Guard against Sony's surreptitious rootkit

Sony BMG has made headlines after the discovery of the clandestine rootkit included on many of its CDs. What's all the commotion about? In this edition of Security Solutions, Mike Mullins delves into this contentious issue.

More than nine months ago, Sony BMG began distributing select CD labels with copy protection software. After a user inserted the CD into a Microsoft Windows computer, a dialogue box would open, informing the user that he or she needed to install a special player, or the CD would not play through the computer's CD player.

What Sony BMG and First 4 Internet (the creator of the application) failed to disclose was the true nature of the application—a "rootkit" designed to hide and protect the software on the user's computer. The discovery of this rootkit has caused an outcry in the industry, particularly thanks to certain characteristics of the application. Let's take a look at these attributes:

  • It stays hidden: The application employs cloaking technology, and you'll only find a vague reference to the application when you open Task Manager and look at the running processes.
  • It's always on: Even if there isn't a copy-protected CD present, the software is constantly running.
  • It installs without the user's knowledge: The real purpose of this program is not to allow you to listen to music—it's to spy on your activities.
  • It requires system-level privileges: You must have administrative rights to install the software because it modifies the Windows operating system.
  • It's difficult to remove: Trying to manually remove the program could lead to completely disabling your CD-ROM drive.

This sure doesn't sound like a simple music player—it sounds suspiciously close to spyware, which the industry has been actively fighting over the past few years. However, while similar, there is a difference. Let's take a closer look.

The rootkit only installs on Windows-based machines; the copy-protection software doesn't prompt for installation on Linux or Macintosh machines. Once installed, the application opens up a backdoor, which hackers can then use to steal personal information, launch attacks on other computers, and send spam.

In fact, Trojan programs, which exploit the software's ability to hide files from both users and antivirus programs, have already emerged in the wild. In addition, several antivirus makers have predicted that exploitations of this program and similar technology will increase sharply.

Meanwhile, Sony BMG has apologized for any inconvenience, and the company has issued a patch and removal instructions, which may cause their own set of security problems. Microsoft has also announced plans to update Windows AntiSpyware and the Malicious Software Removal Tool, as well as the online scanner on Windows Live Safety Center, to detect and remove the Sony BMG software.

Of course, the issue at hand is not really about this particular piece of software—it's about the practice of installing such software without users' knowledge or understanding. This type of behavior isn't malicious—it's criminal.

Once a program installs and becomes invisible, users will likely never update that program again. Music CDs should contain music; they shouldn't be launch vehicles for black hats.

In addition, this debacle also highlights one of the most pervasive problems on the Internet: patch management. Patch management—not only of the operating system, but underlying programs and add-ons—is incredibly difficult to manage on a large scale without heavy emphasis on standardization. If a home user can't remember to patch his or her copy protection software, how can an administrator of 100 machines remember to patch the 10 to 20 percent of corporate machines that have the software installed?

Final thoughts

If you've recently purchased a Sony BMG CD, it should go without saying that you'd better check your machine. If you find that the Trojan is present, go to Sony BMG's Web site, and get the directions for removal.

In the future, I suggest shopping elsewhere for your music needs. Remember: Companies take notice when consumers vote with their wallets. Viruses, Trojans, malware, and a host of other problems will always exist—but they shouldn't come included with a CD purchase.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Editor's Picks

Free Newsletters, In your Inbox