Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Sony: No More Rootkit - For Now

There have been several significant developments in the Sony DRM story since my last post. The first is that, despite Sony’s and First 4 Internet’s claims that their rootkit poses no security risk, several viruses have been identified in the wild that exploit the cloaking functionality the rootkit provides. Apart from F-Secure and Computer Associates, most antivirus companies were slow to label the Sony rootkit a risk, but the discovery of viruses that use the rootkit to hide their files has prompted many of them to detect and disable the rootkit in their latest scanning signatures. My guess is that they were waiting for an actual security threat to shield them from a potential problem with Sony. Microsoft, for example, initially responded cautiously when asked about its position on Sony’s use of rootkits, but Jason Garms, a member of the Microsoft Windows Defender team (formerly Microsoft AntiSpyware), announced on the Windows Defender blog this weekend that Microsoft is also releasing signatures and a cleaner for the rootkit.

While I’m glad that the viruses have kept the story in the media, the viruses being discussed are not really the primary security issue. They simply take advantage of the Sony rootkit if it’s present, but could just as easily install their own rootkit to hide their presence on the system. If the user who activates the virus, which arrives as an email attachment, is running with administrator privileges, the virus can install a kernel-mode rootkit just as powerful as Sony’s. Even if the virus is activated from a non-administrator account, it can still install a less powerful, though still effective, user-mode rootkit. The bottom line is that it’s not rootkits themselves that are the problem; it’s the inability to see and manage the objects they hide that creates security, reliability and manageability problems.

I’m not the only one that realizes the dangers of rootkits, especially those bundled with commercial software. On Friday, the US Chamber of Commerce co-sponsored a conference in Washington, D.C. on combating intellectual property theft. The conference concluded with a panel that included major representatives of the entertainment and technology industries such as the chairman and chief executive officer of the Recording Industry Association of America (RIAA) and Stewart Baker, the assistant secretary for policy in the Department of Homeland Security. Baker concluded with a comment aimed squarely at Sony: “It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.”

There has also been some confusion about how much cleaning the antivirus (AV) companies are actually doing. Some articles imply that the AV cleaners remove all of the Sony DRM software, but in fact they only disable and remove the Aries.sys driver that implements the rootkit’s cloaking; the rest of the XCP software stays on the system. Worse, every AV cleaner I’ve looked at disables the driver improperly, by unloading it from memory. That is exactly what Sony’s own patch does and, as I noted previously, it introduces the risk of a system crash. The vendors post disclaimers to that effect on their web sites, but they should instead use the safe alternative I described a couple of posts ago: delete the driver’s service registration from Windows so that it simply isn’t loaded the next time Windows boots. Nothing is unloaded from the running kernel; the driver stays resident until the reboot and is never started again:
  1. Open the Run dialog from the Start menu
  2. Enter “cmd /k sc delete $sys$aries”
  3. Reboot

Note that sc.exe is built into Windows XP and later. On Windows 2000 it is not part of the base system (it ships separately in the Windows 2000 Resource Kit and in the Platform SDK), which is why a stock Windows 2000 machine reports that ‘sc’ is not recognized as a command.
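As an added example, not code from the original post or from Sony or First 4 Internet, here is the same procedure as a script. It removes the $sys$aries service registration through sc.exe and classifies sc.exe’s exit code, so that it reports whether the registration was removed, never existed, or had already been marked for deletion by an earlier run or cleaner. The function name and the status strings are my own; the sc.exe commands are the ones you would type at a cmd prompt. It assumes sc.exe is present (Windows XP and later, or the Resource Kit copy on Windows 2000) and that it runs in an administrator session.

```powershell
# Added example, not code from the original post or from Sony/First 4 Internet.
# Removes the XCP cloaking driver's service registration so the driver is not
# loaded at the next boot. It deliberately never calls "sc stop": unloading the
# driver from a running kernel is the risky step that Sony's patch and the AV
# cleaners take. Requires an administrator session and sc.exe.

# Single quotes matter: in a double-quoted string PowerShell would expand "$sys"
# as a variable and the service name would silently become "aries".
$DriverService = '$sys$aries'

function Remove-DriverRegistration {
    param([Parameter(Mandatory = $true)][string]$Name)

    # sc.exe exits with the Win32 error code of the failed call, so the outcome
    # can be classified without parsing its (localized) output text.
    $output = & sc.exe delete $Name 2>&1 | Out-String
    switch ($LASTEXITCODE) {
        0    { return 'removed' }          # registration gone; driver stays loaded until reboot
        1060 { return 'not-registered' }   # ERROR_SERVICE_DOES_NOT_EXIST
        1072 { return 'already-marked' }   # ERROR_SERVICE_MARKED_FOR_DELETE
        default { throw "sc delete $Name failed with code $($LASTEXITCODE): $output" }
    }
}

# Only the Service Control Manager is consulted. Looking at
# HKLM\SYSTEM\CurrentControlSet\Services directly is unreliable here: while the
# cloaking driver is active it hides $sys$-prefixed registry keys from user-mode
# programs, so a "key not found" from the registry proves nothing.
$result = Remove-DriverRegistration -Name $DriverService
switch ($result) {
    'removed'        { Write-Host "Registration for $DriverService removed. Reboot to finish; the driver will not start again." }
    'already-marked' { Write-Host "$DriverService was already marked for deletion. Reboot to finish." }
    'not-registered' { Write-Host "No service named $DriverService is registered on this machine." }
}
# Restart-Computer   # uncomment to reboot immediately instead of by hand
```

The script does not try to confirm the driver file or its registry key first, for the reason given in the comment: while the cloaking driver is loaded, user-mode lookups of anything named $sys$... can come back empty, so the only trustworthy signal is sc.exe’s own result. If it reports that no such service is registered, the machine never had the XCP driver installed, or a cleaner has already removed the registration.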

Perhaps the biggest news in the story last week is Sony’s first public response since one of their executives stated in a National Public Radio interview, “users don't know what a rootkit is, and therefore, don't care." Mid-day Friday Sony announced, with the hope that press coverage wouldn’t last through the weekend, that it would temporarily cease production of CDs containing First 4 Internet’s XCP technology, the software that uses the rootkit. They have also finally added a link on the Sony BMG web site, under the News section, to the decloaking patch and to the uninstall request form.

It’s a small first step on Sony’s part. Sony still makes no admission of guilt, though by this time I’m sure that legal exposure prevents them from doing so. In addition, the use of the word “temporarily” disturbs me. Are they just waiting for the media attention to fade before starting up again?

More importantly, Sony is making no effort to withdraw existing CDs that are already on the market, and the uninstall process is still spyware-like in its use of an ActiveX control both to request the uninstall and to perform it. ActiveX controls are a commonly used attack vector for malicious web sites, and Matti Nikki, in a comment on my last post, points out that the First 4 Internet control exposes scriptable methods that a web page can invoke without the user’s knowledge or consent; his site demonstrates rebooting the visitor’s system by calling one of them. The control exports 22 scriptable interfaces (shown in a screenshot of Type Library Explorer from iTripoli), and the shoddy nature of First 4 Internet’s other code gives me little confidence that there aren’t vulnerabilities a malicious site could use to gain control of systems on which the control is installed.

I’ve said it before, but obviously need to say it again: Sony needs to make the uninstaller freely available as a standalone executable download so that users can choose to safely and easily discontinue use of this nefarious software.

posted by Mark Russinovich @ 4:49 AM

I've read that First 4 Internet is working on a new XCP that doesn't use a rootkit. I'm pretty skeptical though. In the meantime I'll just skip out on buying from Sony. There seems to be a large group of the world who is also doing this; just google Boycott Sony.
Thank you for taking the time to publish such an informative article regarding Sony's DRM. I hope Sony will learn from this experience and remember to keep their consumers in mind in future attempts to control their intellectual property.

Great work!
ActiveX functions named 'InstallUpdate' and 'ExecuteCode' don't exactly give me good vibes. Has anyone investigated whether these are exploitable?

This rabbit hole of Sony's is getting mighty deep.
I love your column.
Wanted to tell you that you have a typo in the beginning: claoking.


Also, as Matti Nikki mentioned on his website, Go.exe (a part of XCP2) contains some strings that might indicate that it contains code from LAME (an open source MP3 encoder). If so, Sony/F4I is infringing copyright themselves.

'Serendipity' has taken a closer look and discovered that it also contains some tables similar to LAME, but has been unable to identify any code in Go.exe that use those tables nor any code matches between Go.exe and LAME.

I think Sony's actions are disgraceful regarding this matter, as they didn't think about SysAdmins or programmers like yourself, who understand and care what is installed on their computers.

By trying to protect their CDs (which is understandable to a point, but they have gone too far...) they have opened a loophole for viruses, hackers and malware, which I think is very short-sighted.
No one has a good answer why this very same virus, generally speaking, being spread by Joe or Jane or Hans or Olga, would have the FBI after them seeking jail terms.

Can a virus writer flash a EULA in front of you and he/she is now legit?

How come the most powerful special interest groups in the world are the MPAA and RIAA? Are they important to national security? Are they helping world hunger?
What kind of "rootkit" can one install on a windows machine if they belong to the "Users" group (not power users) of a win2k/XP PC? Sony's "DRM" fails to install in my tests, but this rootkit needs to patch system functions so that is to be expected, I'd hope it'd take Admin rights to do that... How much data can one hide with very little rights?

And about you "contracting" the rootkit yourself... I understand, you were probably doing routine maintenance, or some other admin-required privilege on your PC, and decided to listen to a CD... and inadvertently got rooted.
I heard about this story, but I never thought it was that big! Maybe they want to promote the download of mp3s as a safer way :P

Sony is now at the bottom of my list. Really, really bad move...

But thanks for informing us :D
First of all let me be the n-th million person to personally thank you for breaking the news on Sony's (and First4Internet's) rootkit shenanigans.

Secondly Mark could you kindly outline some methods of detecting commercial music CDs containing DRM, in particular those that contain no warning whatsoever? I understand that it is still possible for malicious music CDs (and they are malicious, regardless of the IP rights of these CD's producers) to silently install DRM on an XP machine even with autoplay off, but is there any way to detect and/or prevent that? Other than switching to GNU/Linux, of course...

I'm asking these because most of Indonesia's major local acts publish under the Sony BMG Indonesia label, and to this day I have yet to find any of their published CDs with any 'copy-protected' label whatsoever.

I'd love to boycott Sony, but I haven't bought any music CD myself in well... ages and as others have outlined in previous comments this is not limited solely to Sony music CDs.
"How come the most powerful special interst groups in the world are MPAA and RIAA? Are they important to national security? Are they helping world hunger?"

You know what they say about bread and circuses.
Keep up the great work Mark. I've been following this very closely and it's such an eye-opener when I tell people what Sony tried to pull.
Mark, Thanks for the info. Any comment on the other software Sony is using? MediaMax by SunnComm.

Thank you!
Dude, so LOUD!...

In general a good idea... A sharp drop in PS sales over the next month or two might be just the wake-up call Sony needs...

Thank you very much for covering and exposing this situation. Sony has truly stepped over the line.

You have done a great job to the world by making certain the public is in the know.

Oh yeah, and another big thank you for the cool tools on and the tools you sell at winternals.

Thank you for providing a place to keep up-to-date on the progress of this debacle. I commend your writing skills and knowledge in regards to the subject matter.
Thanks for your time investigating this Sony (F4I) DRM. Really good job done. Keep it up.
Why should anyone expect that Sony is the only one to do this?

The company in the best position to perpetrate this kind of activity is MICROSOFT.
There is another report on Sony DRM protection that includes spyware:
Sony Shipping Spyware from SunnComm too

"What few people realize is that Sony uses another copy protection program, SunnComm’s MediaMax, on other discs in their catalog, and that this system presumably is not included in the moratorium. Though MediaMax doesn’t resort to concealing itself with a rootkit, it does behave in several ways that are characteristic of spyware."

To summarize, MediaMax software:

Is installed onto the computer without meaningful notification or consent, and remains installed even if the license agreement is declined;

Includes either no uninstall mechanism or an uninstaller that fails to completely remove the program like it claims;

Sends information to SunnComm about the user’s activities contrary to SunnComm and Sony statements and without any option to disable the transmissions.

Mark, what do you think?
Washington Post Article
Brian Krebs on Computer Security
Sony Faces Another Class-Action Suit

Sony BMG is facing yet another class-action lawsuit stemming from the controversy over its anti-piracy software, this time from a New York attorney who filed a federal case that could potentially include consumers in all 50 states
This is the new Sophos detection and disabling tool for the Sony-BMG XCP software:

(it disables part of it at least, anyway -- and without adding more sh!t unlike the '''disabler''' from $ony-BM)
While it is good news that another class action lawsuit has been filed, we need to consider two points.

First, the purpose of the class action lawsuit is usually limited to recovering damages. Usually these lawsuits are settled out-of-court and do NOT result in the offending company actually changing its bad business practices for the better or overturning the underlying law.

Second, to change corporate behavior and to overturn DRM we need to have a consumer-orientated special interest group, such as the Electronic Frontier Foundation, take up the challenge.
I posted this in another thread, but I think it bears repeating. Microsoft is the other villain in this drama. Their system design, which pretty much requires you to be logged on as an administrator in order to install software, is what enables people like Sony and the other malware writers to pull these tricks. There is no reason whatsoever to require that application level software be installed on a system using administrator level authority. That's plain STUPID with a capital "S". Does anyone know how well Vista is going to address this?
Saw a very concise guide on how to remove the rootkit and how to detect if you have it here:

How to remove the Sony DRM Rootkit

He credits you guys which led me here! Great work.
Dear Mark:

I tried the safe alternative that you described a couple of posts ago, which is to delete the rootkit's registration from Windows so that it won't activate when Windows boots. Then a window popped up saying "'sc' is not recognized as an internal or external command, operable program or batch file". Is there something I'm doing wrong?
Electronic Frontier Foundation issued the following letter "An Open Letter to Sony-BMG" to request corrective action. Please see the link below.
Thank you so much for your articles.

I would like to see more about how the copy protection works and whether or not it's just the software that forces its way onto your system (and that's IT).

Honestly, I've yet to see a CD I can't rip to my hard drive.

Linux anyone? It just proves how much they want to control and how sloppy they are about it.
Sony doesn't have any way of dealing with removing the software from a machine not connected to the internet. I asked them. Here is their response:

I apologize that you have an issue with our uninstall request form. Our online uninstall requires that an Internet Explorer ActiveX uninstall tool be installed and pop-up windows be temporarily enabled. At this time this online process is the only removal tool currently available.

TIP: Should Sony BMG decide to release a non-ActiveX Internet
uninstall process, it would be posted on our FAQ site at:

Thank you for the opportunity to be of assistance.

Can you please check out this post? It appears that the "developers" at First 4 are so "lame" as to not even purge the tags from the code they plagiarized under the open source GNU license. Is it possible Sony BMG is so dumb as to purchase technology from these idiots?

"Spyware Sony seems to breach copyright
Posted on Thursday, November 10 @ 11:44:47 CET by brenno
link to page
GNU / GPL (Copyleft) The spyware that Sony installs on the computers of music fans does not even seem to be correct in terms of copyright law.

This article is a translation of this article I wrote for Webwereld.

It turns out that the rootkit contains pieces of code that are identical to LAME, an open source mp3 encoder, and thereby breaches the license.
This software is licensed under the so-called GNU Lesser General Public License (LGPL). According to this license Sony must comply with several demands. Among others, they have to indicate in a copyright notice that they make use of the software. The company must also deliver the source code of the open-source libraries or otherwise make it available. And finally, they must deliver or otherwise make available the intermediate form between source code and executable code, the so-called object files, with which others can build comparable software.

Sony complied with none of these demands, but delivered just an executable program. A computer expert, whose name is known to the editors, discovered that the cd "Get Right With The Man" by "Van Zant" contains strings from the library version.c of LAME. This can be concluded from the strings: "", "0.90", "LAME3.95", "3.95", "3.95 ".

But the expert has more proof. For example, the executable program go.exe contains a so-called array largetbl. This is a part used in the module tables.c of libmp3lame.

This discovery can have far-reaching consequences for the music giant, which claims only to protect copyrights. Previously, judges in Germany have already forced various companies to release source code to the public and to deliver the materials necessary for compiling. It is also possible to demand financial compensation for damages.

Meanwhile, other details are also becoming clear. The Electronic Frontier Foundation complains that the spyware makes legal listening to the music on iPods impossible. The organisation is busy making a list of CDs containing the hidden software and publishes this on its website.

Various calls to SonyBMG remained unanswered despite promises to call back."
Regarding previous post about LAME, if you want to find LAME code from the CD as well, you only need to look as far as "ECDPlayerControl.ocx". Although there are 4 files total on the CD (including those compressed in XCP.DAT) that have LAME statically linked against them, it appears ECDPlayerControl.ocx is the only one that actually uses LAME.
“It's very important to remember that it's your intellectual property -- it's not your computer. ...”

I love that and it sums up all this crap the RIAA and MPAA (and any software maker) are trying to pull.

All this licensing stuff is the biggest bunch of bogus stuff I've ever heard.

It's funny how a person can't "reverse engineer" their software without going to court, but it's OK for THEM to do it to us.....????

I built my computer, therefore it's "proprietary", and here they go messing with it.

Why is this not a CRIMINAL act?!?

Civil rights groups should bust them down a notch or 3 with some civil suits, and I think some pressure should be brought to bear for criminal charges.
I had problems viewing a Sony/Universal Pictures rental DVD on my computer some weeks ago. I recently contacted Sony/Universal Pictures in Sweden about this problem, after a colleague informed us about the discussions regarding the new "anti-copying" software on CDs in the U.S.

The sales manager at Sony/Universal Pictures contacted their London office and verified that there is a new "anti-copying" protection on their DVDs (only in Europe?) that might make it impossible to view their films on certain DVD players on computers.

I am using my computer to see digital TV and films. The new Sony film I could not see on my computer (the trailers worked fine) did not work well with either the new (bought this autumn) Sony DVD player/burner or an older Asus DVD player.

I also learnt that the Sony "anti-copying" protection (spyware) on CDs this far only applies to Sony CDs sold in the U.S.

Is it the same "anti-copying" protection (spyware) used on Sony CDs that is being used on their DVDs?
Why is no one discussing the problems experienced with Sony/Universal Pictures DVDs?

In the Christmas holidays I am replacing the Sony DVD player/burner on my PC with that of some other producer and re-installing my whole PC. Then I will not play any Sony CDs or DVDs on it until they have removed their "PC harming" software. Who will repay users for all this extra work with their PCs caused by the Sony software?
USA Today Article: "Sony to pull controversial CDs, offer swap"
In regard to the question by kelly o: 'a window popped up saying "'sc' is not recognized as an internal or external command' - SC.EXE was added in XP - if you're on Win2000, you don't have it built in, however it's in the Win2000 Resource Kit (which is not a free download, unlike the Win2003 Server Resource Kit tools).
Both First4Internet and Sony have created the same EXPERIENCE as I have using ANY airport since 9/11, but on a virtual level and in my own personal space while using my own personal property.

I now have no JOY looking forward to using ANY CD/DVD for any Media experience, on any system I own.

Additionally I now have great trepidation even contemplating inserting any CD/DVD which may or may not require ADMIN privilege.

The Concept of allowing Auto-Run to be enabled on any system I own is now something of a past memory.

Never would I have thought that a respectable international company would be the cause for me to quarantine any and ALL Media devices from my systems.

The risks are too great to presume that any media player that requires Admin privileges to install so that I might somehow enjoy the media it contains, could not somehow expose myself or others using my systems to great personal harm by forcing me to lose my privacy and possibly placing myself and others who use my systems one step closer to Identity Theft by using such software.

In some ways I feel like I have just virtually removed a very large portion of features ("which was part of how I chose my systems at purchase time") so that I can implement my own personal form of Homeland Security to ensure my personal property is safe from companies who feel that "Virtual Terrorism" is justified under the auspices of DRM.

Both of these companies REFUSE to provide a list of clients and/or media this technology is currently being used with.

Both of these companies refuse to admit the Full capabilities of what this software did/does/can do.

Both of these companies have publicly made many statements that have been proved to be false regarding what this software cannot do.

We ALL need to remember that Terrorism does not by definition require a use of violence!



"The unlawful use or threatened use of force or violence by a person or an organized group against people or property with the intention of intimidating or coercing societies or governments, often for ideological or political reasons."

These actions are nothing short of Virtual Terrorism; the possible exposure of our personal data currently retained on both private as well as government systems, just by this software being present on any of these systems, cannot be called anything less.
Both First4Internet and Sony should also be working on or releasing a STUB of some kind that should STOP a re-infection by using any of these CD's which are in the "Wild" already.

If they are not working on something like this they are being very irresponsible, it should be easy to make something that will NOT allow this to cause a re-infection when these CD's are inserted anytime in the future.

This should be done, because only the "Root-Kit" portion is being uncloaked by other companies.
If anyone can answer this for me I would greatly appreciate it!!!!

I plan to update my Windows 2000 operating system. In doing so, will this eliminate the rootkit that Sony has installed onto my hard drive?
I just want to say thanks with all the rest for the information and especially the FIX! My son actually asked me about installing this software when the request popped up (I guess all of the 'lectures' about safe computing worked!). I installed it so I could see what was happening, and so he could get the songs (paid for) onto his iPod. Not only did the method SONY sent NOT work to get the songs onto his iPod, my PC really took a hit.

It has taken me hours of time to try to find out what had happened to my PC. Spyware runs, registry cleaners all seemed to miss this and my PC was really bogged down.

Last night I tried the one line registry fix and my machine went from taking 7-8 minutes to shutdown to about 1 minute!
This whole affair brings to mind the Wheatus album 'Suck Fony'

PS Nice one Mark well explained
Sony’s Web-Based Uninstaller Opens a Big Security Hole; Sony to Recall Discs Tuesday November 15, 2005 by Ed Felten and Alex Halderman

Halderman and Felten write:

"The consequences of the flaw are severe. It allows any web page you visit to download, install, and run any code it likes on your computer. Any web page can seize control of your computer; then it can do anything it likes. That’s about as serious as a security flaw can get."
It's not much of a surprise that Sony/First4 have botched the uninstaller, and in a way that seems even more cack-handed than the original kit.

If we are to believe that the rootkit was designed over a long period of time, was tested and secured (scoff), before release, AND they still managed to make a sow's ear of it.

What are we to expect the same "coders" are going to produce under duress?

It shows that this blog obviously had Sony in such a fangle that they just spasmodically make the uninstaller available without giving it any thought.

No, thats not right. They did give it thought. In their attempt to isolate the issue, they made the uninstall process take place over ActiveX, rather than proliferate an uninstaller anyone could use.

Did the uninstaller prompt any of you for an admin password?
Sophos have done a nice poll:

98% of business PC users say Sony DRM copy protection is a security threat
Only 2% say it is a fair way to fight music pirates
Though the focus, for now, is on Sony-BMG CDs, Sony does sell computers (Vaio) with pre-installed software. Does anyone know if these computers are sold pre-infected? Guilt by association.
To "kelly o" and "david solomon": sc.exe is available in a few places aside from purchasing the Windows 2000 Resource Kit:

It's also available in the Windows Platform SDK, which is a free (but big) download.
Watching Sony respond to this situation has been extremely disappointing for me. I currently own many Sony products and I am hoping (wishing and praying actually) that Sony will change course so that they will not deserve to become the target of a boycott. I have been a fan and major customer of Sony for most of my adult life, but I am not blind. I see that Sony has not been profitable for some time, and to an outside observer it looks as though they are becoming increasingly desperate and are making more and more decisions that seem unwise and rushed. I think that you are doing the right thing with this blog. Hopefully pressure from the gadget buying public will cause Sony and other corporations to act more responsibly and value the consumer more.
Sony DRM infection removal vulnerability uncovered
Tool is worse than original infection

"It seems the 'cure' from Sony involves downloading an ActiveX control called CodeSupport. This is a signed control that lets just about anyone download, install and execute arbitrary code on your machine.

See a problem? See a big problem? To make matters even funnier, the uninstaller, supposedly anyway, leaves this control on your machine. So, the Sony uninstaller is not a total uninstaller, it leaves a hole you can drive a truck through on your system, silently of course."

Sony rootkit DRM: how many infected titles?
Intrepid blogger starts counting

"Sony says that only 20 titles, which it refuses to name, contain the XCP virus - software which attacks music piracy by attacking your PC. But is it being economic with the actualité?
Click Here

Reg reader Geoffrey McCaleb has found no fewer than 47 titles containing Sony's DRM rootkit. They are spread across several sub-labels owned by Sony-BMG, so it looks like a little finessing is going on."

Sony pulls infected CDs from shelves
No love if you have one already though

"The official reason is that there is an exploit running around, so it is making a half-hearted attempt to make things right. Now, this one fails the simplest logic test, if it was concerned about users, wouldn't it recall it from them? This does nothing to protect people who have already been injured by Sony software, but it does do a lot for Sony."
Researchers: Sony Patch Opens Huge Security Hole

"The Sony Web page where users can download the removal patch installs a program that remains on the user's PC even after removal tool has done its job, Felten said. And because of the way the tool is configured, he said, it allows any Web page that the user subsequently visits to download, install and run any code that it likes."
As to
>More importantly, Sony is making no effort to
>withdraw existing CDs that are already on the market

Amazon says it's treating the XCP CDs as defective merchandise and will offer a refund with shipping.

[Sony is] instituting a program that will allow consumers to exchange any CD with XCP software for the same CD without copy protection. We also have asked our retail partners to remove all unsold CDs with XCP software from their store shelves and inventory.
I didn't even buy it and I got, I played my brother-inlaws Van Zant cd on my laptop, so I got their great software for free. Lucky Me. I will follow your instructions and delete the "Aries dir."
Sorry for the extra copies OOOOPs
Mark: Here's a few thoughts to ponder.

Sony got caught - but what about newer technology that may be based off this - and not so easy to detect in the future. You are very knowledgeable in technical areas, but many others are not so tech-savvy.

Sony may be the first one, but I wonder how many other companies have done it already, or have learned from Sony's mistakes and are programming around the errors that they made?

Sony is also a well-known company. I wonder how many other smaller companies that distribute software are doing the same thing.

What does this really mean in the bigger scale of software development.
Nice to see that the recording industry does not back Sony in this case.

“It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days.”
All jokes about ActiveX aside, it's been found Sony's ActiveX installer DOES leave your machine very vulnerable:

Betanews, Sony Rootkit Fix Brings More Trouble

Dan Kaminsky has also tracked how many infected machines there are:

DoxPara Research, Welcome To Planet Sony

a slightly more readable article on it for some perhaps, based on kaminsky's discovery is on :

Wired News, Sony Numbers Add Up to Trouble
Just thought this was worth posting actually, from the wired article :

""If the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 USC 1030(a)(5)(A)." That's a criminal charge. But Granick doesn't see criminal prosecution of Sony any time soon.

"The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."

In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as-yet-unknown information about the compromised computers."
If anyone wishes to express their displeasure in person:

Name & Registered Office:
Company No. 03885544
The official UN-installer is UN-available for now...


November 15th, 2005 - We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days. Thank you for your patience and understanding.
It appears the pressure has worked.

Sony has now recalled all the CDs affected by this rootkit. They will replace any CD purchased and are removing unsold CDs from stores.

See a news article such as

Good work, Mark. ;)
XCP has spread far and wide as a manual virus!
What will the future bring?
On one hand we'll have Windows Vista which as an operating system will better protect itself against modification.
On the other hand we will be in the brave new world of 'trusted computing' which I'm currently reading up on.

The firestorm continues to rage in the media.

BBC: Sony recalls copy-protected CDs

"No detailed figures have been given by Sony for how many CDs are protected with XCP or how many have been sold.

However, work by respected net expert Dan Kaminsky found that more than 500,000 networks have at least one machine on them using XCP. "

The Register: Sony pulls rootkit DRM CDs

"Sony remains committed to releasing all CDs next year with some form of copy restriction measures.

How many people have been infected with XCP? DNS hacker Dan Kaminsky investigated by querying DNS servers with the address XCP uses to 'phone home', and found traces on over half a million servers.

Of these 217,296 were from Japan, 130,519 from the USA, and 44,421 from the United Kingdom. And one from Afghanistan."

The Inquirer: Governmental TLAs annoyed at Sony
National Security + Rootkit = Fun fun fun

"IF THERE IS ONE thing you don't want as a corporate entity, that is the governmental TLAs (Three Letter Acronyms) mad at you. Sony is in the unenviable position of having at least one involved in 'national security' type work a little more than livid at them."
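The "querying DNS servers" measurement quoted above is DNS cache snooping: a query sent with the recursion-desired bit clear is answered only if the resolver already has the name in its cache. The following is an added example, not code from the blog or from Kaminsky, for checking your own resolver in that way; the phone-home hostname is a labelled placeholder, since the comments do not reproduce the real one, and the functions return results so the parsing can be checked offline against a constructed reply.

```python
import socket
import struct

# Placeholder: substitute the XCP phone-home hostname from the original report.
PHONE_HOME_HOST = "phone-home.example.invalid"


def build_query(name: str, qid: int, recursion_desired: bool = False) -> bytes:
    """Build a DNS A/IN query. With recursion_desired=False the RD bit is clear,
    so a resolver answers only from its cache instead of fetching the name."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_cached_answers(resp: bytes, qid: int):
    """Return [(ipv4, ttl), ...] for A records in the answer section.
    An empty list means the resolver replied but has nothing cached;
    None means the reply does not match the query or carries an error."""
    if len(resp) < 12:
        return None
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not (flags & 0x8000) or (flags & 0x000F) != 0:
        return None
    off = 12
    for _ in range(qd):                     # skip echoed question section
        off = _skip_name(resp, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((".".join(str(b) for b in rdata), ttl))
    return answers


def resolver_has_cached(resolver_ip: str, name: str = PHONE_HOME_HOST,
                        timeout: float = 2.0):
    """Ask your own resolver, non-recursively, whether `name` is cached.
    A non-empty list means some client of that resolver looked it up recently;
    the remaining TTL hints at how long ago."""
    qid = 0x1234
    query = build_query(name, qid, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        resp, _ = s.recvfrom(512)
    return parse_cached_answers(resp, qid)
```

Run `resolver_has_cached("<your resolver IP>")` only against a resolver you operate; a cached entry is a lead to follow on the client side, not proof by itself.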
Not to get biblical here...

Talk about David and Goliath!

"In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security."

That's not hard to do, you just need to know where to look. Autorun should be disabled on government systems based on NSA guidelines, DISA STIGs and various other local or command guidance, but that's not to say it's done. Viruses do happen unfortunately and it would be interesting to see if anyone detected that on a government system. Although that would likely be classified if it did occur... But I'd be curious.
This morning my technical support staff tried to upgrade my PC to XP 2 and it crashed terribly. About 1/2 hour ago, I learned about this rootkit problem and I had had the Sony Botti CD in my PC a couple of weeks ago. THUS my question... does anyone know for sure if there is a relationship between this rootkit and the SP2 upgrade crashing? L.

Thanks for the great work with all the detail needed to bring this issue to light.

I would recommend that much of this information needs to be reduced to layman terms as far as how the software works (install, operation and lack of uninstall) and the ramification it has on all computers.

The purpose of this document would be for all concerned users to sign and send a copy to their senators and congressperson. Since everyone in Congress is not a computer expert, most if not all can understand issues like PC viruses. Unfortunately, most will not understand the requirement for an uninstall, much less a standalone version of it.

If such a letter existed, I would be sure to send my copy to my representatives as well as ask others to do the same. Perhaps we can use this to educate Congress about the need to protect computer users, whether it is a malicious hacker or a large corporation. And perhaps this letter would be appropriate for other countries as well.

With Congress's shoot-from-the-hip attitude about passing laws for high-profile issues in this country (Terri Schiavo, sexual predator laws, etc.), this one might actually deserve that kind of attention.

Thanks and congrats. Watched it all from start to finish(?)

It was fascinating to see which combination of tools you used to expose this.

You mentioned the Tivoli Typelib viewer tool: I downloaded and have used it, but please be aware there's a small but very misleading bug in the current release you link to (as at 19 Nov 05 15:20 UK time).

Tivoli say they are looking at it (cursor keys used in Typeinfos listbox fails to update the Members listbox) and hopefully will fix it soon.

Thanks again
Just to say that Tivoli have now fixed this bug (15:40 UK time : good going, guys) - so you may wish to delete this and my previous message.

Either way, thanks for doing what you did. Excellent work. Top Chap.
Very nice job, Mark.

I have a question though: why weren't/aren't you equally angered or outraged by MS "activation" on Windows XP?

It seems to me that the motivations, implementations, and effects are very similar. Both the Sony Rootkit (SR) and MS Activation (MSA) add user risk by attempting to obscure some portion of your system. I would judge the risk from MSA to be much greater, albeit much later in time (so most people haven't thought about it yet, although the Massachusetts ODF people are starting to, I think). Judging from the way MS withdrew support for NT4 (before NT was even reasonably bug free, security wise), the opportunity to get XP activated by MS will end at some point, at which time you WILL lose all access to your data when you do your next hardware upgrade (unless you want to pay MS for its new offering at that point, which may or may not meet your needs and may or may not be compatible with your data). Both SR and MSA install stuff on your computer whose primary purpose is to obscure details of your system from you, and whose intent is to put some portions of your system outside of your control. For the SR, presumably only material obtained under a DRM agreement is involved, but for MSA, all of your data, which may be worth millions of dollars to you, is involved.

I don't really want to chide you all that much - you have done us all a great service for a long while, and in doing so, I know that it is important for you to maintain a good working relationship with MS. But, I would argue, the most important thing that an OS does is to give us access to our data, and I would hold that nothing, ever, should be placed in an OS that puts our data at more risk than it needs to be. I understand MS's desire to "protect" its "IP," but somehow, protecting a paying customer's investment in his data (which may have incalculable value) should not take a back seat to preventing someone, somewhere (who will very likely not buy XP anyway, if he cannot steal it), from "ripping off" a $150 or so copy of XP.

Anyway - think about it - the two situations are much less different than many would have us believe. MSA has been the trigger point to migrate me from MS to Linux, and, if you think about it, it should also be the trigger point for most other people who accumulate data of any significant value.
The main point that I see in all this is that the ultimate result here is that I am more likely to seek out musical recordings which are already converted to mp3/ogg/etc, than I am to risk purchasing a physical disk which may or may not work the way I need it to or may compromise my system(s). So in Sony's shortsighted attempt to limit profit loss by theft they are applying penalty in advance to the consumers who are PAYING them.
bill_meister said...

"So in Sony's shortsighted attempt to limit profit loss by theft they are applying penalty in advance to the consumers who are PAYING them."

I couldn't agree more. I personally made the mistake of buying the SONY MiniDisc and well that was my calling. After that experience with SONY I never have and never will purchase a SONY product again, let alone trust them on anything that is software based.

For whatever it's worth I have also been following the DRM issue on the NEW DVD format wars and I will not be supporting Sony & Company's Blu-ray specification.
I suggest you all read up and get yourself informed on it.

Power to the People
As someone who makes his living from the creation of software I fully understand the need to protect intellectual property. However, this latest stunt from Sony is despicable and I hope it costs them a lot of money in the courts.

I think there is a case for them to pay for any consequential loss incurred; some users will not have the technical skills to remove the software and may need the services of a specialist company. Obviously after being the victim of this abuse, users can’t really be expected to trust the perpetrator of this crime to fix it. So they would need to pay for a suitable anti-virus solution and they would need to pay indefinitely to keep this updated to avoid any future viruses written to use Sony’s exploit. Users may also consider claiming for lost time in the research, investigation, analysis and implementation of the solution to the Sony rootkit. Surely Sony should be forced to replace the CDs with legitimate CDs that contain just the music that each client contracted to purchase.

Any judge considering this case needs to consider the cost of viruses; this link shows that a single virus like Slammer costs close to 1 billion dollars, and Sony's is worse because different viruses can be written using the Sony exploit.

The Sony exploit shows an incredible arrogance on Sony’s part; the decision to implement this rootkit must have been made at a very high level, certain in the knowledge of the potential dangers. I find it incredible to think that Sony could treat its customers with such contempt.

The problem with the whole music and film industry is that they have simply failed to understand why people illegally copy their CDs and DVDs. Yet with a little lateral thinking the whole problem of copyright theft could be obliterated almost overnight.

The problem is a simple one: GREED. Sony and others have the right to sell their products at any price they choose, but if users can purchase an empty CD for 20c or less in their local store, this does make one wonder what price Sony pays. So is it any surprise then that many people feel ripped off when asked to pay up to $30 for a CD? The same issue applies to DVDs.

The solution for Sony and other companies is not DRM or rootkits; the solution is to simply drop the retail price of current album CDs and DVDs to $2 and $5 respectively. I am not talking about old titles, I mean new releases, oldies, compilations – everything. This price should also be the same worldwide to prevent grey importing.

Consider the impact of this for a moment:

Customers at every level would buy many many more CDs and DVDs with their disposable income and people could start collecting again.

Pirate copiers would be put out of business; after all, why would any customer take the risk of buying a dodgy CD or DVD if they could buy the bona fide product for a very low price?

Internet users also would not waste the time downloading and producing their own bootleg CDs if they could just buy them for two dollars. Never mind wasting days downloading and authoring DVDs.

The legitimate download sites could still operate but again at much lower prices; for 10c a song, people would be flocking to create their own compilations for reasons of affordability and convenience.

The record companies would do very well; I am convinced that they would sell at least 10 times their current levels. Distributors and music stores would also benefit as long as their margin percentages were kept the same as they are now.

The artists would also benefit, they would not only benefit from the increased sales but also from increased exposure as more customers would try out their albums because they were affordable.

Surely this pricing strategy has not escaped the record companies, surely they can see the goodwill this would generate and how it would wipe out piracy. I guess we will just have to wait until they can see sense, meanwhile, I hope we do not have to put up with any more crazy stunts like the Sony debacle.
You are an inspiration to me! It is great to see someone that not only has such a great talent for figuring out how something works but then the interest to know it's a violation of privacy and a major infringement, and the nuts to blow it up for the whole world to see. Great stuff,
-Mark E.
Ironically, it's now safer to play pirated MP3 files on your PC than to purchase and play the original Sony CD!
Since I had played my wife's Natasha Bedingfield "Unwritten" on my machine, I expected it to be compromised. Running the removal command gave
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service

This suggests I am clear. I took a look at the CD (UK bought), and there is nothing to indicate copy control, but there is a little box which indicates that it is PC compatible but not compatible with a Mac or others. There is also a link to a which is a polite corporate rant against piracy.

I will now check every CD for indications that it is PC compatible but not Mac and treat it as a good indication that it installs hidden software.
Thank you Mark. It was outstanding. I also would like to point out to everybody that Windows does not require Admin privileges to install programs. In fact, as with the Sysinternals tools, it might not require an install at all. It is up to individual programmers and companies to require Admin privileges. So the right question would be: why do software companies, including Microsoft, demand those privileges when installing their product? The second question would be why users blindly give it to them.
To zappo69:

While I agree in principle with your comments, I couldn't disagree more with your pricing: WTMWB (what the market will bear) applies here, and $2 CDs would barely break even if the retailer took no profit from it. It costs about $2 to produce a CD by the time you pay for the materials, artists, art design, publishing, shipping, etc. (I wonder how much more per platter SONY paid for all the bad PR of DRM? If we have any say in it, that cost will be going up!) At the minimum, CDs need to go for between $5 - $10 in order for the content provider and retailer to make any money at all (which they should).

DVDs are priced depending on how well the movie did in distribution: The better the movie did, the cheaper the DVD. While this seems backwards, it is based on a simple formula: If the movie did well, then it has already paid for itself, and the DVDs don’t cost that much in production and material costs, so they are basically just gravy. If it bombed, then they still need to recover their original investment, and with the expectation that fewer people will buy the DVD, it will come out with a higher price tag. If it does sell well, then the price will come down as the film breaks even, and then starts to make money. Many movies don't actually make money until the DVD comes out. (A classic example of a movie that bombed until the after market was "The Wizard of Oz" – When it was released, it didn't break even, let alone make any money, until many years later when it became an annual television "Special Event".) A $5 DVD would mean that the high quality of visual entertainment we have become accustomed to would be limited to only the most obvious potential hits (say another Star Wars film), since there would be no way to guarantee a recovery of investment. Honestly, due to the difference in production costs, DVDs are not nearly as badly price-mismatched as CDs are.

Please understand, I am NOT against SONY and others making a profit on their intellectual property, or getting what the market will bear (WTMWB) for it. I just see the drop in CD sales as an indication of more and more people deciding that they can't afford the current pricing. The big companies see this as a battle with piracy, but it is really an indication of WTMWB.

My original complete response to your comment went on much too long to be a proper comment, so I made a blog with the full content of my thoughts on this. If you are interested in the full thing, go to
This whole story shows us exactly what DRM really is. It's evil and should be avoided by any means. This acronym has to be read properly as Digital Restrictions (not "Rights") Management, because restrictions, and not rights, are what DRM is really about.
If you buy a book, you have the right to copy it for your own use, for your family and/or relatives - that's fair use. You have the same right to do it with music and movies, but the record and movie companies with their copy-protection schemes are forcefully restricting this right - in any way, even by destroying the data on your computer; it means nothing to them.
The big businesses have the strength to enforce something on consumers - the consumer is always in the weaker position as he/she depends on the business. Therefore, the law should protect the weak ones from being abused by the strong ones, and not the opposite! Protection of consumers' rights should ALWAYS be more important than protection of the "intellectual property" of big businesses. But the current copyright law, allowing use of DRM and similar techniques, is doing exactly the opposite - it protects the big, strong businesses from the weak consumers. Do the businesses really need such protection? Or do they simply want to exploit the consumers, get all the money out of them?
Whenever I buy a CD, I check the cover carefully to see if it's copy-protected (the copy-protected discs are in fact not CDs, as Philips said that they are not standards-compliant and have no right to use the registered mark "Compact Disc"). If it is, I never buy that disc. I think all people should do so, then the record companies will eventually get the idea that the consumers don't want restrictions on what they can do with the music/movies they paid for, and stop using copy-protection.
I think that in the case of copy-protected discs and videos using pirated copies is a morally better solution. The companies that use copy-protection are doing bad things, and we have the right to protect ourselves when someone is doing bad things to us. Let's buy the regular, unprotected CDs, but when it comes to protected ones, better wait until someone makes a pirate copy, get that copy and listen to it. If it were possible, we could send some money directly to the artist, bypassing the record company ;-)
The sc command doesn't seem to exist on Win2K systems, though it was on WinXP. Where does it come from?
This is a direct link to the Sophos removal tool - the previous one given is a torrent:
It probably cost Sony-BMG at least half a million dollars to get that flawed software onto their CDs, they have alienated thousands of customers, have to replace untold numbers of 'defective' CDs and still have numerous lawsuits to settle - final cost could run into millions -- and the funny part is that the copy protection could be defeated with a simple piece of tape along the outer edge of the 'protected' CD

Hopefully other music companies will learn the futility of copy protection and not follow Sony's example.

Would someone please wake up whoever holds the title of "General Counsel" at Microsoft?

Excuse me, but as a commercial software developer, if someone wrote an "add-in" that modified my executables, I'd be screaming bloody murder!

I would have suspected that they would have loaded up a new 787 chock-a-block full of pointy-headed lawyers and aimed at New York within 24 hours!

So someone at MS is calling it Spyware... Someone at Microsoft needs to read the Microsoft Windows and SDK Development Kit EULAs.

I can guarantee you that when the Microsoft legal team negotiates with you, you won't have to pay off a couple of class action vultures a million and dish out a few hundred kibbles to end-users. You'll have a limp for life.

3 downloads?! Whoo hoo! Par-tay! They sure learned not to mess with us! Look, the only way to make them pay attention is to file criminal charges and get big judgements where justified.
I wonder what Cher is making of all this?

I'd hate it if one of my ex-husbands got into so much bother...
And I was only trying to find out why my CD drive stopped working! Great Blog. CD drive still doesn't work though.

Didn't really realise until last year that Sony make a habit of being difficult. My DV cam uses a Micro MV format nothing reads, especially my Mac. Their advice... buy a Sony PC. Hmmm.

Even their attempt at digital music encoding assumed we would all stop using MP3 over night.

I do love my PS2 though. Sorry.

If you have some spare time, fancy popping over to London and 'investigating' my CD-ROM drive?

Keep up the good work!

Mark, Thanks for the info. Any comment on the other software Sony is using? MediaMax by SunnComm.

First off Mark, kudos and thank you. I am one of the millions of users thanking you. Secondly, many of your other posters are correct. Losing money to these media giants is the only thing that will make them listen. If you are Goliath and have billions of dollars, why should you listen? I personally am through with Sony products. Thanks again Mark!
Wow -- well done old boy! Thank you for taking the time to investigate this so thoroughly! Hats off to you!
What most people don't realize is that DRM is starting to be accepted by other software as well. There is a portion within each music file that looks for the DRM software, if it's not installed, it then looks for the "License" and installs it. I've found this in Winamp and iTunes. Watch out Pod'ers!!
Incredible work Mark. I'm going to send a link to this blog to everyone I know.

Then I'll be heading downstairs to the basement to unpack my trusty old turntable.

Let's see if Sony can put a tracer on my vinyl!

Looks like there's only one solution for all of us...
...go back to vinyl. Pull out the old records and dust off the turntable.
I'm impressed, Mark! Your ethics as well as your coding skill is outstanding! Normally, I like Sony's product idea, but this stunt is giving them bad marks in my book.

Keep up the spirit, and thank you for your work!
Usually I would say Sony rules but this time IT only s...s. :(
Thanks for your work and the information Mark ! :)
If you have installed the Sony DRM software (XCP or MediaMax 5) between certain dates you may be entitled to a remedy. There is now a link on the SonyBMG website to the class-action settlement website: