Digging Out Sony’s DRM Rootkit

It seems part of Sony’s copy-protection scheme for its music CDs is to copy a trick used by virus writers.

That’s the assessment of Mark Russinovich, chief software architect and co-founder of Winternals Software. In a blog entry earlier this week, he detailed the steps taken to keep users from knowing what the CD’s digital rights management (DRM) software protection is doing behind the scenes.

The method employed by Sony on its copy-protected CDs is the same one malware writers use to cover their tracks once they have compromised a computer. Called a rootkit, the software hides the running processes, files and registry entries an attacker relies on, so that the end user can neither detect them nor remove them.

In this case the rootkit hides the processes that watch for copying of Sony music from the CD to the PC's hard drive, one component of the media player that ships on the company's copy-protected audio CDs.

While running a rootkit discovery program on his computer last week, Russinovich found a hidden directory, hidden device drivers and a hidden application. After removing the driver that masked the files, he found a previously hidden program running in the background, $sys$DRMServer.exe, scanning every running process on the computer. The $sys$ prefix is what the cloaking driver keys on: any file, process or registry key whose name begins with it is filtered out of the views Windows presents to the user.

He then manually deleted the driver files and the registry key associated with the program, which left the software unable to start and disabled his CD-ROM drive. He was eventually able to remove the necessary files and regain use of the drive, but the whole affair left Russinovich with a sour taste in his mouth.

“The entire experience was frustrating and irritating,” he notes in the blog. “Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for un-install. Worse, most users that stumble across the cloaked files with a [rootkit scanner] will cripple their computer if they attempt the obvious step of deleting the cloaked files.”

The End-User License Agreement (EULA) the user accepts when installing the media player software, he notes in his blog entry, states that proprietary content-protection software will remain on the computer until it is uninstalled.

But the problem with the EULA, Russinovich told internetnews.com, is that it doesn’t explain to the end user what exactly is happening on their computer, and that the software will run hidden and consume system resources.

“It’s the whole problem of disclosure,” he said. “There’s not enough information there to make an educated decision whether to accept the EULA or not.”

Officials at Sony were not available for comment at press time.

The software in question, Extended Copy Protection (XCP), is developed by U.K.-based developer First 4 Internet. The program is marketed as a security measure that gives copyright holders comparatively strong protection while still allowing end users to make a limited number of copies to their PCs.

According to the overview of the technology on the company’s Web site, XCP is used by the record labels for pre-release copy protection and has been in commercial use since 2002.

Mathew Gilliat-Smith, First 4 Internet CEO, defends the product and said the technology has been used on Sony music CDs for the past eight months. Until Russinovich’s blog entry, he hadn’t heard any complaints about the application.

“This is content protection technology and we’re trying to make it difficult to easily just click a button and circumvent,” he said.

What makes the software so vexing is removal: the media player offers no uninstall option at all.

Gilliat-Smith said the un-install instructions can be found on both the software and on the CD documentation, which points to the Sony Web site.

But finding those instructions is anything but convenient. Removal means locating an uninstall request form buried on the Sony Web site, filling it out and waiting for removal instructions to arrive by e-mail.

Making removal such a hassle also raises a security concern for users who decide not to bother with the uninstall process. Leaving the rootkit in place lets attackers piggyback on it: any file, process or registry key named with the same $sys$ prefix is hidden by the driver just as the DRM components are, so malware that adopts the prefix inherits the cloak without having to bring its own.
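The probe below is an added example, not code from the original article, from Russinovich or from First 4 Internet. It demonstrates the cross-view check a rootkit scanner relies on, in the form of the cloaked-prefix test suggested by Russinovich's discovery of $sys$DRMServer.exe: a file whose name carries the prefix is created, read back by its exact path (the direct view) and then looked for in a directory listing (the enumerated view). The assumption, labelled in the code, is that the cloak filters names out of enumeration while opening a file by exact path still works; the probe file name, the `cloaked_listdir` stand-in and the helper names are all constructed for illustration. On a clean system the two views agree; against the stand-in (or on a machine with the cloaking driver loaded) the probe is openable but absent from the listing, which is the mismatch a scanner reports, and it is the same mismatch that would let any third-party file with the prefix hide.

```python
"""Cross-view probe for a name-prefix cloak of the kind XCP used.

Added example, not the article's or the vendor's code. A file whose name
starts with the cloaked prefix is created, read back by exact path (direct
view) and searched for in a directory listing (enumerated view). A rootkit
that filters names out of enumeration leaves the two views disagreeing.
"""
import os
import tempfile

# Prefix the XCP cloaking driver keyed on, as seen in the hidden process
# name $sys$DRMServer.exe reported in the article.
CLOAK_PREFIX = "$sys$"

# Constructed probe file name; any name carrying the prefix would do.
PROBE_NAME = CLOAK_PREFIX + "probe.txt"
PROBE_BODY = "cloak probe\n"


def probe_cloak(directory, enumerate_fn=os.listdir, probe_name=PROBE_NAME):
    """Create a prefixed probe file and compare the two views of it.

    enumerate_fn is the directory-listing API under test (os.listdir by
    default; a stand-in can be passed to show the cloaked case). Returns a
    dict with 'opened' (readable by exact path), 'listed' (present in the
    enumeration) and 'cloaked' (opened but not listed).

    Assumption for illustration: the cloak filters enumeration results but
    does not block opening a file by its exact name.
    """
    path = os.path.join(directory, probe_name)
    with open(path, "w") as fh:
        fh.write(PROBE_BODY)
    try:
        # Direct view: open by exact name, no enumeration involved.
        try:
            with open(path, "r") as fh:
                opened = fh.read() == PROBE_BODY
        except OSError:
            opened = False
        # Enumerated view: the listing API a cloak would filter.
        listed = probe_name in enumerate_fn(directory)
    finally:
        os.remove(path)
    return {"opened": opened, "listed": listed, "cloaked": opened and not listed}


def cloaked_listdir(directory):
    """Constructed stand-in for an enumeration API sitting behind an
    XCP-style name filter: every name carrying CLOAK_PREFIX is dropped.
    This is an illustration, not the driver's own code."""
    return [name for name in os.listdir(directory) if not name.startswith(CLOAK_PREFIX)]


def run_demo():
    """Run the probe once against the real listing API and once against the
    filtering stand-in; returns (clean_result, cloaked_result)."""
    with tempfile.TemporaryDirectory() as workdir:
        clean = probe_cloak(workdir)
        cloaked = probe_cloak(workdir, enumerate_fn=cloaked_listdir)
    return clean, cloaked


if __name__ == "__main__":
    clean_result, cloaked_result = run_demo()
    print("real listing API :", clean_result)
    print("filtered stand-in:", cloaked_result)
    if clean_result["cloaked"]:
        print("WARNING: a name filter is hiding", PROBE_NAME, "from directory listings")
```

Run as written, the first line reports the state of the machine it runs on and the second shows what a cloak looks like to the check. The probe deliberately avoids guessing where XCP stores its own files: it tests the filtering behaviour rather than a fixed path, so it still works if the hidden components move.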

First 4 Internet officials have already addressed that concern, Gilliat-Smith said, as a result of the attention sparked by Russinovich’s blog.

He said the company will provide a patch to antivirus vendors as an extra precaution. The patch identifies the files XCP uses; if other files are hiding behind the software's cloak, the antivirus vendors will be able to find them, he said.

Gilliat-Smith said the company has also spent the past few weeks working on the next version of its software, one that does not use the rootkit method, and that it is already in use at Sony.

Russinovich, however, said people need to be aware of the risk they’re taking when installing any software.

Lawmakers, the media industry and consumer advocates in general need to sit down in an open forum “to come up with guidelines for what’s fair and ethical,” he said, “and what kind of disclosure there needs to be on [EULAs] when they’re going to be installed.”