# WARNING: Sony music CDs may install rootkits on Mac



## symphonix (Nov 10, 2005)

There has been a bit of discussion lately about Sony installing rootkit technology on Windows PCs from a number of their recently released discs. The rootkit is to enforce copy-protection, and monitor the usage of these discs. It installs along with the enhanced features on a CD, and an End User Licence Agreement (EULA) appears on trying to access the extra features on the CD, such as videos. This EULA encourages the user to agree to outrageous terms, including allowing Sony staff unannounced remote access to the user's computer to audit files, etc.

Now, it appears that Sony are doing much the same thing for Macs.



			
BoingBoing.net said:

> Digging into the "enhanced" content on the disk, he found a Start.app that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext.



Until we know a little more about what these rootkits are and how they affect your privacy, security and rights as a consumer, I would advise all Mac and Windows users to avoid using any Sony music CDs in your computer.

*Sources:*
http://www.macintouch.com/#tip.2005.11.10.sony
http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html
http://www.eff.org/deeplinks/archives/004144.php

*Affected CDs (Recent list from EFF.org):*
Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)


----------



## symphonix (Nov 10, 2005)

Looks like Windows users are already seeing their first virus/trojan that uses Sony's rootkit to attack and conceal itself within the system. 

http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/

Update: F-Secure are reporting they've already discovered a second variant of the virus. http://www.f-secure.com/weblog/


----------



## Mikuro (Nov 10, 2005)

I, for one, will never again buy anything from Sony Music. Period.


----------



## symphonix (Nov 10, 2005)

Sony's End-User License Agreement said:

> As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the SOFTWARE) onto YOUR COMPUTER.  The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT.  Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted.  However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.



Mind you, this is as good as not telling people at all. I remember a shareware app a couple of years ago that included the text "By clicking agree, you acknowledge that you have accepted Satan as your lord and god, denying all others." about ten pages down. It was about six months after the product was released before anyone even noticed it.

If you're interested, the EULA is here: http://www.sysinternals.com/blog/sony-eula.htm

Well done Sony. Another brilliant way to punish legitimate customers while doing absolutely nothing to stop piracy. From the people who brought you DVD region codes, haha. The only people who ever get hurt by these things are people who go out and buy the product legitimately. 

And yes, Sony has lost another customer here, in case you haven't already guessed. And I was thinking of buying a PSP ... well, not anymore.


----------



## Captain Code (Nov 10, 2005)

At least this one you could remove pretty easily unlike the Windows one.  Still that's outrageous that they'd do this.


----------



## fryke (Nov 10, 2005)

Maybe Sony wants to promote piracy.


----------



## HateEternal (Nov 10, 2005)

Mikuro said:

> I, for one, will never again buy anything from Sony Music. Period.



I don't think I'd buy anything from Sony; they are way too restrictive. While you could say the same about Apple, Sony is much worse.

Check out some of the rumors about PS3 games
http://arstechnica.com/journals/thumbs.ars/2005/11/9/1779

All this DRM crap is just going to push people towards piracy. I have heard so many people say that they aren't going to buy Sony CDs any more. Sony has lost money because of their scheme to stop piracy. I wouldn't doubt that after something like this their sales with the DRM software will actually be lower than if they had never done something to stop piracy. They are driving people who would actually buy their CDs to stop buying them. Freakin idiots!


----------



## Perseus (Nov 10, 2005)

Yeah, if human behavior is the way I think it is, people will get angry and just pirate even more. I do not own anything Sony, although their entertainment robots look fun...


----------



## symphonix (Nov 10, 2005)

> At least this one you could remove pretty easily unlike the Windows one. Still that's outrageous that they'd do this.



Really? It installs two kernel extensions. Have you ever uninstalled a kernel extension in Mac OS X? I know I haven't, and I'd be very surprised if anyone else here has. These kernel extensions could do anything from preventing iTunes ripping the CD, to reporting your listening habits to Sony.

It looks like there is a class action lawsuit underway in California, citing Sony as being in breach of the anti-spyware act.

Sony have released an uninstaller for Windows users and issued a press statement to that effect. They have gone out of their way to make the uninstall invasive (you need to advise them of your name and email, as well as what CD you purchased), complex (it requires two email transactions, a confidentiality agreement, another EULA, and runs in an ActiveX control under Internet Explorer only) and hard to discover (it is not listed on their copy-protection FAQ pages, for instance).


----------



## Mikuro (Nov 10, 2005)

symphonix said:

> Really? It installs two kernel extensions. Have you ever uninstalled a kernel extension in Mac OS X? I know I haven't, and I'd be very surprised if anyone else here has.


I have. Just delete it from the /System/Library/Extensions folder and reboot. You'll probably need to use 'sudo rm' or 'sudo mv' to delete/move it. You can't do it if you don't have an admin password, though.


----------
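The check-and-remove step from the post above, as an added shell example that is not part of the original thread: it looks in an Extensions directory for the two kernel extensions named in the BoingBoing quote and moves them aside rather than deleting them. The quarantine directory and the sample directory layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread.
# The two bundle names are the ones quoted from BoingBoing earlier on this page.
KEXT_NAMES="PhoenixNub1.kext PhoenixNub12.kext"

# Print the path of each named bundle present in the given Extensions directory.
find_named_kexts() {
    ext_dir=$1
    for name in $KEXT_NAMES; do
        if [ -d "$ext_dir/$name" ]; then
            printf '%s\n' "$ext_dir/$name"
        fi
    done
}

# Move each named bundle into a quarantine directory (an assumed location)
# instead of deleting it, so it stays available for inspection.
# Returns 0 if at least one bundle was moved, 1 if none was found.
# On a real system this needs root (the 'sudo mv' from the post), and a
# reboot is still required to unload an extension that is already loaded.
quarantine_named_kexts() {
    ext_dir=$1
    quarantine_dir=$2
    moved=1
    mkdir -p "$quarantine_dir" || return 2
    for name in $KEXT_NAMES; do
        [ -d "$ext_dir/$name" ] || continue
        mv "$ext_dir/$name" "$quarantine_dir/$name" && moved=0
    done
    return $moved
}

# Build a constructed sample layout for trying the functions offline:
# the two named bundles plus one unrelated bundle that must be left alone.
make_sample_extensions() {
    sample_dir=$1
    for name in $KEXT_NAMES Benign.kext; do
        mkdir -p "$sample_dir/$name/Contents"
    done
}

# Stand-alone use: pass the Extensions directory to list any matches, e.g.
#   sh check_kexts.sh /System/Library/Extensions
if [ "$#" -ge 1 ]; then
    find_named_kexts "$1"
fi
```
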



## ElDiabloConCaca (Nov 10, 2005)

It is ridiculous.  If a plumber left a beacon behind your toilet that reported usage habits, you'd be pretty damn pissed (no pun intended).

I don't want anybody leaving anything that wasn't already here behind, no matter what product or service I already paid them for.  That goes for my bits and bytes as well.

Sony's inclusion of the notice buried in the EULA is on par with the plumber whispering the phrase, "I'm gonna leave this beacon here..." inaudibly drowned out by his bad Tejano music blaring on his dirty, 1978-style boom box.  It's as good as not telling the customer at all.

Most software forces you to click past several prominent notice screens which reinforce the fact that the company that wrote the software doesn't want you pirating it, not to mention the requirement of having to enter cryptic, long serial numbers with both Os and 0s in them, forcing mistakes so the process is delayed and you can stare at the "The makers of this software don't trust you, so please, verify (once again) that you have paid your dues" screen a little longer.  Why should the fact that they're altering the bits and bytes of my computer be any less important?  They don't want me messing with their bits, and I sure as hell don't want them messing with mine.  Would an option to bypass the installation of the spyware be too much to ask for, just like the ability to opt out of a program installation like PhotoShop because it's not a legitimate copy?

Nothing Sony installs on my computer automatically via an audio CD is considered to be a legitimate copy on my machine.  As far as I'm concerned, it's illegal, illegitimate and pirated software they're trying to install on my computer, because I had no chance to authorize the installation.  If I were huge like them and they were small like me, they'd go to jail.

Besides, the software is automatically installed (at least on Windows machines), and the main product is not something which requires the transfer of data from the optical disk to the hard drive to use (like PhotoShop, or any other application that requires an "installation" before use).  It's a damn music CD -- I pop it in, listen to it, then eject it.  Don't put non-audio-CD-related bits where they don't belong.

Releasing an uninstaller is crap.  That's forcing people to work around your underhanded spit.  Instead, how about don't do it again -- that would truly right the wrong.

$&!# you, Sony.  Bad move, man, bad move.


----------



## Perseus (Nov 10, 2005)

This is all terribly wrong. I look forward to the outcome of all of this...

This was probably mentioned before, but didn't Photoshop come up with some little file that would send data back to Adobe if a serial number was being used twice? I heard of this.


----------



## ElDiabloConCaca (Nov 11, 2005)

No, PhotoShop never sent any data about serial numbers back to Adobe.

PhotoShop (as well as other programs, like Microsoft Office and QuarkXPress) did do local network checking, where they would check the local network for other machines running copies of the program using the same serial number, and if another copy was running with the same serial number, subsequent copies would refuse to launch.

PhotoShop never "phoned home" with information about serial number usage, though.


----------



## Rhisiart (Nov 11, 2005)

Someone on a previous post recommended using Little Snitch (http://www.obdev.at/products/littlesnitch/). It records how many software programmes ring home from your computer and how frequently. 

I tried it for a while and was astonished at the sheer volume of information being sent from my computer. In the end I stopped using it because it got in the way of Skype.


----------



## nixgeek (Nov 11, 2005)

Seems like Sony finally came to its senses....read here:

http://it.slashdot.org/article.pl?sid=05/11/11/1927225&tid=172&tid=158&tid=233

However, I think the damage has been done.


----------



## lbj (Nov 11, 2005)

nixgeek said:

> However, I think the damage has been done.




So true. Just heard a presentation on the local news that Sony CDs can allow viruses on your computer.  To the average PC user, already beleaguered with adware, spyware, and viruses, this news will surely give Sony a black eye.

And rightfully so.


----------



## Mikuro (Nov 11, 2005)

rhisiart said:

> Someone on a previous post recommended using Little Snitch (http://www.obdev.at/products/littlesnitch/). It records how many software programmes ring home from your computer and how frequently.
> 
> I tried it for a while and was astonished at the sheer volume of information being sent from my computer. In the end I stopped using it because it got in the way of Skype.


Keep in mind that 90+% of those are perfectly innocent. Tons of apps these days automatically check for newer versions at startup (and some have no option to turn this auto-check off). It doesn't mean they're "phoning home". It still bugs me, to be sure (I love my Little Snitch as much as the next paranoid), but you shouldn't jump to conclusions just because an app tries to establish an internet connection.

There are a handful of apps that will send back personal registration data (iDefrag, for example), but these are few and far between.


----------



## symphonix (Nov 13, 2005)

Just a couple of important updates to this story, both from BoingBoing.

The first states that Sony illegally used software copied from an open-source (LGPL) project to make the rootkit. So, in their efforts to prevent people copying their intellectual property, they're more than happy to rip off other people's work. Story at: http://www.boingboing.net/2005/11/13/sonys_rootkit_infrin.html

The next is that the uninstaller for Windows users actually opens up a couple of vulnerabilities on the system that could be exploited by viruses. So, if you do decide to jump through all those hoops and opt-out, using the uninstaller might do more damage than leaving the rootkit in. http://www.boingboing.net/2005/11/13/sonys_malware_uninst.html



> The ActiveX component that is required for the uninstallation of Sony's DRM system is scriptable by everyone, and allows at least rebooting the system in a trivial fashion (see demo on the site) with a few lines of html and javascript...


----------



## Porce (Nov 14, 2005)

Good to see Sony working hard to promote piracy.

As a side note, if you own one of these CDs and don't want to put it into your computer... all you need is QuickTime Pro, an audio-to-audio cable, and a CD player with a headphone jack.


----------



## rcarring (Nov 14, 2005)

I wonder if holding down the SHIFT key when putting the CD in the PC would make a difference? I had a problem with the last Radiohead release and stopping the autorun feature prevented the CD from installing some copy protection program. I like to know what I am installing rather than have that decision taken away.


----------



## texanpenguin (Nov 14, 2005)

I don't normally care one way or the other about this sort of thing: nine times out of ten a copy-protected disc runs just fine in iTunes on Mac (unless the copy protection makes the disc unusual [a few years ago there was one which had to be circumvented with a permanent marker]).

But this is ridiculous, and I just need to rant. Sony has been whining for years about the problems they're experiencing financially. Their solution is to lock the paying customers out of the full use of their disc in a way that opens them up to attack from viruses and Trojans (technically it IS a Trojan itself). This solution costs a whole bunch of money, too, mind you. They've had to employ a DRM manufacturer to make this technology. Then, as if paying for the DRM support for PCs wasn't enough, they also commissioned the Kernel Extensions to OS X! THESE EXTENSIONS AREN'T INSTALLED UNTIL YOU RUN THE INSTALLER. What a waste of money.

If they want to stop file-sharing, make CDs cheaper, and better. If people can get good music for a reasonable price, they'll gladly pay for it: look at iTMS. And that's DRMed! If they sold CDs in stores for half the price they currently do, they'd sell a heck of a lot more units (but they're kidding themselves if they think people will stop pirating). Often it's a case of not being able to FIND the music you want, either because of cultural or proximity divisions, but the more people leave the file sharing networks, the less people are there sharing music, and therefore the less music there is there to share. When there ends up being like one person sharing the latest such-and-such album at 128kbps VBR MP3, who wants to sit there downloading 20 songs, if they can spend five minutes and get a full-quality CD version for a pittance?


----------



## Quicksilver (Nov 14, 2005)

Sony BMG Australia says locally produced CDs which it distributes do not carry copy protection software that was found to contain malicious code.



----------



## sirstaunch (Nov 15, 2005)

Someone has a big job anyhow

Sony Numbers Add to Trouble


----------



## symphonix (Nov 15, 2005)

According to Slashdot's roundup today, Sony has recalled all its XCP music CDs from stores. A spyware removal company is reporting that the rootkit has infected at least 500,000 Windows computers. And Microsoft have classified it as spyware and are including it in their anti-spyware definitions.

Let's hope Sony learns a lesson from this, and doesn't try it again.

However, they have also just filed for a patent for a new copy protection system (apparently for the PlayStation 3) which will lock each game to a specific console, making it impossible for users to rent out games, play games on a friend's console, trade used games or replace your console if it fails or is stolen (without losing all your games, that is).

I think we'll have to wait and see if Sony are foolish enough to do this.

*EDIT:*  Sony has denied that this patent is to be used to allow PS3 games to be locked to a particular console. Source: http://www.playfuls.com/news_3827.html


----------



## texanpenguin (Nov 16, 2005)

Why? Why does Sony think this is a worthwhile expense to incur? Was the Playstation 2 not profitable enough? How does Sony expect that treating its customers like criminals will regain them the market share Microsoft has been taking from them recently?


----------



## ElDiabloConCaca (Nov 16, 2005)

http://news.yahoo.com/fc/tech/computer_security

It's all done.  They're yanking the offending CDs from shelves, not producing those kinds of CDs anymore, and are offering to replace purchased "bad" CDs with "good" ones.


----------



## Satcomer (Nov 17, 2005)

Well, to me it looks like Sony came out of this with egg on their face. Something that I only saw once (on the net) is creeping into my head: if Sony music has done this, what about the new Blu-Ray technology? The promised other side of optical media is not looking so good now. Food for thought.


----------



## ElDiabloConCaca (Nov 17, 2005)

Hmmm... I don't see the connection between Sony-BMG's rootkit and the new Blu-Ray technology... I'm not following...


----------



## Mikuro (Nov 17, 2005)

Apparently someone (I forget who) is trying to get certain DRM mechanisms built into the Blu-Ray standard. However, I think these particular mechanisms are exactly the same ones used in the competing HD-DVD standard. So I'm still pulling for Blu-Ray here.

Correct me if my understanding is outdated.


----------



## ElDiabloConCaca (Nov 17, 2005)

I can understand that -- I highly doubt that Blu-Ray would implement the same kind of auto-installing rootkit that these audio CDs used, though.  Since the Blu-Ray spec isn't finalized (or is it?), I would assume that the DRM would eventually be something along the lines of data encryption (like Macrovision on steroids) rather than the disk containing unencrypted data along with an auto-installing rootkit (like with Sony's Audio CDs).


----------



## gerbick (Nov 17, 2005)

IIRC, it's Sun that's behind the Blu-Ray DRM.  I think the connection that's being attempted to be made is that if Sony Music/BMG will do this to their music CD customers, then they'd do it with the Blu-Ray disks.

Personally... I totally disagree with that assumption.


----------

