Thursday, November 03, 2005
Sneaky Sony BMG Using Hacker's Rootkit Trick
by Lenka Reznicek
Sony BMG has apparently borrowed a page from the hackers' playbook by using "cloaked" rootkit spyware on its copy-protected CDs. The copy-protected CD surreptitiously installs the rootkit on a user's computer, which can cause a host of problems in addition to its supposedly "legitimate" DRM purpose of preventing unauthorized ripping and duplication. From InformationWeek:
"Most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," [independent researcher, Mark Russinovich] said.

Removing the rootkit is so fraught with possibilities of calamity that F-Secure recommended users don't try it themselves. Instead, [F-Secure's chief research officer Mikko] Hyppönen urged users to fill out a Sony BMG Web form and ask for instructions on how to remove the software. F-Secure has tested the resulting removal process - which relies on the installation of an Internet Explorer ActiveX control - and has confirmed it works. According to one anti-spyware expert, Sony has no excuse for leaning on a rootkit to copy protect its content.

"Rootkits are always malicious," said Richard Stiennon, director of threat research for the Boulder, Colo.-based anti-spyware vendor Webroot. "There's no legitimate use of a rootkit, whose only purpose is to hide code from the operating system." Stiennon is intimately familiar with rootkits, since they're often used by spyware writers to disguise some of their nastier work, like password keyloggers.
The obvious simple response is to "just say no" to Sony BMG discs - and those of any other companies who follow suit - and the entertainment giants' efforts at self-protection may backfire once savvy users get wind of their sneaky tactics. If nothing else, more listeners will be tempted to obtain their music through non-retail channels. After all, who'd want to give their hard-earned cash to a company whose strategies are on the level of spammers and identity thieves? To those who say, "it's just business - the record companies have to protect themselves," I respond, "so do I." In light of this, I should just take my chances with the RIAA. ;)