Some Sony music CDs install rootkit

Sony DRM burrows into rootkit code

DRM software included on some Sony CDs includes a monitoring utility that is difficult to discover, almost impossible to remove and offers an easy hiding place for malicious code.

Mark Russinovich, writing in the Sysinternals blog, details how he uncovered rootkit code on his computer that originated from a Sony music CD he owned.

A rootkit installs itself in Windows systems in such a way that it tells the operating system to quite literally blindly accept its activities. As such, any files contained within the rootkit remain invisible from within Windows. Rootkits are increasingly commonly used by virus writers to hide the activities of their code and now, it seems, also major music publishers.

Once a CD protected by Sony’s DRM is played in a PC, an End User Licence Agreement is presented to the user which defines the terms of use of the CD and must be accepted. But it fails to include details of the rootkit, and the installation of this code which subsequently occurs happens without the user’s permission.

‘I didn’t find any reference to it in the Control Panel’s Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on [the software vendor’s] site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn’t uninstall. Now I was mad,’ writes Russinovich.

Getting rid of the rootkit proved nigh impossible and caused further problems, according to Russinovich. ‘When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.’

‘Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files,’ he concluded.

But Finnish security company F-Secure warned that the poorly written code creates a safe-house for malicious software. In his investigation, Russinovich noticed that the rootkit’s ‘cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”. To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.’

F-Secure tested this and confirmed the claim. ‘The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed,’ said Mikko Hyppönen, Chief Research Officer.

F-Secure offers rootkit detection in the form of Blacklight beta, available from its website.

Sony has made available instructions on how to remove the code, but has yet to respond to our requests for comment.

Unbelievable. Good thing I don’t buy CDs anymore.

Here is the original story by Mark Russinovich, complete with screenshots – and 219 comments so far. Pretty big deal, it’s being picked up by popular blogs and newspapers, both online and offline. Bruce Schneier suggests that there’s a lawsuit against Sony in this story.

Yeah this was a pretty stupid move on their part.

They’re like the Charles Foster Kane of electronics companies. I keep picturing Akio Morita on his deathbed with a snow-globe.

If anyone would like to get this crap off their system, here’s the email I got from Sony:

Active-X, pop-ups, a service pack 2? Good grief.

On one hand you have draconian anti-piracy measures that potentially fuck up my computer and, in the cases I’ve tried, prevent my walkman from playing legally purchased cd’s without skipping. On the other hand just grabbing an mp3 file/torrent of whatever music you like is so easy it could probably be done blindfolded and it doesn’t have any technical restrictions save the need to own a computer.

Go Sony! What a push for legal music!

If they charged $1 for plain jane mp3s, I’d buy them.

This is apparently being used to cheat at World of Warcraft.

Here is Mark Russinovich’s follow-up article, again with screenshots. Here are some excerpts:

My posting Monday on Sony’s use of a rootkit as part of their Digital Rights Management (DRM) generated an outcry that’s reached the mainstream media. As of this morning the story is being covered in newspapers and media sites around the world including USA Today and the BBC. […]

Despite a chorus of criticism over Sony not delivering an uninstaller with their DRM software, Sony refuses to admit blame and to make an uninstaller readily available. The uninstall question on Sony’s FAQ page directs you to another page that asks you to fill out a form requesting for uninstall directions to be emailed to you:

Here Mark details the incredibly cumbersome procedure to procure an uninstaller from the Sony website… and then discovers that the “uninstaller” again installs hidden files without warning, apparently due to an oversight:

The download of what should be a small patch is around 3.5 MB because it includes updated drivers and executables for the DRM software that the patch also installs (again, no mention of this is made in the download description).

Interestingly, after installing the patch a new entry showed up in the Windows Add and Remove Programs utility, but it’s only because I checked immediately after I ran the patch that I knew it was related to Sony […] Nowhere up to now have I seen the Sony Player or DRM software referred to as “MediaJam”.

To top it off, the uninstaller is unsafe because it attempts to unload the driver without requiring a reboot:

However, Sony’s uncloaking patch puts users’ systems at risk of a blue-screen crash and the associated chance of data loss. The risk is small, but I made the point in my last post that the type of cloaking performed by the Aries driver prohibits safely unloading the driver while Windows is running.

And that’s not all! During regular operation, the Sony CD driver “phones home” despite Sony’s assurance to the contrary:

The EULA also makes no reference to any “phone home” behavior, and Sony executives are claiming that the software never contacts Sony and that no information is communicated that could track user behavior. However, a user asserted in a comment on the previous post that they monitored the Sony CD Player network interactions and that it establishes a connection with Sony’s site and sends the site an ID associated with the CD.

Mark confirmed that the software does, in fact, send the music CD’s identifier to Sony’s website, apparently in order to check for updates.

Of course, Sony’s copy protection also does not work on 64-bit Windows systems – the comments list an Amazon review by a customer who had his system nuked by Sony’s clumsy attempt to install the driver!

Blizzard could sue Sony. They have the money now. And they might just win. That would be cool for a game dev to beat up a super-national corp.

Of course with Bnet Blizzard is no darling child of the /. crowd.

It’s an utter fuck-up. If you’ve been rootkitted by Sony, any file on your system prefixed with $sys$ becomes invisible. Scriptkiddies, virus writers, hackers, any moron really, can just piggyback on Sony’s rootkit, name their files $sys$makeazombie.dll and the files are entirely undetectable, but for a rootkit tool, such as rootkitrevealer.

No spyware or antivirus product is capable of seeing or cleaning any files with the $sys$ prefix. Yay Sony.
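A cross-view scan of the kind a rootkit revealer performs, added here as an illustration (not code from this thread or from Sysinternals) of both the “$sys$” cloaking rule quoted earlier and the piggybacking risk in this post; the driver’s API hook is simulated by a filter over os.listdir(), and the sample files are constructed in a temporary directory.

```python
"""Cross-view detection of name-cloaked files, in the style of a rootkit
revealer scan. Added example, not code from the thread or from Sysinternals.
The XCP driver hooked Windows enumeration so that any name starting with
"$sys$" vanished; that hook is *simulated* here by filtering os.listdir(),
and the "low-level" view is the unfiltered listing. Any object present in
the low-level view but absent from the API view is reported as cloaked."""
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # the prefix the thread reports the driver hides


def hooked_api_view(path: str) -> set:
    """Simulated hooked directory enumeration: drops cloaked names."""
    return {n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX)}


def low_level_view(path: str) -> set:
    """Stand-in for reading the volume directly (raw NTFS / MFT walk)."""
    return set(os.listdir(path))


def cross_view_scan(path: str) -> list:
    """Return names visible at the low level but hidden from the API view."""
    return sorted(low_level_view(path) - hooked_api_view(path))


def build_sample_tree(root: str) -> None:
    """Constructed sample: a copy of notepad renamed $sys$notepad.exe (as in
    Russinovich's test), a benign file, and the $sys$makeazombie.dll name
    this post uses for a piggybacking payload. Contents are dummy bytes."""
    for name in ("notepad.exe", "$sys$notepad.exe", "$sys$makeazombie.dll"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ")


def demo() -> list:
    """Build the sample tree and return the cloaked names the scan finds."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return cross_view_scan(root)


if __name__ == "__main__":
    for hidden in demo():
        print("cloaked:", hidden)
```

The benign notepad.exe appears in both views and is not reported; only the two “$sys$”-prefixed names show up as discrepancies, which is exactly why a prefix-based cloak is easy for a cross-view scanner to spot.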

I’m starting to get annoyed enough by Sony to NOT get a PS3!

And the viruses begin

XCP uses these techniques to install a proprietary media player that allows PC users to play music on the 20 CDs Sony BMG is protecting with this system. The CDs affected are only being sold in the US.

Soon after Mr Russinovich exposed how XCP worked security experts speculated that it would be easy to hijack the anti-piracy system to hide viruses.

Now anti-virus companies have discovered three malicious programs that use XCP’s stealthy capabilities if they find it installed on a compromised PC.

“The development we feared most from Sony’s inclusion of rootkit technology to conceal its DRM software was its use to conceal malicious code,” said David Emm from security firm Kaspersky Labs.

“Unfortunately, it seems our fears were well-grounded.” …

As the news about the viruses was breaking, more legal challenges to Sony’s use of the anti-piracy program were being launched.

At last count six class-action lawsuits have been started against the company.

As the Boycott Sony blog pointed out, the appearance of these viruses could make it much easier for lawyers to argue that the XCP software can cause real harm to a user’s computer.

This should be fun. In my best Nelson Muntz voice possible, while pointing at Sony “Ha Ha”.

If you build it, they will come.

Under a subject line containing the words “Photo approval,” a hacker has mass-mailed the so-called Stinx-E trojan virus to British email addresses, said British anti-virus firm Sophos.

When recipients click on an attachment, they install malware, which may tear down a computer’s firewall and give hackers access to a PC. The malware hides by using Sony BMG software that is also hidden – the software would have been installed on a computer when consumers played Sony’s copy-protected music CDs.

Cunt-bags at Sony deign to their malware from music CDs.

We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: .

Just to make things even worse, apparently, the web-based uninstaller that Sony provided includes an ActiveX control that opens up a big fat security hole. Way to go Sony!

Cunt-bags at Sony deign to replace their malware infected music CDs that worthless, whining, asshole customers* already bought.


If you’ve been “rooted” and want to take the teeth out of Sony’s rootkit, here’s the simplest method:

1-In the Start–>Run dialogue, type: cmd /k sc delete $sys$aries <enter>

(note that means press the enter key, not type enter) :)


3-Delete C:\Windows\system32\$sys$filesystem\aries.sys

That’s it. It still leaves some files on your system, but as far as I know, the detritus is harmless.