the iTunes Apple protection systems...allegedly ;)

    With Linux you can play/rip/copy everything on the planet..

    cheers!

    easier way to avoid this Anonymous -- 22/11/05

    Don't buy cds. It puts you at the mercy of those companies. This is just the tip of the iceberg....
    Just imagine what the next piece of malware will do.
