Wednesday, January 18, 2006

The Sony Rootkit

Now this is interesting news. Sony BMG have apparently added a "rootkit" to some of their CDs, ostensibly as a digital rights management (DRM) system--in other words, to keep people from copying the CDs. The software is supposed to ensure that the person playing the CD is playing it from the original disc, and to allow at most 3 PCs to play it. Aside from the Machiavellian aspects, this is ridiculous in today's times IMHO. Unfortunately (for its customers), this software actually installs itself on the PC, hides itself, and then exhibits disturbing behavior that can actually compromise the PC. The rootkit was allegedly developed by a company called First4Internet (http://www.first4internet.com).

The first behavior is that the rootkit is designed in such a way that other people can distribute code (generally as an attachment in a SPAM message) that takes advantage of the Sony code--to take over the PC and pretty much do anything they want with it. That's bad...especially since these hacks are already appearing.

The second disturbing behavior is that the rootkit actually "phones home" to Sony when a user plays the CD on the PC, ostensibly to let them know when a user is listening to the CD. Interestingly, Sony has denied this behavior, although a number of security experts have confirmed it through network monitoring. Interesting--Sony is distributing spyware and denies doing it.

Detecting the Rootkit

There is an easy way to tell if you have the rootkit installed on your system. One of the behaviors of the rootkit is that it automatically hides all files that have $something$ in the name; for example, $canary$.txt. So you can create a file that conforms to that naming pattern, and if it disappears, you've got the rootkit. Some anti-spyware vendors claim to be able to detect it, but I don't have a definitive list of which do and which do not.
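The canary-file check above, written out as a small script. This is an added example and not code from the post or from anyone it mentions. It uses the post's own example name, $canary$.txt, as the default and takes the name pattern as a parameter, since the exact prefix the driver matches is not given here. It goes one step beyond the post: a name-filtering rootkit strips the entry from directory enumeration but the file still exists and can be opened by its exact path, so the script checks both views and classifies the result as "visible" (clean), "cloaked" (listing hides it, direct open works), or "missing" (both fail, which is deletion rather than cloaking). That distinction is the assumption the example rests on.

```python
import os
import tempfile

# The post's example canary name. Any name that matches whatever pattern the
# cloaking driver filters can be passed instead.
DEFAULT_CANARIES = ["$canary$.txt"]


def classify(listed, openable):
    """Turn the two observations into a verdict.

    listed   - the name appeared in the directory enumeration
    openable - the file could be opened by its exact path and read back
    """
    if listed:
        return "visible"     # clean: enumeration shows the file
    if openable:
        return "cloaked"     # hidden from enumeration but really on disk
    return "missing"         # gone entirely; not the cloaking signature


def probe_cloaking(directory, canary_names=DEFAULT_CANARIES):
    """Create each canary in `directory`, test both views, then clean up.

    Returns a dict mapping canary name -> "visible" | "cloaked" | "missing".
    """
    results = {}
    for name in canary_names:
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("canary\n")
        try:
            listed = name in os.listdir(directory)
            try:
                with open(path, "r") as fh:
                    openable = fh.read() == "canary\n"
            except OSError:
                openable = False
            results[name] = classify(listed, openable)
        finally:
            # A cloaked file can still be unlinked by its exact path, so the
            # canary is removed whether or not the listing showed it.
            try:
                os.remove(path)
            except OSError:
                pass
    return results


def suspicious(results):
    """True if any canary was cloaked from directory enumeration."""
    return any(state == "cloaked" for state in results.values())


def self_check():
    """Run the probe in a throwaway directory; convenient for a quick test."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_cloaking(tmp)


if __name__ == "__main__":
    # Probe the current directory, which is where a user would normally try it.
    verdicts = probe_cloaking(os.getcwd())
    for name, state in verdicts.items():
        print(f"{name}: {state}")
    print("cloaking detected" if suspicious(verdicts) else "no cloaking detected")
```

On a clean machine every canary comes back "visible". A "cloaked" verdict is the signature worth acting on; a "missing" verdict means something deleted the file, which is a different problem.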

You can also try RootKitRevealer, which is a free utility that purportedly can detect rootkits.

Removing the Rootkit

Apparently the only way (at this time, anyway) to remove the rootkit is to go to Sony's website and request the removal software; they will then email a removal link to you. There is, however, a problem: the removal tool actually installs yet another program that stays resident on your system (written by the same stellar programmers at First4Internet, it's called CodeSupport), and that program leaves a gaping hole by allowing virtually any Website to download and install software on the PC...and it doesn't verify the source of the program that's being downloaded. Doh! There is a great writeup on the problems with the Sony removal tool here.
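To make the removal-tool flaw concrete, here is an added example (not CodeSupport's code, and not from the post) that models a resident "install what the web page hands me" component in two forms: the weak one that runs whatever it is given, and a hardened one that refuses anything not served over HTTPS from a pinned publisher origin, or whose SHA-256 does not match a value the installer shipped with. The origin, the update blob and the pinned hash are constructed stand-ins; the "execute" step only records the decision so the checks can be exercised offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed stand-ins for values a real installer would ship with.
TRUSTED_ORIGINS = {"https://updates.example-publisher.invalid"}
UPDATE_BLOB = b"constructed update payload"
PINNED_SHA256 = hashlib.sha256(UPDATE_BLOB).hexdigest()


def run_program(blob):
    """Stand-in for 'save and execute the download'. Records the decision only."""
    return {"executed": True, "size": len(blob)}


def weak_install(url, blob):
    """The flaw described above: no origin check and no integrity check,
    so any page that can reach this component gets its bytes executed."""
    return run_program(blob)


def hardened_install(url, blob, trusted_origins=TRUSTED_ORIGINS,
                     pinned_sha256=PINNED_SHA256):
    """Execute only if the download came from a pinned HTTPS origin and its
    hash matches the pinned value. Returns a dict describing the outcome."""
    parts = urlparse(url)
    origin = f"{parts.scheme}://{parts.netloc}"
    # Origin check: scheme and host must both match the pinned publisher.
    if parts.scheme != "https" or origin not in trusted_origins:
        return {"executed": False, "reason": f"untrusted origin {origin}"}
    # Integrity check: constant-time comparison against the pinned digest.
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, pinned_sha256):
        return {"executed": False, "reason": "integrity check failed"}
    return run_program(blob)


if __name__ == "__main__":
    good_url = "https://updates.example-publisher.invalid/update.bin"
    print(weak_install("http://anything.invalid/x.exe", b"tampered"))
    print(hardened_install("http://anything.invalid/x.exe", b"tampered"))
    print(hardened_install(good_url, b"tampered"))
    print(hardened_install(good_url, UPDATE_BLOB))
```

The origin check alone is not enough (a pinned host can still serve a tampered file if the download path is compromised), and the hash check alone is not enough (the hash has to come from somewhere the attacker cannot also supply), which is why the hardened version requires both before anything runs.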

Further Reading

There is an interesting blog posting on the subject that goes much deeper than mine here, and you can also just google 'sony rootkit' to find reams of further information on the subject. You also might check out the Security Now! podcast, which is how I first found out about the problem.
