RealTime IT News

Sony Recalls Rootkit-Plagued CDs

Sony BMG is recalling the copyright-protected music CDs that have been causing no end of grief to the company.

The recall comes in the wake of a large number of security issues surrounding the use of Extended Copyright Protection (XCP), a digital rights management (DRM) application created by U.K.-based First 4 Internet, and the applications used to remove the software.

Customers of some 50 different Sony titles bearing the protection scheme will be able to mail in the affected CDs in exchange for a CD without the copyright protections on them, officials said in a statement posted to the Web site Wednesday.

Security experts discovered that Sony music CDs with the copyright protection in place contained a rootkit , a method often employed by malware writers, which cloaked the scanning of end-user computers to determine if they were copying tunes.

The music giant blames First 4 Internet and commiserates with its customers over the security concerns created by the software.

"We share the concerns of consumers regarding these discs, and we are instituting a program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection," the statement read. "We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory."

Sony officials were not available for comment on how many CDs the recall entails or whether it would continue using modified XCP software with upcoming CDs. A fact sheet on the recall states the company is "re-examining all aspects of our content protection initiatives."

An official at First 4 Internet said the company is not making any comments at this time.

Sony has been doing its best to minimize the damage in public perception caused by the discovery of a rootkit in its copy-protected music CDs and the ensuing furor over security issues related to its software patches, but the hits just keep coming.

The beleaguered music giant is finding out that while some technologies are great for the company and make it relatively easy to, say, hide the scanning of running processes on a PC, other technologies can bite back.

That's the case of the work conducted by Dan Kaminsky, a noted DNS expert who took the data from DNS queries from Sony's rootkit and then mapped them on a digital globe Tuesday.

It seems that First 4 Internet's DRM software also contacts Sony's Web servers to announce its presence. Each time that connection is made, Kaminsky noted in his blog, it leaves a footprint in name servers that can be tracked through a technique called DNS cache snooping.

Kaminsky discovered that at least 568,200 name servers contained entries related to the rootkit. While the method doesn't translate into exactly how many end-user computers are affected, since multiple users can go through one name server, "at that scale, it doesn't take much to make this a multi-million host, worm-scale incident," he wrote.

He then used the IP addresses of the name servers and mapped them using the libipgeo and IP2LOCATION applications, showing a DNS spread that covers more than half the U.S. Mapping data shows widespread use in Asia and Europe, as well.

Sony has been slow to acknowledge the outcry caused by its content protection scheme. While the first report of the rootkit appeared on the Web Oct. 31, it wasn't until Nov. 8 that the company put out a patch -- labeled a Service Pack -- to address the Extended Copy Protection (XCP) technology used by First 4 Internet.

The Service Pack, however, didn't remove the copy-protection portion of the software; it only removed the rootkit part that was cloaking its actions. The actual uninstaller comes from a Web-based tool customers get after filling out a Web form request at the Sony site.

And according to two computer scientists at Princeton University, the uninstaller itself is buggy and creates a severe security hole.

Ed Felten, Princeton professor of computer science and public affairs, and J. Alex Halderman, graduate student, said that the uninstaller, an ActiveX control called CodeSupport, will remove Sony's copy-protection software from the computer as intended.

However, the program remains on the user's computer and will accept downloads from anyone, as it doesn't verify whether the code is coming from Sony or First 4 Internet.

"It allows any Web page you visit to download, install and run any code it likes on your computer," they wrote in their blog Tuesday. "Any Web page can seize control of your computer; then it can do anything it likes. That's about as serious as a security flaw can get."

On Tuesday, the company suspended distribution of its uninstaller while it works on a replacement. A statement on the page asks customers to return to the site over the next few days.