When Vendors Install Malware

Opinion: Sony's quick reaction to the discovery that it installed aggressive malware on its customers' computers doesn't go far enough.

It bothers me when industry is viewed as the enemy, when vendors are assumed to do the worst and that we have to protect ourselves against them.

Some of my best friends are vendors. But episodes like Sony BMGs use of a rootkit for CD copy protection make me understand the mind set. Vendor behavior doesnt get any crummier than this. If its not illegal, it should be.

Unlike some other people, Im not inherently hostile to DRM. Living as I do on the proceeds of intellectual property I can understand wanting to protect it from theft. Like any other software that runs on a users computer, there is a right way and a wrong way to do it.

Sony BMG and their subcontractor First 4 Internet decided to disregard their customers interests and to install malware on their systems without asking.

Incidentally, I tried to reach Sony BMG to ask them about this matter and they didnt reply.

Despite Sonys and First 4 Internets assertions to the contrary (Sony states "This component is not malicious and does not compromise security"), analysis from Windows authority Mark Russinovich and parallel testing performed by F-Secure (a security software firm with special expertise in rootkits) show clearly that any other attacker could take advantage of the rootkit functionality to hide their own files and registry entries, and that techniques used by the software run the risk of making the system unusable.

When a vendor installs a complicated program onto your computer its not reasonable for them to disclose every single aspect of it, but of course there is a line between being concise and being deceitful.

Not mentioning that you are installing a rootkit is deceitful. Not allowing the user to remove it themselves is also generally understood to be deceitful and characteristic of malicious software. Thus it is with Sony.

As Russinovich shows, the EULA (End User Licensing Agreement) that comes with the software (click here for Russinovichs copy of it) makes no mention of this function of the software or that it will make substantial modifications to the basic functions of the operating system.

The EULA actually does imply that the software is removable ("Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted"), in spite of the fact that it is not removable easily by the user without making the CD-ROM drive unusable.

If you want to remove the software, the update doesnt really do you any good, unless you know Windows as well as Mark Russinovich—and trust me, you dont.

First 4 Internet released an update to their software today that removes the cloaking aspects of the software.

In other words, it wont hide files and registry entries beginning with $sys$ after this update. Contrary to some reports, the update wont allow you to remove the software.

Interestingly, the update was at first released as an ActiveX control, requiring the use of Internet Explorer, but was later changed to a static executable. Both versions require that you trust First 4 Internet, a company plainly undeserving of trust.

If you actually want to remove the software, the official story is that you are supposed to go to this Web form on the Sony BMG web site and fill it out, and then follow instructions.

Uninstalls should be included with the software, which is already big enough, and the uninstall form requires that you provide the artist name, album title, store name and e-mail address for the CD.

Why do they need this information? You can get an idea of why they need it from Sonys privacy policy linked to on the form page.

By asking to uninstall the malicious software that Sony put on your system without first asking permission or even disclosing the fact, Sony may send you e-mails about the artist, promotions and special offers. They may share the information with third parties ("reputable" ones) who may also contact you directly.

Blowing off "technical questions" to First 4 Internet, as Sony does in this case, doesnt cut it for me. Nobody, and I mean nobody, buying a Sony CD thinks they are buying a First 4 Internet product. At a bare minimum, Sony needs to say that they will never do this again, and I think they need to clear out the channel.

As a BBC report states, the rootkit may violate British law. Im not so sure about U.S. law, but I know there were states working on laws that this program would violate.

The law needs to clamp down hard on this and make it clear that this isnt acceptable practice for legitimate companies.

After all, if its OK for Sony to install malware on my computer without telling me, why isnt it OK for anyone else to install malware on my system without telling me?

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

28571.gif

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

More from Larry Seltzer