[ISN] Antivirus firms target Sony 'rootkit'

InfoSec News isn at c4i.org
Thu Nov 10 01:24:12 EST 2005


http://news.com.com/Antivirus+firms+target+Sony+rootkit/2100-1029_3-5942265.html

By John Borland 
Staff Writer, CNET News.com
November 9, 2005

Antivirus companies are releasing tools this week to identify, and in
some cases remove, copy protection software contained on recent Sony
BMG Music Entertainment CDs. The software has been identified as a
potential security risk.

The Sony software, found on several of the company's recent albums, is
triggered by playing one of the CDs in a PC. From the CD drive, the
software installs itself deeply inside a hard drive and hides itself
from view. This cloaking technique could be used by virus writers to
hide their own malicious software, security experts have said.

There is a range of opinion among security companies about how much
risk the software poses, from those who consider it no worse than an
adware pest to those who view it as potentially dangerous spyware.

Symantec said Wednesday that its antivirus software would identify the
Sony software, but would not remove it. Instead, it will point to
Sony's own Web site, where users can get instructions for uninstalling
the software or download a patch that will expose the hidden
components.

"We're trying to reinforce here that we're not talking about a virus,
or malicious code, we're talking about technology that could be
misused," Symantec Senior Director Vincent Weafer said. "We're trying
to work co-operatively."

However, Computer Associates, which has a security division, said on
Monday it had found further security risks in the Sony software and
was releasing a tool to uninstall it directly.

According to Computer Associates, the Sony software makes itself a
default media player on a computer after it is installed. The software
then reports back the user's Internet address and identifies which CDs
are played on that computer. Intentionally or not, the software also
seems to damage a computer's ability to "rip" clean copies of MP3s
from non-copy protected CDs, the security company said.

"It will effectively insert pseudo-random noise into a file so that it
becomes less listenable," said Sam Curry, a Computer Associates vice
president. "What's disturbing about this is the lack of notice, the
lack of consent, and the lack of an easy removal tool."

A Sony representative said the company's technical staff was looking
into the issues identified by Computer Associates, but had no
immediate comment.

The furor over the Sony software comes nearly eight months after the
copy protection technique, created by British company First 4
Internet, was first released on a commercial disc in the United
States.

Computer developer and author Mark Russinovich sparked debate over the
software last week by posting on his blog an account of how he had
discovered the First 4 Internet software hiding deep in his hard
drive. The software used a tool called a "rootkit" to hide its
presence, a technique more typically used by virus writers to hide
traces of their work.

Sony and First 4 Internet quickly released on their Web site a patch
that would uncloak the copy protection software. But CD buyers must go
through a more elaborate process -- e-mailing the company's customer
service department -- to get instructions for uninstalling the
software.





More information about the ISN mailing list