November 11, 2005 11:55 AM PST

FAQ: Sony's 'rootkit' CDs

(continued from previous page)

given to users about what the software would do to a computer was wholly inadequate, and the lack of an uninstall tool was bad policy.

Computer Associates has labeled the software "spyware," because it also sends back some information about what CDs are being played.

Can I uninstall it?

Even if you could find the hidden copy protection components yourself, computer experts warn against trying to uninstall it without help. Trying to remove it without official instructions could damage the computer: the copy protection registers a driver in the CD drive's driver chain, and deleting its files while that registration remains can leave the CD drive inoperable.

Sony's Web site has a downloadable patch which will remove the ability of the copy protection software to hide from view, but will not uninstall it.

To uninstall the software completely, a user must fill out a separate customer service form on Sony's Web site, asking for instructions on how to uninstall the rootkit software.

How do the new Trojan horses piggyback on Sony's software?

The Sony software hides itself very well on a computer, but allows other software to use the same technique. Essentially it establishes a new rule at the level of the operating system, by intercepting the system calls that list files, directories, processes and registry keys, that says anything whose name starts with the string of characters "$sys$" should be hidden from view. The rule checks only the name, not who created the entry.

Virus writers quickly took pre-existing malicious software and put those characters at the beginning of the relevant code, making their work invisible on any computer that had the Sony copy protection installed.
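The following is an added example, not code from the article, Sony BMG or First 4 Internet. It models the cloaking rule described above in user space: a one-slot table of function pointers stands in for the kernel service table the real driver patched, and a constructed directory listing stands in for the disk. The hook drops every name beginning with "$sys$", so a renamed trojan vanishes just as the copy protection's own driver does, and a cross-view check (the approach Sysinternals' RootkitRevealer used: compare what the normal API reports with a raw walk of the same data) exposes both. The file names are constructed for the example.

```c
/*
 * Added example, not code from the article, Sony BMG or First 4 Internet.
 * A user-space model of a "$sys$" prefix cloak and of the cross-view
 * check that exposes it. The real XCP driver patched kernel service-table
 * entries; here a table of function pointers stands in for that table,
 * and a constructed directory listing stands in for the disk.
 */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define CLOAK_PREFIX "$sys$"

/* Constructed sample listing: ordinary files, the (hypothetical) cloak's
 * own driver, and an unrelated trojan renamed to borrow the cloak. */
static const char *raw_listing[] = {
    "readme.txt", "track01.mp3", "$sys$drmdriver.sys",
    "notes.doc", "$sys$backdoor.exe", NULL
};

typedef int (*query_fn)(const char **out, int max);

/* The unhooked service: returns every name the "disk" holds. */
static int query_directory_raw(const char **out, int max)
{
    int n = 0;
    for (const char **p = raw_listing; *p != NULL && n < max; ++p)
        out[n++] = *p;
    return n;
}

/* One-slot service table; every ordinary program goes through it. */
static query_fn service_table[1] = { query_directory_raw };
static query_fn saved_original = NULL;

/* The hook: run the original, then drop any name that starts with the
 * prefix. It never asks who created the entry, which is exactly the
 * property the trojan writers exploited. */
static int query_directory_hooked(const char **out, int max)
{
    int n = saved_original(out, max);
    int kept = 0;
    for (int i = 0; i < n; ++i)
        if (strncmp(out[i], CLOAK_PREFIX, strlen(CLOAK_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

/* Patch the table slot, keeping the original so it can be restored. */
void install_cloak(void)
{
    if (saved_original == NULL) {
        saved_original = service_table[0];
        service_table[0] = query_directory_hooked;
    }
}

void remove_cloak(void)
{
    if (saved_original != NULL) {
        service_table[0] = saved_original;
        saved_original = NULL;
    }
}

/* What Explorer, or an antivirus scanner using the normal API, sees. */
int list_via_api(const char **out, int max)
{
    return service_table[0](out, max);
}

/* Cross-view detection: compare the API's answer with a raw walk of the
 * same directory. Anything present raw but absent from the API view is
 * being hidden by something, whoever put it there. */
int find_hidden(const char **hidden, int max)
{
    const char *api[MAX_ENTRIES];
    const char *raw[MAX_ENTRIES];
    int na = list_via_api(api, MAX_ENTRIES);
    int nr = query_directory_raw(raw, MAX_ENTRIES);
    int nh = 0;
    for (int i = 0; i < nr; ++i) {
        int seen = 0;
        for (int j = 0; j < na; ++j)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen && nh < max)
            hidden[nh++] = raw[i];
    }
    return nh;
}

int main(void)
{
    const char *hidden[MAX_ENTRIES];
    install_cloak();
    int n = find_hidden(hidden, MAX_ENTRIES);
    printf("%d entries hidden from the API view:\n", n);
    for (int i = 0; i < n; ++i)
        printf("  %s\n", hidden[i]);
    remove_cloak();
    return 0;
}
```

With the cloak installed, the API view reports three files while the raw walk reports five, and the two missing names are the driver and the renamed trojan alike. On a real machine the equivalent quick check is to create a file whose name begins with "$sys$" in an ordinary folder and see whether the file browser still shows it; a raw-versus-API scanner does the same comparison systematically.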

What do the new viruses do?

So far, the ones that have emerged hide themselves, then open a channel to the IRC chat network. An attacker could use that back door to control the computer completely, using it to send out spam, launch attacks on other computers, or many other nefarious tasks.

Will antivirus software stop this?

The problem with rootkits is that they can hide themselves even from antivirus software: a scanner asks the operating system for file and process lists and gets the same filtered answer as every other program. However, most of the big antivirus companies are working with First 4 Internet and Sony to break through the rootkit's invisibility and identify anything hidden by the Sony software. That means most antivirus protection, once updated, will be able to identify and remove the Trojans.

As always, it's important to keep antivirus software updated, or it won't be able to find these new problems.

Do all copy-protected CDs have this problem?

No, the majority do not. Most of Sony's copy-protected CDs use a different technology from a company called SunnComm, which does not present the rootkit security issues. In other countries, many copy-protected CDs use technology from Macrovision, which also uses a different technique.

Which CDs are dangerous, then?

The Electronic Frontier Foundation is keeping a list of CDs that seem to have the First 4 Internet software included.

If you're buying a CD, look on the back for a little box labeled "Compatible with." If that includes the Web address "cp.sonybmg.com/xcp", then it probably has the rootkit software included.

Is what Sony did legal?

Copy-protection software by itself is perfectly legal. However, at least one class-action lawsuit has already been filed against Sony in California, asserting that it violated state and federal statutes against computer tampering, trespass, fraud and false advertising. Several other lawsuits are expected. Italian consumer groups have also called for criminal investigation and potential legal action, although the discs were primarily distributed in the United States.


12 comments

ROTFL
I've been reading about this story since it hit the net and one of the fears that people had with sony's method of installing DRM using a rootkit was that it could be used by virus/trojan/malware writers to hide their programs. They said it couldn't happen.

About two days later, someone used their software to hide a cheat program for the Warcraft MMORPG. Now, someone wrote a trojan that uses it.

On top of that, California is organizing a class action suit against them, not to mention that their protection only works under Windows. Using Linux or a Mac allows you to rip the music CDs anyway, so what was the whole point to it all?
Posted by thedreaming (573 comments )
The point...
...was to really tick off their customer base, which they have succeeded in, admirably. Furthermore, you can rip the music on a Windows PC without the software ever running by holding down the Shift key or turning off autorun. In fact, people have done just this. You can still download the songs off the P2P networks, so really, what was the point? Punishing your paying customers for playing the CD on their computers?
Posted by Maelstorm (130 comments )
Can the Sony rootkit really be uninstalled?
I keep reading, over and over, that to fully uninstall this rootkit, you need the "official" Sony instructions, which you have to jump through many hoops to obtain. What is totally unclear to me is whether such instructions really exist, and whether anyone has successfully removed the rootkit following them. Why is no one talking about this? I would think if there really were such instructions, people would have posted them all over the Internet by now. And that news organizations would be commenting on them. What's up with this???
Posted by Dwaine (20 comments )
Info From RootKit Discoverer
Here's great, technical info from the guy who originally "discovered" the Sony rootkit on how his own uninstall has been going:

http://www.sysinternals.com/blog/2005_11_01_archive.html

I believe that's the most recent post, but click some of his links to see how this whole issue has evolved.

mark d.
Posted by markdoiron (1138 comments )
No.
The most common procedure for dealing with rootkits is to backup data, fdisk, format and re-install.
One can't be sure everything is removed or properly repaired. Many rootkits alter system-critical files and/or the master boot record.
In most instances the above procedure is faster than what is essentially fishing in the dark in an effort to figure out what the rootkit or the script kiddie, who now has root on your system, has done.
I think Sony has already proven they can't be trusted, so don't. I've not downloaded the uninstaller, because I don't trust them to run ActiveX scripts on my computer. What type of spyware do they need to install to uninstall the rootkit/spyware they've already installed?
Posted by Muddleme (99 comments )
ONCE BITTEN TWICE SHY!
Mark Russinovich, at sysinternals.com, successfully uninstalled this trojan malware; most normal users are going for the good old hard way, via the old hard drive wipe and clean, and system reinstall from uninfected backups. As for F4i, the creators of this malware, the alleged uninstaller was in reality a decloaking device, and merely reinstalled a visible updated form of this infamous DRM and created more system instability problems. The old saying "once bitten twice shy" should always be applied in the case of SONY, in view of the total lack of ethics and morals in supplying this junk Windows malware on an audio CD! What next for the user of the upcoming SONY Blu-ray: play once, then pay per view in perpetuity?
Posted by heystoopid (691 comments )
That's the easily available online patch...
What you are referring to is the patch that uncloaks the DRM stuff. This is apparently easily available via a direct download link on the Sony web site. However, Sony supposedly offers a method to completely uninstall the entire DRM software. But you apparently have to do an online form that asks for lots of info, and jump through some other hoops, before they will give you that procedure. At least that's what I've read. I've even read that people have done all that. What I haven't read is whether, after going through all that, anyone has actually gotten this removal procedure, and whether it works. Early on, there was speculation that First4 was having trouble coming up with a removal scheme that could properly work in the real world. That's why I'm curious as to whether they have, or are people still waiting for this?
Posted by Dwaine (20 comments )
Here's what you need to know to protect yourself.
You've gone round and round without telling people what they need to do to protect themselves, so I will: quit purchasing Sony products.
Everything you should know about rootkits, including Sony's.
http://en.wikipedia.org/wiki/Root_kit
Posted by Muddleme (99 comments )
Someone from Sony should end up in jail!
What Sony did is clearly criminal, and someone from Sony has to pay the price and go to jail! Being rich doesn't give them the right to damage other people's property. What they did is not different from what others do by inviting you to a website that installs a trojan horse when you click a link. In both cases you want to get something, you implicitly agree to something by clicking a link or a button, and something is installed on your computer that is different from what you agreed to, changes your system internals in a way that may cause unpredictable failure, and in both cases info about your activity is sent to a third party that hopes to financially benefit from using that info. If it were a teenage script kiddie he would go to jail. If it were a spammer using your computer to send spam and not damaging your computer in any way he would go to jail. But if it's a rich Sony executive that decided it's OK to use this technique because Sony is a "respectable/legitimate" company, are the same laws not applicable? What makes them more "legitimate" than any other cracker? An example should be set in this case by making sure whoever was in charge of this operation goes to jail! It is unacceptable that just because a company is rich it would be allowed to deliberately cause damage without being punished like any other criminal!
Posted by hadaso (468 comments )
re: Someone from Sony should end up in jail!
I still hate the fact that Sony has taken Microsoft's place as the jerks of the tech community. Just think about how much M$ knows about us. Nobody knows how their software works but them, and we are expected to trust them. Personally, I don't care about a little program attempting to prevent piracy. I do agree that they shouldn't obtain any personal info, and a security threat due to the program isn't good either. I'm just saying that we need to stop blaming individuals for this stuff. Every company that tries to protect their software probably has done or does something of this nature. We need to be arguing about not knowing how Windows and other major pieces of software actually work, and if they contain anything of this nature. My guess is absolutely, positively, YES they do contain software that we aren't paying for...Although, I am sure they are well hidden, and until stuff like Windows is open source we will never know, because Microsoft has money. As far as someone getting fired...I doubt it. Not for this anyways. This wasn't one person's choice I'm sure. Plus, another company made it and didn't research it enough. Sony is guilty of that too, but they didn't make it...
Posted by Hobo453567 (26 comments )
Sony RootKit Ridiculous
I have a hard time believing that Sony has not come up with a way, for all of us who are infected by the TROJAN, to fix the problem! I have been a life-long customer of Sony, and now that they have proven to be a lackluster conglomerate in the field of technology, I may just have to find some other manufacturer to buy from. Thanks for screwing up my computer!
Posted by LC612 (1 comment )