More on Sony's DRM Rootkit

Here’s the story, edited to add lots of news.

There will be lawsuits. (Here’s the first.) Police are getting involved. There’s a Trojan that uses Sony’s rootkit to hide. And today Sony temporarily halted production of CDs protected with this technology.

Sony really overreached this time. I hope they get slapped down hard for it.

EDITED TO ADD (13 Nov): More information on uninstalling the rootkit. And Microsoft will update its security tools to detect and remove the rootkit. That makes a lot of sense. If Windows crashes because of this—and others of this ilk—Microsoft will be blamed.

Posted on November 11, 2005 at 12:23 PM27 Comments


Erik Carlseen November 11, 2005 12:41 PM

“Sony really overreached this time. I hope they get slapped down for it.”

I just hope that them getting slapped down doesn’t result in new legistlation allowing this sort of nonsense…

It might be good for the EFF, etc., to launch a pre-emptive strike against Sony et al with the Government – using this as an example of the abusive behavior that goes hand-in-hand with DRM. Of course, that would involve a bit of hyperbole (this was more incompetance than malice), but that’s the way business is done in Washington.

Joe Buck November 11, 2005 12:58 PM

This is a great opportunity for EFF fundraising, at Sony’s expense. Time to start a class action suit. Sony’s actions have already caused huge damages: the time of every individual who’s had to deal with repairing their computer systems, the compounded damages caused by viruses and worms that exploit Sony’s cloaking to spread, the people in record stores having to deal with returns and customer outrage, the artists under contract to Sony whose reputations have been damaged. Add it all up, throw in punitive damages, and ask for a billion dollars. It has to be so bad as to terrorize every company. The news has to get out that a company that tries this kind of manuver risks bankruptcy.

And the EFF plus the class action experts can collect a third of the money, and the good guys can plow those funds back into the organization to make it more powerful than ever. Imagine if the good guys had more money to lobby Congress than the bad guys do, and furthermore that the bad guys would be the source of the funds.

Ari Heikkinen November 11, 2005 1:34 PM

It’s almost hilarious what’s happening here. It’s about equivalent to a malicious hacker installing a rootkit to someone’s computers and then when he/she gets caught the hacker just provides a “patch” to remove it in order to avoid a lawsuit.

Another analogy would be a thief raiding someone’s home and when getting caught buying a new door to replace the one he broke to avoid criminal charges.

It’s totally ridiculous if sony gets away with this.

Frank November 11, 2005 2:04 PM

Don’t expect Microsoft to help.

Anybody see a pattern here?

The PRIMARY function of this particular DRM is to prevent transfer to iTunes & an iPod. The real motives for Sony going down the DRM path has less to do with preventing copying, and more to do with preventing consumers from transferring music they purchase (I’m sorry – license) to an iPod.

The fact that it was implemented poorly really doesn’t matter to them. Yet.

Phil November 11, 2005 3:13 PM

Homeland Security is getting into the debate. See

The reference to the scandal over Sony’s anti-piracy software came at a U.S. Chamber of Commerce-sponsored event in downtown Washington on combating intellectual-property theft. At the event, Stewart Baker, recently appointed by President Bush as the Department of Homeland Security’s assistant secretary for policy, made a comment that suggested that some anti-piracy efforts introduced by the industry could have profound and unexpected effects on the security of the nation’s critical infrastructures.

Baker wrapped up his opening comments with the following admonition for the industry:

“I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples’ [and] businesses’ computers are secure. … There’s been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples’ computers that even the system administrators can’t find.”

In a remark clearly aimed directly at Sony and other labels, Stewart continued: “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

pdf23ds November 11, 2005 3:27 PM

“Baker wrapped up his opening comments with the following admonition for the industry”

Wonderful remarks. I’m sure industry will be inspired and immediately stop doing this sort of thing.

Brian November 11, 2005 3:56 PM

It would be interesting if someone were to make a number of DRM enforcing apps like this one, and put together a demonstration of what life will be like if companies are allowed to go down this path. There should be enough hooks into system calls to ensure rampant instability. Buggy software should ideally appear to crash other “vendors” modules. And, of course there should be complete deadlock, so that no CD player is permitted. There should be enough DRM enforcement that the system slows to a crawl too. By itself, each module should appear “well thought out” and should not have a noticable negative impact on the system. There should be simulated upgrades as well, to ensure that content that’s a few generations old is completely unusable.

Ian Woollard November 11, 2005 4:15 PM

It shouldn’t really be surprising that Sony are over-reaching with a DRM system.

ALL DRM systems are over-reaching!

At the end of the day, there’s always the analogue hole, and before we get to that point, there’s huge digital holes too- todays systems simply aren’t designed to do this; and given the existence of an analogue hole that can’t be filled, IMO todays systems are unlikely to migrate to a point where all the digital holes are filled too, although misguided companies may try.

sward November 12, 2005 1:50 PM

What’s really bizarre about this is the mismatch between the ends and means that Sony employed.

The DRM is clearly intended to prevent any and all copying on the infected PC, with the unstated goal of preventing the tracks from escaping onto the P2P networks. But to accomplish this, it would have to be 100% effective — and it isn’t even remotely close.

And if it is even slightly less than perfect, then it simply has the effect of penalizing PAYING customers, encouraging them to stop paying and get their music by less licit means.

Record industry execs seem to share the same naive belief in magic pixie dust as our “Homeland Security” bureaucrats.

Eby November 13, 2005 11:08 PM

Groklaw had a recent post that points out that the Antivirus companies (Symantec at least) knew of the software as it was developed. Seems to present the idea that they may have purposely not flagged it.

“The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case.”

Original article:

Groklaw overview:

Depressed November 14, 2005 2:55 AM

And there’s more:

“Close examination of the rootkit that Sony’s audio CDs attack their customers’ PCs with has revealed that their malicious software is built on code that infringes on copyright. Indications are that Sony has included the LAME music encoder, which is licensed under the Lesser General Public License (LGPL), which requires that those who use it attribute the original software and publish some of the code they write to use the library. Sony has done none of this.”

Josh O November 14, 2005 11:24 AM

Is this really a “root-kit” though or is this another example of the press picking up a “hacker” sounding term and misusing it to death? My understanding is that a root kit, once installed gives the hacker the ability to remotely access your computer. From what I can find on what this actually does, it seems that it’s most aptly called spyware. I understand that some other viruses have used it as a vector of infection, but so have they IE, and that’s not a root-kit either. I guess if it helps the story gain attention, that’s good, but it’s discomforting to see the public taught the incorrect meaning of “technical” terms (Although this is a sort of colloquial tech term.) Anyhow, I guess it’s Sony’s fault, since they aren’t very upfront about what it does, forcing us to reverse engineer it, so it may very well be a root-kit, even if nobody knows it yet.

Ed T. November 14, 2005 11:30 AM

We have been discussing this on the DShield list — my position (and I think that of others as well) is that since the DRM technology uses “rootkit” techniques to hide itself from the system API, and because it appears to “phone home” when a protected CD is played, it meets the criteria for a rootkit.


Davi Ottenheimer November 14, 2005 8:43 PM

Mark has updated his blog with reactions to Microsoft’s Saturday blog “announcement” that it will detect and remove Sony’s rootkit. Mark also discusses a statement from Sony to NPR that the public probably doesn’t care. F-secure has a soundbite of the exact phrase on their site, if you’re interested.

So now, with the recent Zotob arrests under its belt, will the FBI arrest someone at Sony for trying to profit from cybercrime?

Brad Spangler November 14, 2005 10:57 PM

But wait a minute…

If Microsoft anti-spyware removes this copy protection technology…

Wouldn’t that be a DMCA violation on the part of Microsoft?

I think my head would be explodiing right now, if I didn’t use Linux.

Anonymous November 15, 2005 4:45 AM

Another not about the rootkit. The uninstaller leaves ActiveX component to your machine. A component that is wide open with security holes. On page there is a link which will reboot your computer using the ActiveX provided by sony for uninstallation. Also the ActiveX contains other interesting methods too. “ExecuteCode” for one sounds interesting.

LinuxUser November 15, 2005 8:21 AM

Sony and First4Internet officers deserve what Kevin Mitnick got. Is there any difference? This should not be a class action lawsuit in the US. The U.S. attorney General should send government jack-booted thugs with guns drawn to make 2am arrests of Sony executives and haul them into jail for hacking into computers.

CarbonCopy November 18, 2005 2:06 PM

Actually, why aren’t criminal charges being considered? If you or I distributed tihis code, the FBI would be at your door in hours to confiscate all your computer equipment and data – which you won’t be needing in the Federal prison you would soon be calling home.

Dont_Call_me_late_for_dinner November 21, 2005 4:27 PM

akes me wonder how a company so smart they can put a TV in a watch .. but yet so dumb they still eat with sticks.. to many ppl watchin over big biz to get away with what they are trying to do.. besides in a few weeks some 13 year old would figure out how to crack their code….then what good would it be?

Dont_Call_me_late_for_dinner November 21, 2005 6:22 PM

well said CarbonCopy but you need to remember most good coders on the black side of life cover their tracks.. its not a crime to know knowledge.. just to use some of it.

firefly November 24, 2005 5:36 PM

It’s a case of doing, then denial, then placating….sounds like a recent story of USAA and their phosphorous adventures overseas….O.K…no we did not..O.K we did but hey no one knows so it’s alright……Ho hum…class action

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.