Offers Refund for Rootkit DRM-Carrying Sony CDs

The online retailer pulls the affected CDs from its stock on request from Sony, and offers an unprecedented refund.

Online retailer Inc. is notifying customers that it will replace CDs that contain copy protection software from Sony BMG, citing security concerns.

In e-mail messages sent to customers who bought one of more than fifty CDs with the controversial XCP copy protection, told customers that they can receive full refunds for the CDs, even if they no longer qualify for a refund under Amazon.coms return policy.

The announcement followed a request by Sony for to stop selling the XCP-enabled CDs, which use stealth techniques to hide from users.

Sony BMG has also created a Web page allowing customers to use UPS (United Parcel Service of America Inc.) to return the CDs to the company for a refund or to exchange for a copy without the XCP software on it. declined to say exactly how many CDs with the XCP technology it had sold, but the number is likely in the thousands, according to company spokesperson Patricia Smith.

Customers who received the affected CD within the last 30 days were sent a link to the Web site where they could report the disc as "defective" and return it for a full refund.

Customers who received the CD more than 30 days ago were given a mailing address to send the affected CD to.

"Typically we dont allow returns after 30 days. However, in this case, were going to make an exception," Smith said. "We want to do whats right." made the decision to offer a full refund on its own. Smith said she was not aware of an arrangement with Sony BMG to get reimbursed for the returned merchandise.

/zimages/6/28571.gifClick here to read more about Sonys decision to suspend use of its rootkit-like DRM technology.

The refund program may be a first for, Smith said. "Im not aware that weve had to do anything like this in the past, and Ive been here a while," she said. has not received many requests for refunds or redress from customers who purchased the CDs. The copy protection software is only an issue for customers who want to play the Sony CD on their computers, but doesnt affect users who only play CDs on CD players, she said.

/zimages/6/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Last week, Sony issued an apology to customers for the inconvenience caused by the XCP software and said it would institute a consumer exchange program and remove the unsold CDs from retail outlets.

Sony has been under intense pressure to do something about the XCP technology since Oct. 31, when Windows expert Mark Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at

Russinovich showed that the XCP program was almost totally invisible to Windows users, employing techniques akin to malicious "rootkit" programs to hide files with names that began with the characters $sys$. He speculated that others who gained access to Windows systems with the sterile burning technology on it could also hide their programs simply by assigning them names that began with $sys$.

/zimages/6/28571.gifRead details here about a Trojan horse program exploiting the Sony DRM.

Within days, malicious code writers took up the idea, spamming out Trojan horse programs and releasing viruses that used the $sys$ naming convention.

Russinovich also criticized Sonys poor description of the XCP technology in the user license agreement for the media player and showed that the implementation of the XCP technology could cause Windows systems to crash under certain conditions.

Those allegations were followed by class action lawsuits in California and New York for compromising the machines of customers who install Sonys media player and XCP copy protection software.

In other developments, software experts have identified elements of open-source software in the XCP program, and a huge security hole in a removal program for XCP, both developed by First 4 Internet Ltd., a firm based in Oxfordshire, England.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.