Sony DRM burrows into rootkit code

Where virus writers lead, it seems, major music publishers follow

Matt Whipp
2 Nov 2005

DRM software included on some Sony CDs includes a monitoring utility that is difficult to discover, almost impossible to remove and offers an easy hiding place for malicious code.

Mark Russinovich, writing in the Sysinternals blog, details how he uncovered rootkit code on his computer that originated from a Sony music CD he owned.

A rootkit installs itself into Windows in such a way that the operating system accepts its activities without question, so any files the rootkit conceals remain invisible from within Windows. Rootkits are increasingly used by virus writers to hide the activities of their code and now, it seems, by major music publishers too.

Once a CD protected by Sony's DRM is played in a PC, an End User Licence Agreement is presented to the user which defines the terms of use of the CD and must be accepted. But it fails to include any details of the rootkit, and the installation of this code, which follows, happens without the user's permission.

'I didn't find any reference to it in the Control Panel's Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on [the software vendor's] site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad,' writes Russinovich.

Getting rid of the rootkit proved nigh impossible and caused further problems, according to Russinovich. 'When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.'

'Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files,' he concluded.

But Finnish security company F-Secure warned that the poorly written code creates a safe-house for malicious software. In his investigation, Russinovich noticed that the rootkit's 'cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.'

F-Secure tested this and confirmed the claim. 'The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed,' said Mikko Hyppönen, Chief Research Officer.
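The two preceding paragraphs describe the behaviour that tools such as RootkitRevealer and BlackLight look for: an enumeration made through the Windows API, which a hooked kernel can filter, disagreeing with an enumeration that bypasses the hook. The following is an added example, not code from the article, Sysinternals or F-Secure. It simulates both views with constructed lists (the `$sys$notepad.exe` name is Russinovich's own test; the other `$sys$` paths are made up) and performs the cross-view comparison, classifying each hidden entry by whether it carries the documented `$sys$` prefix.

```python
from dataclasses import dataclass

CLOAK_PREFIX = "$sys$"  # prefix the article reports the rootkit cloaks

# Constructed sample of what a raw, hook-bypassing enumeration might return.
# Mixes file paths and registry paths, since the cloak applies to both.
RAW_ENTRIES = [
    r"C:\Windows\notepad.exe",
    r"C:\Windows\$sys$notepad.exe",                      # Russinovich's test copy
    r"C:\Program Files\Example\$sys$drm.dll",            # constructed
    r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$drm",  # constructed
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk",
]


def basename(path: str) -> str:
    """Last component of a backslash-separated file or registry path."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def hooked_view(raw_entries):
    """Simulate the API view on a cloaked system: the rootkit's filter drops
    every entry whose name starts with CLOAK_PREFIX."""
    return [e for e in raw_entries if not basename(e).startswith(CLOAK_PREFIX)]


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def cross_view_diff(raw_view, api_view):
    """Return entries present in the low-level view but absent from the API view.

    A mismatch between the two views is the classic rootkit signal. Whether the
    name carries the known prefix tells the analyst if this is the documented
    cloak or some other hiding mechanism that deserves a closer look.
    """
    api = set(api_view)
    findings = []
    for entry in raw_view:
        if entry in api:
            continue
        if basename(entry).startswith(CLOAK_PREFIX):
            reason = "name matches the known %s cloaking prefix" % CLOAK_PREFIX
        else:
            reason = "hidden from the API view by an unknown mechanism"
        findings.append(Finding(entry, reason))
    return findings


def scan_sample():
    """Run the comparison over the constructed sample."""
    return cross_view_diff(RAW_ENTRIES, hooked_view(RAW_ENTRIES))


if __name__ == "__main__":
    for f in scan_sample():
        print(f"CLOAKED: {f.path}  ({f.reason})")
```

On a real system the two enumerations are taken moments apart, so a file created or deleted between them also shows up as a difference; a detector therefore re-scans before reporting, and treats a persistent mismatch, rather than a single one, as the finding.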

F-Secure offers rootkit detection in the form of Blacklight beta, available from its website.

Sony has made available instructions on how to remove the code, but has yet to respond to our requests for comment.
