DRM Software Uses Root-Kit Techniques

Sony BMG music CDs tap 'sterile burning'.

New digital rights management technology shipping on music CDs by Sony BMG Music Entertainment artists employs stealthy, root-kit-style techniques to hide from users, according to a security expert.

The technology, which Sony BMG has dubbed "sterile burning," manipulates the Windows kernel to make it almost totally undetectable on Windows systems. Furthermore, the DRM files are almost impossible to remove without fouling Windows systems and could be used by malicious hackers to hide their own programs, according to Mark Russinovich, chief software architect at Winternals Software LP, an Austin, Texas, company that makes administrative software tools.

A Sony BMG spokesperson in New York acknowledged last week that the root-kit-style features are part of DRM technology that began shipping with CDs earlier this year but referred technical questions about the technology to First 4 Internet Ltd., the Banbury, England, company that developed it.

Russinovich discovered the Sony BMG root-kit technology after scanning his own computer with a tool called RootkitRevealer that he developed. Russinovich, an authority on root kits, was shocked by the discovery. "Given the fact that I'm careful in my surfing habits and only install software from reputable sources, I had no idea how I'd picked up a real root kit," he wrote on his blog last month at sysinternals.com.

After discovering the program, Russinovich began a detailed analysis of it that turned up the name of First 4. Russinovich said he believes the software was installed on his system by a copy-protected CD of music by Sony BMG duo Van Zant, which he recently purchased from Amazon.com Inc.

Through a detailed analysis of communication between the media player installed from the Sony BMG CD and the root-kit files, Russinovich determined that the root-kit files were installed with the media player and communicated with it.

Russinovich was reluctant to discuss the details of how the DRM software works, citing fear of prosecution under the Digital Millennium Copyright Act. However, he said the root-kit features help enforce the sterile burning limits on copying Sony BMG music files.

The Sony BMG spokesperson said the sterile burning and root-kit technology is intended to act as a "fence" or "speed bump" to users who want to try to go beyond the limit of three copies on the company's DRM-protected music.

Like other so-called kernel-mode root kits, the Sony BMG DRM software interacts with the system service table, a core component of the Windows kernel that coordinates interactions between instructions from different Windows applications and the kernel. By "hooking" the Windows kernel in this way, kernel-mode root kits can intercept communications between the kernel and the Windows API, filtering or distorting the instructions and information that are sent from the kernel.

For example, the Sony BMG DRM software did not appear in the Windows Explorer list of programs or the Windows registry, where information on installed programs can typically be viewed, Russinovich said.

Root-kit technology is well-established and is not, in itself, malicious, said Mathew Gilliat-Smith, CEO of First 4. "Root-kit detection programs have made root kits more high-profile in the media, but this technology has been around for a long time and is used widely by anti-virus and other information security companies," Gilliat-Smith said.

That said, First 4 officials don't consider their technology to be a root kit, but part of a copy protection system designed to balance security and ease of use for the CD buyer, he said. Sony BMG began using a version of First 4 technology called XCP in March, Gilliat-Smith said.

However, the Sony BMG root-kit files developed by First 4 are unsophisticated and could introduce other problems on systems that use the Sony BMG DRM technology, Russinovich said.

For example, the root-kit features are designed to hide any file on a Windows system with a file name that begins with the characters "$sys$," not just the files used by the Sony BMG sterile burning technology. That feature could be used by malicious hackers to hide their own attack programs on computers using the Sony BMG DRM technology, simply by following the $sys$ naming convention, Russinovich said.
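The two preceding passages describe how a hook on the kernel's service table filters what the Windows API reports, and how the filter keys on the "$sys$" name prefix. The detection approach Russinovich's RootkitRevealer relies on is to compare a high-level (API) view of the file system with a low-level (raw) view and report anything present only in the latter. The following is an added example, not code from the article or from any of the products it names; the "hooked" view is simulated in user mode with a name filter rather than an actual kernel hook, and the raw view is assumed to be an unfiltered listing.

```python
"""Cross-view detection of prefix-based file hiding (added example).

Assumptions: `hooked_listing` stands in for a directory enumeration whose
results have been filtered by a hook (simulated here, no kernel involved);
`raw_listing` stands in for an unfiltered scan of on-disk structures.
"""
import os
import tempfile

HIDDEN_PREFIX = "$sys$"  # prefix the article says the XCP hook hides


def hooked_listing(path):
    """Simulated filtered view: names with the hidden prefix are dropped."""
    return sorted(n for n in os.listdir(path) if not n.startswith(HIDDEN_PREFIX))


def raw_listing(path):
    """Unfiltered view of the same directory (assumed to bypass the hook)."""
    return sorted(os.listdir(path))


def cross_view_diff(api_view, raw_view):
    """Names seen in the raw view but missing from the API view.

    Any such discrepancy is the signal a cross-view detector reports; the
    caller then decides whether it is a hook, a race, or a benign cause.
    """
    return sorted(set(raw_view) - set(api_view))


def scan_directory(path):
    """Run both views over one directory and return the hidden names."""
    return cross_view_diff(hooked_listing(path), raw_listing(path))


def demo():
    """Constructed sample: three files, one using the hidden prefix."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("readme.txt", HIDDEN_PREFIX + "driver.sys", "player.exe"):
            open(os.path.join(d, name), "w").close()
        return scan_directory(d)


if __name__ == "__main__":
    print("hidden from API view:", demo())
```

On a real system the raw view would come from parsing the volume's on-disk structures directly, which is the part a user-mode filter cannot stand in for.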

The root-kit files also interact with Windows at a very low level and fail to account for certain conditions that could cause the files to overwrite areas of memory, crashing applications that use that memory or even crashing Windows altogether, Russinovich said.

Finally, removing the Sony BMG DRM software is extremely difficult. Because it is hidden from Windows, there is no entry for it in the Windows Control Panel and no easy way to determine where or how it is installed on Windows. Users, such as Russinovich, who are sophisticated enough to find the files and try to delete them will find that Windows can no longer detect the CD drive attached to their system, Russinovich said. Remedying that requires other subtle manipulations of Windows.

"The average user would not be able to remove [the Sony BMG DRM] without losing ... the CD [drive]. Even a sophisticated user would have trouble," Russinovich said.

First 4 developed a new version of the stealth features that responds to many of the questions Russinovich raised in his analysis, including the $sys$ and stability issues. Those features will be available in new Sony BMG CDs, Gilliat-Smith said. It's unclear whether users with the existing DRM technology will be able to upgrade to the new features. But Sony BMG offers a downloadable removal program for the copy protection software, the spokesperson said.