Security threats Toolkit

Sony plans patch after DRM rootkit row

Tags:
Cd Security,
Copy-restriction,
Rootkit,
Patch

John Borland CNET News.com

Published: 03 Nov 2005 11:10 GMT

Sony BMG Music Entertainment and a technology partner are working with antivirus companies on a fix for a potential security problem in some copy-restricted CDs.

Earlier in the week, security experts said that anticopying technology used by Sony BMG could be adapted by virus writers to hide malicious software on the hard drives of computers that have played one of the CDs. The antipiracy tool is included on many of Sony BMG's latest music releases, from Van Zant to My Morning Jacket.

Sony BMG's technology partner First 4 Internet, a British company, said on Wednesday that it has released a patch to antivirus companies that will eliminate the copy-restricted software's ability to hide. In consequence, it will also prevent virus writers from cloaking their work using the copy-restriction tools.

The record label and First 4 Internet will post a similar patch on Sony BMG's Web site for consumers to download directly, the companies said.

"We want to make sure we allay any unnecessary concerns," said Mathew Gilliat-Smith, chief executive of First 4 Internet. "We think this is a pro-active step and common sense."

The issue erupted into the public consciousness late on Monday, when computer developer and author Mark Russinovich published a blog detailing how he had found the First 4 Internet software hiding deep in his computer, after he had listened to a copy-restricted CD distributed by Sony BMG.

The anticopying technology included a tool called a "rootkit", often used by virus writers. A rootkit takes partial control of a computer's operating system at a very deep level in order to hide the presence of files or ongoing processes.

Rootkits, while not intrinsically malicious, are viewed with deep suspicion by many in the software development community. They are extraordinarily difficult to find and remove without specific instructions, and attempts to modify the way they act can even damage the normal functioning of a computer.

In the case of the First 4 Internet software, attempts to remove it manually rendered the CD drive of the computer inoperable, Russinovich found.

Several antivirus companies followed Russinovich's news with warnings that the First 4 Internet tools could let virus writers hide malicious software on computers, if the coders piggybacked on the file-cloaking functions.

"For now it is theoretical, or academic, but it is concerning," said Mikko Hypponen, chief research officer at antivirus company F-Secure. "There's no risk right now that we know of, but I wouldn't keep this on my machine."

The patch that First 4 Internet is providing to antivirus companies will eliminate the rootkit's ability to hide itself and the copy-restriction software in a computer's recesses. The patch will be automatically distributed to people who use tools such as Norton Antivirus and other similar programs, Gilliat-Smith said.

The patch that will be distributed through Sony BMG's Web site will work the same way, Gilliat-Smith said. In both cases, the antipiracy software itself will not be removed, only exposed to view.

Consumers who want to remove the copy- restriction software altogether from their machine can contact the company's customer support service for instructions, a Sony BMG representative said.