  1. #1
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    Viruses exploit Sony CD copy-protection scheme

    SAN JOSE, Calif. (AP) - A controversial copy-protection program that automatically installs when some Sony BMG audio CDs are played on personal computers is now being exploited by malicious software that takes advantage of the antipiracy technology's ability to hide files.

    Full story;

    http://www.mercurynews.com/mld/mercu...y/13134753.htm
    Audio;
    Ming Da MC34-AB 75wpc
    PS Audio Classic 250. 500wpc into 4 ohms.
    PS Audio 4.5 preamp,
    Marantz 6170 TT Shure M97e cart.
    Arcam Alpha 9 CD.- 24 bit dCS Ring DAC.
    Magnepan 3.6r speakers Oak/black,

  2. #2
    Forum Regular Woochifer's Avatar
    Join Date
    Dec 2001
    Location
    SF Bay Area
    Posts
    6,883
    Oh great! Looks like another Pandora's Box has been opened. Thank you soooooo much Sony!

    I heard about Sony disclosing the flaws with (and existence of) that copy protection scheme last week. It's pretty insidious to start with because the copy protection works by installing a hidden program on your PC that allows you only to make a certain number of copies of a particular CD before blocking it. Problem with the program is that it had a feature that would disable your CD drive if you tried uninstalling it, and the flaw uncovered last week was that it could disable the CD drive even without trying to uninstall the hidden copy protection program. Sheez, so NOW we got virus writers piggybacking on and expanding upon that flaw! Congratulations Sony, your piracy paranoia has now created a malware tool that virus writers are only beginning to exploit and spread.

  3. #3
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    Sony hit by lawsuits over root kit

    Sony BMG is facing a class action suit from Californian consumers who claim the music giant's rootkit DRM technology damaged their computers and breaks three separate Californian laws.

    The suit asks the court to stop Sony selling any more CDs containing the rootkit and seeks compensation for damage already done. Some Sony audio CDs include software which will secretly load itself if the CD is played on a computer. The suit was filed 1 November in the Los Angeles Superior Court by attorney Alan Himmelfarb, according to Reuters.

    A second case has been started in New York on behalf of anyone who's bought one of the CDs.

    Sony is also facing possible action from the Electronic Frontier Foundation in Italy - the lobby group has filed papers with the Italian authorities alleging Sony is guilty of "illicit acts".


    http://www.theregister.co.uk/2005/11...d_for_rootkit/

  4. #4
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    What it all means when you buy a SONY CD

    If you thought XCP "rootkit" copy-protection on Sony-BMG CDs was bad, perhaps you'd better read the 3,000 word (!) end-user license agreement (aka "EULA") that comes with all these CDs.

    First, a baseline. When you buy a regular CD, you own it. You do not "license" it. You own it outright. You're allowed to do anything with it you like, so long as you don't violate one of the exclusive rights reserved to the copyright owner. So you can play the CD at your next dinner party (copyright owners get no rights over private performances), you can loan it to a friend (thanks to the "first sale" doctrine), or make a copy for use on your iPod (thanks to "fair use"). Every use that falls outside the limited exclusive rights of the copyright owner belongs to you, the owner of the CD.

    Now compare that baseline with the world according to the Sony-BMG EULA, which applies to any digital copies you make of the music on the CD:

    If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

    You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."


    If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.


    You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.


    Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.


    The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.


    If you file for bankruptcy, you have to delete all the music on your computer. Seriously.


    You have no right to transfer the music on your computer, even along with the original CD.


    Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.

    So this is what Sony-BMG thinks we should be allowed to do with the music on the CDs that we purchase from them? No word yet about whether Sony-BMG will be offering a "patch" for this legalese rootkit. I'm not holding my breath.

  5. #5
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    What Computer Associates thinks of this Spyware


  6. #6
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    Sony BMG pulls CD software!

    AMSTERDAM (Reuters) - Music publisher Sony BMG said on Friday it would stop making CDs that use a controversial technology to protect its music against illegal copying.

    "As a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology," it said in a statement.

    Full story;

    http://today.reuters.co.uk/news/news...archived=False

  7. #7
    Listener MikeyBC's Avatar
    Join Date
    Feb 2004
    Location
    Northern Ontario
    Posts
    319
    I heard today also that sony is refusing to disclose the titles of the cd's that have the XCP technology, looks like I won't be buying any of sony's cd's until they do...I need to know beforehand what goes into my computer.
    I know company names should be capitalized but this is how much respect for sony I have right now.
    Musical Fidelity A3.2 Integrated amp
    Musical Fidelity A3.2 CD
    Teac DS-H01 Dock
    Energy 22 Reference Connoisseur Speakers
    Cardas Cross and Cardas Hexlink Golden 5C
    Tara Labs RSC Reference Gen2



  8. #8
    Forum Regular
    Join Date
    Jan 2005
    Posts
    356
    You make a great argument, Geoffcin, but it is not going to come out that way. Whatever "agreement" they put in the fine print is meaningless. The fact that you bought a CD from Sony does not give them the right to damage your equipment. No number of disclaimers can change the fact that they are responsible for their product. Same thing as though their CD's were defective and caused, perhaps, fires. No way their liability is limited. This was hardly an accident, it was intentional. There was malice.

    That copy protection scheme probably fits the legal description of malware or even a virus somewhere, Sony has big problems with this one.

    Add Microsoft to the list... Once again, their products are not secure.

    jocko

  9. #9
    nightflier
    Guest

    Sony an outlaw corporation?

    Quote Originally Posted by jocko_nc
    That copy protection scheme probably fits the legal description of malware or even a virus somewhere, Sony has big problems with this one.
    So doesn't that fall under the umbrella offense of "terrorism"? If so, a corporation should be held to the same legal standard as that pimple-faced teenager writing a virus.

    Of course the US Senate will probably propose a new addendum, like they did when gun manufacturers were about to be subjected to the same DMCA legislation that busted P2P software companies like Grokster. So Sony will probably skate out of this one too. Makes you wonder; when will the public finally say ENOUGH already?

    I know that this is an incendiary line of questioning that's going to irritate some people (any Sony spooks on this board?), but let's call it what it is, folks.

  10. #10
    Galactic Patrol Lensman's Avatar
    Join Date
    Sep 2004
    Location
    Birmingham, AL
    Posts
    240
    I've been following these developments closely and with some dread. Sony doesn't yet have a reputation as an evil corporate giant, but they might be heading down that path. You know their software's bad when Microsoft considers it malware: http://news.com.com/Microsoft+will+w...3-5949041.html

  11. #11
    AR Regular
    Join Date
    May 2002
    Posts
    214

    Does any one know

    if this affects older operating systems or only the latest? I have 2 older computers, one running Windows 98 and the other 2000. Am I safe?

  12. #12
    Forum Regular
    Join Date
    Jan 2005
    Posts
    356
    What do you think Sony would do If I did some contracting work in their headquarters, say some carpet work, and left behind some electronic bugs that they did not expect? Of course, my Offer of Sale said additional, unrelated work may be done at my discretion. Buyer beware?

    jocko

  13. #13
    Galactic Patrol Lensman's Avatar
    Join Date
    Sep 2004
    Location
    Birmingham, AL
    Posts
    240
    Quote Originally Posted by StanleyMuso
    if this affects older operating systems or only the latest? I have 2 older computers, one running Windows 98 and the other 2000. Am I safe?
    All the information I've seen so far indicates rootkits only run on WinNT-based systems. So your Windows 98 system should be okay, but your 2000 PC could be affected.

    For anyone interested, NPR's Morning Edition did a story a little while back on Sony's debacle with soundbites from the guy who discovered the flaw and Sony officials refuting the software as a problem. Here's a link to the four-minute audio clip:

    http://www.npr.org/templates/story/s...toryId=4989260

  14. #14
    AR Regular
    Join Date
    May 2002
    Posts
    214

    Just a thought.

    Could this piece of malicious nonsense be sidelined by passing a digital stream from the digital output of a DVD or CD player directly to the computer instead of using the computer's CD player?

    I presume that the DVD/CD player would not recognise a computer code or program, and just pass the digital music stream. Now I must admit that I don't know much about computers, so I could be barking up the wrong tree.
    Last edited by StanleyMuso; 11-14-2005 at 10:10 PM. Reason: extra comments.

  15. #15
    nightflier
    Guest

    Yes

    Quote Originally Posted by StanleyMuso
    Could this piece of malicious nonsense be sidelined by passing a digital stream from the digital output of a DVD or CD player directly to the computer instead of using the computer's CD player?

    I presume that the DVD/CD player would not recognise a computer code or program, and just pass the digital music stream. Now I must admit that I don't know much about computers, so I could be barking up the wrong tree.
    Funny, I was thinking the same thing. I have a Tascam CD writer sitting next to my computer and since the rootkit is a software program (as opposed to an audio stream), there is no way to transmit that over a digital link (at least not the one that Sony programmers wrote). Consequently, an analog Stereo/RCA stream is just as safe.

    It's clear that Sony was targeting people who use their computers to listen to CD's probably assuming that most of them copy music illegally. I wonder if it would affect anything with a hard drive, like digital jukeboxes, hard drive DVD recorders, and iPods when connected by firewire/USB? If so, that would really be underhanded. I will now have to get a virus/adware/spam scanner for my iPod too. Cha-ching, more software I get to "license."

  16. #16
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    Researchers say software removal scheme aggravates security hole

    BOSTON - The fallout from a hidden copy-protection program that Sony BMG Music Entertainment put on some CDs is only getting worse. Sony’s suggested method for removing the program actually widens the security hole the original software created, researchers say.

    Full story;

    http://www.msnbc.msn.com/id/10053831/

  17. #17
    Forum Regular Woochifer's Avatar
    Join Date
    Dec 2001
    Location
    SF Bay Area
    Posts
    6,883
    As if it couldn't get worse! The problem with this rootkit, even if Sony puts out a software fix that works, is that it provides a whole new platform from which virus and malware attacks can originate. Sony might not have written this program with bad intentions, but now that the Pandora's Box has been opened, it's inevitable that others with more malicious goals can now exploit this new tool that they've been handed.

  18. #18
    Can a crooner get a gig? dean_martin's Avatar
    Join Date
    Jun 2002
    Location
    Lower AL
    Posts
    2,838
    Here's info on the recall. I haven't checked the link in the article, but to be an effective recall you should be able to identify the relevant titles. Sony may be using a consumer inquiry method (ask them and they will tell) rather than just providing a list of titles.

    November 16, 2005
    CD's Recalled for Posing Risk to PC's
    By TOM ZELLER Jr.
    The global music giant Sony BMG yesterday announced plans to recall millions of CD's by at least 20 artists - from the crooners Celine Dion and Neil Diamond to the country-rock act Van Zant - because they contain copy restriction software that poses risks to the computers of consumers.

    The move, more commonly associated with collapsing baby strollers, exploding batteries, or cars with faulty brakes, is expected to cost the company tens of millions of dollars. Sony BMG said that all CD's containing the software would be removed from retail outlets and that exchanges would be offered to consumers who had bought any of them.

    A toll-free number and e-mail message inquiry system will also be set up on the Sony BMG Web site, www.sonybmg.com.

    "We deeply regret any inconvenience this may cause our customers," the company said in a letter that it said it would post on its Web site, "and are committed to making this situation right." Neither representatives of Sony BMG nor the British company First 4 Internet, which developed the copy protection software, would comment further.

    Sony BMG estimated last week that about five million discs - some 49 different titles - had been shipped with the problematic software, and about two million had been sold.

    Market research from 2004 has shown that about 30 percent of consumers report obtaining music through the copying and sharing of tracks among friends from legitimately purchased CD's. But the fallout from the aggressive copy protection effort has raised serious questions about how far companies should be permitted to go in seeking to prevent digital piracy.

    The recall and exchange program, which was first reported by USA Today, comes two weeks after news began to spread on the Internet that certain Sony BMG CD's contained software designed to limit users to making only three copies. The software also, however, altered the deepest levels of a computer's systems and created vulnerabilities that Internet virus writers could exploit.

    Since then, computer researchers have identified other problems with the software, as well as with the software patch and uninstaller programs that the company issued to address the vulnerabilities.

    Several security and antivirus companies, including Computer Associates, F-Secure and Symantec, quickly classified the software on the CD's as malicious because, among other things, it tried to hide itself and communicated remotely with Sony servers once installed. The problems were known to affect only users of the Windows operating system.

    On Saturday, a Microsoft engineering team indicated that it would be updating the company's security tools to detect and remove parts of the Sony BMG copy-protection software to help protect customers.

    Researchers at Princeton University disclosed yesterday that early versions of the "uninstall" process published by Sony BMG on its Web site, which was designed to help users remove the copy protection software from their machines, created a vulnerability that could expose users of the Internet Explorer Web browser to malicious code embedded on Web sites.

    Security analysts at Internet Security Systems, based in Atlanta, also issued an alert yesterday indicating that the copy-protection software itself, which was installed on certain CD's beginning last spring, could be used by virus writers to gain administrator privileges on multi-user computers.

    David Maynor, a researcher with the X-force division of Internet Security Systems, which analyzes potential network vulnerabilities, said the copy-protection feature was particularly pernicious because it was nearly impossible for typical computer users to remove on their own.

    "At what point do you think it is a good thing to surreptitiously put Trojans on people's machines?" Mr. Maynor said. "The only thing you're guaranteeing is that they won't be customers anymore."

    Some early estimates indicate that the problem could affect half a million or more computers around the globe.

    Data collected in September by the market research firm NPD Group indicated that roughly 36 percent of consumers report that they listen to music CD's on a computer. If that percentage held true for people who bought the Sony BMG CD's, that would amount to about 720,000 computers - although only those running Windows would be affected. (Consumers who listen to CD's on stereo systems and other noncomputer players, as well as users of Apple computers, would not be at risk.)

    Dan Kaminsky, a prominent independent computer security researcher, conducted a more precise analysis of the number of PC's affected by scanning the Internet traffic generated by the Sony BMG copy-protection software, which, once installed, quietly tries to connect to one of two Sony servers if an Internet connection is present.

    Mr. Kaminsky estimated that about 568,000 unique Domain Name System - or D.N.S. - servers, which help direct Internet traffic, had been contacted by at least one computer seeking to reach those Sony servers. Given that many D.N.S. servers field queries from more than one computer, the number of actual machines affected is almost certainly higher, Mr. Kaminsky said.

    Although antivirus companies have indicated since late last week that virus writers were trying to take advantage of the vulnerabilities, it is not known if any of these viruses have actually found their way onto PC's embedded with the Sony BMG copy protection software.

    Mr. Kaminsky and other security and digital rights advocates say that does not matter. "There may be millions of hosts that are now vulnerable to something that they weren't vulnerable to before," Mr. Kaminsky said.

    For some critics, the recall will not be enough.

    "This is only one of the many things Sony must do to be accountable for the damage it's inflicted on its customers," said Jason Schultz, a lawyer with the Electronic Frontier Foundation, a digital rights group in California.

    On Monday, the foundation issued an open letter to Sony BMG executives demanding, among other things, refunds for customers who bought the CD's and did not wish to make an exchange, and compensation for time spent removing the software and any potential damage to computers.

    The group, which has been involved in lawsuits over the protection of digital rights, gave the company, which is jointly owned by the Sony Corporation and Bertelsmann, a deadline of Friday morning to respond with some indication that it was "in the process of implementing these measures."

    Mr. Schultz said: "People paid Sony for music, not an invasion of their computers. Sony must right the wrong it has committed. Recalling the CD's is a beginning step in the process, but there is a whole lot more mess to clean up."

  19. #19
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    One can only wonder....

    If they had been allowed to get away with this what next would be in store for consumers?

  20. #20
    nightflier
    Guest
    Quote Originally Posted by Woochifer
    As if it couldn't get worse! The problem with this rootkit, even if Sony puts out a software fix that works, is that it provides a whole new platform from which virus and malware attacks can originate. Sony might not have written this program with bad intentions, but now that the Pandora's Box has been opened, it's inevitable that others with more malicious goals can now exploit this new tool that they've been handed.
    Actually, that's already happened. There is a new exploit out that uses the Sony rootkit as its basis. Fortunately it's not "out in the wild" as virus companies like to put it.

    The more important problem is whether virus companies should define this type of software as an actual "virus." I am much more worried that virus companies will not do so for fear of being sued by bigger companies like Sony (sort of like they rolled over when they started getting sued by spyware/malware companies like Gator).

    This emphasizes the point that Sony should bear responsibility to set an example for other companies. This should not be tolerated or swept under the rug. The question is not "if" it will happen again, but "when." And who knows what the damage will be then?

  21. #21
    Silence of the spam Site Moderator Geoffcin's Avatar
    Join Date
    May 2003
    Location
    NY
    Posts
    3,326

    Sony's DRM woes expand to include copyright infringement

    If Sony BMG was hoping that the controversy surrounding its copy-protected CDs was going to die away, it was reckoning without infamous hacker Jon Lech Johansen, better known as DVD Jon.
    It seems that the XCP software from UK company First4Internet that Sony had been using to prevent unauthorised copying of its music CDs, until it agreed to recall some 4.7 million discs, contains code 'infringing the copyright of several open source projects', Johansen notes in his blog. This includes code that he himself wrote for VLC, a free cross-platform media player.

    Full Story;

    http://www.pcpro.co.uk/news/80271/so...ringement.html

  22. #22
    nightflier
    Guest

    Certificate Program

    Wonder if this could be made into law:

    "PROGRAM WILL SHED LIGHT ON DOWNLOADS
    A new initiative is designed to give computer users the information they need to avoid downloading software that includes ad programs or other pieces of code that they do not want. The Trusted Download Program, created by America Online, Yahoo, CNET Networks, Verizon, and Computer Associates, will offer a certification program for companies that offer downloads. Rather than determining what should or should not be allowed in a download, however, the certifications simply require vendors to disclose exactly what the products do and what other components, such as adware or spyware, are included. Users are then given the opportunity before downloading any software to see that information. Before the software can be downloaded, users must explicitly agree to the indicated components of the download. Consent is then required again before the software can be installed. Clear instructions for uninstalling the software must also be provided. CNET, 15 November 2005 http://news.com.com/2100-1029_3-5954668.html"

    If Sony wants to treat music as software, then any software included with their CD's should include a certificate. In my book, any software that doesn't follow clear installation and uninstallation rules is simply a virus, whether it's called adware, copy-protection, or anything else.

    Is anyone suing Sony yet?

  23. #23
    Forum Regular gonefishin's Avatar
    Join Date
    Nov 2003
    Location
    Joliet, Ill.
    Posts
    344
    No matter if Sony knew all the details of this program or not...they should still be responsible for the program that they sought out to go on their music CD's. The program does offer the services that they wanted...but now they may not be happy with the degree that it goes to (only after public displeasure).
    Even if they didn't know exactly what they were getting...this software performs the objective they were after. It's not as though this little program was piggybacked onto something else they were buying. They should have been more aware of the product they agreed to.
    Sony should be dealt with accordingly.

    Further...if the thieves out there copying music illegally would start to be prosecuted and properly fined this wouldn't be as much of a problem for Sony and other labels.

    I say Sony should be fined for their malicious program on some of their CD's with compensation going to anyone (or company) who did incur problems which couldn't be resolved with the patch. Further...The thieves who are continuing to practice illegal copying of audio CD's. Hold them accountable as well.

    On one last note...I'm sure the criminals breaking the law will continue to make illegal music CD's long after the problems that this program has brought us are long gone.

    dan
    Last edited by gonefishin; 11-23-2005 at 05:59 AM.
    __________________
    I found the spoon
    __________________


    enjoy the music!

  24. #24
    Galactic Patrol Lensman's Avatar
    Join Date
    Sep 2004
    Location
    Birmingham, AL
    Posts
    240

    Artists join backlash against Sony

    "Along with lawyers, prosecutors, and furious fans, artists are joining the backlash against the label for slipping a hidden, anti-theft program into users' computers."

    The article also shows some only results on how Sony artists' sales have been impacted.

    http://www.businessweek.com/technolo...gn_id=rss_tech
