Attack targets Sony 'rootkit' fix

Websense's security labs reported that it has discovered several Web sites designed to exploit security flaws in a rootkit uninstaller program issued by Sony BMG Music Entertainment. As reported earlier, some Sony CDs deposit rootkit-like code onto people's computers that leave them open to attacks.

Websense has uncovered only a couple of Web sites set up to attack flaws in the initial uninstall program, and the damage they cause appears to be minimal so far. One of them, hosted in the United States, simply restarts infected computers.

"It's someone trying to make a point," said Dan Hubbard, senior director of security and technology research at Websense. "They could have done a lot worse."

Sony became embroiled in controversy earlier this month after the record label was discovered to be distributing secret code similar to a rootkit with certain music CDs as a copy-protection mechanism. Sony BMG recalled millions of these CDs on Tuesday, after viruses exploiting flaws in the rootkits began to appear.

The company also released programs to uninstall the rootkits, but the initial Web-based version has its own set of flaws, Princeton University computer science professor Ed Felten wrote in his blog Tuesday.

In the case of the U.S.-hosted malicious site, the attacker may have compromised the site without the owner's knowledge, Websense's Hubbard said. The site appears to be associated with Canada's version of the American Idol TV show. Websense also found the following message in the site's malicious code: "Sony DRM Christmas Gift." DRM stands for digital rights management, a type of copy-protection technology.

"Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack," Websense said in a statement.

A Sony BMG representative did not immediately respond to inquiries about the alert.

However, in response to concerns about the security of its uninstall software, Sony has removed the program from its Web site, and promised to release another version soon.

"We currently are working on a new tool to uninstall First4Internet XCP software," the Sony site now reads. "In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days."

The flaw in Sony's uninstall software was based on an ActiveX progam installed on hard drives, which allowed Web sites to run malicious code automatically in the Internet Explorer Web browser. Some security experts are advising people who think they might have used Sony's uninstall tool to use the Firefox Web browser, which does not support automatic ActiveX controls.

Princeton computer science professor Ed Felten and researcher Alex Haldeman have created a page that tests whether a computer might be at risk as a result of running the uninstall tool.