Sony DRM Rootkit Hacked, Drawing Lawsuits

By Geoff Duncan
November 10, 2005


Rootkit-like copy protection software on some Sony music CDs is drawing lawsuits, and is now a vector for a Windows trojan.

A new copy-protection scheme Sony BMG has shipped on a selection of music CDs is beginning to draw lawsuits on behalf of music listeners around the world—and, now, reports are surfacing that the rootkit-like software has been hacked to serve as a delivery mechanism for a new Windows virus.

Sony BMG has taken fire in recent weeks for shipping music CDs with XCP copy protection, software the music publisher licensed from First 4 Internet. The software installs itself (on Windows systems only) in such a way as to be nearly invisible to users, and removing the software is almost impossible for any but the most technical computer users. The XCP software was discovered and decloaked by Windows analyst Mark Russinovich, who posted details to his blog at sysinternals.com. Russinovich and others argued the copy protection software goes too far, taking substantial control of users' computers without adequate disclosure, and that it could make Windows unstable and even pose a security threat. In response, Sony posted instructions on how to obtain a patch to remove the copy protection software, and finally posted the patch itself. Sony's patch, however, has been criticized for creating new problems, including destabilizing Windows systems.

Now, it appears Sony can't catch a break on any aspect of the situation. Computer security and antivirus firm Sophos is reporting today that a new Windows trojan, dubbed Stinx-E, spreads by email and cloaks itself on an infected system by exploiting Sony's XCP copy protection software. Once it infects a system, it runs continually in the background, enabling remote intruders to control the computer via IRC channels. Sophos plans to release tools to disable XCP copy protection shortly.

Makers of antivirus software will now face tougher decisions about how to handle the presence of Sony's XCP software. Currently, Computer Associates and Symantec are releasing updates to their Windows security products to detect and remove Sony's copy-protection software (as well as the Trojan exploiting it). Microsoft, which recently renamed its anti-spyware and security offering Windows Defender, hasn't yet taken a stance, but said Wednesday it plans to evaluate the situation using its "objective criteria." Microsoft's anti-adware efforts have, in the past, taken flak for identifying but not removing questionable software installed by its own partners.

In the meantime, legal maneuverings have begun against Sony and its copy protection methods. Sony BMG is currently facing three lawsuits over its deployment of the XCP copy protection software, with more filings expected in coming weeks. Attorney Alan Himmelfarb has filed suit in California to stop Sony from selling more CDs containing XCP software; the suit also seeks damages on behalf of Californians who have purchased any CDs containing the XCP software. According to the Washington Post, a New York lawyer is planning a nationwide class-action lawsuit on behalf of all Americans affected.

The Electronic Frontier Foundation has also begun gathering information from consumers and is considering whether the situation merits a lawsuit. The EFF has also posted a listing of Sony CDs with XCP copy protection (roughly 20), as well as information on how to identify them before use. An Italian digital rights group, Electronic Frontiers Italy, has asked the Italian government to investigate Sony's use of XCP software.

