Sony, rootkit and the fifth power

Michał Piotr Prągowski

Over half a million infected computers, an international scandal and numerous legal suits - the aftermath of Sony BMG putting spyware on audio CDs. The scandal was revealed on the Web by network security experts, once again proving the speed and effectiveness of this method of communication.

It all happened very quickly. On October 31, the first mention of the Sony rootkit appeared on Mark Russinovich's blog (see Frame On the Web), and within a few days the whole world was aflame with outrage. On November 10, Kaspersky Lab published information on the first detected worm to use the Sony rootkit, and several days later the multimedia giant temporarily withdrew all its CDs protected with the controversial Extended Copy Protection technology (XCP), officially to analyse it for security and user convenience. The Internet community was left with a bitter after-taste, but also with something far more important: the realisation that if they speak up loudly and unanimously, they will be heard.

You probably remember the story as well as I do. Russinovich, editor of Windows IT Pro and software engineer at Winternals Software, found an unidentified rootkit on his PC and, by painstaking deduction, traced it to its maker - a company called First4Internet. The malware in question was part of the XCP copy-protection technology that First4Internet sold to various companies. Sony BMG Music shipped XCP with the integrated rootkit, and it was through a Sony CD that Russinovich's PC was infected. After that, all hell broke loose, and the headlines spoke of the Sony rootkit and the Sony BMG rootkit saga.

Tragedy of errors

The list of Sony's rootkit sins is a long one. To start with, software included on Sony BMG music CDs modifies Windows so as to hide the activities of a spyware program from the user. The program gathers user information and sends it to Sony, threatening the user's privacy by calling home. Worse still, until the issue was spotlighted by world media (and even for some time afterwards), the Sony rootkit could not be removed without endangering system stability. Sony's first embarrassment in the weeks that followed was that the first official patch did not actually remove the spyware, but merely made it visible to the user. Another came on November 4, courtesy of Sony BMG's Thomas Hesse, who in an interview for NPR stated that most people don't even know what a rootkit is, so why should they care about it? This stunning statement was snapped up by computer security experts and enthusiasts, and the F-Secure team even brought out T-shirts quoting the Sony manager verbatim.

The plot continued to develop like a bad TV series. Baffled customers were kept waiting a long time for an official list of CDs containing the dangerous software (see Frame On the Web). When Sony finally provided a web-based uninstaller for the rootkit, it turned out that running it left the system vulnerable to attack from the Internet - and critically vulnerable at that. The buggy uninstaller left Windows with a hole that allowed potentially any website to install and execute arbitrary code on the system. It is hard to think of a more serious security issue.

Van Zant sunk by the rootkit

Van Zant, the band whose record was the source of infection for Mark Russinovich's PC, are now in serious trouble. Although the country-rockers have absolutely no connection to Sony's actions, users have almost unanimously condemned their album. Customer ratings on Amazon.com leave little doubt - one star out of five. As of this writing, the average from 250 votes has barely risen above one.

Interestingly enough, some of the most negative comments include apologies to the band, explaining that the one-star rating does not relate to the music but rather to the rootkit and Sony's actions. Indeed, many Internet users are still calling for a boycott of Sony products.

Regardless of the reasons, Van Zant are in trouble: not only is nobody going to buy their record, but even the group's fans are more likely to download the album via P2P to avoid the risk of infection.

How XCP works

  • Any XCP-protected CD is multisession, containing both traditional unprotected audio data and software making use of Windows' autoplay feature.

  • After the CD is placed in the drive, the software is installed without the user's knowledge or consent (though a complete installation requires administrator privileges). However, if the user suppresses autoplay by holding down [Shift] while inserting the CD, the protection software is not installed and the CD is treated just like an unprotected one, so that for example the audio data can be copied. In other words, the protection can be trivially bypassed, rendering the whole scheme useless.

  • The software includes two malicious components: a rootkit and a spyware program. The rootkit hides all files, processes, directories, registry entries and other system objects whose names start with $sys$ (the hiding does not work in recovery mode). The spyware resides in a directory hidden by the rootkit. When a CD is played, it connects to Sony servers and sends information about the record being played along with the user's IP address.

  • Once installed, the spyware continuously monitors processes running in the system (eating up 1-2% of processor time), locates programs for copying audio CDs and disrupts their operation by inserting noise into the data being copied, regardless of whether or not the CD is copy-protected.

  • There is no easy way of uninstalling the software. Removing it manually causes a system failure: afterwards the CD drive is disabled and CDs can no longer be played.

  • The rootkit indiscriminately hides all objects with matching names, so it could well be used to hide third-party malware, such as worms, viruses and trojans.

  • Some of the software components were named so as to resemble vital Windows components (such as Plug and Play drivers).

  • The rootkit uninstaller supplied by Sony merely reveals the hidden files and does not actually remove any components with spyware functionality. Obtaining the uninstaller requires the user to register at the Sony website, supply personal information and install an ActiveX control on their system. The control is very badly written, and once it is installed the system is open to arbitrary code execution by malicious parties - the user need only visit a specially crafted website for an intruder to gain full control of their machine.


Illegal copyright defenders

The whole Sony rootkit affair has also brought the international media giant at least two other reasons for embarrassment. As reported by Wired's Dan Goodin, the popular audio-to-MP3 converter CDex has no problems at all with Sony BMG records. Sony's DRM software relies on the CD autoplay feature, so if the user holds down the [Shift] key after inserting a CD, the rootkit and spyware will not be installed and the record will effectively be unprotected, allowing it to be copied at will. It therefore seems that the software is not only harmful to users, but also completely ineffective for its intended purpose.

Numerous reports also suggest that Sony BMG has most likely violated the licensing terms of the LAME MP3 encoder. According to DeWinter Information Solutions, the rootkit includes parts of LAME code, which is distributed under the GNU Lesser General Public License (LGPL). Legally using LGPL-licensed code requires, among other things, that the source of the LGPL component (including any modifications to it) be made available and that the software carry a notice stating that it includes LGPL code. Sony (or a Sony partner) did neither and simply supplied users with executable code on CD. Recent years have seen a number of suits forcing companies to release source code over violations of the LGPL and similar licences. The supreme irony in Sony's case is that the corporation has always stressed its concern for copyright protection.

Breplibot was the first, others followed

As soon as Mark Russinovich published information on the rootkit, it became obvious that sooner or later someone would use it for their own evil purposes (potentially far more harmful than the original software). Less than two weeks later, on November 10, Kaspersky Lab reported the sighting of the first known worm to exploit the XCP scheme: it names its files with the $sys$ prefix so that the rootkit already present on the victim's machine hides them. The pest was classified as Backdoor.Win32.Breplibot.b. Soon afterwards, reports of mass Breplibot mailings started coming in - the worm spreads through infected e-mails, usually entitled Requesting Photo Approval and containing the attachment article_december_3621.exe.

The Register reported an interesting use of the rootkit by World of Warcraft cheaters, exploiting the fact that the rootkit hides processes with specific names. Renaming a cheat program to $sys$programname was enough to hide it from the scanner used by Blizzard Entertainment and thus avoid detection.
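The $sys$ cloaking described in the How XCP works list and the World of Warcraft trick above both come down to a single rule: the driver filters directory, process and registry enumeration by name prefix. The Python script below is an added example written for this article; it is not XCP code and comes from neither Sony, First4Internet nor Blizzard. It models that filter on a constructed file list to show how renaming a cheat makes it vanish, shows the cross-view check that rootkit detectors rely on (compare what the filtered API reports with an unfiltered view), and runs a canary test against the real filesystem: it writes a file whose name starts with $sys$ and checks whether the file disappears from the listing while remaining openable by name. The directory, file names and the canary name are assumptions.

```python
import os
import tempfile

# Name prefix the XCP driver cloaks, as described in the article.
HIDE_PREFIX = "$sys$"


def cloaked_view(raw_entries):
    """Model of the XCP enumeration hook: every name starting with $sys$ is
    dropped from the list handed back to the caller. This stands in for a
    hooked directory/process/registry enumeration call; it is not Sony's code."""
    return [name for name in raw_entries if not name.startswith(HIDE_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Cross-view detection: whatever the raw (unhooked) view contains that the
    API view lacks is being hidden from the user."""
    return sorted(set(raw_view) - set(api_view))


def canary_check(directory=None):
    """Write a $sys$-prefixed canary file and see whether it still shows up in a
    directory listing. A prefix-based cloaking driver hides the file from
    enumeration but does not stop a direct open by name, so the telltale
    result is openable=True together with listed=False."""
    directory = directory or tempfile.gettempdir()
    name = f"{HIDE_PREFIX}canary_{os.getpid()}.txt"  # assumed canary name
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        listed = name in os.listdir(directory)   # what enumeration reports
        openable = os.path.exists(path)          # direct access by full name
    finally:
        os.remove(path)
    return {"listed": listed, "openable": openable, "cloaked": openable and not listed}


# Constructed directory contents for the model: a legitimate DLL, a data file
# the protection software would hide, a game cheat renamed to pick up the
# cloak, and an ordinary text file. None of these are real XCP file names.
CONSTRUCTED_LISTING = ["game.dll", "$sys$cdplayer.dat", "$sys$cheat.exe", "readme.txt"]


def main():
    api = cloaked_view(CONSTRUCTED_LISTING)
    print("what the hooked API shows:", api)
    print("hidden entries (cross-view):", cross_view_diff(api, CONSTRUCTED_LISTING))
    print("canary on this machine:", canary_check())


if __name__ == "__main__":
    main()
```

On a clean machine the canary stays listed and the script reports cloaked=False; on a machine running the XCP driver the canary would still be openable by name but absent from the listing. The same name-only rule is why Sony's uninstaller could "reveal" the files without removing anything, and why any third party can borrow the cloak simply by choosing a file name.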

Seattle-based security expert and renowned hacker Dan Kaminsky used DNS cache snooping to estimate how many DNS cache servers had been asked for the address that the Sony spyware reports to: a non-recursive query sent to a caching resolver is answered only if the resolver already holds the name in its cache, that is, if one of its clients has recently looked it up. His estimate was that over 568 thousand DNS cache servers had received queries directly related to the rootkit. The results were published on the Doxpara Research website (see Frame On the Web). As of this writing, the number of infections is not precisely known, but it is likely that the actual number far exceeds Kaminsky's estimate. Again, it is only a matter of time before the Sony rootkit is exploited by smarter Breplibot mutations or other viruses.
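As an added illustration of the snooping technique (my own code, not Kaminsky's tooling or anything from the Doxpara site), the Python below builds a DNS query with the recursion-desired bit cleared, parses the reply, and treats a NOERROR reply that carries answer records as evidence that the resolver already had the name cached. The hostname, transaction ID and the two constructed replies are assumptions; the article does not give the spyware's real hostname. The optional snoop() function sends a real query over UDP and is not needed for the offline demonstration.

```python
import os
import socket
import struct

# Name used purely for illustration; the article does not give the spyware's hostname.
ASSUMED_NAME = "updates.example.com"


def encode_name(name):
    """Encode a dotted hostname as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_snoop_query(name, txid=0x1234):
    """A-record query with RD=0. A normal stub resolver sets RD=1 (flags 0x0100);
    with RD cleared a cache server answers from cache or not at all."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if (length & 0xC0) == 0xC0:  # compression pointer: two bytes, then done
            return offset + 2
        offset += 1 + length


def parse_snoop_response(data):
    """Interpret a reply to an RD=0 query. Answer records present means the
    resolver served the name from cache, so some client asked for it recently.
    The TTL is how long that cache entry still has to live."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(rdata), ttl))
    return {"txid": txid, "rcode": rcode, "cached": rcode == 0 and an > 0, "answers": answers}


def _constructed_reply(txid, name, answers):
    """Build a reply packet for offline testing (QR=1, RA=1, RD=0 -> flags 0x8080)."""
    pkt = struct.pack("!HHHHHH", txid, 0x8080, 1, len(answers), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    for ip, ttl in answers:
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return pkt


# Constructed sample replies: one from a resolver that had the name cached
# (an A record with 300 s of TTL left), one from a resolver that did not.
SAMPLE_CACHED_REPLY = _constructed_reply(0x1234, ASSUMED_NAME, [("192.0.2.10", 300)])
SAMPLE_UNCACHED_REPLY = _constructed_reply(0x1234, ASSUMED_NAME, [])


def snoop(resolver_ip, name=ASSUMED_NAME, timeout=2.0):
    """Send the RD=0 probe to a real resolver (network access required)."""
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_snoop_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    reply = parse_snoop_response(data)
    if reply["txid"] != txid:
        raise ValueError("transaction ID mismatch")
    return reply


if __name__ == "__main__":
    print("cached resolver  :", parse_snoop_response(SAMPLE_CACHED_REPLY))
    print("uncached resolver:", parse_snoop_response(SAMPLE_UNCACHED_REPLY))
```

Two caveats for anyone repeating the measurement: many resolvers refuse non-recursive queries from outside their own network (RCODE REFUSED), and some answer RD=0 queries by recursing anyway, which produces a false positive; a resolver that honours RD=0 and returns an answer whose TTL is below the record's full TTL is the reliable signal.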

Delayed reaction

The initial results were a shock to Bruce Schneier, widely considered one of the world's top authorities on IT security. Schneier stressed that the scale of the problem is comparable to the Blaster, Code Red or Nimda outbreaks. In an article in Wired magazine, Schneier criticised antivirus companies for their unhurried reaction, plainly stating that the rootkit should have been detected much sooner. Indeed, even after Russinovich's blog entry had caused a massive stir in the IT community, detection signatures for the rootkit were only added to antivirus products several days or even weeks later. Removal tools came even later. Only two companies received Schneier's well-deserved praise for their swift reaction: Sysinternals and F-Secure.

Schneier's critical remarks also targeted Microsoft. As already mentioned, XCP makes malicious modifications to the Windows operating system, in certain cases causing the system to fail or reboot. It would have been reasonable to expect Microsoft to care for the security and user comfort of their own products, yet the Redmond giant did not announce plans to create a security update to protect from the rootkit until November 13 - a full two weeks after Russinovich's initial publication.

Admittedly, few could have anticipated an epidemic of malware spreading through ordinary audio CDs, but Schneier stresses that the infection's non-Internet origin is no excuse for security experts - after all, who else is supposed to detect such threats? The scale and progress of the problem is highly alarming, especially as computers infected to the soothing sounds of music included hosts on governmental and military networks - and maybe not just U.S. ones.

EFF at Sony's throat

Given the number of issues uncovered and Sony BMG's arrogance, the affair can be expected to end as most users would wish, and as would be in their best interests. The corporation has been sued by numerous organisations, mainly in the U.S., including the Electronic Frontier Foundation (EFF) - probably the most influential organisation protecting rights and freedoms on the Internet. One of the foundation's board members is law professor Lawrence Lessig, author of the well-known book Free Culture.

EFF has brought out heavy artillery against Sony BMG, with charges ranging from limiting consumer rights to use purchased music, through spying on user preferences and installing hidden software without the user's consent, to illegal use of processing power on the user's computer (the program always uses 1-2% of processor time, even if an affected CD from Sony BMG is not being played). However, the most serious charges involve requiring the user to accept an overly restrictive licence agreement in order to play a music CD and threatening the consumer's intellectual and material rights by supplying a rootkit that third parties can exploit for attack.

The Electronic Frontier Foundation has also turned its eye to MediaMax software, included on over 20 million Sony BMG music CDs. The EFF claims that this software also infringes user rights by installing itself even if the user declines the licence agreement and by providing no uninstall feature. Furthermore, the software sends out information about the user's musical preferences, even though the licence agreement explicitly states that no such operations will be performed. All in all, it seems that Sony BMG is in deep - very deep.

The fifth power - that's us!

The whole affair has another very interesting aspect: it has once more demonstrated the power of blogging as a new medium for conveying socially relevant information. Bloggers go where journalists cannot, or at least get there before the media do - research by the Pew Internet & American Life Project has shown that eight out of ten U.S. journalists read blogs, which have effectively become guides to Internet life for the traditional media. They are a symbol of the new fifth power being born before our very eyes.

The power of blogs as a means of communication is best demonstrated by the Sony rootkit affair and Mark Russinovich's blog. Some commentators have pointed out that vague information about dangerous flaws in the XCP software had appeared earlier on several discussion forums, yet it took Russinovich's blog entry to get the issue out into the real world and cause a global stir. It is therefore high time for everyone wishing to disseminate valuable information, even if it is unpopular and highly specialised (as is the case with software security flaws), to realise the great power they have at their disposal. Networks of interconnected blogs and news sites based on RSS feeds have effectively created a new kind of people's journalism, which is not only more specialised but frequently faster than the traditional media - independent online reporting from New Orleans after Hurricane Katrina had passed was just one example.

Netizens must be active and aware not only wherever something important is going on, but especially when someone is trying to silence them, for whatever reason. Such attempts are not uncommon, as the authors of websites about the new presidents of certain countries, or of websites that publish software vulnerability information, have found out. The root of the problem is always the same, and so is the remedy: social cooperation for a just cause. Howard Rheingold, philosopher, sociologist and Internet visionary, author of The Virtual Community and Smart Mobs, is convinced that wireless technologies are ushering in a major social revolution. One case he cites is the demonstrations in the Philippines in 2001 which led to the removal of President Estrada from office, whose participants used text messages (SMS) to coordinate their gatherings.

Conviction and cooperation

As it turns out, connections between committed netizens can be just as powerful, even without mobile technologies. True, the Sony rootkit case has not as yet led to anyone's removal, although calls to boycott Sony and its products have been heard across the Internet. It is reassuring to know that not everything is determined by technology - a gut feeling that what we are doing is right matters much more. Blogs, news sites and newsgroups soon took up what Mark Russinovich had originally presented in his solid and professional manner.

By taking responsible action, we can all bring the attention of the media not only to the issues we deem important, but also to any attempts to silence us. Let us hope that the Sony rootkit saga will be brought to a happy ending in the form of substantial financial compensation for the organisations and individuals affected. While that would definitely be a warning to other corporations that would gladly feast on our privacy, let's be realistic: the battle for privacy is and will remain a continuous struggle. The better we cooperate and the more effectively we share information, the better for us all.