Sony Suspends Rootkit DRM Technology

The company has responded to criticism by announcing plans to temporarily stop producing CDs carrying its invasive DRM software.

Music company Sony BMG Music Entertainment has succumbed to mounting criticism, announcing plans to stop production of music CDs that use a controversial digital rights management technology called XCP.

The company said Friday that it is temporarily suspending manufacture of CDs with XCP, which security experts said used malicious "rootkit" techniques to evade detection on Windows systems.

The company will also re-examine its copy protection initiative to make sure it has balanced ease of use for consumers with security, according to an e-mail statement.

"I think they should have done it right away," said Mark Russinovich, chief software architect and co-founder of Winternals Software LP.

Russinovich's analysis of the XCP technology drew international attention to Sony's dubious copy protection wares.


He and others said the company's decision Friday to temporarily halt production of new XCP-enabled CDs doesn't go far enough.

"It's a step in the right direction—but a baby step," said Corynne McSherry, staff attorney at the Electronic Frontier Foundation.

"What does [Sony] intend to do about customers and music fans whose computers are already infected [with XCP]?" she said.

Sony's decision followed more than a week of steady criticism of the XCP technology, which shipped on CDs by around 20 Sony BMG artists along with a custom media player that must be used in order to play and make a limited number of copies of the CD on a Windows PC.

Using code written by First 4 Internet Ltd., a U.K. firm contracted by Sony, the XCP technology manipulates the Windows core processing center or "kernel" to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, much like malicious programs known as "rootkits."

XCP came to light on Oct. 31, after Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at

Russinovich showed that the XCP program hid files with a name that began with the characters $sys$, rather than looking for and hiding the specific files used by the media player for copyright enforcement.

He speculated that others who gained access to Windows systems with the sterile burning technology on them could also hide their programs simply by assigning them names that began with $sys$.
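The difference between hiding by name prefix and hiding only specific files, modelled as an added example (not code from Russinovich's analysis or from XCP). Only the $sys$ prefix comes from the article; the file names, the vendor file list and the comparison of a raw listing against a filtered one are assumptions constructed for illustration.

```python
CLOAK_PREFIX = "$sys$"  # the prefix named in the article

# Constructed sample data: every file name below is made up for illustration.
RAW_LISTING = [
    "notes.txt",
    "$sys$drm_component.sys",    # hypothetical file belonging to the DRM player
    "$sys$something_else.exe",   # hypothetical file unrelated to the DRM
    "archive$sys$.zip",          # prefix not at the start of the name
]
KNOWN_DRM_FILES = {"$sys$drm_component.sys"}  # hypothetical vendor file list


def hide_by_prefix(names, prefix=CLOAK_PREFIX):
    """Listing as seen through a filter that drops any name starting with prefix."""
    return [n for n in names if not n.startswith(prefix)]


def hide_named_files(names, protected=KNOWN_DRM_FILES):
    """Listing as seen through a filter that drops only the named files."""
    return [n for n in names if n not in protected]


def cross_view_diff(raw, filtered):
    """Entries present in the raw view but absent from the filtered view."""
    seen = set(filtered)
    return [n for n in raw if n not in seen]


def unexpected_hidden(raw, filtered, expected=KNOWN_DRM_FILES):
    """Hidden entries that the vendor's own file list does not account for."""
    return [n for n in cross_view_diff(raw, filtered) if n not in expected]


if __name__ == "__main__":
    for label, view in (("prefix", hide_by_prefix(RAW_LISTING)),
                        ("named files", hide_named_files(RAW_LISTING))):
        print(label, "hides:", cross_view_diff(RAW_LISTING, view),
              "unaccounted:", unexpected_hidden(RAW_LISTING, view))
```

With the prefix filter, the comparison turns up a hidden entry that the vendor list does not explain; with the named-file filter it turns up none.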

Russinovich also criticized Sony's poor description of the XCP technology in the user license agreement customers agreed to when installing the media player and showed that First 4 Internet's sloppy implementation of the XCP technology could cause Windows systems to crash under certain conditions.

Sony BMG reacted quickly to the criticism, releasing a software patch to disable the DRM software and giving instructions for obtaining a removal program within days of Russinovich's analysis.

However, the patch and removal programs did little to stem criticism of the company by computer security and privacy rights advocates, who charged that the DRM technology exposed customers' computers to hackers in the name of protecting copyright.


Consumers in California filed a class action lawsuit on Nov. 1 to stop Sony from distributing the CDs and to seek monetary damages for consumers who had already purchased CDs with the sterile burning technology on them, according to a published report.

Other lawsuits against the company on behalf of aggrieved consumers are in the works, as well, EFF's McSherry said.

Anti-virus and computer security companies have also been adding detection for the XCP technology to their products. And on Thursday, anti-virus companies warned of a host of new threats, including a virus and a Trojan horse program that used the XCP technology to hide on Windows systems.

Sony acknowledged the new computer virus and said the company regretted any inconvenience caused by the XCP technology. The company also said it provided a patch to major anti-virus companies that will "fix possible software problems" and "guard against precisely the type of virus now said to exist." Sony has not disclosed the number of installations of its XCP technology.

However, the actual threat posed by the technology is probably small, Russinovich said.

An informal poll Thursday of network managers at leading colleges and universities turned up only a handful of machines that appeared to have the software installed and that were communicating with Web sites used by the media player program, said David Escalante, director of computer security at Boston College in Chestnut Hill, Massachusetts.

"I'm not horribly concerned. Maybe I should be, but I'm not," he said.


Still, Sony BMG needs to reach out to customers who may be running the XCP program, make sure they are aware of the dangers it poses, and help them to remove the software, McSherry said.

The heated discussion of Sony's copy protection technology has also highlighted the ongoing debate about the privacy rights of consumers and those of copyright holders.

"I fully anticipate we'll see similar problems in the future with other anti-piracy technologies," McSherry said.
