Nov 2nd 2005

Security Now 12

Sony/BMG's Rootkit DRM

I've posted Security Now! Episode 12 early to cover a breaking story on rootkits being installed by Sony BMG CDs.
Records live every Tuesday at 4:30pm Eastern / 1:30pm Pacific.
The Sony/BMG DRM rootkit was first discovered by F-Secure and widely publicized by Mark Russinovich of Sysinternals in his blog. The Sony DRM hides itself by modifying the Windows kernel, names itself "Plug and Play Device Manager" to confuse users, consumes CPU resources whether running or not with sloppily written code that does things like querying the file size eight times per scan, scanning every two seconds, and, worst of all, allows any hacker to easily hide files on your system.

Sony's license agreement is vague about what it's installing and implies that it can be easily disabled. It cannot.

Use Sysinternals' Rootkit Revealer or F-Secure's Blacklight to find the rootkit - look for $sys$ - but don't remove it or you'll loose access to your CD-ROM drive. Sony is now offering removal instructions that point you to the XCP Aurora web site and Service Pack 1 containing "fixes and workarounds."