Sony BMG CDs Come With Rootkit/Spyware-Like Software
How scary is this? Sony BMG has something to the tune of 20 CDs they’ve shipped since March that carry a copy protection scheme that functions much like a rootkit and spyware. The software itself is designed to stop you from making more than a certain number of copies of the CD. The kicker is that a second program is also run whose job is to hide both programs from the user.
This sounds almost harmless until you take a couple of other things into account. First of all, the software installs itself when you put in the CD: it pretends to install an audio player (a good reason to disable autorun) and never makes clear what it is actually doing. This is something spyware/malware does all the time. Also, by user, I mean administrator: once installed, no user on the computer, administrator included, has the ability to see the programs. It actually alters what Explorer will show you. This is a technique used by rootkits, which are programs used to take control of a system. The service for the hiding program even calls itself “Plug and Play Device Manager”… nice.
To make matters worse, there’s no easy way to uninstall the program. Apparently, if you just delete the files, your whole system will crash. And for the real cherry on top, the hiding program doesn’t just allow the copy-limiting program to be hidden. Any file that starts with “$sys$” becomes hidden to the system. This is a security hole that can allow any other program to hide itself. The PR would just be great if a virus went around that exploited that hole…
Obviously, the easiest way to tell if you’ve got it is to just make a copy of a file and then rename it so it starts with “$sys$”. If it disappears, you’re infected.
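The rename test described above, written out as a small script. This is an added example and not code from the post; it assumes, as the post states, that the cloaking component hides any file whose name begins with “$sys$” from ordinary directory listings. Rather than renaming one of your own files, it writes two throwaway files into a temp directory, one with an ordinary name as a control and one with the “$sys$” prefix, and reports which of the two the operating system still admits to. The temp directory, file names and the `looks_cloaked` helper are this example’s own choices.

```python
import os
import tempfile

# Name prefix the post says the cloaking driver hides from the rest of the system.
HIDDEN_PREFIX = "$sys$"


def probe_prefix_hiding(directory=None, prefix=HIDDEN_PREFIX):
    """Run the rename test from the post without touching any existing file.

    Writes a control file and a marker file whose name starts with `prefix`
    into `directory` (a fresh temp dir when None), then asks the OS for a
    directory listing and checks which of the two it still reports.

    Returns a dict of three booleans:
      control_listed - the ordinary file shows up (sanity check that listing works)
      marker_listed  - the prefixed file shows up (False means something hides it)
      marker_stat    - os.path.exists() still finds the prefixed file by path
    On a clean machine all three are True.
    """
    own_dir = directory is None
    if own_dir:
        directory = tempfile.mkdtemp(prefix="probe_")
    control_name = "control_probe.txt"
    marker_name = prefix + "probe.txt"
    paths = [os.path.join(directory, n) for n in (control_name, marker_name)]

    # Both files are constructed here and contain only a throwaway marker line.
    for p in paths:
        with open(p, "w") as fh:
            fh.write("rootkit probe marker, safe to delete\n")

    listing = set(os.listdir(directory))
    result = {
        "control_listed": control_name in listing,
        "marker_listed": marker_name in listing,
        "marker_stat": os.path.exists(paths[1]),
    }

    # Clean up. If a cloaking driver is active the delete may be refused or
    # report "not found"; ignore that rather than fail the probe.
    for p in paths:
        try:
            os.remove(p)
        except OSError:
            pass
    if own_dir:
        try:
            os.rmdir(directory)
        except OSError:
            pass
    return result


def looks_cloaked(result):
    """True when the ordinary file is visible but the prefixed one is not,
    which is exactly the symptom the post describes. A False control means
    the listing itself failed, so the probe is inconclusive rather than positive."""
    return result["control_listed"] and not (result["marker_listed"] and result["marker_stat"])


if __name__ == "__main__":
    r = probe_prefix_hiding()
    print(r)
    print("suspicious: %s" % looks_cloaked(r))
```

Run it as the user who normally plays CDs; the cloaking described in the post hides the prefixed file from everyone, so no elevated rights are needed to see the symptom. The control file matters: without it, an unrelated listing failure would look the same as cloaking.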
The Register has a couple of articles, and Freedom To Tinker offers some good info as well. The anti-virus company F-Secure has a blog with info on their work as well as a screenshot of the installer. You’ll find a link buried in there somewhere for a way to contact Sony BMG and ask them to provide an uninstaller if you’re infected. F-Secure also has a link to a beta version of their rootkit detector that will find the programs (although you don’t want to use it to remove them, as it will mess things up).
So on the upside, the software itself isn’t harmful or self-replicating or anything like that. On the downside, it leaves a security hole open, installs itself covertly, and of course wastes a small amount of system resources (unless the consumer wants the software, but what consumer would want the software?). The most bothersome thing to me is the hidden nature of the thing. It goes to some lengths to try to take some portion of the control of your computer away from you. I’ve always held the belief that the user should ultimately have control of his or her own box. Silly me.