WARNING: Sony music CDs may install rootkits on Mac

symphonix

Scratch & Sniff Committee
There has been a bit of discussion lately about Sony installing rootkit technology on Windows PCs from a number of their recently released discs. The rootkit is to enforce copy-protection, and monitor the usage of these discs. It installs along with the enhanced features on a CD, and an End User Licence Agreement (EULA) appears on trying to access the extra features on the CD, such as videos. This EULA encourages the user to agree to outrageous terms, including allowing Sony staff unannounced remote access to the user's computer to audit files, etc.

Now, it appears that Sony are doing much the same thing for Macs.

BoingBoing.net said:
Digging into the "enhanced" content on the disk, he found a Start.app that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext.

Until we know a little more about what these rootkits are and how they affect your privacy, security and rights as a consumer, I would advise all Mac and Windows users to avoid using any Sony music CDs in your computer.

Sources:
http://www.macintouch.com/#tip.2005.11.10.sony
http://www.boingboing.net/2005/11/10/sony_music_cds_infec.html
http://www.eff.org/deeplinks/archives/004144.php

Affected CDs (Recent list from EFF.org):
Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)
 
Sony's End-User License Agreement said:
As soon as you have agreed to be bound by the terms and conditions of the EULA, this CD will automatically install a small proprietary software program (the “SOFTWARE”) onto YOUR COMPUTER. The SOFTWARE is intended to protect the audio files embodied on the CD, and it may also facilitate your use of the DIGITAL CONTENT. Once installed, the SOFTWARE will reside on YOUR COMPUTER until removed or deleted. However, the SOFTWARE will not be used at any time to collect any personal information from you, whether stored on YOUR COMPUTER or otherwise.

Mind you, this is as good as not telling people at all. I remember a shareware app a couple of years ago that included the text "By clicking agree, you acknowledge that you have accepted Satan as your lord and god, denying all others." about ten pages down. It was about six months after the product was released before anyone even noticed it.

If you're interested, the EULA is here: http://www.sysinternals.com/blog/sony-eula.htm

Well done Sony. Another brilliant way to punish legitimate customers while doing absolutely nothing to stop piracy. From the people who brought you DVD region codes, haha. The only people who ever get hurt by these things are people who go out and buy the product legitimately.

And yes, Sony has lost another customer here, in case you haven't already guessed. And I was thinking of buying a PSP ... well, not anymore.
 
At least this one you could remove pretty easily unlike the Windows one. Still that's outrageous that they'd do this.
 
Mikuro said:
I, for one, will never again buy anything from Sony Music. Period.

I don't think I'd buy anything from Sony, they are way too restrictive, while you could say the same about Apple, Sony is much worse.

Check out some of the rumors about PS3 games
http://arstechnica.com/journals/thumbs.ars/2005/11/9/1779

All this DRM crap is just going to push people towards piracy. I have heard so many people say that they aren't going to buy Sony CDs any more. Sony has lost money because of their scheme to stop piracy. I wouldn't doubt that after something like this their sales with the DRM software will actually be lower than if they had never done something to stop piracy. They are driving people who would actually buy their CDs to stop buying them. Freakin idiots!
 
Yeah, if human behavior is the way I think it is, people will get angry and just pirate even more. I do not own anything Sony, although their entertainment robots look fun...
 
At least this one you could remove pretty easily unlike the Windows one. Still that's outrageous that they'd do this.

Really? It installs two kernel extensions. Have you ever uninstalled a kernel extension in Mac OS X? I know I haven't, and I'd be very surprised if anyone else here has. These kernel extensions could do anything from preventing iTunes ripping the CD, to reporting your listening habits to Sony.

It looks like there is a class action lawsuit underway in California, citing Sony as being in breach of the anti-spyware act.

Sony have released an uninstaller for Windows users and issued a press statement to that effect. They have gone out of their way to make the uninstall invasive (you need to advise them of your name and email, as well as what CD you purchased), complex (it requires two email transactions, a confidentiality agreement, another EULA, and runs in an ActiveX control under Internet Explorer only) and hard to discover (it is not listed on their copy-protection FAQ pages, for instance).
 
symphonix said:
Really? It installs two kernel extensions. Have you ever uninstalled a kernel extension in Mac OS X? I know I haven't, and I'd be very surprised if anyone else here has.
I have. Just delete it from the /System/Library/Extensions folder and reboot. You'll probably need to use 'sudo rm' or 'sudo mv' to delete/move it. You can't do it if you don't have an admin password, though.
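
The removal steps in the post above, as an added example that is not part of the original thread: it looks for the two kernel extensions named in the BoingBoing quote and moves them to a quarantine directory instead of deleting them, so they can be inspected or restored. The function names and the quarantine path are hypothetical; on a real system the script would be run with sudo, followed by a reboot.

```shell
#!/bin/sh
# Added example (not code from the thread, Sony or Apple).
# Kext names and /System/Library/Extensions come from the posts above;
# function names and the quarantine location are assumptions.

SONY_KEXTS="PhoenixNub1.kext PhoenixNub12.kext"

# Print the full path of each named kext bundle present in directory $1.
find_sony_kexts() {
    ext_dir=$1
    for name in $SONY_KEXTS; do
        # A kext is a bundle, i.e. a directory whose name ends in .kext
        if [ -d "$ext_dir/$name" ]; then
            printf '%s\n' "$ext_dir/$name"
        fi
    done
}

# Move each named kext from $1 into quarantine directory $2 (mv, not rm).
# Prints how many bundles were moved; fails rather than overwrite.
quarantine_sony_kexts() {
    ext_dir=$1
    q_dir=$2
    moved=0
    mkdir -p "$q_dir" || return 1
    for name in $SONY_KEXTS; do
        [ -d "$ext_dir/$name" ] || continue
        if [ -e "$q_dir/$name" ]; then
            echo "refusing to overwrite $q_dir/$name" >&2
            return 1
        fi
        mv "$ext_dir/$name" "$q_dir/$name" || return 1
        moved=$((moved + 1))
    done
    printf '%s\n' "$moved"
}

# Example invocation (hypothetical script name and quarantine path):
#   sudo sh quarantine-kexts.sh /System/Library/Extensions /var/root/kext-quarantine
# A loaded extension stays in the kernel until the reboot the post mentions.
if [ "$#" -eq 2 ]; then
    find_sony_kexts "$1"
    quarantine_sony_kexts "$1" "$2"
fi
```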
 
It is ridiculous. If a plumber left a beacon behind your toilet that reported usage habits, you'd be pretty damn pissed (no pun intended).

I don't want anybody leaving anything that wasn't already here behind, no matter what product or service I already paid them for. That goes for my bits and bytes as well.

Sony's inclusion of the notice buried in the EULA is on par with the plumber whispering the phrase, "I'm gonna leave this beacon here..." inaudibly drowned out by his bad Tejano music blaring on his dirty, 1978-style boom box. It's as good as not telling the customer at all.

Most software forces you to click past several prominent notice screens which reinforce the fact that the company that wrote the software doesn't want you pirating it, not to mention the requirement of having to enter cryptic, long serial numbers with both Os and 0s in them, forcing mistakes so the process is delayed and you can stare at the "The makers of this software don't trust you, so please, verify (once again) that you have paid your dues" screen a little longer. Why should the fact that they're altering the bits and bytes of my computer be any less important? They don't want me messing with their bits, and I sure as hell don't want them messing with mine. Would an option to bypass the installation of the spyware be too much to ask for, just like the ability to opt out of a program installation like PhotoShop because it's not a legitimate copy?

Nothing Sony installs on my computer automatically via an audio CD is considered to be a legitimate copy on my machine. As far as I'm concerned, it's illegal, illegitimate and pirated software they're trying to install on my computer, because I had no chance to authorize the installation. If I were huge like them and they were small like me, they'd go to jail.

Besides, the software is automatically installed (at least on Windows machines), and the main product is not something which requires the transfer of data from the optical disk to the hard drive to use (like PhotoShop, or any other application that requires an "installation" before use). It's a damn music CD -- I pop it in, listen to it, then eject it. Don't put non-audio-CD-related bits where they don't belong.

Releasing an uninstaller is crap. That's forcing people to work around your underhanded spit. Instead, how about don't do it again -- that would truly right the wrong.

$&!# you, Sony. Bad move, man, bad move.
 
This is all terribly wrong. I look forward to the outcome of all of this...

This was probably mentioned before, but didn't Photoshop come up with some little file that would send data back to Adobe if a serial number was being used twice? I heard of this.
 
No, PhotoShop never sent any data about serial numbers back to Adobe.

PhotoShop (as well as other programs, like Microsoft Office and QuarkXPress) did do local network checking, where they would check the local network for other machines running copies of the program using the same serial number, and if another copy was running with the same serial number, subsequent copies would refuse to launch.

PhotoShop never "phoned home" with information about serial number usage, though.
 
Someone on a previous post recommended using Little Snitch (http://www.obdev.at/products/littlesnitch/). It records how many software programmes ring home from your computer and how frequently.

I tried it for a while and was astonished at the sheer volume of information being sent from my computer. In the end I stopped using it because it got in the way of Skype.
 
nixgeek said:
However, I think the damage has been done.


So true. Just heard a presentation on the local news that Sony CDs can allow viruses on your computer. To the average PC user, already beleaguered with adware, spy-ware, and viruses, this news will surely give Sony a black-eye.

And rightfully so.
 
rhisiart said:
Someone on a previous post recommended using Little Snitch (http://www.obdev.at/products/littlesnitch/). It records how many software programmes ring home from your computer and how frequently.

I tried it for a while and was astonished at the sheer volume of information being sent from my computer. In the end I stopped using it because it got in the way of Skype.
Keep in mind that 90+% of those are perfectly innocent. Tons of apps these days automatically check for newer versions at startup (and some have no option to turn this auto-check off). It doesn't mean they're "phoning home". It still bugs me, to be sure (I love my Little Snitch as much as the next paranoid), but you shouldn't jump to conclusions just because an app tries to establish an internet connection.

There are a handful of apps that will send back personal registration data (iDefrag, for example), but these are few and far between.
 
Just a couple of important updates to this story, both from BoingBoing.

The first states that Sony illegally used software copied from an open-source (LGPL) project to make the rootkit. So, in their efforts to prevent people copying their intellectual property, they're more than happy to rip off other people's work. Story at: http://www.boingboing.net/2005/11/13/sonys_rootkit_infrin.html

The next is that the uninstaller for Windows users actually opens up a couple of vulnerabilities on the system that could be exploited by viruses. So, if you do decide to jump through all those hoops and opt-out, using the uninstaller might do more damage than leaving the rootkit in. http://www.boingboing.net/2005/11/13/sonys_malware_uninst.html

The ActiveX component that is required for the uninstallation of Sony's DRM system is scriptable by everyone, and allows at least rebooting the system in a trivial fashion (see demo on the site) with a few lines of html and javascript...
 
Good to see Sony working hard to promote piracy.

As a side note, if you own one of these CDs and don't want to put it into your computer... all you need is QuickTime Pro, an audio-to-audio cable, and a CD player with a headphone jack. :p
 
I wonder if holding down the SHIFT key when putting the cd in the PC would make a difference? I had a problem with the last Radiohead release and stopping the autorun feature prevented the CD from installing some copy protection program. I like to know what I am installing rather than have that decision taken away.
 