The CDs in question make use of a technique employed by software programs known in security circles as "rootkits," a set of tools attackers can use to maintain control over a computer system once they have broken in.
People may differ over what exactly a rootkit is, but the most basic ones are designed to ensure that regular PC monitoring commands and tools cannot see whatever has been planted on the victim's machine. Because rootkits generally get their hooks into the most basic level of an operating system, it is sometimes easier (and safer) to reformat the affected computer's hard drive than to surgically remove the intruder.
Sony's anti-piracy program installer pops up when you drop one of these content-protected CDs into your drive. If you agree to install it, there is no "uninstall" feature. Russinovich was able to use his knowledge of rootkits and the Windows operating system to zero in on the offending driver files needed to run the software. Unfortunately, he found that removing the program also erased the system files that power his CD-ROM drive, rendering it useless.
Russinovich also discovered that the Sony program drivers are configured to load themselves in "Safe Mode" (a diagnostic mode of Windows that is useful for fixing problems with the operating system), which he said could make system recovery extremely difficult if any of the program drivers has a bug that prevents the system from booting.
The folks over at Finnish anti-virus company F-Secure also spent several weeks trying to unravel the mysteries posed by a user of the company's anti-rootkit software -- Blacklight -- who found suspicious files that were later determined to be installed by the Sony antipiracy program (their detailed analysis of the rootkit program is here.)
Mikko Hypponen, F-Secure's director of antivirus research, said hackers could easily take advantage of Sony's software to hide their own files, even from antivirus software. An attacker would only have to make sure that their file starts with "$sys$", the convention the antipiracy program uses to hide its own files.
"As long as the attacker's file begins with that prefix, it will go undetected by most antivirus programs out there," Hypponen said. He added that installing the Sony program on a machine running Windows Vista -- the beta version of Windows' next iteration -- "breaks the operating system spectacularly."
Russinovich and F-Secure both tracked the rootkit files back to Sony by following text strings buried in the hidden files that pointed to a company called First4Internet, which they later confirmed was the company that produced the software used on the protected Sony CDs.
Hypponen said the only way to uninstall the program in the conventional sense (without running the risk of hosing your system or CD-ROM drive) is to contact Sony BMG directly via a Web form and request removal.
At that point, a real, live person will call you back and ask for all kinds of information about your system, and your reason for wanting to remove the software. You're then directed to a Web page that downloads an ActiveX program (yes, you must be using Microsoft's Internet Explorer to do this), which determines what version is installed and reports that back to First4Internet. Then you get an e-mail containing a link to another site that downloads something that finally uninstalls the Sony program.
I understand Sony's desire to protect its intellectual property, and piracy certainly is a problem. But installing software that opens people up to further security risks and potentially destabilizes the user's computer can't be the best way to address that problem.
In truth, most antipiracy programs created thus far (and this one is no exception) place limits on legitimate users, but usually do little to prevent determined users from getting around the copy protection altogether.
Case in point: Hypponen said he was installing the Sony program on a test computer and decided to do nothing when prompted to click "yes" or "no" for the license agreement (a legal disclaimer that absolves Sony or First4Internet from any liability should something bad happen to your PC from using the software).
Instead, Hypponen decided to fire up an obscure Finnish CD-ripping shareware program (CDDAX) already installed on his machine. To his surprise, the license-agreement text was replaced by a warning that CDDAX had to be closed before the installation of Sony's program could continue.
Ten seconds later, the installer ejected the Sony disc from his disc drive. Still, Hypponen said, he was able to copy all of the songs off the Sony player using the CD-ripping program.
It's unclear what percentage of Sony BMG CDs have this technology on them. Sony says any CDs that contain the software are labeled "Content enhanced & protected" on the front and back of the product packaging. A quick advanced search on Google of Amazon's site turns up more than 24,000 hits for "CONTENT/COPY-PROTECTED CD."
By Brian Krebs | November 1, 2005; 03:08 PM ET | Category: From the Bunker
[source | http://blogs.washingtonpost.com/securityfix/2005/11/sony_raids_hack.html ]
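The hiding mechanism described above (any file whose name begins with "$sys$" disappears from normal directory listings) is exactly the kind of thing a cross-view check catches: a rootkit that filters the operating system's own file-listing API cannot also filter a listing taken through an independent path, such as an offline boot or a raw volume read, so comparing the two views exposes what was hidden. The Python below is an added example, not code from the Washington Post article, F-Secure, Sysinternals or First4Internet; it assumes two already-collected listings (the sample data is constructed, and the "$sys$" file names are invented placeholders, not the real driver names) and combines the general cross-view diff with the specific prefix indicator the article reports.

```python
"""Cross-view detection of files hidden from the directory-listing API.

Added example (not from the article). Two listings of the same machine are
compared: TRUSTED_VIEW stands in for an enumeration that bypasses the running
kernel's filter drivers (offline boot, raw volume read), API_VIEW for what an
ordinary user-mode directory walk returned. Anything present in the trusted
view but absent from the API view is being hidden, whatever its name; the
"$sys$" prefix is added as a second, name-based indicator.
"""

HIDDEN_PREFIX = "$sys$"  # prefix the article says the Sony/First4Internet driver hides

# Constructed sample listings; not captured from a real system.
TRUSTED_VIEW = [
    r"C:\Windows\system32\drivers\ntfs.sys",
    r"C:\Windows\system32\drivers\$sys$example.sys",       # hidden and prefixed
    r"C:\Program Files\Common\$sys$cache\$sys$helper.dll",  # hidden and prefixed
    r"C:\Temp\unrelated.dll",                               # hidden, no prefix
    r"C:\Temp\$sys$leftover.log",                           # prefixed but visible
    r"C:\Temp\readme.txt",
]
API_VIEW = [
    r"C:\Windows\system32\drivers\ntfs.sys",
    r"C:\Temp\$sys$leftover.log",
    r"C:\Temp\readme.txt",
]


def basename(path):
    """Final path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def cross_view_diff(api_view, trusted_view):
    """Paths the trusted view knows about that the API view did not return.

    A non-empty result means something between the file system and
    user-mode programs is filtering directory listings.
    """
    return sorted(set(trusted_view) - set(api_view))


def prefix_hits(paths, prefix=HIDDEN_PREFIX):
    """Paths whose file name starts with the known hiding prefix.

    Catches prefixed files even on a machine where the filter driver is not
    currently loaded (e.g. when scanning a mounted disk image).
    """
    return sorted(p for p in paths if basename(p).startswith(prefix))


def scan(api_view, trusted_view):
    """Map each suspicious path to the list of reasons it was flagged."""
    findings = {}
    for p in cross_view_diff(api_view, trusted_view):
        findings.setdefault(p, []).append("hidden from directory-listing API")
    for p in prefix_hits(trusted_view):
        findings.setdefault(p, []).append(f'name starts with "{HIDDEN_PREFIX}"')
    return findings


if __name__ == "__main__":
    for path, reasons in scan(API_VIEW, TRUSTED_VIEW).items():
        print(f"{path}\n    " + "\n    ".join(reasons))
```

The cross-view diff is the part worth keeping: it does not depend on knowing the prefix, so it still works against a copycat that reuses the same driver with a different marker, which is the abuse Hypponen warns about. The prefix check is cheap confirmation and is useful on an offline image, where no filter driver is running to hide anything.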
:P Bleh. They really shouldn't be going that far for anti-piracy. Although I guess, having customer support that provides a way to remove the stuff makes it slightly better...