Beware of Trojan Discs (and illegal soapboxes)

In today's IT Blogwatch, we look at various record labels' outrageous behavior, amounting to silently installing Trojan horses on their customers' PCs. Not to mention pictures from the 2005 Illegal Soapbox Derby (don't try this at home, kids)...

Trojans and rootkits are now introduced to PCs by music CDs. Alex Scoble has been following the story: "Do companies not understand that by using these sorts of shadowy mechanisms they further hurt their efforts not only to stop piracy but to bring consumers to their side of the argument? Good game Sony and others who would follow your example, by treating your customers with an utter lack of respect, you are in fact making an explicit case for said customers to disregard your efforts to protect your works. If Sony's actions aren't yet illegal, they may soon be if our legislatures continue to move to make malware, spyware and adware of this sort unlawful. Even if they are legal, I would certainly brand these acts as immoral and counter to the good of society."

» Mark Russinovich, Sysinternals Blog discovered this and goes into it in great detail: "Rootkits are cloaking technologies that hide files, Registry keys, and other system objects from diagnostic and security software, and they are usually employed by malware attempting to keep their implementation hidden ... the rootkit and its associated files were related to the First 4 Internet DRM software Sony ships on its CDs. Not happy having underhanded and sloppily written software on my system I looked for a way to uninstall it. However, I didn't find any reference to it ... I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall ... The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users ... will cripple their computer if they attempt the obvious step of deleting the cloaked files. While I believe in the media industry's right to use copy protection mechanisms to prevent illegal copying, I don't think that we've found the right balance of fair use and copy protection, yet."

[Your humble Blogwatcher is ashamed to note that this DRM scheme was created by the British company, First 4 Internet Ltd. In this form, it's known as XCP2: "XCP offers a comparatively high level of protection against casual piracy, while working to provide the authorised customer with a quality digital music experience on their chosen platform." XCP1 was used for securing pre-release CDs, but now the labels have started using it for released CDs: "XCP has been in commercial use since 2002 and is actively being used by the four major Record Labels for pre release copy protection. In 2005 XCP will be in use on commercial CDs."]

» J. Alex Halderman, Freedom to Tinker: "The first time an XCP2-protected CD is inserted into a Windows system, the Windows Autorun feature launches an installer, which copies a small piece of software onto the computer. From then on, if the user attempts to copy or rip a protected CD, the software replaces the music with static. This kind of copy protection has several weaknesses. For instance, users can prevent the active protection software from being installed by disabling autorun or by holding the shift key (which temporarily suspends autorun) while inserting protected discs. Or they can remove the software once it's been installed, as was easily accomplished with the earlier SunnComm technology. Now, it seems, the latest innovations in CD copy protection involve making the protection software harder to uninstall ... Normally, programs and data aren't supposed to be invisible, particularly to system administrators; they may be superficially hidden, but administrators need to be able to see what is installed and running in order to keep the computer secure. What kind of software would want to hide from system administrators? Viruses, spyware, and rootkits ... One of the recording industry's favorite arguments why users should avoid P2P file sharing is that it can expose them to spyware and viruses. Thanks to First4Internet's ill-conceived copy protection, the same can now be said of purchasing legitimate CDs ... In case you haven't already disabled Autorun, now might be a good time." [Sound advice there... geddit? Sound advice? Oh never mind...]
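Halderman's closing advice is to switch Autorun off, which is the step that stops the XCP installer from ever running. The following is an added example from this column's editor, not code from Halderman or from any of the quoted bloggers, showing how to do that from an elevated PowerShell prompt. It assumes a Windows system where Explorer honours the documented NoDriveTypeAutoRun policy value (Windows XP and later; some older XP/2003 builds needed a later Microsoft update before the policy was applied consistently), and it uses the machine-wide policy key so the setting cannot be undone per user.

```powershell
# Added example: disable Windows Autorun for every drive type and verify it.
# Assumptions: elevated prompt; HKLM Explorer policy key is honoured by this build.
# NoDriveTypeAutoRun is a bitmask with one bit per Win32 drive type:
#   0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk,
#   0x01/0x02/0x80 unknown/no-root/reserved. 0xFF sets every bit.
# 0x20 alone would cover audio CDs, but a USB stick is just as good a carrier.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'
$AllDrives  = 0xFF

function Disable-Autorun {
    # Create the policy key if no Explorer policy has ever been set on this box.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value $AllDrives -Type DWord
}

function Test-AutorunDisabled {
    # Returns $true only when every drive-type bit is set; a missing value
    # means the default mask is in force and CD-ROM Autorun is still active.
    $props = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    $current = [int]$props.$ValueName
    return (($current -band $AllDrives) -eq $AllDrives)
}

Disable-Autorun
if (Test-AutorunDisabled) {
    Write-Output ('Autorun disabled for all drive types ({0} = 0x{1:X2}).' -f $ValueName, $AllDrives)
} else {
    Write-Warning 'Policy value not written as expected; check that the prompt is elevated.'
}
```

Explorer reads the policy when it starts, so log off and back on (or restart explorer.exe) before testing with a disc. Holding Shift while inserting a disc, as Halderman notes, is only a one-off suppression; the registry value is what keeps an unattended machine from launching whatever a disc's autorun.inf points at.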

» Brian Krebs, Security Fix: "People may differ over what exactly a rootkit is, but the most basic ones are designed to ensure that regular PC monitoring commands and tools cannot see whatever has been planted on the victim's machine. Because rootkits generally get their hooks into the most basic level of an operating system, it is sometimes easier (and safer) to reformat the affected computer's hard drive than to surgically remove the intruder. Sony's anti-piracy program installer pops up when you drop one of these content-protected CDs into your drive. If you agree to install it, there is no 'uninstall' feature. Russinovich was able to use his knowledge of rootkits and the Windows operating system to zero in on the offending driver files needed to run the software. Unfortunately, he found that removing the program also erased the system files that power his CD-ROM drive, rendering it useless ... Russinovich and F-Secure both tracked the rootkit files back to Sony by following text strings buried in the hidden files that pointed to a company called First4Internet, which they later confirmed was the company that produced the software used on the protected Sony CDs."

» Bruce Schneier: "Could Sony have violated the Computer Misuse Act in the UK? If this isn't clearly in the EULA, they have exceeded their privilege on the customer's system by installing a rootkit to hide their software. Certainly Mark [Russinovich] has a reasonable lawsuit against Sony in the U.S." Interesting comment on Bruce's blog from Milan Ilnyckyi: "The most frustrating thing about this is the way in which it punishes the people who've actually chosen to buy the product. It raises the question of whether there can be an effective and fair technological solution to the problem of copyright violation, or whether the whole concept needs to be revamped in the face of contemporary realities."

» Robert L. Mitchell: "Can you sue the spyware problem out of existence? ... Some good may have come of all this, however. Negative publicity may already be forcing high-profile players to clean up their business models ... One issue with adware and spyware is just how you define it. Some users will willingly put up with adware in exchange for the free software provided. And they should be able to do so ... For the enterprise, however, the concern remains unwanted software in general and eliminating circumstances where the user unknowingly downloads spyware. Large enterprise software vendors such as Microsoft will also increasingly play a role in pressuring adware companies to change their business practices."

» Mike, Techdirt: "What's amusing about the story, though, is the way so many people are acting surprised and outraged by it. How else would you expect the entertainment industry to put copy protection on your computer? Of course they're going to try to hide it. And, why wouldn't they hide it deep within the system using the same techniques as rootkits? People have pointed out for ages that most of these copy protection schemes are no different than other types of malware (installed without you knowing it, prevents your computer from acting as it should, not easily removable, etc.)."

Buffer overflow:

And finally... 2005 Illegal Soapbox Derby

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Also contributing to today's post: Judi Dey, our very own Antipodean.

Copyright © 2005 IDG Communications, Inc.
