FAQ: Sony's 'rootkit' CDs

Sony's copy protection could help hide new viruses on a PC. Here's what you need to know to protect yourself.

John Borland
John Borland Staff Writer, CNET News.com
John Borland
covers the intersection of digital entertainment and broadband.
4 min read
On Thursday, a wave of malicious software appeared in the wild that piggybacked on copy-protection technology installed on hard drives by Sony BMG Music Entertainment CDs.

Computer security companies had been predicting such exploit code in the wild for weeks, since an independent developer had exposed the presence of a "rootkit" tool on the Sony CDs. The rootkit technology hid the copy protection from view, but also left open a hole that could hide other software.

Virus writers quickly took advantage of that hole, modifying an old Trojan horse to take advantage of the powerful inadvertent shielding provided by the Sony software.

On Friday, Sony responded to the furor and announced that it will suspend production of CDs that contain this particular copy-protection technology and take a second look at its digital rights management strategy.

Antivirus companies are now offering a range of advice, and confusion remains about exactly what the software does and how dangerous it can be to a PC. Here are the basics that everyone should know about this potentially dangerous issue:

What is on the Sony CDs?

The CDs involved are loaded with a relatively new kind of content protection created by British company First 4 Internet. When a listener puts the album into a computer's CD drive, it pops up a license agreement. If the listener accepts, it installs the copy protection rootkit onto the hard drive.

The rootkit element of the software is used to hide virtually all traces of the copy protection software's presence on a PC, so that an ordinary computer user would have no way to find it. The software acts to limit the number of copies that can be made of the CD and prevents a computer user from making unprotected MP3s from the music.

What is a rootkit? Isn't that something that virus writers use?

A rootkit is a powerful piece of software that takes over control of a computer at the most fundamental level. In computer terms, it establishes "root" access, which is similar to administrative access, instead of access for just an ordinary user. It can potentially prevent a computer user from detecting its presence or from performing certain tasks on their own PC.

Like most computing tools, this is not intrinsically a bad thing, but can be abused. Virus writers use these tools to help take over computers and hide the presence of their work.

Is Sony's software a virus or a Trojan horse?

Some aggrieved users may see little difference. Computer security companies do make a distinction between Sony's software and a virus, noting that this was distributed by a legitimate company with a legitimate business interest (even if many people disagree with that business interest).

However, they are deeply critical of Sony's techniques and say that the amount of information

given to users about what the software would do to a computer was wholly inadequate, and the lack of an uninstall tool was bad policy.

Computer Associates has labeled the software "spyware," because it also sends back some information about what CDs are being played.

Can I uninstall it?

Even if you could find the hidden copy protection components yourself, computer experts warn against trying to uninstall it without help. Trying to do remove it without official instructions could damage the computer, rendering the CD drive inoperable.

Sony's Web site has a downloadable patch which will remove the ability of the copy protection software to hide from view, but will not uninstall it.

To uninstall the software completely, a user must fill out a separate customer service form on Sony's Web site, asking for instructions on how to uninstall the rootkit software.

How do the new Trojan horses piggyback on Sony's software?

The Sony software hides itself very well on a computer, but allows other software to use the same technique. Essentially it establishes a new rule at the level of the operating system that says any software that starts with the string of characters "$sys$" should be hidden from view.

Virus writers quickly took pre-existing malicious software and put those characters at the beginning of the relevant code, making their work invisible on any computer that had the Sony copy protection installed.

What do the new viruses do?

So far, the ones that have emerged hide themselves, then open a channel to the IRC chat network. An attacker could use that back door to control the computer completely, using it to send out spam, launch attacks on other computers, or many other nefarious tasks.

Will antivirus software stop this?

The problem with rootkits is that they can hide themselves even from antivirus software. However, most of the big antivirus companies are working with First 4 Internet and Sony to break through the rootkit's invisibility and identify anything hidden by the Sony software. That means most antivirus protection will be able to identify and remove the Trojans.

As always, it's important to keep antivirus software updated, or it won't be able to find these new problems.

Do all copy-protected CDs have this problem?

No, the majority does not. Most of Sony's copy-protected CDs use a different technology from a company called Sunncomm, which does not present the rootkit security issues. In other countries, many copy-protected CDs use technology from Macrovision, which also uses a different technique.

Which CDs are dangerous, then?

The Electronic Frontier Foundation is keeping a list of CDs that seem to have the First 4 Internet software included.

If you're buying a CD, look on the back for a little box labeled "Compatible with." If that includes the Web address "cp.sonybmg.com/xcp", then it probably has the rootkit software included.

Is what Sony did legal?

Copy-protection software by itself is perfectly legal. However, at least one class-action lawsuit has already been filed against Sony in California, asserting that it violated state and federal statutes against computer tampering, trespass, fraud and false advertising. Several other lawsuits are expected. Italian consumer groups have also called for criminal investigation and potential legal action, although the discs were primarily distributed in the United States.