Mark Russinovich discovered a rootkit on his system. After much analysis, he discovered that the rootkit was installed as a part of the DRM software linked with a CD he bought. The package cannot be uninstalled. Even worse, the package actively cloaks itself from process listings and the file system.
At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.
Removing the rootkit kills Windows.
Could Sony have violated the the Computer Misuse Act in the UK? If this isn’t clearly in the EULA, they have exceeded their privilege on the customer’s system by installing a rootkit to hide their software.
Certainly Mark has a reasonable lawsuit against Sony in the U.S.
EDITED TO ADD: The Washington Post is covering this story.
Sony lies about their rootkit:
November 2, 2005 – This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.
Their update does not remove the rootkit, it just gets rid of the $sys$ cloaking.
Ed Felton has a great post on the issue:
The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.
No doubt they’ll ask us to just trust them. I wouldn’t. The companies still assert — falsely — that the original rootkit-like software “does not compromise security” and “[t]here should be no concern” about it. So I wouldn’t put much faith in any claim that the new update is harmless. And the companies claim to have developed “new ways of cloaking files on a hard drive”. So I wouldn’t derive much comfort from carefully worded assertions that they have removed “the … component .. that has been discussed”.
World of Warcraft hackers have confirmed that the hiding capabilities of Sony BMG’s content protection software can make tools made for cheating in the online world impossible to detect.
EDITED TO ADD: F-Secure makes a good point:
A member of our IT security team pointed out quite chilling thought about what might happen if record companies continue adding rootkit based copy protection into their CDs.
In order to hide from the system a rootkit must interface with the OS on very low level and in those areas theres no room for error.
It is hard enough to program something on that level, without having to worry about any other programs trying to do something with same parts of the OS.
Thus if there would be two DRM rootkits on the same system trying to hook same APIs, the results would be highly unpredictable. Or actually, a system crash is quite predictable result in such situation.
EDITED TO ADD: Declan McCullagh has a good essay on the topic. There will be lawsuits.
EDITED TO ADD: The Italian police are getting involved.
EDITED TO ADD: Here’s a Trojan that uses Sony’s rootkit to hide.
EDITED TO ADD: Sony temporarily halts production of CDs protected with this technology.