Network News

X My Profile
View More Activity

Removing Sony's Software? Not Quite

This post is geared toward people who read today's wrapup in The Washington Post about huge security holes in Sony BMG's anti-piracy software and are interested in removing some or all of the broken software from their computers.

That software was crafted to hide its own files and resist any attempt by the user to remove it. However, as several recent Internet attacks have shown, that function could be exploited by computer viruses.

What's more, those skilled enough to uncover and delete the offending anti-piracy software files run the risk of rendering their CD-ROM drives inoperable, or of ending up with computers that repeatedly crash or reboot.

Furthermore, if you haven't already installed the software patch that Sony BMG made available last week in a vain attempt to fix this problem, DO NOT INSTALL IT. Security researchers say it will introduce even more vulnerabilities into your system.

No doubt the first question in readers' minds is: How do I know whether a CD I have purchased includes this corrupted software? At long last, Sony has published a list of CDs that include the offending software. You can tell for sure by checking the copy protection info on the bottom left side of the CD's back cover. Look for an Internet address that ends with the letters "XCP."

If you have played one of these CDs in your Windows-based computer, it is likely that the software has been installed on your machine. (These CDs play just fine in computers powered by Linux or Macintosh operating systems and do not auto-install the offending software.)

First off, if you believe you have Sony BMG's anti-piracy software on your machine, consider using one of several free tools available to remove the underlying software. Most are available only to people who've subscribed to an antivirus service, but as of midnight, Microsoft was offering a new update to its free Web-based "malicious software removal tool" that is supposed to nix the Sony software's file-hiding capabilities.

To get it, fire up Internet Explorer and visit this site, then click the yellow "Full Service Scan" button. If you have not installed Microsoft's Live Safety Scanner, you will be prompted to do so and approve their license agreement. Once the software is installed, select "Quick Scan," and then hit "Next." If it finds any threats when completed, hit "Next" to remove them.

If you have already installed the Sony BMG-issued removal patch, your machine is vulnerable to attackers because the company had not yet -- as of this posting -- released a solution to fix it. Sony said it is still developing a tool to completely remove the anti-piracy software, and that it will make available at some point on its site.

Researchers say the Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after removal tool has done its job. And because of the way the tool is configured, it allows any Web page that the user subsequently visits to download, install and run any code that it likes.

If I were unfortunate enough to have listened to one of these protected CDs and installed this ill-fated patch on my PC, I might be wondering why it has taken so long for Sony BMG, Microsoft and the antivirus companies to come up with easy-to-use software tool that removes this foul program altogether.

But what if you, dear Security Fix reader -- alarmed by news of how this software introduces security threats -- have already run Sony's uninstall "patch"? The short answer is that, at least for now, you are out of luck.  Unless, of course, you routinely use a Web browser other than Microsoft's Internet Explorer (such as Firefox or Opera) which do not rely upon the vulnerable ActiveX component futher exposed by Sony's software. Interestingly enough, the Department of Homeland Security's US-CERT has picked up on this threat, though it makes no mention of using another browser as a solution.

I contacted Sony, Microsoft and Symantec, all of whom were at the time still debating whether or not to issue updates to remove the more serious security holes left behind by Sony's patch program. (Microsoft's update only deals with the original software, not the patch). Sony executives say they will release "shortly" a program to entirely remove its anti-piracy software. Microsoft and Symantec both say they are considering whether issuing an update that removes all of Sony's software is doable.

So  for now, the unfortunates who used Sony's patch must wait it out until some company comes forward with an easy-to-use tool that will get rid of this pest once and for all.

Editor's Note:  See Brian's story in Today's Washington Post: "Sony's Fix for CDs Has Security Problems of Its Own."

By Brian Krebs  |  November 17, 2005; 12:45 AM ET
Categories:  Piracy  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Yet Another Sony Flaw Found
Next: Major Internet Backbone Goes Down

Comments

When hackers do exactly this, they get prosecuted and/or sued.

Let's have a class action suit against Sony for hacking & installing malicious software on users' computers. Yes, I'm serious. What's good for the naughty teenage goose, is good for the big multinational gander.

Enough is enough.

Posted by: George | November 17, 2005 2:42 AM | Report abuse

Amen George!

These companies go after people pirating software with a vengance. But the rootkit that Sony put on people's machines actually STEALS copyrighted software as part of its code. Hypocrites!

Then they post a remove tool that makes people's machines vulnerable.

They should be sued BIG class action style.

They have wasted a lot of people's time and money. They shouldn't get away with this corruption.

Posted by: Mandy | November 17, 2005 3:14 AM | Report abuse

Dear Sirs,

If this Sony rootkit and all of its associated programs have embedded themselves so deeply into the operating system, that it renders the computer in question literally an idiot, and its owner incapable of defending himself and said "affected" computer from the "dorks", "twits", and "dudes" that infest the internet looking for something to do besides work for a living; how are we, the uninitiated and un-geeked, supposed to determine the difference between the two? They appear to have about the same interests.........It would appear that trusting Sony-BMG, Microsoft, Norton/Symantec, and other as yet unknowns to cover our dumb butts in a combat zone, is like asking our Democrats and Republicans to give us a clean, honest, up-front government that we can believe in, look up to and be proud of...........Guess what????? It ain't gonna happen !...We could all throw away our computers and cell phones for five years (What an interesting concept.).......Sell our homes and move to New Orleans (I wonder what they'll do for Mardi Gras?).......How about a combat tour or two in some country that has oil deposits (Nice climate - Take the whole family - enjoy meeting new people !).....Like I said, "Ain't gonna happen !".....What you've got are: max'd credit cards, a mortgage payment, car payment, income tax, The Patriot Act, Homeland Security, FEMA, Bird Flu, bad sit-com's, incest, adultery, venereal disease, the worst medical system in the world, street crime, corporate crime, political crime, cyber crime and all the rest of what LIFE is all about nowadays........I find it ironic that we shut up tighter than a clam in winter when the subject is our use of phosphorous (CHEMICAL) and Depleted Uranium (NUCLEAR AS IN RADIOACTIVE) munitions on other countries......BUT go right straight up through the roof over Sony-BMG stuffing a little more useless trash down our throats.....Sony-BMG truly didn't think you would care ....... Too bad you think your government is any different!!

Posted by: Richard Sez...... | November 17, 2005 3:47 AM | Report abuse

Other than the untold millions that Sony will lose from recalling and exchanging these CDs, settling the class-action law suits, and enduring a cataclysmic drop in sales due to the enormous customer outrage (i.e. "I'll never buy another Sony product in my life" crowd), true justice will only occur when the entire executive staff responsible for this train wreck is horse kicked to the curb.

Posted by: Tom | November 17, 2005 4:24 AM | Report abuse

Isn't it about time the music companies realized we aren't buying the music because it is too expensive? If they lowered the price to $5 a CD there'd be a lot less piracy going on. Instead, they want to waste billions creating spyware software. Another example of how corporate america is only thinking about their precious bonus checks and not the long term profitability of their companies. Seems pretty clear from where I'm sitting.

Posted by: Chris | November 17, 2005 7:54 AM | Report abuse

In terms of a lawsuit that would actually result in a change in the law or a change to a company bad business practice for the better you will need a public interest group such as the Electronic Frontier Foundation at: http://www.eff.org/

Most class action lawsuits are filed to recover damages, they (to my knowledge) do not get to the point of actually modifying the law or modifying a bad business practice. Also a great number of class action lawsuits are simply resolved through an out-of-court settlement. In the meantime still boycott Sony. This can be our Christmas gift to Sony.

Posted by: Steve | November 17, 2005 8:18 AM | Report abuse

I like that at the bottom of the list of CDs (and does anyone really believe that's a complete list? Who do they think we are, Red State Voters?) is a link to Sony's Privacy Policy.

I looked, but was unable to find, reference in this policy to "disabling users computers" or "rendering security moot." Perhaps I just wasn't looking hard enough...

Posted by: Gyffes | November 17, 2005 9:23 AM | Report abuse

A Congressional hearing was held yesterday in the Subcommittee on Commerce, Trade, and Consumer Protection of the House Committee on Energy and Commerce. The topic was "Fair Use: Its Effect on Consumers and Industry." The real topic was H.R. 1201, a bill cosponsored by Rick Boucher (D-VA) and Joe Barton (R-TX), which would amend the DMCA to allow circumvention of content protection systems for purposes of fair use. Among other things, H.R. 1201 would presumably remove the threat of lawsuits or prosecution from the security researchers who have been working so diligently to expose Sony and F4I's misdeeds.

Judging by the comments of many committee members, Boucher and Barton have their work cut out for them. While it seems there is an emerging consensus among both consumers and technologists that current DRM systems are flawed at best, many committee members don't seem to be hearing that message, believing instead that DRM systems are working as intended, and that the protections of the DMCA are necessary to the development of a marketplace in digital content. Some members, notably Rep. Blackburn (R-TN) go so far as to call Fair Use little more than cover for thievery.

Of course the Sony fiasco was brought up by several witnesses sympathetic to 1201 (as well as Rep. Boucher himself), but pro-DRM members simply did not want to discuss the episode, with the exception of Rep. Bono, who stated flatly that Sony had provided a patch and therefore the problem was resolved..end of story.

A Webcast of the hearing is available at http://energycommerce.house.gov/108/Hearings/11162005hearing1716/hearing.htm
I recommend that anyone interested in digital rights issues listen in. It will be a real wake-up call for those who believe the tables have turned on the content industry's plans for DRM.

Posted by: Doug Lay | November 17, 2005 9:45 AM | Report abuse

Here is a complete list of CD's with this "technology" on it.

1. A Static Lullaby
Faso Latido
CK92772

2. Acceptance
Phantoms
CK89016

3. Amerie
Touch
CK90763

4. Art Blakey
Drum Suit
CK93637

5. The Bad Plus
Suspicious Activity?
CK94740

6. Bette Midler
Sings the Peggy Lee Songbook
CK95107 CK74815

7. Billy Holiday
The Great American Songbook
CK94294

8. Bob Brookmeyer
Bob Brookmeyer & Friends
CK94292

9. Buddy Jewell
Times Like These
CK92873

10. Burt Bacharach
At This Time
CK97734

11. Celine Dion
On Ne Change Pas
E2K97736

12. Chayanne
Cautivo
LAK96819 LAK96818 LAK95886

13. Chris Botti
To Love Again
CK94823

14. The Coral
The Invisible Invasion
CK94747

15. Cyndi Lauper
The Body Acoustic
EK94569

16. The Dead 60's
The Dead 60's
EK94453

17. Deniece Williams
This Is Niecy
CK93814

18. Dextor Gordon
Manhattan Symphonie
CK93581

19. Dion
The Essential Dion
CK92670

20. Earl Scruggs
I Saw The Light With Some Help From My Friends
CK92793

21. Elkland
Golden
CK92036

22. Emma Roberts
Unfabulous And More: Emma Roberts
CK93950 CK97684

23. Flatt & Scruggs
Foggy Mountain Jamboree
CK92801

24. Frank Sinatra
The Great American Songbook
CK94291

25. G3
Live In Tokyo
E2K97685

26. George Jones
My Very Special Guests
E2K92562

27. Gerry Mulligan
Jeru
CK65498

28. Horace Silver
Silver's Blue
CK93856

29. Jane Monheit
The Season
EK97721

30. Jon Randall
Walking Among The Living
EK92083

31. Life Of Agony
Broken Valley
EK93515

32. Louis Armstrong
The Great American Songbook
CK94295

33. Mary Mary
Mary Mary
CK94812 CK92948

34. Montgomery Gentry
Something To Be Proud Of: The Best of 1999-2005
CK75324 CK94982

35. Natasha Bedingfield
Unwritten
EK93988

36. Neil Diamond
12 Songs
CK94776 CK97811

37. Nivea
Complicated
82876671562

38. Our Lady Peace
Healthy In Paranoid Times
CK94777

39. Patty Loveless
Dreamin' My Dreams
EK94481

40. Pete Seeger
The Essential Pete Seeger
CK92835

41. Ray Charles
Friendship
CK94564

42. Rosanne Cash
Interiors
CK93655

43. Rosanne Cash
King's Record Shop
CK86994

44. Rosanne Cash
Seven Year Ache
CK86997

45. Shel Silverstein
The Best Of Shel Silverstein
CK94722

46. Shelly Fairchild
Ride
CK90355

47. Susie Suh
Susie Suh
EK92443

48. Switchfoot
Nothing Is Sound
CK96534 CK96437 CK94581

49. Teena Marie
Robbery
EK93817

50. Trey Anastacio
Shine
CK96428

51. Van Zant
Get Right With The Man
CK93500

52. Vivian Green
Vivian
CK90761

Posted by: Ann | November 17, 2005 10:42 AM | Report abuse

Thanks to Doug Lay for highlighting the congressional reaction to the Sony debacle. I think Mr. Lay is completely correct that Congress is not going to be a help to the consumer on this issue, as evidenced by the outright false statements made by Reps. Bono and Blackburn. These two, and many other members of Congress, know who butters their campaign-finance bread and will say and do just about anything to protect those money-sources.

Perhaps the only way to reverse this situation would be to take advantage of this moment of consumer outrage and direct it towards the congressional protectors of Sony/BMG. The members who take money from the big media comapnies and give them their legislative protection need to be "outed" for what they are. I hope that the various organizations which are supporting the rights of consumers can incorporate this line of attack into their strategies.

Can anyone here supply more names of Congressional recipients of big-media money?

Posted by: james | November 17, 2005 11:02 AM | Report abuse

Just before this broke I bought a SonyBMG CD. Never look at the music company name, it was just an artist I wanted (Ben Folds - Songs for Silverman). SO I get this home after paying $20 (it is a Dual Disk CD/DVD) and stick it into my Mac. DVD plays fine but the CD skips and won't download into iTunes. God forbid I get to listen to something I paid good money for! I understand they are trying to protect their assets but give me a break. I think it is time to boycott them. I know I will start today.

Posted by: Rich | November 17, 2005 12:00 PM | Report abuse

Anyone have any idea if a class action suit could be filed aginst Sony?

I don't want any money, what I want is to deter companys from loading s/w on my system without my informed consent.

Posted by: Dave | November 17, 2005 1:08 PM | Report abuse

The list of CDs Sony poisoned is just the latest outrage: Who pirates Burt Bacharach to begin with?

Gallows humor, I know, but seriously - these are almost all Geezer titles. Isn't Sony supposed to be protecting Destiny's Child? Fiona Apple? John Mayer? All Sony Artists.

It's as if they were beta-testing on people who were unlikely to notice.

Posted by: Susan W. | November 17, 2005 1:57 PM | Report abuse

To Dave:

There have been at least two class actions filed. One in California and another nationwide action in New York.

You can read about them from my past blog posts.

NY: http://blogs.washingtonpost.com/securityfix/2005/11/sony_faces_anot.html

Calif:
http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html

Posted by: Brian Krebs | November 17, 2005 2:31 PM | Report abuse

Anyone who installs a Trojan Horse program in someone else's computer is guilty of violating the Federal laws against "unauthorized use of a computer." That is a felony punishable by many years of prison. Sony executives are clearly guilty of this offense, and I for one want to see some prosecutions. It should not be only teenage kids who get jail time for hi-tech shenanigans.

Posted by: Orange | November 17, 2005 4:57 PM | Report abuse

Isn't installing Trojan Horse programs on someone else's computer called "Unauthorized Use of a Computer", which is afelony crime under Federal law?
Sony's surreptitious acts are not qualitatively different from a vandal who breaks into other people's computers and damages things or steals information.
When teenage kids commit those computer crimes, FBI agents kick in their doors, confiscate their computers, and haul t
he kids off to jail. I want to see the same done with the Sony executives and computer programmers who foisted this cr
ime on us.

Posted by: Orange | November 17, 2005 6:33 PM | Report abuse

What's really bugging me the most in this whole stupid scandal is that, besides the junk they put on Windows machines, Sony just managed to get out the only known case of a successful Trojan affecting the Mac platform. But, of course and as usual, who cares about us, we're only a minority, right ?
Is Sony doing anything about it ? No.
Is anybody up in arms about it ? No (except us, the minority).
Our solution is unfortunately the same as Windows users': Do a clean reinstall of the system ... Waste a few hours ...

Posted by: Outraged Mac user | November 17, 2005 9:57 PM | Report abuse

Sony should have put a large label on all 52 CDs stating "Infected with DRM = Dangerous Rootkit Malware"

Posted by: abc | November 17, 2005 9:59 PM | Report abuse

At least two class action lawsuits have been filed on behalf of Sony BMG Music Entertainment customers who were infected with the First 4 Internet Rootkit. Users who were infected do not have to wait for a class action to make its way through the courts, they can sue on their own in Small Claims Court.

For more information about the Sony BMG lawsuits, and about filing a lawsuit in your local Small Claims Court, visit http://www.sonysuit.com

Posted by: Mark Lyon | November 19, 2005 11:12 PM | Report abuse

I have a similar problem when I played Speed of Sound by Coldpaly on my Sony Vaio laptop.
But Speed of Sound is not there on this list.

Posted by: Chetan | December 12, 2005 7:52 AM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company