When Vendors Install Malware

By Larry Seltzer  |  Posted 2005-11-03 Print this article Print

Opinion: Sony's quick reaction to the discovery that it installed aggressive malware on its customers' computers doesn't go far enough.

It bothers me when industry is viewed as the enemy, when vendors are assumed to do the worst and that we have to protect ourselves against them.

Some of my best friends are vendors. But episodes like Sony BMGs use of a rootkit for CD copy protection make me understand the mind set. Vendor behavior doesnt get any crummier than this. If its not illegal, it should be.
Unlike some other people, Im not inherently hostile to DRM. Living as I do on the proceeds of intellectual property I can understand wanting to protect it from theft. Like any other software that runs on a users computer, there is a right way and a wrong way to do it.
Sony BMG and their subcontractor First 4 Internet decided to disregard their customers interests and to install malware on their systems without asking. Incidentally, I tried to reach Sony BMG to ask them about this matter and they didnt reply.

Despite Sonys and First 4 Internets assertions to the contrary (Sony states "This component is not malicious and does not compromise security"), analysis from Windows authority Mark Russinovich and parallel testing performed by F-Secure (a security software firm with special expertise in rootkits) show clearly that any other attacker could take advantage of the rootkit functionality to hide their own files and registry entries, and that techniques used by the software run the risk of making the system unusable.

When a vendor installs a complicated program onto your computer its not reasonable for them to disclose every single aspect of it, but of course there is a line between being concise and being deceitful. Not mentioning that you are installing a rootkit is deceitful. Not allowing the user to remove it themselves is also generally understood to be deceitful and characteristic of malicious software. Thus it is with Sony.

As Russinovich shows, the EULA (End User Licensing Agreement) that comes with the software (click here for Russinovichs copy of it) makes no mention of this function of the software or that it will make substantial modifications to the basic functions of the operating system. The EULA actually does imply that the software is removable ("Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted"), in spite of the fact that it is not removable easily by the user without making the CD-ROM drive unusable. If you want to remove the software, the update doesnt really do you any good, unless you know Windows as well as Mark Russinovich—and trust me, you dont. First 4 Internet released an update to their software today that removes the cloaking aspects of the software. In other words, it wont hide files and registry entries beginning with $sys$ after this update. Contrary to some reports, the update wont allow you to remove the software. Interestingly, the update was at first released as an ActiveX control, requiring the use of Internet Explorer, but was later changed to a static executable. Both versions require that you trust First 4 Internet, a company plainly undeserving of trust.

If you actually want to remove the software, the official story is that you are supposed to go to this Web form on the Sony BMG web site and fill it out, and then follow instructions. Uninstalls should be included with the software, which is already big enough, and the uninstall form requires that you provide the artist name, album title, store name and e-mail address for the CD.

Why do they need this information? You can get an idea of why they need it from Sonys privacy policy linked to on the form page. By asking to uninstall the malicious software that Sony put on your system without first asking permission or even disclosing the fact, Sony may send you e-mails about the artist, promotions and special offers. They may share the information with third parties ("reputable" ones) who may also contact you directly.

Blowing off "technical questions" to First 4 Internet, as Sony does in this case, doesnt cut it for me. Nobody, and I mean nobody, buying a Sony CD thinks they are buying a First 4 Internet product. At a bare minimum, Sony needs to say that they will never do this again, and I think they need to clear out the channel.

As a BBC report states, the rootkit may violate British law. Im not so sure about U.S. law, but I know there were states working on laws that this program would violate. The law needs to clamp down hard on this and make it clear that this isnt acceptable practice for legitimate companies. After all, if its OK for Sony to install malware on my computer without telling me, why isnt it OK for anyone else to install malware on my system without telling me? Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel