The Sony software, found on several of the company's recent albums, is triggered by playing one of the CDs in a PC. From the CD drive, the software installs itself deeply inside a hard drive and hides itself from view. This cloaking technique could be used by virus writers to hide their own malicious software, security experts have said.
There is a range of opinion among security companies about how much risk the software poses, from those who consider it no worse than an adware pest to those who view it as potentially dangerous spyware.
Symantec said on Wednesday that its antivirus software would identify the Sony software, but would not remove it. Instead, it will point to Sony's own Web site, where users can get instructions for uninstalling the software or download a patch that will expose the hidden components.
"We're trying to reinforce here that we're not talking about a virus, or malicious code, we're talking about technology that could be misused," said Symantec Senior Director Vincent Weafer. "We're trying to work co-operatively."
However, Computer Associates, which has a security division, said on Monday it had found further security risks in the Sony software and was releasing a tool to uninstall it directly.
According to Computer Associates, the Sony software makes itself a default media player on a computer after it is installed. The software then reports back the user's Internet address and identifies which CDs are played on that computer. Intentionally or not, the software also seems to damage a computer's ability to "rip" clean copies of MP3s from non-copy protected CDs, the security company said.
"It will effectively insert pseudo-random noise into a file so that it becomes less listenable," said Sam Curry, a Computer Associates vice president. "What's disturbing about this is the lack of notice, the lack of consent, and the lack of an easy removal tool."
A Sony spokesman said the company's technical staff was looking into the issues identified by Computer Associates, but had no immediate comment.
The furore over the Sony software comes nearly eight months after the copy protection technique, created by British company First 4 Internet, was first released on a commercial disc in the United States.
Computer developer and author Mark Russinovich sparked debate over the software last week by posting on his blog an account of how he had discovered the First 4 Internet software hiding deep in his hard drive. The software used a tool called a "rootkit" to hide its presence, a technique more typically used by virus writers to hide traces of their work.
Sony and First 4 Internet quickly released on their Web site a patch that would uncloak the copy protection software. But CD buyers must go through a more elaborate process -- e-mailing the company's customer service department -- to get instructions for uninstalling the software.
This rootkit has already been exploited by at least one trojan in the wild.
Why would I buy a CD that slows my system, makes it unstable, makes my CD drive disappear, and bypassses my anti-virus software - why of course I would buy it because it contains a robust exploit that has been undetected out in the wild for eight months now, and is distributed widely.
If anybody wants to know why it would be safer to get your music via peer-to-peer networks, Sony just provided a very good reason.
Network admins: Be afraid. Be very afraid. The rootkit hides any files starting with "$SYS$" from the operating system, and you cannot remove it easily. It is dropped from a music CD, the type staff would bring into work, quite innocously, to listen to in the background while doing their work or a meal break. It phones home to Sony, and can be exploited to take over systems. The 'antidote', available from Sony after giving out your email details and receiving a code specific to that machine actually installs a further 13Mb rootkit which pervades the machine even worse, and still phones home to Sony.
The media and anti-virus response to what is a very nasty piece of software has been underwhelming.
Shame Sony, shame.
Further reading, a list of infested music CDs, and a detecter at http://www.technutopia.com/forum/showthread.php?t=1321