Curated by: Luigi Canali De Rossi

Saturday, December 3, 2005

The Sony Rootkit Story: Music CDs Hidden Malicious Software Creates Problems For Users While Destroying Sony's Credibility And Reputation


Though this is not this morning's breaking news, the story of the Sony rootkit still appears in many of the top news headlines as it keeps evolving and revealing more of its nasty nature.

What Sony did was to include within commercial music CDs hidden malicious software (a rootkit) with the supposed goal of protecting its own interests and preventing illegal use or copying of the included music.

Photo credit: Sunncomm - MediaMax

The frustrating issue is that this malicious software is run without the user's knowledge or consent -- or even against her consent -- and if such a rootkit infects your computer through a Sony music CD, you would be exposed to high security risks, as any capable hacker could gain access to your computer without your knowledge or ability to detect it.

The ever excellent Cory Doctorow has been posting on Boing Boing an omnibus collection of stories documenting and reporting on this story, providing a uniquely useful set of resources to study and understand what really went on with this Sony rootkit, and how the details of the story gradually became available.

I think that this is information that no-one should let go by without understanding in full what your traditionally favourite electronic consumer brand really does to its customers to protect its interests. Over a year ago I reported firsthand what MediaMax had been already doing for a while.

If you don't read and analyze what the Sony rootkit story brought in terms of showcasing how much of a distance exists today between traditional, large consumer good producers, including record and film companies and me and you, the actual users and customers of these goods.

The distance between the brand image created over many years of mass media marketing is slowly beginning to crumble. The image we hold doesn't hold to the company we see acting against us, unanswering our calls for transparency, unlistening to our request for greater use of open standards and interoperability, unable to service and communicate to us as if we were indeed the true precious customers it says we are.

And this is why I am excited to bring you once again the good research and editorial work of Cory Doctorow / Boing Boing who has prepared this excellent chronological compilation of the Sony rootkit story.

If you don't intend to sell yourself into what established content multinationals want to do to your desire and drive to freely share what you buy, go get a good read at this. You'd be sorry if you don't.


Oct 31: Sony DRM uses black-hat rootkits
Mark Russinovich, a security researcher, discovers that Sony has been sneakily installing "rootkit"-based DRM on their customers' computers. Rootkits are black-hat hacker tools used to disguise the workings of their malicious software. Removing Sony's rootkit nukes your Windows installation.

Nov 3: Sony releases de-rootkit-ifier, lies about risks from rootkits
Sony announces a "service pack" for its rootkit DRM. It deceptively downplays the risks the rootkit presented. It turns out that the remover doesn't actually work, either.

Nov 3: Felten on Sony's rootkit-"remover"
Princeton DRM researcher Ed Felten analyzes Sony's rootkit "remover" and concludes that it's a hunk of junk: "they're almost certainly adding things to the system...they're not disclosing what they're doing."

Nov 3: Defeat WoW spyware using Sony's rootkit
Warden, a program used by Blizzard to scour World of Warcraft players' system and report on the contents to the company can be defeated with the Sony rootkit. Blizzard claims that Warden only detects a few programs that facilitate cheating, but researchers have found evidence to the contrary.

Nov 4: NPR Interview with Sony President.
This is a reference to the NPR interview where Sony BMG Global Digital Business President Thomas Hesse puts his foot in it saying, 'Most people, I think, don't even know what a rootkit is, so why should they care about it?'.

Nov 8: Defend against Sony's rootkit with DRM-ripping software
AnyDVD, a DVD-ripping program, advertises that it can also inoculate you against the Sony rootkit.

Nov 9: List of CDs infected with Sony's rootkit DRM
EFF releases a partial list of CDs believed to be infected with Sony's rootkit. Buyer beware -- you're better off buying music from someone else.

Nov 9: Sony's EULA is worse than their rootkit
EFF attorney Fred von Lohmann analyzes the license agreement that accompanies Sony's rootkit DRM (that's right, a license to listen to an audio CD!). It is unbelievably outrageous, the kind of thing that makes you want to get a torch and a pitchfork and head over to the nearest Sony office.

Nov 9: Wanna sue the pants off Sony?
EFF is looking for people who bought rootkit-infected CDs to join a potential lawsuit against Sony

Nov 10: Sony Music CDs infect Macs, too
Mac users shouldn't be smug -- Sony's audio CDs also contain an app that patches OS X's kernel with unspecified restriction-software; though Mac users have to take a few more steps before their computers are compromised

Nov 10: Fantastic screed against the coders who wrote the previous Sony DRM junk
This isn't the first time Sony's been caught doing crap like this; the last time around a geek wrote an amazing rant excoriating the coders who helped Sony write its anti-customer malware

Nov 11: Sony will stop shipping infectious CDs -- too little, too late.
Twelve days after being caught using rootkits, Sony announces that it will stop shipping rootkit-infected CDs. No recall of the existing rootkits, though -- and Sony doesn't come close to apologizing. Buying Sony CDs is a great way to screw up your PC, but a lousy way to acquire music.

Nov 12: Sony's *other* malicious audio CD trojan
Princeton DRM researcher Alex Halderman reports on the other malicious software found on Sony CDs, a Suncomm product called MediaMax. MediaMax is a vicious little bug, which spies on you and reports on your deeds to the mothership.

Nov 12: New Sony lockware prevents selling or loaning of games
Sony patents a piece of software that can prevent you from playing a game that's been inserted into one console on another console; speculation is that this is destined for the PS3. Kiss game rentals, loaning and re-sale goodbye. Also, if your PS3 breaks or is stolen, you might as well toss out all your games, they're useless without it.

Nov 13: Sony's malware uninstaller leaves your computer vulnerable
A Finnish researcher discovers that the "uninstaller" for Sony's rootkit leaves a ton of crap behind that hackers can exploit -- he can reboot your computer just by getting you to load a web-page

Nov 13: Sony's rootkit infringes on software copyrights
There are strong indications that Sony ripped off a Free Software-based library called the LAME Encoder for its rootkit. The LAME Encoder is licensed under the Lesser GPL (LGPL), which was released for free re-use by public spirited programmers who merely requested that they be acknowledged. In Sony's zeal to protect its copyrights, they had no compunction about clobbering the copyrights of those software authors.

Nov 14: Boycott Sony
A call from Dan Goodin over on Wired to boycott all Sony products until they make amends...

Immunize Yourself Against Sony's Dangerous Uninstaller: Princeton DRM researchers Ed Felten and Alex Halderman explain how to mitigate the security vulnerabilities left behind by Sony's incompetent "uninstaller" program.

List of infected CDs: Sony finally lists the 52 titles infected with the XCP rootkit. Note that Sony initially claimed that fewer than half that number were infected. (Thanks, Kurt!)

US-CERT: Never Install Audio-CD DRM Software. The Department of Homeland Security's Computer Emergency Readiness Team advises that you never install CD DRM: "Do not install software from sources that you do not expect to contain software, such as an audio CD." (Thanks, Kurt!)

Nov 14: Sony anti-customer technology roundup and time-line
Roundup of Sony's misdeeds to Nov 14.

Nov 14: EFF to Sony: you broke it, you oughta fix it
EFF publishes an open letter to Sony calling on the company to make amends for its misdeeds -- Sony should disclose the risks of its DRM software, it should give customers uninfected CDs, help anti-spyware companies fix the holes, compensate customers for damage to PCs, and package their CDs with full disclosure of any malware contained within.

Nov 14: Sony's rootkit uninstaller is *really* dangerous
Following on the November 13 research about Sony's rootkit "uninstaller" leaving your computer vulnerable to attacks like rebooting it by inserting malicious code in a web-page, Princeton researchers Ed Felten and Alex Halderman announce that they have discovered far more serious problems with the software and warn against installing it at all, promising prompt full disclosure (they publish this the next day, along with some instructions for defending yourself if you've run the uninstaller)

Nov 15: Sony begins to recall some infected CDs
Sony announces a limited recall of its infected CDs -- they'll take them back from stores, but not from customers (they announce that they'll swap out customers' CDs later in the day)

Nov 15: Sony's spyware "remover" creates huge security hole
Princeton DRM researchers Ed Felten and Alex Halderman publish detailed analysis of the security vulnerabilities created by the rootkit "uninstaller" that Sony provides. Running this software leaves your machine vulnerable to complete takeover by simply embedding malicious code in a webpage.

Nov 15: Sony infects more than 500k networks, including military and government
Dan Kaminsky publishes research showing that Sony's DRM has infected over 500,000 computer networks including networks belonging to the military and the government.

Nov 15: Sony disavows lockware patent
Sony issues a statement promising not to use technology that locks videogames to consoles.

Nov 15: Latest Sony news: 100% of CDs with rootkits, mainstream condemnation, retailers angry
Mini-roundup post. Before Sony recanted, they were sending out emails to their customers proudly promising that 100 percent of their CDs would be infected with rootkits by end of 2005. The Globe and Mail's business section denounces Sony. A tipster at a retailer reports that Sony is pressuring the sales channel to downplay the scope of the threat from its rootkit DRM. Sony and other electronics companies get caught jacking up the wholesale price to online stores, so that their retail price will be the same as those in physical stores.

Nov 15: Sory Electronics: Will Sony make amends for infecting our computers?
SORY Electronics -- lovely parody of Sony's logo, reading: "SORY IS THE HARDEST WORD." It's the concept behind a site calling on Sony to really make amends for the infecting of its customers' PCs.

Nov 15: Sony issues non-apology for compromising your PC
Sony promises to send you a non-DRM CD to replace your DRM CD. Still no word on how to effectively uninstall their rootkit, and the company downplays the scope of the damage -- just what we need, infected users with a false sense of security.

Nov 16: Katamari/Sony DRM mashup
Humor break: Joey De Villa creates "Katamari DRM," showing the wonderful videogame transformed into a game where the objective is to overwhelm the planet with rootkit DRM -- he draws on Dan Kaminsky's excellent visualizations of the 500,000+ networks infected with the rootkit.

Nov 16: Sony waits 3 DAYS to withdraw dangerous "uninstaller" for its rootkit
Three days after being notified that its rootkit DRM uninstaller leaves computers in a dangerously insecure state, Sony finally stops advising its customers to use it.

Nov 16: Sony CDs banned in the workplace
Companies, educational institutions, and government agencies are banning the use of Sony CDs on workplace computers, due to the security risks that arise from the rootkit DRM. Some orgs go so far as banning audio CDs altogether, since there are plenty of malicious bits of anti-security technology in music from many labels.

Nov 17: Sony still advising public to install rootkits
18 days after the revelation that Sony's CDs contain dangerous rootkits, Sony still has live web-pages advising its customers to go ahead and install their software. (This is still the case as of Nov 22!).

Nov 17: Schneier: Why didn't anti-virus apps defend us against Sony's rootkit?
Security researcher Bruce Schneier accuses anti-spyware companies of being soft on Sony because it was released by a giant, sleazy company instead of a small, sleazy company.

Nov 17: Uninstaller for Sony's other malware screws up your PC
Some of Sony's music CDs carry a second form of malicious software, a spyware program called Suncomm Mediamax. Princeton researchers Ed Felten and Alex Halderman discover that the uninstaller provided by Suncomm leaves your computer open to complete takeover through simply looking at web-pages with malicious code in them.

Nov 17: Amazon offers refunds for all Sony rootkit CDs
Amazon sends an email to everyone who bought a rootkit-infected Sony CD from them and offers a full refund -- now that's how it's done. (On November 21, the US Army/Airforce Exchange Service followed suit).

Nov 18: I HEART Rootkit tees, list of Mediamax CDs, Mediamax installer to be fixed
Lovely "I HEART Rootkit" tee shirts for sale. A user discovers a long list of CDs infected with Suncomm's MediaMax spyware. Suncomm vows to update its Mediamax uninstaller, which presently leaves your computer wide open to total take-over simply by looking at web-pages with malicious code on them.

Nov 19: Sony offers MP3s in replacement for rootkit CDs
Sony is not only offering to replace infected CDs with CDs that are free from the rootkit DRM (no official word from Sony on whether they'll also be free of the Mediamax spyware) -- they're also offering free MP3s of any music that you bought on an infected CD!

Nov 20: RIAA prez: Lots of companies secretly install rootkits! It's no biggie!
The CEO of the RIAA kisses off all the customers who got infected by Sony's rootkit: "How many times that software applications created the same problem? Lots." Uh, really? Lots of companies install rootkits on users' PCs without permission? Apparently this guy doesn't know the difference between "companies" and "criminal organizations"

Nov 20: Latest news on Sony lawsuits
A website launches to keep track of news about the lawsuits arising from Sony's use of spyware and rootkits on its music CDs.

Nov 20: Sony insider: DRM is discredited at Sony
A high-placed tipster at Sony tells me that the execs who green-lighted DRM at Sony are in trouble, and that the label-heads in Sony are really pissed about the rootkit fiasco, with at least one vowing to swear off DRM forever.

Nov 21: Foxtrot cartoon on Sony's rootkit
The Foxtrot comic strip nails Sony in today's syndicated strip.

Nov 21: Texas sues Sony over rootkits -- YEE-HAW!
Texas Attorney General Greg Abbott has brought an anti-spyware lawsuit against Sony over its rootkit DRM. He's looking for $100,000 per violation of Texas's anti-spyware laws, plus costs. Ouch. That's gonna be pretty costly.

Nov 21: EFF brings class-action against Sony!
My employer, the Electronic Frontier Foundation (a nonprofit civil liberties group) has brought a class action suit against Sony. We're gonna nail them!

Nov 21: Microsoft: Trusted Computing sucks!
A senior Microsoft exec says that computer users should never be deprived of control over their PCs; too bad that Microsoft has built so much of its current business on depriving its customers control over their PCs.

Nov 21: Why not update Sony's rootkit with a warning message?
Security researcher Ben Edelman suggests that Sony could reach all its infected users by pushing an update to the rootkit that warns them that they're compromised and gives instructions for uninstalling and getting replacement CDs.

Nov 21: Sony's Mediamax spyware gets a new uninstaller
The Suncomm Mediamax spyware on Sony's CDs caused embarrassment when it was revealed that using the uninstaller left your computer vulnerable to total compromise by web-pages with malicious code on them. Now Suncomm has issued a new uninstaller, though heaven knows if it's any better.

Nov 21: Protest CD DRM in NYC on Nov 30!
FreeCulture NYC is planning another street demonstration at a Tower Records store in Manhattan against DRM CDs, and have a great flier about the dangers of buying DRM music.

Nov 21: Table compares different kinds of Sony music infections
Sony CDs are infected with at least two different kinds of malicious software, the XCP rootkit and a spyware product from Suncomm called MediaMax. This handy table summarizes the differences and similarities between the two systems.

Nov 22: Library won't buy Sony CDs
The library system in Ann Arbor, MI declares a moratorium on buying DRM CDs from Sony.

Nov 24: Sony rootkit tee: "Why should people care about rootkits?"
These limited-edition tees from F-Secure bear the now infamous quote from Sony BMG president Thomas Hesse: "Most people don't even know what a rootkit is, so why should they care about it?"

Nov 24: Sony rootkit recall makes The Onion
The news of Sony's recall of its rootkit-infected CDs goes even more mainstream and is lampooned in this week's issue of The Onion, their What Do You Think? section.

Nov 24: Rootkit arms-dealer takes website down
First4Internet, the makers of the rootkit DRM that has turned Sony into an infamous villain facing tens of millions in liability, have taken down their website and replaced it with a simple landing page with some contact info.

Nov 27: Pre-history of the Sony rootkit
An old email thread shows the early efforts of the authors of Sony's infamous rootkit.

Nov 28: Sony rootkit author asked for free code to lock up music
An old newsgroup post from a First4Internet programmer offers cash if someone will do his homework for him. Later, code from the free/open source software project LAME (which does some of what this programmer was trying to do) showed up in a First4Internet product.

Nov 28: Programmers on Sony's spyware DRM asked for newsgroup help too
Programmers on Sony's less-known DRM, a piece of spyware called MediaMax from a company called Suncomm, posted messages to newsgroups asking for help with their technology.

Nov 28: Sony CD spyware installs and can run permanently, even if you click "Decline"
We knew that the MediaMax spyware on Sony's CD installs itself even if you click "Decline" when confronted with the "agreement" that governs it. Now we find that the software also runs, permanently, under some common circumstances, even if you never agree to its installation.

Nov 29: Will NY sue Sony, too?
New York Attorney General is making threatening noises over Sony's rootkit DRM, and it looks like he might bring suit.

Nov 29: Sony knew about rootkits 28 days before the story broke
BusinessWeek reports that Sony knew on Oct 4 that its DRM system was built on rootkits and exposed its customers to danger of opportunistic infections from other malicious programs.

Dec 1: No Xmas for Sony protest badge
Gisela has created a "No Xmas for Sony" badge she's using in her email, linking it to Mark Russinovich's account of the Sony rootkit debacle, as a means of convincing people not to buy Sony products this holiday.

Dec 3: How can you tell if a CD is infectious?
EFF publishes a list of indicia that Sony has used to inform customers that a CD carries the MediaMax spyware.

Other stuff:

  1. Sony lied about its rootkit. They said it didn't phone home with information about your deeds. It does. When they were caught in the lie, they said that they didn't pay attention to the information it sent back, so it's OK

  2. Microsoft is building a Sony rootkit-remover into its anti-spyware product

  3. Lawsuits against Sony are already underway in Italy and the US

  4. At least one piece of malicious software that exploits Sony's rootkit has been discovered in the wild

Immunize yourself?
Remember back in 2002 when it was revealed that you could cause your computer to ignore audio-CD DRM by scribbling on the visible data-sectors on the physical disc? Turns out that a variant on this can also immunize you against Sony's current crop of malicious software.

Keep following the news about the Sony rootkit scandal on Boing Boing.

Read more about MediaMax software and my own personal experience with it, back in October of last year.

Cory Doctorow - Boing Boing
Reference: Boing Boing
Readers' Comments    
2005-12-05 21:07:36

Dave Ryan

Nice summary of all that's been going on with this story.

I made a post about the bad business branding end of it here:

I made up a fake cd cover for the post that is for the "Sony Rootkit Collection" as a joke as well...

It's incredible that such a large company would openly take such actions that they had to have known would backfire.

From what I can tell the "company" they hired to develop the code for them just stole the code from the open source and did not give the rightful credit either.

This shows us that not only is Sony a horrible company that treats its clients like trash, but that they make business deals with shady people that steal stuff from hard working people.

Great business branding, aye?

posted by Matthew Guschwan on Saturday, December 3 2005, updated on Tuesday, May 5 2015
