Tux of Borg
Posted November 4, 2005

Sony Rootkit Strikes Sour Note
From Mary Landesman, November 1, 2005

If you've purchased a Sony-labeled music CD since March 2005 and used it on your PC, chances are it installed a rootkit that can be easily exploited by virus writers. By following a very trivial naming convention, virus writers can leverage the Sony rootkit to hide their viruses from antivirus and security scanners.

The rootkit installed by Sony was first reported by Mark Russinovich of SysInternals, after he discovered it during routine tests of SysInternals' RootkitRevealer software. Mark was understandably skeptical when he first discovered the tell-tale signs of the rootkit on his highly protected system: "Given the fact that I'm careful in my surfing habits and only install software from reputable sources I had no idea how I'd picked up a real rootkit."

Tracking the source

Using a variety of SysInternals tools and technical know-how, Mark was able to track the rootkit to that seemingly reputable source - a Sony-labeled CD purchased from Amazon.com. Ironically, the CD that had installed the rootkit was aptly named "Get Right with the Man" by the Van Zant brothers.

The Amazon.com listing for that CD does note that it is a "Content/Copy-Protected CD", but Amazon simply describes "Content/Copy-Protected CD" as:

"This product limits your ability to make multiple digital copies of its content, and you will not be able to play this disc or make copies onto devices not listed as compatible. Content/copy protected CDs should allow limited burning, as well as ripping into secure Windows Media Audio formats for playback with most compatible media players and portable devices. In rare cases, these CDs may not be compatible with computer CD-ROM players, DVD players, game consoles, or car CD stereos, and often are not transferable to other formats like MP3."

The Sony licensing agreement (EULA) also minimizes the impact:

"This CD will automatically install a small proprietary software program (the "SOFTWARE") onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted."

Detecting and removing the rootkit

The EULA gives the impression the rootkit can be removed or deleted. Not only can it not be easily or automatically removed or deleted, it is not even possible to detect without special tools. To detect the presence of the Sony rootkit, use SysInternals RootkitRevealer or F-Secure's BlackLight.

While RootkitRevealer and BlackLight can detect the presence of the Sony rootkit, they should not be used to remove it. Trying to do so may result in the CD drive becoming inaccessible or the rootkit persisting. To remove the Sony rootkit, Sony requires filling out a web form, providing purchasing and demographic details along with an email address, after which Sony will presumably email the necessary instructions.

Preventing the Sony rootkit

To prevent the installation of the Sony rootkit, avoid purchasing Sony-labeled music CDs or don't listen to them on your PC.