[2-4-10] What's the Sony BMG rootkit (First 4 Internet XCP)?


A "rootkit" is software that alters the way your system works, typically
to hide its own presence from you and from security tools, and usually
for malicious purposes. Sony BMG included one with some audio CDs
released in late 2005.

The software in question is "XCP Content Management" from First 4 Internet
Ltd (http://www.first4internet.com/). It uses a combined audio CD and
CD-ROM format. When placed in a CD-ROM drive on a Windows system, it
uses the autorun feature to install itself. XCP includes anti-piracy
technology that acts to prevent you from copying it, and cloaking
technology to prevent you from seeing it. If you manage to find it, and
try to remove it, it disables your CD-ROM drive.

(As with other technologies of this type, disabling autorun or holding
down the shift key while loading a CD will prevent the copy protection
from loading. Because this protection is difficult to remove, you must
be very careful when handling Sony music CDs on your computer.)
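As an added example (not part of the original FAQ, and not Sony's or First 4 Internet's code), the following PowerShell script applies the mitigation just described by policy rather than by remembering to hold shift: it sets the NoDriveTypeAutoRun registry value to 0xFF, which tells Windows to ignore autorun.inf on every drive type, so a disc cannot launch an installer on insertion. It assumes a Windows machine with PowerShell and administrator rights for the machine-wide (HKLM) key; the HKCU key covers the current user only.

```powershell
# Added example: disable Windows AutoRun for all drive types via policy.
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is
# suppressed; 0xFF covers every type, including CD-ROM. Assumes Windows
# with PowerShell and administrator rights for the HKLM key.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($key in $keys) {
    # The Policies\Explorer key is not present on a default install; create it.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

# Read the value back and report any key where the policy did not stick.
foreach ($key in $keys) {
    $v = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    if ($v -eq 0xFF) {
        Write-Output ("{0} : AutoRun disabled for all drive types (0x{1:X2})" -f $key, $v)
    } else {
        Write-Output ("{0} : NoDriveTypeAutoRun is 0x{1:X2}, expected 0xFF" -f $key, $v)
    }
}
```

The setting is read by Explorer at logon, so log off and back on (or restart) before relying on it. Note that this only stops the disc from auto-launching its installer; it does nothing for a system on which XCP is already present.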

This produced a tremendous backlash against Sony BMG. Besides the usual
objections to this sort of thing -- installing software that prevents your
system from functioning normally -- the rootkit could be used by other bits
of adware/spyware to conceal themselves. (It was used by enterprising
game cheats to circumvent World of Warcraft's elaborate anti-cheating
system, and a couple of viruses were using it to conceal themselves.)

After news of XCP became widely known, Sony BMG began offering a software
download on its site that would identify affected systems by removing
the cloaking, but wouldn't remove the rootkit entirely. You could get
the patch by filling out a marketing survey that -- according to Sony's
privacy policy -- could lead to having your e-mail address added to their
mailing lists.

Sony BMG eventually made an uninstaller available, but only if you
made some educated guesses on their web site and jumped through some
ridiculous hoops:

It turned out the web-based uninstaller created security vulnerabilities,
causing yet more problems. Some notes here:

There is some network activity associated with the rootkit. It appears to
be connecting to a Sony web site to look for updated content. There is
some speculation that this could be used for tracking purposes, though
Sony denies that they are doing so.

A class-action lawsuit was filed on behalf of residents of the state
of California (USA) in November 2005, and similar actions were planned

Use of the technology was suspended in November 2005 in response to
public pressure. Later that month, after the various security problems
became prominent, Sony BMG elected to recall all XCP-protected CDs.

News articles:

- http://sfgate.com/cgi-bin/article.cgi?file=/news/archive/2005/11/02/financial/f160614S41.DTL
- http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/11/11/MNGFMFMNV61.DTL&type=tech
- http://www.eff.org/deeplinks/archives/004117.php
- http://blogs.washingtonpost.com/securityfix/2005/11/the_bush_admini.html
- http://today.reuters.co.uk/news/newsArticle.aspx?type=technologyNews&storyID=2005-11-11T183106Z_01_MOL166114_RTRIDST_0_TECH-SONY-COPYPROTECTION-DC.XML&archived=False

Nice summary of the whole debacle:

- http://www.businessweek.com/technology/content/nov2005/tc20051129_938966.htm

List of affected CDs:

- http://cp.sonybmg.com/xcp/english/titles.html
- http://www.eff.org/deeplinks/archives/004144.php

Technical info:

- http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html
- http://www.f-secure.com/v-descs/xcp_drm.shtml


