Sony Rootkit May Cause PC Problems
Nov 20, 2005
5 Star Support Security Specialist
Sony BMG introduced a new copy restriction scheme on their music CDs in
2005. From what I can tell, this began with the company’s new music releases
in roughly March of 2005. I fear most computer users are unaware of this,
and so have decided to write this paper to alert them to the fact.
While Sony CDs play just fine on all standard audio devices and standard CD
players, the problem occurs when they are played on a Windows-based PC. This
does not include all Sony CDs, but the more recent ones that indicate they
contain DRM (Digital Rights Management) software or copy protection
software, and require installation of a “Player” program included
on the CD. Sony indicates the new copy protection software is designed to
limit how many times their music CDs can be copied. When one of these new music
CDs is played on a Windows-based PC, the software included (read: embedded)
on the CD forces playback through a bundled media player, and restricts how
many copies can be made from Windows.
Wondering how this could be enforced, Mark Russinovich of Sysinternals was
the first to look into the copy restriction measures. His analysis of the
CD and the software it contains revealed what he calls a ‘root kit’, along
with hidden files and folders with such names as “essential tools”. Herein lies
the problem. When one of these new CDs is played on a Windows-based PC, the
rootkit software is installed in the background, without your consent or
knowledge, while you are simply installing the required player software and
listening to the CD. Mark blew the whistle on this whole scheme about 2
What, you may ask, is a root kit? A root kit generally refers to a form of
malware used by crackers to gain control of a system. Root kits in general
have several common characteristics: they find their way into a system
uninvited, they try to remain undetected, they modify and add to system
registry entries, and they are very difficult to remove. A root kit is
designed to gain control of the system it is installed in at the root level,
thereby gaining system-level ownership of the computer. It can intercept
system library routines and reroute them to its own routines, or replace
system executables with its own, or both.
The Sony root kit creates its own hidden directory and installs its own
device drivers, and then reroutes Windows system calls to its own routines.
It intercepts kernel-level APIs (Application Program Interfaces), and then
attempts to disguise itself with a cloaking technique. This is how it
controls how many copies of the CD can be made on a Windows-based machine.
Keep in mind that a root kit is, in reality, a modification to the operating
system that can control operation of the computer at the root level in a
number of ways. The problem is made more dangerous when you consider that
the computer’s operation is now no longer totally yours. All this has
happened without your knowledge or consent, simply by installing “required”
software and playing the CD in your computer. Yes, when attempting to play
the CD for the first time there is a window opened that indicates a player
program needs to be installed from an administrator privilege log-on. It is
labeled as an “Advanced CD Installer” in most cases, but how many users are
really going to read all the information in the EULA (End User Licence
Agreement), let alone understand it? There is certainly no information
regarding a root kit, what it is, or what it can do once installed. By all
appearances, it is simply an installation of song player software needed to
play the CD. After all, all you want to do is listen to the new CD you just
purchased, right? I can’t begin to tell you how dangerous I believe this is.
The DRM software being used on these CDs was developed for Sony by First 4
Internet Ltd., a British company. Both Sony and First 4 claim no wrongdoing
in any of their actions, and claim that the rootkit poses no reliability or
security threat. One of Sony’s executives was quoted as saying “users don’t
know what a rootkit is, and therefore, don’t care.” Without the user’s
consent, the computer with the rootkit installed also informs Sony every
time it plays a “protected” CD. Trust me Sony, I care.
The problem this creates worsened as this year progressed. The cloaking
technique used by Sony is crude from a code standpoint. Writers of
vulnerability code have already discovered this, and there are several forms
of malware Trojans circulating the Web attached to crawlers that are looking
for PCs with this root kit installed so they can install themselves and
hide within it. If they find you while you are on the Internet, and they
install themselves, you can be in for more problems. Once hidden in the root
kit, a virus or Trojan can easily go undetected by scans from anti-virus
software even if fully updated. It just can’t find the malware.
This DRM software has been out for about 8 months now, and is bundled on at
least 20 different CD titles. So, what does the PC user do about it? The
answer is rather complex. Advanced users who own root kit detection software
are able to detect the presence of this software on their systems. One of the
more popular detection programs is available from F-Secure, and it is
included in their Internet Security 2006 program. It easily detects the
presence of the root kit. F-Secure, however, does not recommend removing the
root kit with its products. I recommend the same, no matter whose product
you might use. The problem is this DRM system is implemented as a filter
driver for the CD drive. Removing it may easily result in removal of access
to the CD drive as well. I am aware of reports that indicate removal
attempts have resulted in the drive letter disappearing altogether, and no
means of getting Windows to recognize the drive again, even in the BIOS.
Again, you must remember that installation of this root kit has modified the
operating system at the root level.
Your next choice is to contact Sony BMG on the Web and ask for instructions
on removing the rootkit. They have a link on their site: “INFORMATION ON XCP
CONTENT PROTECTION” that will take you to a page with a form, a Sony
disclaimer and disclosure, and other information, as well as the removal
process they have made available.
But I do not recommend you use it. This is a multi-step process during which
your computer’s identity is sent to Sony, and an ActiveX control is
installed and used in the uninstall process. This bothers me, as the only
thing actually being accomplished is the disabling and removal of the driver
that implements the rootkit cloaking. Sony has made its patch available to
commercial anti-virus companies as well. The installation of further
software (ActiveX control) as part of the removal process also bothers me
greatly, and I’m not the only one. Mark Russinovich says the same thing, and
has looked at the AV cleaners available. He says they work the same way
Sony’s patch behaves – the cloaking driver is unloaded from memory, which
introduces the risk of a blue screen system crash.
The best recommendation I can make at this time is to disable the driver for
the whole thing by deleting the rootkit’s registration from Windows. Mark has
written a simple command that will accomplish this:
Open the Run dialog from the Start Menu
Enter the following: cmd /k sc delete $sys$aries
Reboot the computer
This will disable the Aries driver that runs the rootkit when Windows boots.
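As an added example (my own script, not Mark’s command or anything shipped by Sony or Sysinternals), the following PowerShell checks for the Aries driver before and after the steps above. It assumes the driver service is registered under the name $sys$aries, as stated above, and that the cloak hides any file whose name begins with $sys$, which is the behaviour Russinovich described.

```powershell
# Added example, not part of the original article: a read-only check for the
# Aries cloaking driver, usable before and after the "sc delete" step above.
# Assumptions: the service is registered as '$sys$aries' and the cloak hides
# any file whose name begins with "$sys$" (Russinovich's description).
# Single quotes stop PowerShell from reading "$sys" as a variable name.
$ServiceName = '$sys$aries'

function Test-AriesService {
    # The cloak hides files and registry keys from normal enumeration, but the
    # Service Control Manager still answers a direct query by name.
    $out = & sc.exe query $ServiceName 2>&1
    if ($LASTEXITCODE -eq 0) {
        Write-Host "[!] Service '$ServiceName' is registered:"
        $out | ForEach-Object { Write-Host "    $_" }
        return $true
    }
    Write-Host "[ ] Service '$ServiceName' not found (sc exit code $LASTEXITCODE)."
    return $false
}

function Test-SysCloak {
    # Create a harmless probe file with the "$sys$" prefix. With the cloak
    # loaded the file exists, yet a directory listing does not show it.
    $name  = '$sys$probe_' + [guid]::NewGuid().ToString('N') + '.txt'
    $probe = Join-Path $env:TEMP $name
    try {
        Set-Content -LiteralPath $probe -Value 'cloak probe' -ErrorAction Stop
    } catch {
        Write-Host "[?] Could not create probe file: $($_.Exception.Message)"
        return $false
    }
    $listed = Get-ChildItem -LiteralPath $env:TEMP -Force |
              Where-Object { $_.Name -eq $name }
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    if (-not $listed) {
        Write-Host "[!] Probe $name exists but is hidden from the listing: cloak active."
        return $true
    }
    Write-Host '[ ] Probe file visible: no $sys$ cloaking observed.'
    return $false
}

$svc   = Test-AriesService
$cloak = Test-SysCloak
if ($svc -or $cloak) {
    Write-Host 'Indicators present. Disable with: cmd /k sc delete $sys$aries, then reboot.'
} else {
    Write-Host 'No Aries rootkit indicators found.'
}
```

Run it once before the sc delete command and once after the reboot; the service check should flip from registered to not found, and the probe file should become visible again.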
My other recommended choice is a small file available from SOPHOS in the UK
that will also disable the rootkit. The tool is designed to detect and
disable the Sony DRM cloaking copy protection technology, as well as
detecting and disabling other Trojans that may have already found their way
into a system. The Trojans already taking advantage of Sony’s cloaked DRM
technology rootkit are known to SOPHOS as Troj/Stinx variants E and F. The
Sony rootkit is classified by SOPHOS as Troj/RKProc-Fam. This file is
available from the following link:
Look for a link on this page listed under Windows disinfector for
standalone Windows computers. The file you want is RKPRFGUI; open it and
run it. This file can also be saved to disk for running at a later time.
To disinfect multiple computers, you can
save the file to a floppy disk, write protect the disk, and then run it from
This is all I recommend doing for the time being. Hopefully in the near
future a stand-alone .exe file uninstaller will be made available from Sony
or Microsoft or both to deal with the whole issue properly and safely in
order to restore computers with this rootkit installed to proper operation.
Then your computer will become truly yours again.
If you wish to read Mark’s entire blog on the subject, complete with
updates, it is available at:
Look for the link to Mark’s blog on the left side of the main page.
Sony has indicated it has “temporarily” suspended use of the rootkit DRM
technology in production, and is recalling CD’s from vendors with the
software on them at this time. My main concern for the future is the word
“temporarily.” I am also left to wonder if and when the use of this form of
technology will resume, and by whom? I can’t believe Sony is the only one to
have thoughts along this line.
My final caution is to beware of ANY additional software included on ANY CD
from ANYBODY. If it were mine, I would refuse to install it on my system and
return the CD to the vendor for a refund. I strongly recommend you do the
5 Star Support Security Specialist
Update: Nov 21, 2005
In the above paper regarding
Sony’s root kit, I mentioned that Sony had made available a patch to
uninstall the DRM software, and that I recommended you not use it because it
not only does not remove the software, it installs an ActiveX control as
well. I have learned that the Sony patch was written by First 4 Internet,
the same company that wrote the DRM software and root kit to begin with. You
will also recall I stated their software was crude from a code standpoint.
Here the story continues and contains yet another reason not to install the
Sony patch on your computer.
In a recent alert from SANS regarding vulnerabilities, The Consensus
Vulnerability Alert Vol. 4 No. 46 dated 11/18/05, item 05.46.14 discusses a
new vulnerability discovered by researchers at SANS and Qualys. The
vulnerability is titled First 4 Internet CodeSupport Uninstallation ActiveX
Software Remote Code Execution. In this alert, the report states the
uninstallation software is an ActiveX control called CodeSupport, and that
it is susceptible to a remote code execution vulnerability due to a failure
of the application to properly verify the source and validity of executable
code prior to executing it.
This means, my friends, that installation of Sony’s patch only installs yet
another vulnerability in your computer. An ActiveX control is used to run or
execute code in your system. The one written by First 4 Internet as a patch
for Sony does not check the signatures of the code for either the source or
its validity. No digital signature of any kind is required. This means it
will run whatever it is sent, by whoever sends it. All that has to be done
is access the ActiveX control, and it will run whatever you give it. This is
a very serious security issue, and represents a vulnerability at least as big
as the original root kit. A cracker could write vulnerability code of any
kind, set it up to run in the background, tell it to look for the correct
ActiveX control, and the rest happens automatically. All made possible by
the root kit patch programmed with the same sort of crude and sloppy code as
the original software. All you would need to do is be on the Internet at the
wrong time and you lose again. Please, do not install this patch.
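For readers who already installed the patch, here is an added example (my own script, not from SANS, Qualys, Sony or First 4 Internet) that looks for the CodeSupport control’s COM registration and sets the Internet Explorer kill bit on its CLSID, so a web page can no longer instantiate it. It assumes the control registers an InprocServer32 DLL whose path contains the string “CodeSupport”; the CLSID is not hard-coded because the alert above does not give it, and the script discovers it at run time.

```powershell
# Added example, not from the article or the SANS alert: find any registered
# COM/ActiveX server whose DLL path mentions "CodeSupport" and kill-bit it.
# Assumption: the control's InprocServer32 path contains "CodeSupport"; the
# CLSID is discovered, not hard-coded. Run from an elevated PowerShell session.
# (A 64-bit host would also need the WOW6432Node\CLSID subtree.)
function Find-CodeSupportClsid {
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $srv = Get-ItemProperty -LiteralPath "$($_.PSPath)\InprocServer32" `
                 -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'CodeSupport') {
            [pscustomobject]@{ Clsid = $_.PSChildName; Dll = $srv.'(default)' }
        }
      }
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    # The kill bit is Compatibility Flags = 0x400 under this per-CLSID key;
    # Internet Explorer refuses to load a control whose CLSID carries it.
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value 0x400 -Force | Out-Null
    Write-Host "Kill bit set for $Clsid"
}

$found = @(Find-CodeSupportClsid)
if ($found.Count -eq 0) {
    Write-Host 'No CodeSupport ActiveX registration found.'
} else {
    foreach ($hit in $found) {
        Write-Host "Found $($hit.Clsid) -> $($hit.Dll)"
        Set-ActiveXKillBit -Clsid $hit.Clsid
    }
}
```

The kill bit only blocks browser-hosted use of the control; it does not remove the DLL, so the uninstaller’s own cleanup still needs to be handled separately.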
When a totally acceptable, stand-alone uninstaller is made available for
this whole mess, I will let you know by means of a future update. Until that
time comes, please use either the command line code from
Mark Russinovich, or the
file to disable the root kit.