NEWS FROM THE LAB - Tuesday, November 1, 2005

The "Sony rootkit" case Posted by Mikko @ 11:25 GMT

There have been some recent developments in digital rights management (DRM) systems that have security implications. Some DRM systems have started to use rootkit technology. Rootkits are normally associated with malware, but in this case a rootkit is used to enforce the copy control policies of audio CDs!

Some CDs from Amazon

A rootkit is technology that hides software from the user and from security software. This kind of technology is normally used by malware authors who want their presence to remain undetected on the system for as long as possible. DRM software is not malicious, but it has other reasons for hiding from the user. DRM software restricts the user's ability to make copies of a record, and for that reason it uses technology that prevents removal and modification of the software.

Sony BMG is currently using a rootkit-based DRM system on some CD records sold in the USA. As far as we know, this system has been in use since March 2005. We've made some test purchases of Sony BMG records from Amazon.com and can confirm that they contained this technology.

When you insert such a CD into a Windows-based PC, the record will display a license agreement and then appear to install a song player application, while it really installs a rootkit on the system. Once the rootkit is there, there's no direct way to uninstall it. The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where a virus remains undetected even if the user has up-to-date antivirus software installed.

F-Secure has implemented an anti-rootkit scanner in F-Secure Internet Security 2006. The F-Secure BlackLight scanner is able to detect both this Sony DRM rootkit system and any malware that hides using it.

We've just published a technical description on this rootkit, with details on how to distinguish hidden items belonging to the DRM system from potentially harmful malware.
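As an added illustration (not code from the post or from F-Secure's products), the following assumes the common cross-view approach to finding hidden items: a rootkit that filters normal directory-listing calls cannot also scrub a second, lower-level view of the same directory, so diffing the two exposes what it hides, and a list of the DRM package's own files then separates those from anything else hiding behind the same cloak. The listings and file names are constructed placeholders, not the real DRM components.

```python
# Cross-view rootkit detection on constructed sample data.
# The "API view" is what ordinary directory-listing calls return once
# the rootkit has filtered them; the "raw view" is assumed to come from
# below the hooked layer (e.g. reading the file system directly).

# Constructed sample listings (placeholder names, not the real DRM files).
API_VIEW = ["notepad.exe", "readme.txt", "setup.log"]
RAW_VIEW = ["notepad.exe", "readme.txt", "setup.log",
            "drmplayer.dll", "drmfilter.sys", "dropper.exe"]

# Constructed placeholder for the files the DRM vendor documents as its own.
KNOWN_DRM_FILES = {"drmplayer.dll", "drmfilter.sys"}


def hidden_entries(api_view, raw_view):
    """Entries the low-level view shows but the API view omits."""
    return sorted(set(raw_view) - set(api_view))


def classify_hidden(hidden, known_drm_files):
    """Split hidden entries into documented DRM components and the rest.

    Anything hidden that is not on the vendor's list is using the DRM
    cloak without belonging to it and needs investigation.
    """
    drm = sorted(name for name in hidden if name in known_drm_files)
    suspicious = sorted(name for name in hidden if name not in known_drm_files)
    return drm, suspicious


def scan(api_view=API_VIEW, raw_view=RAW_VIEW, known=KNOWN_DRM_FILES):
    """Run the full cross-view check and return a small report."""
    hidden = hidden_entries(api_view, raw_view)
    drm, suspicious = classify_hidden(hidden, known)
    return {"hidden": hidden, "drm": drm, "suspicious": suspicious}


if __name__ == "__main__":
    report = scan()
    for name in report["drm"]:
        print(f"hidden, documented DRM component: {name}")
    for name in report["suspicious"]:
        print(f"hidden, NOT a known DRM file, investigate: {name}")
```

A real scanner must obtain the raw view from beneath the layer the rootkit hooks; a kernel-mode filter that intercepts the raw read as well would defeat a naive comparison.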

So: if you've recently used CD releases from Sony BMG that state that they are content protected on your Windows computer, the "Scan for Rootkits" function in our product will detect this program on your system. The same happens with our free BlackLight beta, which you can download from our web site.

If you find this rootkit on your system, we recommend that you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, blindly removing it might leave the CD drive letter inaccessible. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this, and they will provide you with tools to do it. However, they will install additional ActiveX components on your system while doing so, so be advised.