Sony cripples computers to protect it's music

On October 31, it was revealed by researcher Mark Russinovich that Sony's audio CD's contained a form of spy/malware called a rootkit.

I wasn't going to write about this intially because most of it has been rehashed in the popular press already. But the events have taken such a turn for the worst after the response of Sony to the mess they created that I cannot be silent.
Sony admitted that most CD's it sold over the recent years contain software to prevent them from being copied on Windows-based PC's (reports from consumers list arround 40 infected titles).

This software, created by First4Internet installs without the consent of the user and hides it's presence by hiding the files it has installed and runs itself when you boot your PC. Any attempt to remove it leaves the victim computer without the use of the CD-ROM drive or completely dead in the water. This software remains active, even after removing the CD from the drive and it has now been revealed that it even transmits data back to Sony and First4Internet without the consent or knowledge of the user.

Most conventional media and even AV/Software companies are carefull in their wording, calling this program rootkit-like or spyware-like. This is very untrue. This program is spyware containing a rootkit. It fits all the requirements to be called that and quite frankly, to the end user, it does not matter if it is intended to prevent copying or to connect to rogue irc channels.

This is a piece of software that damages your system and puts your security at risk without your consent. It is not only immoral, but also illegal in most countries (criminal prosecution is already on it's way in Italy) and for the sake of our future security, I hope that Sony is prosecuted to the fullest extend allowed by the law for doing this.

But, the saga continues...
Many media report that Sony offered a removal tool soon after the discovery. This is also untrue. Sony offered a decloaking tool that made the software visible, it did not remove it and any attempts to do so still resulted in a damaged system.

Not only this, but the removal tool requires Internet Explorer to work because it relies on a signed ActiveX component. This component, called CodeSupport, remains on your system after running the decloaking tool is run. It is signed, so it is trusted by your system to do a lot of things, including downloading and executing code from any site that requests it. This makes your system vulnerable to remote automated attacks.

Now let's look at the situation again:
The original copy protection software installs on your system without your consent and opens you to several avenues of attack. This deservers a moderate security rating with high impact because it may render your system unusable.
It transmits data back to both Sony and First4Internet, so on infection your privacy is already compromised, this warrants a critical rating.

The decloaking tool adds the ActiveX component to your system that can be remotely exploited and allows full control of your system. This deserves the highest security rating, it is critical and has the highest severity possible.

So, Sony exposed its customers to two critical vulnerabilities, all with malicious intent.
Yes, the goal is to protect their music form copying (which is not malicious in itself). But to reach that goal, they maliciously turned your own computer in a device that works for them. They put other people's systems at risk to reach their goal and deliberatly tried to hide their actions (the rootkit), worse yet, those people payed for the product that causes the damage. Who pays for the cleanup costs of this infection? Who pays for the reinstall of your system and possible lost data because of this? That's right, the same people who payed for the CDs: that is you, the consumer.

What makes this infection worse then infections like MyDoom or Zotob is that it was created by a major corporation who apparently thinks this is a valid tactic to protect it's music. Your system was not compromised because some cracker wrote a program in his attic for fun or spite. It was funded by people in suits driving expensive cars. It was written by people that get a sallary for doing this. In the end, it was written using the money of people who buy CDs from Sony.

-- Update Wed Nov 16 12:34:46 UTC 2005
So, what should happen now. I would hope for the following things to happen, but I doubt they will because Sony is a mega-corporation which automaticly mean the law applies less to them.

1# Sony is forced to pay the cleanup cost of the infection they unleashed. This includes replacing each and every copy of infected discs with a clean one ore refund the customers AND the full cost of cleaning up infected systems and networks.

2# The executives at Sony and First4Internet that decided to create this malware are found and arrested under the same laws and conditions that creators of other malware like Zotob where caught.
Many people may disagree with this, but the fact remains that these people commited criminal offenses by breaching the security of numerous computer systems. The reason for doing this is not important, unless we are going to give the same break to crackers who write malware for an 'ethical' cause.

-- Update Thu Nov 17 15:45:24 UTC 2005
In an interesting twist, it seems that the playback software on the Sony CD's, you know, the one protected against the evils of piracy, is in itself pirated from an Open Source (GPL) program. So much for morals...

Written by Guy Van Sanden
Licensed under a creative commons Attribution-NonCommercial-ShareAlike license.