2005-11-14

Security Threats on Sony Music CDs

It turns out that for the last year or so Sony-BMG has been shipping
rather dangerous Windows software on many of its music CDs. When the
music CD is inserted into a Windows PC it displays a message informing
you that it wants to install a music player so you can listen to this
wonderfully exciting new form of music CD. If you accept, it installs
a "rootkit": a kernel driver that hides its own files, processes and
registry keys from the rest of Windows, without informing you.

Firstly, the installer is launched by Windows autorun, so its automatic
start can be avoided to some extent by disabling auto-run:
http://www.annoyances.org/exec/show/article03-018

Some less technical information on the Sony rootkit from CNet:
http://www.cnet.com/4520-6033_1-6376177.html

EFF's growing list of CDs known to contain the rootkit:
http://www.eff.org/deeplinks/archives/004144.php

EFF breakdown of the legal restrictions Sony imposes on people who
choose to install this software by agreeing to the EULA license:
http://www.eff.org/deeplinks/archives/004145.php

NPR Audio with clips from SysInternals (who discovered the threat) and
Sony BMG President. There is a lovely audio clip of Sony-BMG president
saying that rootkits aren't a threat to anyone because, get this, and I
quote, "most people don't even know what a rootkit is":
http://www.npr.org/templates/story/story.php?storyId=4989260



What the Sony rootkit does

  1. Installs a Windows kernel driver that hooks the kernel's system call table so that files, processes and registry keys can be hidden even from Windows itself.
  2. Adds filter drivers in front of the CD-ROM driver that prevent other programs from listening to or copying audio CDs. Any program which attempts to access the protected music CD is terminated immediately, without prompting or authorization. The software maintains an internal list of programs commonly used to copy CDs.
  3. Installs a music player program which is allowed to play the audio CD and make up to three MP3 files from tracks on the CD. It also allows Windows Media 9 to generate encrypted music files for use with Sony, and a few other, encrypted portable music players.
  4. The music player, somewhat covertly, sends a request back to Sony-owned servers each time a music CD is inserted, asking for album art for that specific CD.

Why this is bad and may even be illegal

  1. Sony doesn't explain what the software it installs does to Windows. In many countries it is a serious crime to modify a computer system without the full consent of its owner, and full consent means fully disclosing to the owner what will be done to the system. Instead, the EULA essentially states that Sony may do whatever it wants to your computer and that you must install the software in order to listen to this perfectly normal audio CD. That simply isn't true: the CD plays fine until after their software is installed. That aside, it isn't within Sony's legal rights to prevent you from listening to, or in any other way using, a music CD that you have legally purchased. It may be within their rights if you agree to the EULA, because that may be a binding contract.
  2. The rootkit's kernel patch hides any file, process or registry key whose name begins with $sys$. Malware authors have already taken advantage of this: a trojan whose files carry that prefix is hidden by Sony's rootkit just like Sony's own files. Any virus scanner that enumerates files and processes through the normal Windows calls cannot even detect, let alone remove, malware hiding this way, so such scanners are useless against any virus that adopts the technique.
  3. The software installed by the CD is invisible and there is no supported way to uninstall it; attempting to remove it by hand will damage Windows. Sony's recently announced uninstall procedure is almost impossible to complete and possibly dangerous even to attempt. Some antivirus vendors (F-Secure, Symantec, Microsoft, et al.) are issuing updates which supposedly detect and safely remove the rootkit. In the case of Microsoft, and probably some others, it appears they may have to rewrite parts of their scanners to accomplish this (i.e. this scenario wasn't anticipated by most existing virus scanners).
  4. The rootkit intercepts low-level Windows kernel functions. Unlike the original kernel functions, its replacements do not validate the arguments passed to them, so it is extremely easy to crash Windows with a blue screen. Normally the Windows NT kernel checks arguments arriving from user mode precisely so that a buggy or malicious program cannot take the whole system down; the Sony rootkit's hooks bypass those checks and leave Windows far more fragile than it normally is.
  5. Removing the kernel patch itself by normal means either leaves Windows totally unable to boot or breaks the CD-ROM driver so that the drive no longer works.
  6. The music player software appears to incorporate the LAME MP3 encoder in some way; in any case, there is strong evidence that it is built into at least some versions of go.exe on the CD. LAME is licensed under the LGPL. If that is true then Sony is not fulfilling the LGPL's requirements in any way, and may therefore be violating numerous other people's copyrights in order to supposedly enforce its own. In doing so it would be breaking copyright law in many countries, including the US.
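The cloaking described in item 1 of the first list and the $sys$ prefix abuse in item 2 of this one are easier to understand with the detection trick Sysinternals used against them: compare what the running kernel's (possibly hooked) enumeration calls return with an independent "raw" view of the same data, and treat every difference as a hidden object. The following is an added example, not code from the original post or from Sony's or First 4 Internet's software. It simulates a directory listing and the rootkit's hook in plain Python; the only thing taken from the text is the hiding rule (names beginning with "$sys$"), and the file names, the signature list and the function names are constructed for the example.

```python
# Added example, not code from the original post or from Sony/First 4 Internet.
# A user-mode model of the $sys$ cloaking described above and of the
# "cross-view" check that exposes it. The directory listing and the hook are
# simulated; only the hiding rule ("$sys$" prefix) comes from the original text.
# All file names and the signature list below are constructed for the example.

HIDDEN_PREFIX = "$sys$"


def raw_listing(entries):
    """Independent view of a directory: what you get by parsing the volume
    directly (as RootkitRevealer did) or by booting from clean media, i.e.
    without going through the running kernel's hooked system calls."""
    return sorted(entries)


def hooked_listing(entries, prefix=HIDDEN_PREFIX):
    """Model of the rootkit's replacement for the kernel's directory
    enumeration call: every entry whose name starts with the prefix is
    silently dropped. This is the view every program on the infected machine
    gets, antivirus scanners included."""
    return sorted(e for e in entries if not e.startswith(prefix))


def cross_view_diff(api_view, raw_view):
    """Cross-view detection: anything present in the raw view but missing
    from the API view is being hidden by code sitting between the caller and
    the real data. The check needs no knowledge of the hiding rule, so it also
    catches malware that merely borrows the "$sys$" prefix."""
    return sorted(set(raw_view) - set(api_view))


def scanner_hits(api_view, signatures):
    """A signature scanner that walks the filesystem through the normal API
    only ever sees the hooked view, so known-bad names hidden by the rootkit
    are never reported."""
    return sorted(name for name in api_view if name in signatures)


# Constructed sample directory. The two $sys$ driver names are modelled on
# those discussed in the Sysinternals write-ups; "$sys$drv.exe" stands in for
# a trojan that adopted the prefix to ride on Sony's cloaking.
SAMPLE_DIR = [
    "notepad.exe",
    "$sys$aries.sys",
    "$sys$crater.sys",
    "$sys$drv.exe",
    "readme.txt",
]

# Constructed antivirus signature list that does know the trojan's file name.
SIGNATURES = {"$sys$drv.exe"}


def audit(entries=SAMPLE_DIR, signatures=SIGNATURES):
    """Run both checks over a directory and return what each one finds."""
    api_view = hooked_listing(entries)
    raw_view = raw_listing(entries)
    return {
        "seen_through_api": api_view,
        "hidden": cross_view_diff(api_view, raw_view),
        "scanner_hits": scanner_hits(api_view, signatures),
    }


if __name__ == "__main__":
    result = audit()
    print("Programs on the infected machine see:", result["seen_through_api"])
    print("Signature scanner reports:", result["scanner_hits"] or "nothing")
    print("Cross-view check exposes:", result["hidden"])
```

The point of the model is the last line of output: the scanner, which knows the trojan's name, reports nothing because it never sees the file, while the cross-view check lists all three hidden entries without knowing anything about $sys$. On a real machine the raw view has to come from somewhere the hooked kernel cannot filter, such as parsing the NTFS volume directly or booting from known-clean media; a rootkit that also hooks the path used to build the raw view would of course defeat the comparison.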

Long, technical details (listed in chronological order)

  1. http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
  2. http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
  3. http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html
  4. http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Alternatives

And the obligatory note that Linux, Macintosh, and other UNIX systems
aren't subject to this sort of insanity because of a very long list of
reasons based on decades of experience and sound judgment on the part of
their respective developers. And, also a note that ordering a stack of
Ubuntu Linux CDs costs precisely $0, postage is even free:
Order free Ubuntu Linux CDs:
https://shipit.ubuntu.com/
Ubuntu Linux:
http://ubuntu.com/
