November 11, 2005 11:55 AM PST
FAQ: Sony's 'rootkit' CDs
- Related Stories
'Bots' for Sony CD software spotted onlineNovember 10, 2005
Are these the Sony rootkit CDs?November 10, 2005
Antivirus firms target Sony 'rootkit'November 9, 2005
EMI: We don't use rootkitsNovember 7, 2005
Sony's antipiracy may end up on antivirus hit listsNovember 4, 2005
Sony to patch copy-protected CDNovember 2, 2005
(continued from previous page)
given to users about what the software would do to a computer was wholly inadequate, and the lack of an uninstall tool was bad policy.
Computer Associates has labeled the software "spyware," because it also sends back some information about what CDs are being played.Can I uninstall it?
Even if you could find the hidden copy protection components yourself, computer experts warn against trying to uninstall it without help. Trying to do remove it without official instructions could damage the computer, rendering the CD drive inoperable.
Sony's Web site has a downloadable patch which will remove the ability of the copy protection software to hide from view, but will not uninstall it.
To uninstall the software completely, a user must fill out a separate customer service form on Sony's Web site, asking for instructions on how to uninstall the rootkit software.How do the new Trojan horses piggyback on Sony's software?
The Sony software hides itself very well on a computer, but allows other software to use the same technique. Essentially it establishes a new rule at the level of the operating system that says any software that starts with the string of characters "$sys$" should be hidden from view.
Virus writers quickly took pre-existing malicious software and put those characters at the beginning of the relevant code, making their work invisible on any computer that had the Sony copy protection installed.What do the new viruses do?
So far, the ones that have emerged hide themselves, then open a channel to the IRC chat network. An attacker could use that back door to control the computer completely, using it to send out spam, launch attacks on other computers, or many other nefarious tasks.Will antivirus software stop this?
The problem with rootkits is that they can hide themselves even from antivirus software. However, most of the big antivirus companies are working with First 4 Internet and Sony to break through the rootkit's invisibility and identify anything hidden by the Sony software. That means most antivirus protection will be able to identify and remove the Trojans.
As always, it's important to keep antivirus software updated, or it won't be able to find these new problems.
No, the majority does not. Most of Sony's copy-protected CDs use a different technology from a company called Sunncomm, which does not present the rootkit security issues. In other countries, many copy-protected CDs use technology from Macrovision, which also uses a different technique.Which CDs are dangerous, then?
The Electronic Frontier Foundation is keeping a list of CDs that seem to have the First 4 Internet software included.
If you're buying a CD, look on the back for a little box labeled "Compatible with." If that includes the Web address "cp.sonybmg.com/xcp", then it probably has the rootkit software included.Is what Sony did legal?
Copy-protection software by itself is perfectly legal. However, at least one class-action lawsuit has already been filed against Sony in California, asserting that it violated state and federal statutes against computer tampering, trespass, fraud and false advertising. Several other lawsuits are expected. Italian consumer groups have also called for criminal investigation and potential legal action, although the discs were primarily distributed in the United States.
12 commentsJoin the conversation! Add your comment