Microsoft to Zap Sony DRM Rootkit

Microsoft adds detection and removal for the controversial DRM "rootkit" into its anti-spyware and anti-malware products.

Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology.

According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out to Windows users through the anti-spyware application's weekly signature update process.

Detection and removal of the XCP rootkit will also appear in Windows Defender, the next version of Windows AntiSpyware when that makeover ships.


"We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool [and] it will also be included in the signature set for the online scanner on Windows Live Safety Center," Garms announced in a blog entry.

Garms said an analysis of the XCP software that ships on about 20 Sony BMG Music CDs led to the determination that zapping the rootkit would protect Windows users.

"We are concerned about any malware and its impact on our customers' machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems," Garms added.

He said "a set of objective criteria" was used to make the decision to classify the XCP software for detection and removal by the anti-malware technology.

The Microsoft move comes 24 hours after Sony announced it would stop production of music CDs that use the XCP technology and re-examine its DRM initiative to make sure it has balanced ease of use for consumers with security.


The XCP technology, created by U.K.-based First 4 Internet Ltd., manipulates the Windows kernel to make itself virtually undetectable on Windows systems and nearly impossible to remove without risking damage to the Windows operating system.

The use of the technology blew up in Sony's face after Windows analyst Mark Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at

Last week, anti-virus vendors warned that several malicious threats, including a virus and a Trojan horse program, were using the XCP technology to hide on Windows systems.
