The Sony XCP Rootkit
November 25, 2005
In March 2005, Sony's BMG music division
began shipping music CDs that included a particularly strong form of digital
rights management (DRM) software called XCP.
These CDs play normally in a standard CD player, but when inserted into a PC
they will attempt to install the DRM software onto the PC.
The software limits the number of copies you can make and prevents transfer
of the music to some music players such as the Apple iPod.
Sony's Dangerous Hide and Seek
In October 2005, Mark Russinovich was doing research into rootkits,
a form of malicious software that attempts to hide itself on a computer
by modifying operating system functions.
For example, a rootkit may change the system file functions so that the
rootkit's own files do not display in a directory.
Russinovich was stunned to find that his own computer
had a rootkit,
and even more surprised when he found out the source was a Sony BMG music CD.
Although Russinovich was the first to publicize the problem, security firm F-Secure was also
investigating the issue
and had been talking with Sony behind the scenes for about a month.
A timeline of other important events is shown below.
Are You Affected ... Infected?
If you played any of the
more than fifty CDs
that Sony shipped with XCP software, and you accepted the license screen that
appeared on your PC after you inserted it in your drive, the rootkit was installed.
Several of PC Pitstop's diagnostic tests detect the rootkit, including
PC Pitstop Exterminate and our full tests.
Removal and Beyond
If you have the Sony rootkit on your system, the first priority should
be to remove it.
However, Sony's own uninstall procedure was withdrawn due to several security
problems of its own.
how difficult it was for him to safely remove the rootkit manually, so manual
removal may not be a good idea until more detailed and well-tested procedures
Several antispyware products including
PC Pitstop Exterminate
can disable and remove the rootkit.
Once you're rid of the rootkit, you may want to send Sony a message that they have
done something very wrong here.
Several different groups are considering legal action against Sony
based on its reaction to the rootkit episode.
The State of Texas has said it will
Several other groups are working on
class action lawsuits.
Was This an "Accident"?
In 2000, facing the threat of Internet-based music downloading through Napster,
Sony VP Steve Heckler
laid out Sony's strategy:
"Sony is going to take aggressive steps to stop this.
We will develop technology that transcends the individual user.
We will firewall Napster at source - we will block it at your cable company,
we will block it at your phone company, we will block it at your [ISP].
We will firewall it at your PC.
These strategies are being aggressively pursued because
there is simply too much at stake.
The [music] industry will take whatever
steps it needs to protect itself and protect its revenue streams."
But that was five years ago, perhaps Sony's view has changed?
If so, it would only be because Heckler's own views have changed.
In 2005, Heckler is now Chief Information Officer at Sony Pictures Entertainment
and no doubt continues to be influential in Sony's views on this topic.
The XCP rootkit is one way for Sony to reach its goal to
control the ripping and distribution of music.
Using the software they can simply "firewall it at your PC".
Sony seems to believe the click-wrap license on the XCP CD trumps a user's
fair-use rights to the CD they purchased.
Fair use may allow you to copy music tracks to an iPod, for example,
but the XCP rootkit does not.
Early November was filled with daily revelations about Sony's XCP rootkit:
- October 31
Russinovich posts his first blog entry
about the Sony rootkit.
- November 1
Security firm F-Secure posts their research
regarding the rootkit.
- November 2
Sony issues a statement on its web site, later removed, that plays
down the danger of the XCP rootkit:
"The protection software simply acts to prevent unlimited copying and ripping
... it is otherwise inactive. The software does not collect any
personal information nor is it designed to be intrusive to your computer system."
The company that wrote the software for Sony,
"This is a legitimate technology that we've been charged to produce.
People who aren't comfortable with the technology can
apply to have the software removed."
("Apply" because there is no uninstaller provided with the CD.)
- November 3
Sony releases a patch
to remove the rootkit aspects of XCP DRM that allow files to be concealed, but it does not remove the DRM software.
They make available an uninstall procedure (now withdrawn) that requires the
user to fill out two web forms, provide an email address, and install an ActiveX control.
On the same day, a program appears
that uses the rootkit to conceal a cheat program in the online World of Warcraft game.
- November 4
Thomas Hesse of Sony BMG provides a memorable quote on
National Public Radio:
"Most people, I think, don't even know what a rootkit is, so why should they care about it?"
- November 6
Mark Russinovich demonstrates that the Sony rootkit does indeed
send information to Sony,
contradicting a claim that Sony made several times in the previous week.
- November 9
Security firm BitDefender announces it has found the first
trojan horse program
to exploit the Sony rootkit's ability to hide files.
- November 10
An official at the US Department of Homeland Security
addresses the Sony rootkit:
"It's your intellectual property, it's not your computer.
In the pursuit of protection of intellectual property, it's important
not to defeat or undermine the security measures that people need
to adopt in these days."
Also, several programs used in XCP are found to contain
open source code.
Ironically, the makers of XCP appear to have infringed on software intellectual property
to build a product that enforces musical intellectual property.
- November 11
Sony announces it will stop shipping
the CDs that have XCP rootkit software.
However, Sony still does not provide a comprehensive list of CDs that include the rootkit.
- November 13
A researcher finds that Sony's uninstaller program has
several serious security holes.
It is left installed on the PC and lets any web page on the Internet reboot your PC
or download and execute code.
- November 16
The US Computer Emergency Response Team (CERT) issues an advisory that users
never install DRM software:
"Do not install software from sources that you do not expect to
contain software, such as an audio CD."
- November 17
In a demonstration of how these incidents should be handled, Amazon.com announces that it will
to customers that purchased CDs with Sony's XCP DRM.
- November 18
Sony finally capitulates.
They provide a complete list
of titles that have XCP DRM,
offer users an exchange
of uninfected CDs or MP3s for the infected ones,
and announce that existing CDs will be removed from store shelves as soon as possible.
Although Sony announced a recall of CDs on the 18th,
they appeared to be in no hurry to get CDs off store shelves.
On November 25, we were still able to find several nearby Target and Best Buy
stores that were selling CDs with the rootkit.