Do not put Sony Music CDs in your editor's drive


George Ellis
November 1st, 2005, 06:52 AM
Mark Russinovich recently discovered that Sony's content protected CDs will install, without warning, a rootkit on your PC. Rootkits hide themselves, prevent detection, and in some way, alter the usage of your computer. You can read more about it at the Registry (http://www.theregister.co.uk/2005/11/01/sony_rootkit_drm/) and at Mark's discussion linked from The Registry here (http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html).

The rootkit will alter how the CD drivers work and could possibly limit your ability to write files to disc. Trying to uninstall the kit can cause some components to be disabled. The potential exists that you could possibly lose the ability to create content that is in no way related to any Sony materials and there are no major telltales on why that has happened.

Mark Russinovich is one of the leading OS internals folks around (he and David Solomon are the kings). Mark also notes that besides being underhanded, the app is very poorly written. :p

Marco Wagner
November 1st, 2005, 01:24 PM
I had this issue and had to wipe my entire machine to byte zeros in order to remove it, DIE SONY!

Dan Euritt
November 1st, 2005, 06:40 PM
Nice post! I wonder if proper virus/spybot type of monitoring software would stop this from installing?

Marco Wagner
November 1st, 2005, 06:53 PM
I think it would if you trained it. Maybe to look for rootkit extensions or something along those lines.

Marco Leavitt
November 1st, 2005, 08:15 PM
There's gotta be a lawsuit in this.

George Ellis
November 2nd, 2005, 04:42 AM
Nice post! I wonder if proper virus/spybot type of monitoring software would stop this from installing?
At the moment, no. Cisco Security Agent may, but that is not an over-the-counter solution.

James Llewellyn
November 5th, 2005, 02:02 AM
There's gotta be a lawsuit in this.

I was wondering the same thing.

Boyd Ostroff
November 5th, 2005, 09:29 AM
Here's some more info on this issue...

http://news.yahoo.com/news?tmpl=story&u=/nf/20051103/bs_nf/39083
http://biz.yahoo.com/ap/051102/sony_copy_protection.html?.v=5

Graham Risdon
November 5th, 2005, 11:53 AM
Hi all
Following the previous threads, it appears Sony have posted a fix at
http://cp.sonybmg.com/xcp/english/updates.html. Thought I'd post it up here to save people trawling! Pity Sony don't stick to producing cameras - they're quite good at that!!! ;-)

Marco Leavitt
November 10th, 2005, 05:59 PM
http://www.breitbart.com/news/2005/11/10/D8DPSA288.html

I hope they bleed Sony good over this.

Boyd Ostroff
November 10th, 2005, 06:08 PM
http://seattletimes.nwsource.com/html/businesstechnology/2002608438_paul07.html

Hardly a week goes by that I don't hear from a friend or colleague with a monumental Windows problem. I tell them I'm glad to help, on one condition: Next time they buy a computer, they agree to consider a Macintosh. A year ago, after a particularly trying week of spyware, adware, viral attacks, lock-ups and reboots, I changed my primary computer to a Mac.

Guest
November 11th, 2005, 02:35 PM
I appreciated your warning on this. This article just came up on the home page for my email. I'm not sure if it's the cause of the problem you mentioned above or not, but good news to prevent this from happening in the future if it is. Too bad all of the old CDs will still remain in circulation though -

"Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers."

From what I read in your post above the hacking was not the concern in this forum, but the "antipiracy technology" may have been affiliated with the "root kit" you mentioned above.

http://news.yahoo.com/s/ap/20051111/ap_on_hi_te/sony_copy_protection

George Ellis
November 14th, 2005, 06:39 AM
Hi all
Following the previous threads, it appears Sony have posted a fix at
http://cp.sonybmg.com/xcp/english/updates.html. Thought I'd post it up here to save people trawling! Pity Sony don't stick to producing cameras - they're quite good at that!!! ;-)
This is actually not a fix. It is not an uninstall. It just exposes the materials in the rootkit.

As of last week, there is now an exploit in the wild that will take advantage of the rootkit and use it to hide its operation. As of last week, both Symantec and Microsoft had included the signature for the kit in their anti-virus/anti-spyware tools. I do not know if that includes inoculation or uninstall. Because the rootkit adds low and high filters (sub-classes the CD - a special driver that intercepts any calls to and from the CD device), and those directories in the registry can vary, they may not have included an uninstall yet.

Edit - added link http://www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut/index.html
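
The filter-driver point in the post above, as an added example that is not part of the original thread: a sketch that reads a registry export and lists every UpperFilters/LowerFilters value, at class level and device level, so an unexpected CD-ROM filter driver stands out. It assumes a "Windows Registry Editor Version 5.00" style export (UTF-16LE `hex(7)` values); the sample export, the device key, the `examplefilter` name and the baseline set are constructed assumptions.

```python
import re

# Assumed baseline: filter drivers the admin has already verified for this build.
BASELINE = {"redbook", "imapi"}

def encode_multi_sz(names):
    """Build the hex(7) text a .reg export uses for a REG_MULTI_SZ value."""
    raw = "".join(n + "\0" for n in names).encode("utf-16-le") + b"\0\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

def decode_multi_sz(hex_text):
    """Decode comma-separated UTF-16LE bytes into a list of strings."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def find_filters(export_text):
    """Return (key, value_name, drivers) for every Upper/LowerFilters value."""
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join continuation lines
    key, found = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'"(UpperFilters|LowerFilters)"=hex\(7\):(.*)$', line, re.I)
        if m and key:
            found.append((key, m.group(1), decode_multi_sz(m.group(2))))
    return found

def unexpected_filters(export_text, baseline=BASELINE):
    """Flag filter drivers that are not in the verified baseline."""
    return [(key, name, drv)
            for key, name, drivers in find_filters(export_text)
            for drv in drivers if drv.lower() not in baseline]

# Constructed sample: one class-level key (CD-ROM class) and one device-level key.
CLASS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}"
DEVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE\CdRomEXAMPLE\0"
SAMPLE = "\n".join([
    f"[{CLASS_KEY}]",
    '"Class"="CDROM"',
    f'"UpperFilters"={encode_multi_sz(["redbook", "examplefilter"])}',
    "",
    f"[{DEVICE_KEY}]",
    f'"LowerFilters"={encode_multi_sz(["imapi"])}',
])

if __name__ == "__main__":
    for key, name, drv in unexpected_filters(SAMPLE):
        print(f"{name}: {drv}  ({key})")
```

A filter entry whose driver file is missing breaks the device stack, which is why removal has to edit these values rather than just delete files.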

Boyd Ostroff
November 14th, 2005, 04:06 PM
http://biz.yahoo.com/fool/051114/113199454317.html?.v=2

Increasingly, music companies like Sony's Sony BMG arm are treating their customers like criminals who borrowed rather than purchased their products. Meanwhile, look out, this newest development points to the ways that the recording industry is going on the offensive -- it appears that the industry has moved on from tackling peer-to-peer networks to attack what they call "casual piracy"

Jack Zhang
November 16th, 2005, 08:51 PM
The affected CDs (according to the media) are to be returned for a Copy-protectionless copy of the disc. Guess the people who did get the virus in their computer would have to reinstall everything and format the Hard drive!

George Ellis
November 17th, 2005, 06:55 AM
The affected CDs (according to the media) are to be returned for a Copy-protectionless copy of the disc. Guess the people who did get the virus in their computer would have to reinstall everything and format the Hard drive!
I have found notes in MS support groups saying that Microsoft's next version of the Malicious Software Removal Tool (http://www.microsoft.com/security/malwareremove/default.mspx) will remove it. MS' Anti-Spyware should now detect it and may remove it or soon will. I know that Symantec AV Version 10 now does signatures on it (no specific removal kit.) This Sophos kit should too http://www.sophos.com/support/disinfection/rkprf.html

I have not tested any of these methods, but do not have an infected machine to test with either (we actually talked about buying a CD to test with - my group does strategy security work).

Boyd Ostroff
November 17th, 2005, 10:26 AM
http://businessweek.com/technology/content/nov2005/tc20051117_444162.htm

But some industry execs admit privately that the Sony rootkit brouhaha has shown that there are some lines that content creators simply can't cross. The industry learned a similar lesson in 2003, when Senator Orrin Hatch (R-Utah), then-chairman of the Senate Judiciary Committee, wondered aloud whether the tech trade could build a computer that would explode if it was used to illegally download music tracks.

Jaime Valles
November 17th, 2005, 10:52 AM
I'm assuming if one uses a Mac, it's not an issue, right?

Boyd Ostroff
November 17th, 2005, 01:15 PM
Yes - the "root kit" is a Windows thing. Of course somebody may be doing something nasty on OS X as well, and we just haven't found out about it yet ;-)

Steve House
November 18th, 2005, 10:19 AM
What's especially galling is that real pirates, people copying CDs for commercial gain, can get around any of these copy protection devices by making at most a minuscule investment. Play the CD and re-record the audio coming from the S/PDIF or an AES/EBU digital output or even loop analog audio out back into an analog input, something easily done with any pro-quality audio interface and a lot of consumer grade soundcards, then remaster from the recorded material. (And remember AES is like S/PDIF but strips out the copy-protection bit from the data stream so any player or audio interface that has it should work as the digital signal source.) So what if you aren't making a bit-for-bit copy of the disk - most people who purchase discs where pirates usually distribute don't have either the hearing or the playback equipment to tell the difference. (Look at how many people are blissfully unaware that their mp3's are Especially in this forum I'll bet 90% of the people reading this have the necessary hardware and software to copy those discs with impunity, copy protection or no, with very little if any noticeable generational loss. And if it's a personal copy you're making to have a disc to take with you in the car or to a party while leaving your expensive original safely at home, well, I'll guarantee you any losses you do incur will be obscured by the background noise of your listening environment.

I can understand the recording companies' desire to prevent people from copying and posting music online but even there I wonder how much impact it really has on record sales. There's no doubt there's a lot of it posted illegally. But the real question is how many people who have downloaded it or copied a friend's CD would have purchased the CD had it not been available online and there I have my doubts. I'm sure there's some erosion but I wonder how much there really is. I suspect in many cases those people who are downloading and burning or copying would just wait for their tunes to come around on their favorite radio station's playlist or simply do without. Yes, we've all heard how sales are declining but whether that decline is *caused* by copying or other competing market factors are more important remains to be seen. Perhaps the teen market is more motivated to spend their money on other alternative pastimes like video games and will listen to DL'd music if it's available but otherwise would just listen to the radio.

Boyd Ostroff
November 18th, 2005, 03:16 PM
http://biz.yahoo.com/ap/051118/music_copy_protection.html?.v=3

"The biggest mistake the labels are making is, they're letting their lawyers make technical decisions. Lawyers don't have any better understanding of technology than a cow does algebra," Leigh said. "They insist on chasing this white whale."

Here's a list of the Sony CD's that use the XCP copy protection:

http://cp.sonybmg.com/xcp/english/titles.html

Christopher Lefchik
November 18th, 2005, 05:53 PM
I'm assuming if one uses a Mac, it's not an issue, right?
Um, actually, it is. See this article: Sony's DRM Rootkit Comes in Mac Flavor, Too (http://www.security.ithub.com/article/Sonys+DRM+Rootkit+Comes+in+Mac+Flavor+Too/165172_1.aspx)

Boyd Ostroff
November 18th, 2005, 06:24 PM
Of course somebody may be doing something nasty on OS X as well, and we just haven't found out about it yet

Well there ya go....

James Emory
November 18th, 2005, 09:07 PM
How does that Microsoft Removal Tool work? I know that I downloaded it recently but I couldn't find it in my programs. Where is it located in my PC?

All of this anti-copy encryption software is useless if someone just connects the audio output from an external CD player to the inputs of a recorder. I guess Sony's software only prevents burning from the source disc with burning software in a PC.

Christopher Lefchik
November 19th, 2005, 09:44 AM
How does that Microsoft Removal Tool work? I know that I downloaded it recently but I couldn't find it in my programs. Where is it located in my PC?

The Microsoft Windows Malicious Software Removal Tool is downloaded once a month through Windows Update (make sure Windows is set to automatically download and install critical updates, or else be sure to check frequently for critical updates yourself), at which time it scans for and removes malicious software.

James Emory
November 19th, 2005, 07:29 PM
So, if it does find something, does it notify you or just do its thing silently?

Christopher Lefchik
November 20th, 2005, 10:11 AM
So, if it does find something, does it notify you or just do its thing silently?
According to Microsoft, "When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed." Find out more at the Malicious Software Removal Tool (http://www.microsoft.com/security/malwareremove/default.mspx) Web page.

Glenn Gipson
November 21st, 2005, 01:51 PM
http://news.yahoo.com/fc/tech/computer_security