Sony BMG Copy-protection software scandal

To stop piracy, Sony BMG distributed rootkit software on music CDs. It created vulnerabilities in the operating system that were exploited by malware. Facing criticism, Sony BMG released an “uninstaller” that only un-hid the software and introduced further security vulnerabilities.

The Sony BMG CD copy protection rootkit scandal of 2005–2007 concerns deceptive, illegal, and potentially harmful copy protection measures implemented by Sony BMG on about 22 million CDs. When inserted into a computer, the CDs installed one of two pieces of software that provided a form of digital rights management (DRM) by modifying the operating system to interfere with CD copying. Neither program could be easily uninstalled, and both created vulnerabilities that were exploited by unrelated malware. Sony claims this was unintentional. One of the programs installed even if the user refused its EULA, and it “phoned home” with reports on the user’s private listening habits; the other was not mentioned in the EULA at all, contained code from several pieces of open-source software in an apparent infringement of copyright, and configured the operating system to hide the software’s existence, leading to both programs being classified as rootkits.

Sony BMG initially denied that the rootkits were harmful. It then released, for one of the programs, an “uninstaller” that only un-hid the program, installed additional software which could not be easily removed, collected an email address from the user, and introduced further security vulnerabilities.

Following public outcry, government investigations, and class-action lawsuits in 2005 and 2006, Sony BMG partially addressed the scandal with consumer settlements, a recall of about 10% of the affected CDs, and the suspension of CD copy protection efforts in early 2007.

Copy-protection software

The two pieces of copy-protection software at issue in the 2005–2007 scandal were included on over 22 million CDs marketed by Sony BMG, the record company formed by the 2004 merger of Sony and BMG’s recorded music divisions. About two million of those CDs, spanning 52 titles, contained First 4 Internet (F4I)’s Extended Copy Protection (XCP), which was installed on Microsoft Windows systems after the user accepted a EULA that did not mention the software. The remaining 20 million CDs, spanning 50 titles, contained SunnComm’s MediaMax CD-3, which was installed on either Microsoft Windows or Mac OS X systems after the user was presented with a EULA, regardless of whether the user accepted it (although Mac OS X prompted the user for confirmation when the software sought to modify the OS).

XCP rootkit
Main article: Extended Copy Protection
The scandal erupted on October 31, 2005, when Winternals (later acquired by Microsoft) researcher Mark Russinovich posted to his blog a detailed description and technical analysis of F4I’s XCP software that he ascertained had been recently installed on his computer by a Sony BMG music CD. Russinovich compared the software to a rootkit due to its surreptitious installation and its efforts to hide its existence. He noted that the EULA does not mention the software, and he asserted emphatically that the software is illegitimate and that digital rights management had “gone too far”.

Anti-virus firm F-Secure concurred, “Although the software isn’t directly malicious, the used rootkit hiding techniques are exactly the same used by malicious software to hide themselves. The DRM software will cause many similar false alarms with all AV software that detect rootkits. … Thus it is very inappropriate for commercial software to use these techniques.”[10] After public pressure, Symantec and other anti-virus vendors included detection for the rootkit in their products as well, and Microsoft announced it would include detection and removal capabilities in its security patches.

Russinovich discovered numerous problems with XCP:

It creates security holes that can be exploited by malicious software such as worms or viruses.
It constantly runs in the background and excessively consumes system resources, slowing down the user’s computer, regardless of whether there is a protected CD playing.
It employs unsafe procedures to start and stop, which could lead to system crashes.
It has no uninstaller, and is installed in such a way that inexpert attempts to uninstall it can cause the operating system to fail to recognize existing drives.
Soon after Russinovich’s first post, there were several trojans and worms exploiting XCP’s security holes. Some people even used the vulnerabilities to cheat in online games.
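The “security holes” above come from the hiding mechanism itself: once the driver conceals every file, process and registry key matching its naming rule from the normal enumeration APIs, any third party can name its own payload to match and inherit the same invisibility, which is what the malware authors and the game cheaters did. That same mechanism is what a detector exploits. The script below is an added illustration, not code from Sony BMG, First 4 Internet or Winternals: it performs a cross-view comparison of the kind rootkit detectors such as Russinovich’s RootkitRevealer use, listing a directory once through a hookable path and once through a path the hook does not cover, and reporting what the hooked view omits. The assumptions are labelled in the code: the XCP hook is simulated by a Python filter that drops names beginning with the `$sys$` prefix the real driver concealed (no system API is hooked), the low-level view is a plain `os.scandir()`, and the sample files are constructed in a temporary directory.

```python
"""Cross-view detection of prefix-hidden files.

Added example, not code from Sony BMG, First 4 Internet or Winternals.
A rootkit that hooks the directory-enumeration API can only lie to callers
that go through that API, so a detector lists the same directory twice:
once through the (hookable) high-level path and once through a low-level
path the hook does not cover. Anything present in the low-level view but
absent from the high-level view has been hidden.

Assumptions: the XCP hook is simulated by hooked_listing(), which drops
names beginning with HIDDEN_PREFIX from an otherwise honest listing; the
"low-level" view is a plain os.scandir(); the sample files are constructed
in a temporary directory.
"""
import os
import tempfile
from typing import Callable

# Name prefix the XCP driver concealed from the OS. Here it is only the
# filter rule of the simulated hook.
HIDDEN_PREFIX = "$sys$"

# Constructed sample directory: two ordinary files, one "rootkit" file, and
# one unrelated payload that rides on the same hiding rule (the trick the
# malware authors and game cheaters used).
SAMPLE_FILES = ["track01.mp3", "readme.txt", "$sys$drv.sys", "$sys$cheat.dll"]


def low_level_listing(path: str) -> set[str]:
    """Stand-in for an enumeration that bypasses the hooked API."""
    return {entry.name for entry in os.scandir(path)}


def hooked_listing(path: str, prefix: str = HIDDEN_PREFIX) -> set[str]:
    """Simulated hooked API: same data, but hidden-prefix names are dropped."""
    return {name for name in low_level_listing(path) if not name.startswith(prefix)}


def cross_view_diff(path: str,
                    high_level: Callable[[str], set[str]],
                    low_level: Callable[[str], set[str]]) -> set[str]:
    """Return every name the low-level view sees that the high-level view hides."""
    return low_level(path) - high_level(path)


def build_sample_dir(root: str) -> None:
    """Create the constructed sample files inside root."""
    for name in SAMPLE_FILES:
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")


def run_demo() -> tuple[set[str], set[str]]:
    """Build the sample dir; return (names the hook hides, names the hooked API shows)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_dir(root)
        hidden = cross_view_diff(root, hooked_listing, low_level_listing)
        visible = hooked_listing(root)
    return hidden, visible


if __name__ == "__main__":
    hidden, visible = run_demo()
    print("hooked API shows:", sorted(visible))
    print("hidden by hook:  ", sorted(hidden))
```

The point of the demo is the second hidden entry: a scanner that only ever asks the hooked API sees `track01.mp3` and `readme.txt` and nothing else, so the cheat library is as invisible as the driver that hides it. A real detector replaces `low_level_listing()` with something the hook cannot intercept (raw volume reads, or an enumeration from a clean boot environment); the diff logic stays the same.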

Sony BMG quickly released software to remove the rootkit component of XCP from affected Microsoft Windows computers, but after Russinovich analyzed the utility, he reported in his blog that it only exacerbated the security problems and raised further concerns about privacy. Russinovich noted that the removal program merely unmasked the hidden files installed by the rootkit, but did not actually remove the rootkit. He also reported that it installed additional software that could not be uninstalled. In order to download the uninstaller, he found it was necessary to provide an e-mail address (which the Sony BMG Privacy Policy implied was added to various bulk e-mail lists), and to install an ActiveX control containing backdoor methods (marked as “safe for scripting”, meaning any web page visited afterwards could invoke them, and thus prone to exploits).

On November 18, 2005, Sony BMG provided a “new and improved” removal tool to remove the rootkit component of XCP from affected Microsoft Windows computers.