Big Brother and the Sony BMG Company: The Perfect DRM Storm

Are copy-protected Sony BMG music CDs bad for your computer health?

First, the good news: The Sony BMG protection scheme everyone’s upset about has no effect on Mac OS X or Linux systems — the CDs function as ordinary audio CDs. (Yet another reason to get off Windows.)

If you persist in using Windows, you should know that the copy protection scheme employed on Sony BMG’s music CDs for the past eight months can wreak havoc with Windows PCs and can’t be easily uninstalled.

Blood, Sweat, and Tears in the Blogosphere

The blogosphere perked with excitement about the Sony BMG protection scheme, and the blog entry Sony Music CDs surreptitiously install DRM Trojan horses on PCs by ZDNet’s David Berlind set the tone:

Reports are beginning to turn up around the Web that discuss how certain CDs from Sony Music come with a Trojan horse-based digital restrictions management (DRM) technology that surreptitiously installs itself as a rootkit on Windows PCs. When software surreptitiously installs a rootkit, it’s usually doing so to cover its tracks — a technique commonly associated with malware such as viruses and Trojan horses. Rootkits generally latch themselves onto the foundation or “roots” of an operating system in a variety of ways that not only prevent their detection, but also their extraction.

For the outstanding play-by-play investigation into how this rootkit came to be installed, see Sony, Rootkits And Digital Rights Management Gone Too Far by Mark Russinovich. Mark traced the rootkit to Sony BMG’s protected CD Get Right with the Man by the Van Zant brothers. His summary:

Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

The cloaked code intercepts and redirects low level Windows system calls, forces the audio through a custom player provided on the music CD, and restricts the number of CD burns you can make. It was developed by First 4 Internet, a British firm that has deals not only with Sony BMG Music Entertainment but also with Universal Music Group, Warner Music Group and EMI.

The moves with First 4 Internet are part of a larger copy-protection push by Sony BMG that also includes SunnComm and its MediaMax technology. While SunnComm has been Sony BMG’s primary partner on commercial releases, First 4 Internet’s XCP has been used on prerelease CDs by record labels; Sony BMG is the first to commercially deploy First 4 Internet’s XCP. News of this agreement appeared in Reuters and was picked up by CNET U.K. in the report Sony tests technology to limit CD burning.

Within days of Berlind’s blog entry above, the blogosphere went agog. According to Berlind’s entry Sony offers removal and replacement for rootkit DRM:

As if news of the underhanded technique wasn’t bad enough for Sony BMG, the situation spiraled even further out of control when it became apparent that Russinovich’s exposure of the rootkit’s details may have given hackers the hall pass they needed to treat the rootkit as a back door entry point into “infected” systems. 

A fair question to ponder is how much damage this has done to Sony BMG’s reputation, and how costly it is for Sony BMG to react within days of the blog posting to provide a way to remove the Trojan horse rootkit.

Yo-Yo Ma! How Do You Get Rid of This?

Sony BMG will help you step-by-step, but only if you supply them with information using this uninstall request page. Alas, you need to use Internet Explorer with ActiveX to use this method. Avoid this if you can, until Sony fixes it later this month.

You can also find a downloadable uninstaller on the XCP Support Software Updates page, which displays a First 4 Internet copyright notice but little else. It includes the following notice:

This Service Pack removes the cloaking technology component that has been recently discussed in a number of articles published regarding the XCP Technology used on SONY BMG content protected CDs. This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers.

What appears to be the same update is available from this Sony BMG page.

The cavalier attitude expressed in the update notice (“This component is not malicious and does not compromise security. However to alleviate any concerns…”) points to a larger problem: indifference to PC users’ needs. The component does indeed compromise security, and you should be concerned. According to Sony to patch copy-protected CD by John Borland of CNET:

Rootkits, while not intrinsically malicious, are viewed with deep suspicion by many in the software development community. They are extraordinarily difficult to find and remove without specific instructions, and attempts to modify the way they act can even damage the normal functioning of a computer.

In the case of the First 4 Internet software, attempts to remove it manually rendered the CD drive of the computer inoperable, Russinovich found. Several antivirus companies followed Russinovich’s news with warnings that the First 4 Internet tools could let virus writers hide malicious software on computers, if the coders piggybacked on the file-cloaking functions.

Sony BMG considered the security concerns to be old news. According to the CNET report Sony CD protection sparks security concerns:

In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company’s CEO… “I think this is slightly old news,” Gilliat-Smith said. “For the eight months that these CDs have been out, we haven’t had any comments about malware (malicious software) at all.”

But It’s a Tenacious D-RM…

What Sony BMG does not seem to understand is that it is fanning the flames of discontent in the blogosphere with this update — it supposedly removes the DRM protection but actually does not.

Andrew Orlowski in Sony to offer patch for ‘rootkit’ DRM points out that the patch that Sony will offer doesn’t remove the rootkit; it just removes the cloak, making the hidden files visible:

Sony’s decision to offer a ‘patch’ that fails to remove the DRM code suggests it isn’t too concerned by the howls of outrage heard this week from sophisticated PC users. And with this level of apathy, the music giants will be emboldened to try these techniques again. And again.

According to this report in Freedom to Tinker:

The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they’re not just taking away the rootkit-like function — they’re almost certainly adding things to the system as well. And once again, they’re not disclosing what they’re doing.

If you have tried to remove the rootkit, please respond to this topic with your observations.

Another Reason to Avoid the System of a Downer

It is interesting to note that the Sony DRM scheme does not install any Trojan horse into Mac OS X — the CD plays normally. The software that plays the disc in Windows does not work in OS X. In fact, you can rip the music directly into iTunes without any problems.

For Windows users, Sony’s DRM scheme makes it difficult to rip CDs and listen to them with an iPod. It is primarily designed to put pressure on Apple to open the iPod to other music services, rather than making it dependent on the iTunes Music Store for downloads. It is really not about copy protection, as it penalizes only people who would time-shift music (to play it on a portable player) or format-shift it (transfer the music from one format, such as audio CD, to another, such as MP3). It does not affect music piracy, because it would take only one individual to break the copy protection for the CD and put the music on the Internet.


