Sony BMG incorporated a Digital Rights Management (DRM) system
on the CDs to prevent purchasers making illegal copies. That is not
uncommon. But the nature of the DRM has caused an outcry.
Blogger Mark Russinovich of Sysinternals.com revealed on 31st
October that the DRM is accompanied by a rootkit, a type of
cloaking technology used by hackers to hide files in a computer
system in order to run processes or access data. Rootkits are often used to
install backdoors to otherwise secure systems.
Russinovich was scanning his system for rootkits when he came
across the Sony application, installed with the DRM that
accompanied a CD purchased on Amazon.com, "Get Right with the
Man" by the Van Zant brothers. His attempt to remove the
rootkit disabled the CD player of his computer.
Since his first posting on 31st October, the music giant has
faced a storm of criticism from customers and rights groups.
Sony BMG has denied that the software is malicious or
compromises security, but it released a patch to remove the program
from computers. Russinovich wrote last Friday that even the patch
is dangerous, saying it "puts users' systems at risk of a
blue-screen crash and the associated chance of data loss."
In California, a class action lawsuit was filed last week.
According to the BBC, another class action suit is planned for New
York residents, while US lobby group the Electronic Frontier
Foundation (EFF) is also considering legal action.
"Entertainment companies often complain that fans refuse to
respect their intellectual property rights. Yet tools like this
refuse to respect our own personal property rights," said EFF staff
attorney Jason Schultz on Wednesday. "Sony's tactics here are
hypocritical, in addition to being a security threat."
In Europe, digital rights group Electronic Frontiers Italy has
asked the Italian government to identify whether Sony BMG has
breached any laws. The DRM is accompanied by an End User Licence
Agreement (EULA); but the EULA does not appear to disclose the full
nature of the rootkit.
Meanwhile, claims have been made that hackers are now using the
Sony BMG rootkit to hide viruses and trojans that subsequently
infect the PC.
According to security firm Sophos, if PCs containing the Sony
BMG copy-protection system then fall victim to a spam email
containing the Stinx-E Trojan, the virus that is downloaded onto
the PC will hide itself under the DRM program.
"Despite its good intentions in stopping music piracy, Sony's
DRM copy protection has opened up a vulnerability which hackers and
virus writers are now exploiting," said Graham Cluley, senior
technology consultant for Sophos.
"We wouldn't be surprised if more malware authors try and take
advantage of this security hole, and consumers and businesses alike
would be sensible to protect themselves at the earliest
opportunity," he added.