New Sony DRM system uses unremovable rootkit

— 6:03 PM on November 2, 2005

Copy-protected audio CDs have slowly but surely become more widespread in the US, despite resistance from certain consumer groups and their own occasional embarrassing failures (anyone got a magic marker handy?) Digital content providers and DRM developers have collectively spent huge sums of money trying to develop better and more foolproof protection systems, but blogger Mark Russinovich has uncovered that Sony's latest DRM scheme does more than just keep an eye on your CD use.

Mr. Russinovich stumbled on Sony's hidden DRM software while he was beta testing the latest version of RootkitReaveler. A rootkit, for those of you who don't know, is a collection of software tools used to hide data from the operating system—or any of the anti-spyware, anti-virus, or security software that might be loaded. The term almost always refers to malware programs, which is what Mr. Russinovich initially thought he'd picked up somewhere.

I'll leave the details of his investigation to his article, but by the end of it he's conclusively demonstrated and proven that the rootkit software in question was distributed by Sony, as part of a DRM package loaded on the new CD by the Van Zant brothers, titled Get Right with the Man. Not only is the Sony rootkit demonstratively buggy and inefficient, but it's also uninstallable by any standard means; it loads itself even while in Safe Mode. As Russinovich points out, this means that any bug in the rootkit software that prevented a boot in normal mode could also prevent Safe Mode from working. Needless to say, the rootkit software package isn't noted anywhere in the "Add/Remove Programs" listing.

The Sony rootkit can be removed, but killing the various drivers and processes associated with it in the Registry and active services simply makes your CD-ROM drive vanish. Mr. Russinovich covers how to reconfigure your system in order to see your drives again, but it involves another round of registry edits and a program capable of editing the registry in System Mode, in order to change certain write-protected keys.

It's easy to imagine how a control-obsessed company like Sony could be sold on a rootkit DRM scheme; the prospect of an invisible, undetectable, and highly sophisticated protection system probably sounded too good to pass up. Unfortunately, it's just more evidence (as if any were needed) that the wrong people are making these sorts of decisions.

Sony's EULA makes no mention of a rootkit-based DRM system and contains no language that would imply such a system was in use. The relevant section of the text reads:

As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.
This implies, at least, that the software can be uninstalled without the help of a Windows engineer and several hours of work. I support Sony's right to protect their own published work, but not at the cost of my own system security. Installing a buggy, uninstallable (for all practical purposes), and unrevealed rootkit counts as an imposed security violation, in my book.
Like what we're doing? Pay what you want to support TR and get nifty extra features.
Top contributors
1. BIF - $340 2. Ryu Connor - $250 3. mbutrovich - $250
4. YetAnotherGeek2 - $200 5. End User - $150 6. Captain Ned - $100
7. Anonymous Gerbil - $100 8. Bill Door - $100 9. ericfulmer - $100
10. dkanter - $100
Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.