This is an extract from a CNET Newsletter.

Quote :
"It was a grand experiment that failed miserably: As a means of copy-protecting its music, Sony employed a piece of software from First4Internet. But the technology, as used by Sony, did two bad things: First, it hid itself on computers by using root-kit technology; and second, it opened a remote access connection that called out to Sony (or one of its agencies). This exposed users' computers to worms that took advantage of the stealth technology.

Sony has agreed not to put root-kit technology on future music CDs as a means of protecting its copyrights. But this story is far from over. There are at least two lawsuits pending. There are also viruses poised to take advantage of already-infected PCs worldwide, the number of which may be much higher than anyone previously thought. Worse, Sony's fix for the problem may not be any more secure than the original root kit.

In case you missed it
Here's how users get stuck with the Sony root kit: When they first inserted certain CD titles from Sony BMG onto a desktop or laptop PC, a brief End User License Agreement flashed on the screen before they could listen to the music. Most people just agreed to the EULA so that they could get to the music. But by agreeing, they also consented to having additional software installed on their computer. That software, produced by First4Internet, hid itself and opened the remote connections.

By definition, that's a root kit. The problem with root kits is that they are well known to criminal hackers (crackers), and they are all but invisible to most off-the-shelf antivirus apps available today. The infected Sony CDs have been out in the world since last spring, but researchers such as Mark Russinovich at SysInternals and more recently, antivirus vendor F-Secure began wondering whether virus writers would soon exploit this in some fashion.

Exploited
They did. Word of the Sony root kit surfaced in the first week of November, and starting on November 10, several viruses began to appear. Breplibot.c is one of several that attempted to go undercover using the Sony root kit. While a serious threat nonetheless, coding errors (perhaps because the criminal hackers worked in great haste) prevented the malicious part of the code from activating.

There is now hard data available
Now that Sony has agreed to stop producing CDs with a stealthlike DRM software embedded, one would think the threat would go away. It won't. Security Researcher Dan Kaminsky, a frequent speaker at Black Hat, has done some fascinating research into Domain Name Service servers and the related security threats potential to them. Recently, Kaminsky posted what the Sony root kit might mean in terms of sheer numbers of people infected. The data isn't good from a security standpoint.

Kaminsky started with a very basic premise: Sony has a root kit; all root kits phone home; phoning home requires a DNS query; DNS queries are cached. From this simple theory, Kaminsky was able to query roughly 3 million Domain Name Service servers to find traces or signatures of Sony root kits calling from their desktop and laptop PC clients back home to Sony (or some other agency) host servers. He didn't find a few thousand, nor a hundred thousand. Kaminsky found roughly 568,200 DNS servers that have signatures of the Sony root kit calling home. He states that from this figure, he can't conclusively determine how many hosts that translates into--only Sony and First4Internet know that number.

"0wned" by Sony
Kaminisky has translated his data into a satellite image of Earth; here's a graphic of Sony-owned North American PCs.
http://dw.com.com/redir?oid=4520-3513_7-6388181-1&ontid=3513&siteid=7&edid=3&lop=txt&destcat=&destUrl=http%3A%2F%2Fwww%2Edoxpara%2Ecom%2Fplanetsony%5Fusa%2EJPG

As mentioned, Sony has stopped production of music CDS and has offered to replace CDs already purchased with CDs sans DRM software, but the company has yet to state how it proposes to remove the remote-access Trojans from the roughly half-million infected PCs.

Also, the patch, offered by Sony, apparently causes more harm than good. Finnish security researcher Muzzy reported that in removing the First4Internet root kit, new ActiveX code is installed. The new code, called CodeSupport, doesn't restrict itself to Sony or First4Internet; instead, someone could write an exploit for CodeSupport that directs new traffic to a cracker's domain. First4Internet is apparently aware of this and may soon offer a fix to its patch.

But wait, there's more
While First4Internet's root kit has enjoyed the lion's share of media, there's a secondary software package used by Sony to protect its assets, SunComm's MediaMax. The site Free to Tinker has reported that MediaMax uses spywarelike behavior, although it does not hide itself the way the First4Internet software does. And security company ISS is reporting new vulnerabilities for those still infected with the original Sony root kit.

Looking ahead, what would happen if rival companies started installing root kits on consumer's PCs--say, you buy one CD from Sony and another from Warner. According to F-Secure's blog site, in order for any root kit to hide itself, it must interface with the operating system kernel on a very low level, one that leaves no room for error. But what happens if you buy CDs from two competing manufacturers? Installing one root kit on top of another could lead to a very unstable situation. I say could, because this is all theoretical at this point. News.com has collected a variety of "what this might mean" stories regarding the Sony root-kit fiasco here.

I suspect we'll see more exposure of business practices like this in the near future. Antivirus companies are getting better at finding and exposing root kits, and brand-name vendors may find themselves, like Sony, having to answer for their past actions. Perhaps someday vendors will understand that my PC is a temple, and I (and only I) decide what should be running on it."

------------------
Willum

Update.....(Extract from 'The Register' 22/11/05 )

Sony BMG has endured a public-relations and legal nightmare after it emerged digital rights management (DRM) software installed on some of its music CDs (First4Internet XCP program) created a handy means for hackers to hide malware from anti-virus scanning programs.

Under pressure, Sony has been forced to recall discs loaded with the technology and create an exchange program for consumers. The music label still faces class action lawsuits by users who allege that their PCs have been damaged by the technology.

Now analyst house Gartner has discovered that the technology can be easily defeated simply by applying a fingernail-sized piece of opaque tape to the outer edge of the disc. This renders session two — which contains the self-loading DRM software — unreadable.

"The PC then treats the CD as an ordinary single-session music CD, and the commonly used CD 'rip' programs continue to work as usual. Moreover, even without the tape, common CD-copying programs readily duplicate the copy-protected disc in its entirety," Gartner (which is at pains to say it doesn't endorse the use of rip technology) explains.

So Sony's DRM technology is not going to prevent tech-savvy home users - much less pirates - from copying CDs to their heart's content even though it loads "stealth" software onto the PCs of the less informed. "After more than five years of trying, the recording industry has not yet demonstrated a workable DRM scheme for music CDs," Gartner concludes. It reckons the music industry will abandon attempts to encumber CDs with DRM software and refocus its efforts on pushing legislation to require that DRM technology be integrated into PCs.

Placing adhesive tape on the edge of a CD may make it unbalanced and could cause damage to the disc or (worse) the drive, as it spins at high speed. A better option, might be to disable the Windows Autorun feature.
More Information from Sony here : http://blog.sonymusic.com/sonybmg/archives/111505.html

There is a list of 'Infected' CDs here : http://cp.sonybmg.com/xcp/english/titles.html

------------------
Willum

[This message has been edited by Bill Norrie (edited 11-22-2005).]

Amazing.
DonM