The Sony XCP Rootkit
by Dave Methvin
November 25, 2005
In March 2005, Sony's BMG music division began shipping music CDs that included a particularly strong form of digital rights management (DRM) software called XCP. These CDs play normally in a standard CD player, but when inserted into a PC they will attempt to install the DRM software onto the PC. The software limits the number of copies you can make and prevents transfer of the music to some music players such as the Apple iPod.
Sony's Dangerous Hide and Seek
In October 2005, Mark Russinovich was doing research into rootkits, a form of malicious software that attempts to hide itself on a computer by modifying operating system functions. For example, a rootkit may change the system file functions so that the rootkit's own files do not display in a directory. Russinovich was stunned to find that his own computer had a rootkit, and even more surprised when he found out the source was a Sony BMG music CD. Although Russinovich was the first to publicize the problem, security firm F-Secure was also investigating the issue and had been talking with Sony behind the scenes for about a month. A timeline of other important events is shown below.
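The hiding technique described above (a hook on the file-listing function that filters out the rootkit's own names) is exactly what cross-view rootkit detectors catch: they enumerate the same directory through two independent paths and flag any difference. The script below is an added example, not code from the original article or from any Sony or First4Internet product. It simulates a hook by wrapping Python's own os.listdir inside the running process, then compares that view against os.scandir, which does not pass through the wrapped function. The prefix demo_hidden_ and the file names are constructed for the demo.

```python
import os
import tempfile

# Constructed marker for the demo: the simulated hook hides any entry whose
# name starts with this prefix. It is an arbitrary label, not the naming
# rule of any real rootkit.
HIDDEN_PREFIX = "demo_hidden_"


def install_listdir_hook():
    """Simulate a user-mode API hook: wrap os.listdir so that entries carrying
    HIDDEN_PREFIX never appear in its results. Returns the original function
    so the caller can restore it afterwards."""
    original = os.listdir

    def hooked_listdir(path="."):
        return [n for n in original(path) if not n.startswith(HIDDEN_PREFIX)]

    os.listdir = hooked_listdir
    return original


def high_level_view(path):
    """The view most programs get: the (possibly hooked) os.listdir API."""
    return set(os.listdir(path))


def low_level_view(path):
    """An independent enumeration path. os.scandir makes its own call into the
    OS and is untouched by the os.listdir wrapper; a cross-view check relies on
    having at least one such path the hook did not cover."""
    return {entry.name for entry in os.scandir(path)}


def cross_view_diff(path):
    """Report names present in one view but not the other. Any discrepancy
    means some layer between the two views is filtering results."""
    hi = high_level_view(path)
    lo = low_level_view(path)
    return {
        "hidden_from_api": sorted(lo - hi),   # present on disk, missing from the API
        "phantom_in_api": sorted(hi - lo),    # reported by the API, absent on disk
    }


def demo():
    """Create a scratch directory with one ordinary and one 'hidden' file,
    install the simulated hook, and run the cross-view check.
    Returns (what the hooked listing shows, the cross-view diff)."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("readme.txt", HIDDEN_PREFIX + "payload.dll"):
            with open(os.path.join(d, name), "w") as f:
                f.write("constructed sample file\n")
        original = install_listdir_hook()
        try:
            visible = sorted(high_level_view(d))   # naive listing: hidden file is gone
            diff = cross_view_diff(d)              # cross-view: hidden file reappears
        finally:
            os.listdir = original                  # always remove the hook
        return visible, diff


if __name__ == "__main__":
    visible, diff = demo()
    print("API listing shows:", visible)
    print("cross-view result:", diff)
```

Running it prints a listing containing only readme.txt, followed by a diff whose hidden_from_api entry names the file the hook concealed. The same idea scales to real detectors: compare the Win32 directory API against raw volume reads, the process list against the kernel's own thread structures, or the registry API against the hive file on disk; a rootkit has to hook every path consistently, and the one it misses gives it away.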
Are You Affected ... Infected?
If you played any of the more than fifty CDs that Sony shipped with XCP software, and you accepted the license screen that appeared on your PC after you inserted it in your drive, the rootkit was installed. Several of PC Pitstop's diagnostic tests detect the rootkit, including PC Pitstop Exterminate and our full tests.
Removal and Beyond
If you have the Sony rootkit on your system, the first priority should be to remove it. However, Sony's own uninstall procedure was withdrawn due to several security problems of its own. Russinovich has described how difficult it was for him to safely remove the rootkit manually, so manual removal may not be a good idea until more detailed and well-tested procedures become available. Several antispyware products, including PC Pitstop Exterminate, can disable and remove the rootkit.

Once you're rid of the rootkit, you may want to send Sony a message that they have done something very wrong here. Several different groups are considering legal action against Sony based on its reaction to the rootkit episode. The State of Texas has said it will file suit against Sony. Several other groups are working on class action lawsuits.
Was This an "Accident"?
In 2000, facing the threat of Internet-based music downloading through Napster, Sony VP Steve Heckler laid out Sony's strategy:

"Sony is going to take aggressive steps to stop this. We will develop technology that transcends the individual user. We will firewall Napster at source - we will block it at your cable company, we will block it at your phone company, we will block it at your [ISP]. We will firewall it at your PC. These strategies are being aggressively pursued because there is simply too much at stake. The [music] industry will take whatever steps it needs to protect itself and protect its revenue streams."

But that was five years ago; perhaps Sony's view has changed? If so, it would only be because Heckler's own views have changed. As of 2005, Heckler is Chief Information Officer at Sony Pictures Entertainment and no doubt continues to be influential in Sony's views on this topic. The XCP rootkit is one way for Sony to reach its goal of controlling the ripping and distribution of music. Using the software, they can simply "firewall it at your PC". Sony seems to believe the click-wrap license on the XCP CD trumps a user's fair-use rights to the CD they purchased. Fair use may allow you to copy music tracks to an iPod, for example, but the XCP rootkit does not.
Rootkit Chronology
Early November was filled with daily revelations about Sony's XCP rootkit:

- October 31: Russinovich posts his first blog entry about the Sony rootkit.

- November 1: Security firm F-Secure posts their research regarding the rootkit.

- November 2: Sony issues a statement on its web site, later removed, that plays down the danger of the XCP rootkit: "The protection software simply acts to prevent unlimited copying and ripping ... it is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system." The company that wrote the software for Sony, First4Internet, says: "This is a legitimate technology that we've been charged to produce. People who aren't comfortable with the technology can apply to have the software removed." ("Apply" because there is no uninstaller provided with the CD.)

- November 3: Sony releases a patch to remove the rootkit aspects of XCP DRM that allow files to be concealed, but it does not remove the DRM software. They make available an uninstall procedure (now withdrawn) that requires the user to fill out two web forms, provide an email address, and install an ActiveX control. On the same day, a program appears that uses the rootkit to conceal a cheat program in the online World of Warcraft game.

- November 4: Thomas Hesse of Sony BMG provides a memorable quote on National Public Radio: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

- November 6: Mark Russinovich demonstrates that the Sony rootkit does indeed send information to Sony, contradicting a claim that Sony made several times in the previous week.

- November 9: Security firm BitDefender announces it has found the first trojan horse program to exploit the Sony rootkit's ability to hide files.

- November 10: An official at the US Department of Homeland Security addresses the Sony rootkit: "It's your intellectual property, it's not your computer. In the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days." Also, several programs used in XCP are found to contain open source code. Ironically, the makers of XCP appear to have infringed on software intellectual property to build a product that enforces musical intellectual property.

- November 11: Sony announces it will stop shipping the CDs that have XCP rootkit software. However, Sony still does not provide a comprehensive list of CDs that include the rootkit.

- November 13: A researcher finds that Sony's uninstaller program has several serious security holes. It is left installed on the PC and lets any web page on the Internet reboot your PC or download and execute code.

- November 16: The US Computer Emergency Response Team (CERT) issues an advisory telling users never to install DRM software: "Do not install software from sources that you do not expect to contain software, such as an audio CD."

- November 17: In a demonstration of how these incidents should be handled, Amazon.com announces that it will offer refunds to customers who purchased CDs with Sony's XCP DRM.

- November 18: Sony finally capitulates. They provide a complete list of titles that have XCP DRM, offer users an exchange of uninfected CDs or MP3s for the infected ones, and announce that existing CDs will be removed from store shelves as soon as possible.

Although Sony announced a recall of CDs on the 18th, they appeared to be in no hurry to get CDs off store shelves. On November 25, we were still able to find several nearby Target and Best Buy stores that were selling CDs with the rootkit.