I’ve been following the saga unfolding over at Mark’s Sysinternals blog about his recent discovery that his PC suddenly had a rootkit installed on it, thanks to a DRM scheme developed by a company called First 4 Internet that Sony BMG is using on copies of a Van Zant CD he had recently purchased. As you may recall, I’ve written about rootkits before and how they scare the hell out of me because they make it possible to hide malicious software almost completely, so it was quite a surprise to read about a major company using a DRM system that relies on a rootkit to hide itself from users. Mark goes into great detail on how he discovered the rootkit, figured out who it belonged to, what it was doing, and how to get rid of it, which, as it turns out, isn’t that easy to do, since Sony doesn’t make any kind of uninstaller available:
At that point I knew conclusively that the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on First 4 Internet’s site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad.
I deleted the driver files and their Registry keys, stopped the $sys$DRMServer service and deleted its image, and rebooted. As I was deleting the driver Registry keys under HKLM\System\CurrentControlSet\Services I noted that they were either configured as boot-start drivers or members of groups listed by name in the HKLM\System\CurrentControlSet\Control\SafeBoot subkeys, which means that they load even in Safe Mode, making system recovery extremely difficult if any of them have a bug that prevents the system from booting.
When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.
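The two properties Mark notes on the driver keys, boot-start loading (Start=0) and membership in a driver group listed under the SafeBoot subkeys, are worth checking on any Windows box you are responsible for, because they decide whether a driver will still load in Safe Mode. The script below is an added PowerShell example, not code from Mark’s post or from Sysinternals; it uses the Services and SafeBoot registry paths Mark names plus the standard Minimal and Network subkeys of SafeBoot, and the standard service-key values Type, Start, Group and ImagePath. Run it in an elevated PowerShell session:

```powershell
# Added example (not from Mark's post): audit kernel-mode driver services for
# boot-start loading and Safe Mode driver-group membership, the two properties
# Mark observed on the First 4 Internet drivers. Requires an elevated session.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$safeBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

# Collect the driver group names Windows honours in Safe Mode: subkeys of
# SafeBoot\Minimal and SafeBoot\Network whose default value is "Driver Group".
$safeBootGroups = foreach ($mode in 'Minimal', 'Network') {
    Get-ChildItem -Path (Join-Path $safeBootKey $mode) -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValue('') -eq 'Driver Group' } |
        ForEach-Object { $_.PSChildName }
}
$safeBootGroups = $safeBootGroups | Sort-Object -Unique

$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $type  = $svc.GetValue('Type')
    $start = $svc.GetValue('Start')
    $group = $svc.GetValue('Group')
    # Type 1 = kernel driver, 2 = file system driver; skip Win32 services and
    # entries with no Type value.
    if ($type -notin 1, 2) { continue }
    $reasons = @()
    if ($start -eq 0) { $reasons += 'boot-start (Start=0)' }
    if ($group -and $safeBootGroups -contains $group) { $reasons += "Safe Mode group '$group'" }
    if ($reasons.Count -eq 0) { continue }
    [pscustomobject]@{
        Service   = $svc.PSChildName
        ImagePath = $svc.GetValue('ImagePath')
        Reasons   = $reasons -join '; '
    }
}

$findings | Sort-Object Service | Format-Table -AutoSize
```

A healthy system lists plenty of legitimate boot-start drivers (disk, file system and bus drivers), so the value of the output is in the names and image paths you do not recognise, not in the count. One caveat that follows directly from Mark’s description: while the cloaking is active, keys whose names start with `$sys$` are hidden from the Registry API, so this audit only sees them after the cloaking has been removed or when the registry hive is examined from an offline boot.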
Mark got his CD drive back without having to restage his system, but his tech knowledge goes way beyond my own, so I’d probably just end up restaging the whole PC to get rid of it. Since Mark first posted his story on his blog, the mainstream press has picked up on it and Sony’s had to engage in some serious PR work to head off a lot of angry people out there. Both Sony and First 4 Internet swear that the DRM software does not pose any security risks to your system and couldn’t be misused by malware writers in any way, a claim that is directly contradicted by the fact that some World of Warcraft cheaters are already using it to hide their cheat programs from Blizzard’s Warden anti-cheat software (a bit of software that Blizzard has taken no small amount of heat for themselves).
Sony does supposedly make an uninstaller available, but you have to submit two different forms to request having the uninstaller emailed to you, something Mark has attempted and still hasn’t gotten from Sony as of yet. Sony does, however, make available a 3.5MB patch that removes the cloaking from the rootkit by updating the DRM software to “Service Pack 2.” You don’t have to fill out any forms to get that; they’ll happily let you download it from their servers. That assumes you even know that you have their crappy DRM software installed on your system in the first place, which, if you’re not on Mark’s skill level, you probably wouldn’t know unless you happen to own the same CD he does and have played it on your PC.
The point remains that nowhere in the EULA for the CD is it mentioned that Sony will be installing this software on your PC, nor is there any information on how to disable or unload it. Nor is it mentioned that the CD sends data back to a Sony web server:
There’s more to the story than rootkits, however, and that’s where I think Sony is missing the point. As I’ve pointed out in press interviews related to the post, the EULA does not disclose the software’s use of cloaking or the fact that it comes with no uninstall facility. An end user is not only installing software when they agree to the EULA, they are losing control of part of the computer, which has both reliability and security implications. There’s no way to ensure that you have up-to-date security patches for software you don’t know you have and there’s no way to remove, update or even identify hidden software that’s crashing your computer.
The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.
I decided to investigate so I downloaded a free network tracing tool, Ethereal, to a computer on which the player was installed and captured network traffic during the Player’s startup. A quick look through the trace log confirmed the user’s comment: the Player does send an ID to a Sony web site.
Since this second article was posted, the folks at First 4 Internet have responded to it with a rebuttal that does a piss poor job of actually defending the product:
First 4 Internet and Sony also continue to argue that the rootkit poses no security vulnerability, repeating it in the description of the patch download. Any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software.
First 4 Internet’s final rebuttal relates to my complaint that as part of a request to uninstall their DRM software Sony requires you to submit your email address to their marketing lists. First 4 Internet says:
Except on sites devoted to particular recording artists, we may share the information we collect from you with our affiliates or send you e-mail promotions and special offers from reputable third parties in whose products and services we think you may have an interest. We may also share your information with reputable third-parties who may contact you directly.
Again, the fact is that most users of Sony’s DRM won’t realize that they even have software that can be uninstalled. Also, the comment does not explain why Sony won’t simply make the uninstaller available as a freely accessible download like they do the patch, nor why users have to submit two requests for the uninstaller and then wait for further instructions to be emailed (I still have not received the uninstaller). The only motivation I can see for this is that Sony hopes you’ll give up somewhere in the process and leave their DRM software on your system. I’ve seen similar strategies used by adware programs that make it difficult, but not impossible, for you to remove them.
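Mark’s point that “any software that hides files, processes, and registry keys based on a prefix of letters can clearly be used by malicious software” also suggests the simplest way for a user to find out whether such cloaking is active on their own PC: create a harmless file whose name starts with the prefix and see whether a directory listing still shows it. The function below is an added PowerShell example, not code from Mark’s post or from Sysinternals; the `$sys$` prefix comes from the post, while the probe file name and the neutral control prefix `ctl_` are my own constructed values.

```powershell
# Added example (not from Mark's post): probe whether directory listings are
# cloaking names that start with a given prefix. On a clean system the probe
# file is listed; with name-prefix cloaking active it is not.

function Test-NamePrefixCloaking {
    param(
        [string]$Prefix    = '$sys$',      # prefix named in Mark's post
        [string]$Directory = $env:TEMP
    )
    # Constructed probe name: unique so the test never collides with real files.
    $name = $Prefix + 'cloakprobe_' + [guid]::NewGuid().ToString('N') + '.txt'
    $path = Join-Path $Directory $name
    try {
        # Create the file by full path; a directory-listing filter does not
        # stop a create by name.
        [System.IO.File]::WriteAllText($path, 'cloaking probe')

        # Enumerate the directory and look for the file we just created.
        $listed = [System.IO.Directory]::GetFiles($Directory) |
                  Where-Object { [System.IO.Path]::GetFileName($_) -eq $name }

        [pscustomobject]@{
            Prefix       = $Prefix
            ProbeFile    = $path
            Listed       = [bool]$listed
            CloakingSeen = -not [bool]$listed
        }
    }
    finally {
        # Delete unconditionally by literal path: an existence check could
        # itself be answered by the cloaking layer.
        Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    }
}

# Run the DRM prefix alongside a neutral control prefix. The control should
# always be listed, so a difference between the two points at cloaking rather
# than at a permissions or path problem.
Test-NamePrefixCloaking -Prefix '$sys$'
Test-NamePrefixCloaking -Prefix 'ctl_'
```

If the `$sys$` probe comes back with `CloakingSeen` set to true while the control is listed normally, something on the box is filtering directory listings by name prefix, which is exactly the behaviour the patch described above is meant to remove.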
I’m a fan of Sony products in general, but this nonsense strikes a critical blow to their credibility in my eyes. It’s not so much that I have a problem with them trying to protect their content as the dishonest and dangerous methods they’re using to do it. The First 4 Internet DRM software does introduce a major security risk to your PC whether they want to admit it or not, and there’s no easy way to uninstall it without jumping through hoops and sending all sorts of info to Sony—such as CD title, artist, your name, etc.—and hoping they make good on their promise to send you an uninstall utility. The fact that this software, which takes control over a part of your own PC away from you, is never even mentioned in the EULA as something that’ll be installed is just outrageous. If it causes problems that lead to system crashes, you’d never be able to diagnose them because you don’t even know it’s there.
Sony has caught so much heat over this that the folks over at EMI are preemptively pointing out that their DRM software doesn’t use rootkits and that they haven’t even considered using First 4 Internet’s crappy DRM solution:
“The content-protection software that we’re using can be easily uninstalled with a standard uninstaller that comes on the disc. EMI is not using any software that hides traces of the program. There is no ‘rootkit’ behavior, and there are no processes left running in the background,” said an EMI spokesman in a statement.
EMI also said it was not working with First 4 Internet, the U.K. company that created the copy-restriction software for Sony, although it is trialing other content-protection software.
“EMI is not using First 4 Internet technology. We recently completed a trial of three content-protection technologies (Macrovision’s CDS300, SunnComm’s MediaMax and SonyDADC’s key2audioXS), and First 4 Internet’s technology was not one of those tested,” said the spokesman.
EMI was prompted to issue this press release after rumors started to circulate that they and Universal Music Group did use First 4 Internet’s protection scheme. The folks at Universal Music Group haven’t responded to those rumors as of yet.
So this is what it’s come down to in the fight by the content producers to keep you from using their CDs in ways other than the ones they want you to. They’re willing to install rootkits that could open your system up to all manner of security issues, and then make it difficult as hell for you to get rid of them, to try and stop something they have no hope of preventing. A quick search of a BitTorrent tracker site or two reveals that Van Zant’s album Get Right with the Man has been available on the file trading networks since pretty much the day it was released.
Again and again it’s the legit purchasers who end up finding themselves limited in what they can do with that new CD they purchased, as well as possibly having their PCs compromised by software they didn’t even know was going to be installed because it was never mentioned in the EULA. Meanwhile the pirates have not only gotten the music for free and can burn as many copies or load it onto their iPods as they want, but they don’t have to worry that the music they’re illicitly enjoying may end up compromising their PCs in the bargain. You have to wonder if the folks at Sony are trying to stop people from being pirates or actively encouraging them to become pirates.
Meanwhile the folks at CNet’s News.com are reporting that a lawyer is already prepping a class action lawsuit against Sony:
“We’re still investigating the case and talking to different people about what happened to them,” Green said on Friday. He plans to argue that under California law, if you buy a copy-protected CD from a music store, you should be informed that a spyware-like utility will be implanted on your hard drive.
Sony has backpedaled a little, saying that the hidden files can be uncloaked. But customers still have to beg for help if they want to uninstall the software.
Still, it may be too late for the entertainment giant to fend off the plaintiff’s bar. One recent court case in Illinois, Soleto v. DirectRevenue, sets a nonbinding precedent that lawyers expect to be invoked against Sony.
In that case, DirectRevenue was sued for installing spyware on Windows computers without obtaining proper authorization from a user. U.S. District Judge Robert Gettleman said the company could be sued on trespass, Illinois consumer fraud, negligence, and computer tampering grounds.
Then there’s a California spyware-related law that says a company may not “induce” anyone to “install a software component” by claiming installation is necessary to “open, view or play a particular type of content.”
Translation: Sony could be in double trouble. Its Windows software is hardly necessary to play music—the disc works just fine on a Macintosh or in an old-fashioned CD player.
Meanwhile, dozens of other states are considering similar laws, each with slightly different wording. So is Congress.
Such legislation probably wouldn’t stop companies from installing this crap on your system, but it should at least mandate that you’re notified during the install process that it’s going to happen and asked for your explicit agreement before it does. Sony has every right to insist that you install whatever they want before you can listen to their CDs on your PC, but they should be telling you about it and giving you the chance to say no thanks.
The above News.com article is also interesting because it points out that trying to remove the software without using an official uninstaller from Sony could be considered a violation of the DMCA as well:
In a bizarre twist, though, it’s not only Sony that could be facing a legal migraine. So could anyone who tries to rid their computer of Sony’s hidden anticopying program.
That’s because of Section 1201 of the Digital Millennium Copyright Act, which bans the “circumvention” of anticopying technology.
“I think it’s pretty clear that circumventing Sony’s controls violates the DMCA,” says Tim Wu, a Columbia University professor who teaches copyright law. (Violations of the DMCA include civil fines, injunctions, computer confiscations, and even criminal penalties.)
Wu noted that one possible reprieve might come from last year’s ruling from a federal appeals court in a case dealing with garage door openers—it said no copyright violations were taking place, so no DMCA violation occurred. Then again, another federal appeals court objected to bypassing anticopying technology used in DVDs, which is probably a closer analogy.
So if you weren’t a felon prior to playing that new Van Zant CD, you could end up becoming one if you try to remove the DRM software Sony put on your PC. One way or another, they’re just determined to make a criminal out of you yet.