Wednesday, November 02, 2005

Play a CD, compromise your computer 

Have you ever wondered why it's such a huge production to remove spyware and viruses, when you'd expect it's just a matter of deleting files?

Part of the answer is that spyware and viruses sometimes reprogram your computer so that it's not your friend any more. Your computer may even refuse to show you that the bad software is installed. The most dangerous kind of concealment is when the bad software changes the core Windows system machinery so that even if you wrote your own program to remove bad software, Windows wouldn't let it work.

Tinkering with Windows like that is dangerous to your system's health. First, there's no way anyone can test the altered Windows the way Microsoft tested the original. Second, what happens when you need to update or patch Windows? The updater will open up the insides of Windows and transplant vital organs. If the bad software has been rearranging vital organs, then the update will be a disaster.

Software that tampers with the operating system to hide its existence is an old tool of computer intruders and for historical reasons is called a "rootkit".

You can get a rootkit installed by playing a CD. It's part of the "copy protection" on a CD from Sony Music. Sony Music has apparently been doing this since March, according to security firm F-Secure, but it wasn't until just now that someone caught them. According to expert Windows programmer Mark Russinovich's technical analysis, Sony Music has left openings that virus writers could crawl through. Any malicious software could hide inside the cloak of invisibility that Sony Music is sneaking onto people's computers.

I disapprove, if you haven't noticed. If anyone tried to hire me to do what Sony BMG has done I would refuse on ethical grounds.

What can you do if you're infected? There's no convenient removal technique yet for a nontechnical or semitechnical person. Sony offers a removal program which allegedly installs additional software of unknown purpose. You can wait for a removal program from a reputable security firm, or reinstall Windows (ouch!), or try to get your technical friend to tackle it. Hint: don't try to get away with offering a beer, this is at least a beer-and-pizza job.

UPDATE 11/10/2005:

It didn't take the lawyers long to catch on to what was happening. Sony's now on the wrong end of class-action suits in California and New York. Before you say "that's America for you", there's reportedly legal action in the works in Italy. If you read Italian, you might check out the links to the complaint and the press release from The Inquirer.

The Electronic Frontier Foundation analyzes what you "agree" to when you buy one of the Sony CDs. They also have the list of infected CDs.

The security division of Computer Associates has announced a removal tool but I haven't heard how well it works. CA claims that the Sony software reports back what CDs you're playing and interferes with making legal copies of tracks from normal CDs.

How's Sony handling all this? Owning up to their mistake and promising never to do it again? Here's Mr. Thomas Hesse, president of the global digital business division, on NPR via Ars Technica: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

UPDATE (same day):

Mr. Hesse's question got an answer today. The Register reports that there's already a Trojan Horse program which uses the Sony software to hide itself.

UPDATE: has a list of antivirus software that removes the Sony rootkit.

UPDATE 11/15:


If you run Sony's "uninstaller" it reportedly leaves behind a backdoor program which allows any web site you visit to install and run any program on your computer without your awareness or permission. Here's the Washington Post article about Sony's software. Don't underestimate this problem. Bad guys who run sleazy web pages are almost certainly preparing to crawl in through the back door Sony is cutting into people's computers.

If you've already run Sony's uninstaller, you're only at risk if you use Microsoft Internet Explorer. If you have to use IE and if you don't have a way to uninstall the uninstaller then you could try going into the options dialog and turning off "run controls marked safe for scripting".

Network expert Dan Kaminsky has a map of the Sony infection. He prepared it by looking for traces left by the CD copy protection software "phoning home" without your permission.

UPDATE 11-17-2005:

Here is Sony's list of infected CDs. They say they'll offer exchanges sometime in the future. You might prefer to refuse the exchange and stay in a class action suit instead. Sony has not even hinted at paying for repairs to people's computers.

Some companies and universities have banned Sony CDs from their computers.


Security guru Bruce Schneier asks, why didn't the antivirus companies catch Sony's malware during the year it was shipping? He raises another point I've been wondering about. How many more things like this are there that we simply haven't heard about?

UPDATE 11-21-2005:

Cary Sherman, President of the Recording Industry Association of America, just commented on the scandal in a press conference. Sherman said that Sony's conduct "Seems very responsible to me". The state of Texas is filing suit officially. There's now a web site with information about how to sue Sony yourself in small claims court.

