Sysinternals Freeware - Mark Russinovich & Bryce Cogswell

Mark's Sysinternals Blog

Sony: You don’t reeeeaaaally want to uninstall, do you?

A few days after I posted my first blog entry on Sony’s rootkit, Sony and Rootkits: Digital Rights Management Gone Too Far, Sony announced to the press that it was making available a decloaking patch and uninstall capability through its support site. Note that I said press and not customer. The uninstall process Sony has put in place is on par with mainstream spyware and adware and is the topic of this blog post.

As I’ve stated several times already, Sony’s rootkit hides the Digital Rights Management (DRM) files from users that have it installed, so users not monitoring the developments in this story are unaware of the scope and intrusiveness of the DRM. The End User License Agreement (EULA) does not provide any details on the software or its cloaking. Further, the software installation does not include support information and lacks a registration option, making it impossible for users to contact Sony and Sony to contact its users.

What if a user somehow discovers the hidden files, makes the connection between files and the Sony CD that installed them, and visits Sony BMG’s site in search of uninstall or support information? Or what about the unsuspecting Sony DRM user that happens to visit the Sony BMG site to look at their other offerings? Will these customers learn about the patch and uninstaller?

See for yourself. Visit and search for the support site Sony has made available to the press. There’s no information on this story anywhere on the front page, no support link, and the FAQ only contains information about Sony’s merger with BMG. The fact that Sony’s announcement was directed at the press and that they’ve made no effort to make contact with their customers makes the patch and uninstall look solely like a public relations gesture for the media.

Sony even gives those users like me that are aware of the “uninstaller” several hurdles to jump over. First you have to go to Sony’s support site, guess that the uninstall information is in the FAQ, click on the uninstall link and then fill out a form with your email address and purchasing information, possibly adding yourself to Sony’s marketing lists in the process.

Then, after you submit the information the site takes you to a page that notifies you that you’ll be receiving an email with a “Case ID”. A few minutes later you receive that email, which directs you to install the patch and then visit another page if you still really want to uninstall. That page requires you to install an ActiveX control, CodeSupport.Ocx, that’s signed by First 4 Internet, enter your case ID and fill in the reason for your request. Then you receive an email within a few minutes that informs you that a customer service representative will email you uninstall instructions within one business day.

When you eventually receive the uninstall email from Sony BMG support it comes with a cryptic link in the form (I’ve modified the link so it doesn’t work) to your personalized uninstall page. Interestingly, the email carries a confidentiality notice, which implies to me that Sony has something to hide, and it informs you that the uninstaller will expire in one week.

If you visit the uninstall page from the computer where you filled out the first uninstall form then the DRM software is deleted from your system. However, if you visit it from another computer the page requires you to install the same CodeSupport ActiveX control as the uninstall-request page, but then even if the computer has the DRM software installed you get this error:

Besides the obvious question of why there’s not a universal uninstall link, the error also begs the question of how the Sony site knows that the uninstall link is for a different computer? For that matter, why do you have to install an ActiveX control just to fill out a web form and why does that form have to be filled out “using the computer where the software is currently installed”? The email, web page and ActiveX control offer no hints.

I of course decided to investigate. A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data:

A Regmon trace of the ActiveX control’s activity when you press the submit button on the Web page reveals that the encrypted data is actually a signature that the control derives from the hardware configuration of your computer:

The uninstall link Sony sends you has your case ID encrypted in the address, and when you visit the uninstall page the ActiveX control sends the hardware signature to Sony’s site. If the signature doesn’t match the one it stored earlier with your Case ID when you made the second uninstall request, the site informs you that there’s a case ID mismatch.
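As an added illustration (not Sony's or First 4 Internet's code; the post does not reveal how CodeSupport.Ocx computes its signature), here is a Python model of the workflow reverse-engineered above: the hardware signature is assumed to be an HMAC over constructed hardware attributes, the case store and one-week expiry follow the post, and a visit from a second machine reproduces the "case ID mismatch" error.

```python
import hashlib
import hmac
import secrets

# Constructed secret standing in for whatever key the real control embeds (assumption).
CONTROL_KEY = b"constructed-example-key"
LINK_LIFETIME = 7 * 24 * 3600  # the post says the uninstall link expires after one week


def hardware_signature(attrs: dict, key: bytes = CONTROL_KEY) -> str:
    """Derive a stable per-machine signature from hardware attributes.

    Sorting the keys gives a canonical string, so the same machine always yields
    the same signature and any change in the attribute set yields another one.
    (HMAC-SHA256 is this model's choice; the real derivation is not known.)
    """
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class UninstallServer:
    """Model of the server side of the two-form uninstall workflow."""

    def __init__(self):
        # case_id -> {"email", "signature": bound hardware signature or None, "bound_at"}
        self.cases = {}

    def open_case(self, email: str) -> str:
        """First form: email and purchase details only; no hardware data yet."""
        case_id = secrets.token_hex(4)
        self.cases[case_id] = {"email": email, "signature": None, "bound_at": None}
        return case_id

    def request_uninstall(self, case_id: str, signature: str, now: int) -> str:
        """Second form: the control posts the hardware signature and it is bound to the case."""
        case = self.cases.get(case_id)
        if case is None:
            return "unknown case ID"
        case["signature"] = signature
        case["bound_at"] = now
        return "uninstall link will be emailed"

    def visit_uninstall_link(self, case_id: str, signature: str, now: int) -> str:
        """The personalized link: the control re-sends the signature for comparison."""
        case = self.cases.get(case_id)
        if case is None or case["signature"] is None:
            return "unknown case ID"
        if now - case["bound_at"] > LINK_LIFETIME:
            return "uninstall link expired"
        # Only the machine whose signature was stored at the second request passes.
        if not hmac.compare_digest(case["signature"], signature):
            return "case ID mismatch"
        return "DRM software removed"


# Constructed hardware attributes for two machines that both have the DRM installed.
HOME_PC = {"cpu_id": "0000-0F43-BFEB-FBFF", "disk_serial": "WD-WXE1234", "mac": "00-0C-29-11-22-33"}
OFFICE_PC = {"cpu_id": "0000-0F43-BFEB-FBFF", "disk_serial": "ST-98765", "mac": "00-0C-29-44-55-66"}


def run_scenario() -> dict:
    """Walk the flow through on one machine, then reuse the link from another."""
    server = UninstallServer()
    t0 = 1_131_500_000  # constructed timestamp (November 2005)
    case_id = server.open_case("user@example.invalid")
    server.request_uninstall(case_id, hardware_signature(HOME_PC), now=t0)
    return {
        "same_machine": server.visit_uninstall_link(case_id, hardware_signature(HOME_PC), now=t0 + 600),
        "other_machine": server.visit_uninstall_link(case_id, hardware_signature(OFFICE_PC), now=t0 + 600),
        "after_a_week": server.visit_uninstall_link(case_id, hardware_signature(HOME_PC), now=t0 + LINK_LIFETIME + 1),
        "bogus_case": server.visit_uninstall_link("deadbeef", hardware_signature(HOME_PC), now=t0 + 600),
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The "other_machine" result is the corporate-deployment problem in miniature: a link bound to one machine's signature cannot be reused across a fleet, so every infected PC needs its own two-form round trip.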

While I’ve answered the question of how the uninstaller knows if the uninstall link is for your computer, I can’t definitively answer questions like:

  1. Why isn’t Sony publicizing the uninstall link on their site in any way?
  2. Why do you have to tell Sony twice that you want to uninstall?
  3. Why is the email with the uninstall link labeled confidential?
  4. Why does Sony generate a unique uninstall link for each computer?

Sony has left us to speculate, but under the circumstances the answer to all these questions seems obvious: Sony doesn’t want customers to know that there’s DRM software installed on their computers and doesn’t want them to uninstall it if they somehow discover it. Without exaggeration I can say that I’ve analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall.

For those readers that are coming up to speed with the story, here’s a summary of important developments so far:

The DRM software Sony has been shipping on many CDs since April is cloaked with rootkit technology:

  • Sony denies that the rootkit poses a security or reliability threat despite the obvious risks of both
  • Sony claims that users don’t care about rootkits because they don’t know what a rootkit is
  • The installation provides no way to safely uninstall the software
  • Without obtaining consent from the user Sony’s player informs Sony every time it plays a “protected” CD

Sony has told the press that they’ve made a decloaking patch and uninstaller available to customers, however this still leaves the following problems:

  • There is no way for customers to find the patch from Sony BMG’s main web page
  • The patch decloaks in an unsafe manner that can crash Windows, despite my warning to the First 4 Internet developers
  • Access to the uninstaller is gated by two forms and an ActiveX control
  • The uninstaller is locked to a single computer, preventing deployment in a corporation

Consumers and antivirus companies are responding:

  • F-Secure independently identified the rootkit and provides information on its site
  • Computer Associates has labeled the Sony software “spyware”
  • A lawfirm has filed a class action lawsuit on behalf of California consumers against Sony
  • ALCEI-EFI, an Italian digital-rights advocacy group, has formally asked the Italian government to investigate Sony for possible Italian law violations

More on the story here.

posted by Mark Russinovich @ 11:31 AM

Mark, did it wipe all the First4 files from your computer, or did the uninstaller still leave traces of it?

How can something so simple be made so complicated?

Here's something to think about. Once the initial patch is applied and the ActiveX is installed, I am wondering what kind of information is sent to Sony from your machine. It could be possible for them just to make a nice little blacklist of those customers that have removed their DRM. Heck, they could use the information to try and pursue these individuals and see their downloading habits etc.; there are a number of things that Sony could do with this information. None of which makes me feel any safer.

Again Mark, great work.
Slightly OT, but I did have a good look at that site.

Try turning everything off - Java, JavaScript - images, too. It doesn't exactly "degrade gracefully", does it?

Unsurprisingly, now we know what kind of company Sony is, the site shows a total disregard for the customer, and indifference towards special needs. Frames, flash ... you name it; it's there.

32 errors on the homepage alone.

I wonder how a blind person would cope with this site.

Would it pass Section 508? Is it even legal under access law?
The more I think about it, the more this seems like a worthwhile avenue to pursue.

First, we _should_ ask the question, "How easy would it be for someone with particular needs to get the uninstaller?"

Secondly, let's not forget that Al Capone was eventually brought to justice because of tax evasion.

I suggest that accessibility experts and lawyers need to look into the accessibility both of the site and of the uninstall procedure to ensure that disabled persons are not being illegally discriminated against.

Courts in most developed nations do not look kindly on such things, and the penalties can be severe:
Perhaps someone should consider making some sort of proof-of-concept to show just how dangerous this DRM crap *could* be. A tame exploit if you will. (Note that I didn't say virus - certainly not something that could propagate, but could only be used by a willing volunteer, and would be easy to remove.)
Right now the level of Sony rootkit "infection" is a bit low for random-attack malware to efficiently exploit it. Is there any way for any malware vendors to tap into either of these communication streams? If this can be done, then suddenly the infection efficiency of the malware would climb to circa 100%.

In other words, even if Sony itself never does anything with this nice pipeline they've installed into our computers, it is certain that someone else will, soon.
It's not like you don't have other things to do but I was wondering if you could test to see if the ActiveX control that is installed and apparently required for removal is itself removed after the uninstall is completed successfully? After all, ActiveX is a notorious vector for bad behavior for third parties (aka Sony in this case).
Along the same lines, it is interesting that the installer doesn't require this ActiveX software to add the rootkit. I wonder why it's required to remove it? I would think any functionality needed for the uninstaller could be included in the uninstaller itself (such as the encryption generation) without the need to resort to a separate ActiveX control. Or maybe it is how Sony tracks the unique ID between web sessions?
As I have been following the links in all the various blogs, other CD users have reported that their CDs would not work with DRM-enabled CDs. This leads me to speculate (paranoia) on a couple of points. What happens if the DRM technologies are incompatible? Even worse, dirty tricks: company A's DRM actually kills company B's DRM.
Why doesn't someone, other than Sony, create an uninstaller? This would quickly propagate around the blogging world and make it available to anyone.
California Department of Consumer Affairs

400 R Street, Suite 1080
Sacramento, CA 95814
(800) 952-5210 (California residents only)
(916) 445-1254 (Sacramento area / out of state)

Or contact your CA legislators

The good news is that right now is when they are thinking about what the bills for the next year should be.
Let's engage in a little reverse engineering on this:

Q: Why isn’t Sony publicizing the uninstall link on their site in any way?

A: Because they want their users to be able to easily locate the uninstaller, so they can easily uninstall the rootkit.

Q: Why do you have to tell Sony twice that you want to uninstall?

A: Just in case you decide, after telling them once, that it's all too much bother.

Q: Why is the email with the uninstall link labeled confidential?

A: If everyone knew the link then no one would be able to remove the software. Obviously, and logically (in a reverse way), the fewer people who can access the installer the more who can actually use it.

Q: Why does Sony generate a unique uninstall link for each computer?

A: This one is easy. A uniquely generated uninstall link, tied to a key generated by your hardware, means that Sony can ensure that everyone has used the installer on any and all infected machines. How else would they know?

So there you go, Sony really has put all these hurdles in place for our benefit. It's what consumers want. Just as well that Sony is listening to their consumers, otherwise I don't know what we'd all do.
Why doesn't someone, other than Sony, create an uninstaller?

I think the problem becomes one of intellectual property. Whose intellectual property is potentially hurt more by your uninstaller? Whom do you think Sony will go after faster? Mark, who exposed the rootkit, or the guy who builds the uninstaller to remove it?

As has been stated numerous times over the course of Mark's posts, this simply comes down to Sony believing that their intellectual property rights are more valuable (and thus more important) than your intellectual property rights. I really do hope that Sony is taken to task over this, because we really cannot allow any corporation, regardless of their size, to be allowed to get away with this.
What happens if the DRM technologies are incompatible? Even worse, dirty tricks, company A's DRM actually kills company B's DRM.

Never attribute to malice, etc... Unless the companies that are writing these things do interoperability testing, bad things are bound to happen sooner or later.
Actually I don't believe anyone would get into much trouble if they created an uninstaller for this. Because really Sony has no claim as far as their EULA goes for this application (since it is never mentioned). Therefore they have no grounds to charge you with breach of the EULA if you were to create an uninstaller.

Heck, if removing files from your computer without using the appropriate uninstaller was a crime then we would all be in serious trouble.
I'm wondering how Firefox users are impacted by this if at all. Since the rootkit requires ActiveX I'm wondering if it would be functional if someone had made Firefox their default browser.
This whole Sony DRM issue is by far better reading than any CSI-style TV show :).
Thanks Mark for the investigation, just so sad that professional reporters stopped reporting 50 years ago, now they just publish press releases with some personal touch added to make it look like their own story :(

I wonder if some Joe or Jane from New Jersey, or Hans or Greta from Germany, will take the very same DRM rootkit, press their own music disc together with 10 seconds of copyrighted tune "Banging on My Piano", include the same EULA, and give it away ...

Would the FBI and other EU police chase the "criminals"? Will Microsoft offer $$$ to find them? Will CNN report?

Makes me wonder ...
Feeling that the only way is to boycott Sony, so I will avoid Sony as much as I possibly can.
Wayne, it's the uninstaller that requires ActiveX.
Because really Sony has no claim as far as their EULA goes for this application (since it is never mentioned). Therefore they have no grounds to charge you with breach of the EULA if you were to create an uninstaller.

However, the rootkit is a component of the application which you already agreed to install. Underhanded, yes. But enforceable under the EULA? Potentially, as any sub-component of the main application is considered part of the application itself.

Note, I said potentially. Now, IANAL, but I think Sony being able to convince a reasonable person that the end user knew exactly what they were installing (rootkit and all) would be pretty slim. The possibility is there, but it's pretty slim IMHO.
I just got an email from Sony DADC, and even though Sony DADC is different from Sony BMG it might be interesting for some of you. In this email DADC mentions the news about Sony BMG's use of XCP by First4Internet. DADC does not try to dispute nor confirm this. They write that they do not use this copy protection scheme though; instead they use theirs, key2audioXS.

- quote begin -
Dear xx. xxxxxxx,

You may have seen recent news articles regarding Sony BMG purportedly using a Copy Control system with the name XCP from a company called First4Internet. This copy control system is said to use a rootkit based DRM system which makes it possible for viruses or other malicious programs ("malware") to use this rootkit to hide themselves on a user's PC. In this way, a virus or other malware may remain undetected even if updated antivirus software is installed.

We would like to clarify that Sony DADC does not produce any discs with the above mentioned copy control system XCP, rather only with our own market proven copy control technology, key2audioXS. Sony DADC's copy control solution is already used on about 50 mill. discs worldwide, with the highest compatibility certified by accredited test laboratories. key2audioXS does not install any rootkit on a user's PC and thus does not facilitate the possibility for "damaging attacks" from the internet. This fact has already been acknowledged by a leading antivirus software company.

For any further information and clarification please do not hesitate to contact our product manager xxxx xxxxxxxxxx
on +xxxxx/xxxxxxxxx.
[email protected]

Best regards
xxxxx xxxxxxxx
Product and Sales Management
Virtual Factory - Copy Control Solutions
For companies using a Snort IDS with updates from Bleeding Snort, a signature update is available depicting the Sony DRM rootkit -

Are you sure about that? I thought it couldn't contain the media player not IE. But here is the department you want:

This is the guy tasked with ensuring Microsoft complies with EU requirements:
Cor-pirations at their finest!!!

Review of Sony-BMG's EULA. Electronic Frontier Foundation.
Oops, too much cheap wine. I stand corrected.

It's Sans media player not IE.


Also, how can un-installing this be against ANY law? FORMAT C: would be classed as a felony.
People seem to be focussing on uninstalling the rootkit; I think we're jumping ahead of ourselves here. You're not going to uninstall it if you're not aware that you're infected.

Someone ought to write a script that detects the rootkit - this would especially be advantageous to home users and people not aware if they've purchased a Sony CD. [Do you recall the labels of the last 5 CDs that you've purchased? I sure don't. And what if friends/family/co-workers have put CDs into your computer?]

This would make non-technically oriented people aware that they have a problem and would be a great way to publicize the crap we're being asked to put up with. The detection program could then refer the infected user directly to the link where he/she can request the uninstall from Sony [if indeed this is worthwhile to do] or could refer the user to a website for further information and perhaps, eventually, a better uninstall script.

The best feature of this plan is that it doesn't put anyone in legal jeopardy, but it does make it easy for individuals to be certain they are infected - and it immediately directs infected individuals to sources of aid. It can also encourage non-technically oriented individuals to jump through all the necessary hoops to uninstall by making them aware of how big a security risk this rootkit poses.
The EFF says that the Sony EULA for the rootkitted DRM software effectively says:

*If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.

*You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."

*If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.

*You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.

*Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.

*The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.

*If you file for bankruptcy, you have to delete all the music on your computer. Seriously.

*You have no right to transfer the music on your computer, even along with the original CD.

*Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or make derivative works from the music on your computer.

This is so unacceptable I can hardly believe it. Who do these people think they are? It is time to really slap them down.
I ran into this issue yesterday when I purchased the new Neil Diamond (a first for me) disc. I couldn't bring it into ITUNES or more specifically the Windows Media player. So I returned it. I tried the email route and that didn't work. I called Columbia Records in NY (a long distance call) and was pointed to the wrong website. This email dialogue then ensued. (read from the bottom up)

Your ticket 0NNNNN has been Answered

That is correct - they are in error. We are not affiliated with any release by Neil Diamond. Furthermore, to set your mind at ease involving the albums we are affiliated with, we do not employ the use of root kits in our protection package. The recent news and controversy is pertaining to an alternate software vendor used by Sony. We do hope you have luck in getting this removed, and we are sorry we could not be of more assistance.
CLIENT: [email protected]
Sony BMG directed me to this site - were they in error?

-----Original Message-----
From: [email protected]
Sent: Tuesday, November 08, 2005 3:18 PM
To: ME
Subject: Ticket Answered: : My Morning Jacket-it Still Moves [029675]

Your ticket 0NNNNN has been Answered

Thank you for contacting us. We appreciate your purchase of this
copyright protected CD and apologize for any inconvenience.

Please note that while this CD may contain copyright protection, it does
not contain our copyright protection.

Thank you.

SunnComm Tech Support Staff

CLIENT: [email protected]
I returned the Neil Diamond CD "12 Songs" I purchased after I learned I
could not rip it to ITUNES (or Media Player) and after the rootkit was

Since I do not own the CD, I would like the software removed. Please let me know how I may do this. Thank you.

I needed to call twice more to Columbia - but eventually got someone in their IT group who pointed me to the Aurora site. In my case, I didn't need to verify anything (for some reason). I did state I didn't own the CD and wanted the rootkit removed. I ran a rootkit finding utility afterwards and I believe everything has been deleted.

Thanks again for the posts. It really is amazing that Windows users only are paying to have malware installed on their systems by purchasing these CDs. You would think the retailers would be applying pressure to Sony as well. Apparently they don't care either.
What are the artists saying about this?
Did that Van Zant band make any comment yet? Are they suing Sony for "hacking" into their fan's computer? Will they make their music available for free over the Internet?
I love you, man. Keep up the good work.
Why are Sony doing this? Here is a theory I've been working on: They have no morals?
Here's something interesting:

When you visit that bad URL it forwards you to

At that URL:

There are no updates!

It doesn't tell you how to uninstall it, if that's even possible!
Others have said it, but this is another argument for getting your music as mp3s from pirate sites - there is less danger doing this than using the latest CDs from the major labels.

So help spread the word: mp3s are less risky than all the spyware/virus/rootkits soon to be available from buying CDs!
># posted by Wayne_Fielder : 2:20 PM, November 09, 2005
>>I'm wondering how Firefox users are impacted by this if at all. Since the rootkit
>> requires ActiveX I'm wondering if it would be functional if
>>someone had made Firefox their default browser.

The rootkit does not require ActiveX to run - it requires ActiveX to be removed. So you can't remove it without using Internet Explorer.
I wonder if software like this (freeware) would prevent this problem from the get-go? Maybe you could copy the music so you don't need their player also.
this is the real terrorism facing our collective societies today; that of uncaring, profit-driven corporations against all people, regardless of colour, religion, gender, age or geography.

thanks Mark, for your good work.

The onus is now on the rest of us to contribute by making sure the corporate PR machines are unable to silence our dissent.
The solution should be obvious. Do not put one of these "CDs" into a computer running Windows!

The popular GNU/Linux operating system is immune to the rootkit, which takes advantage of the way Windows works. It's a reasonable certainty that somebody you know is already using Linux and your best bet is to ask them. But this is my attempt at a quick guide as to how to do it yourself. Because it's a quick guide, I'm going to concentrate on how to do it through the command line; Linux does have a graphical user interface but it's strictly optional, and power-users prefer typing in commands. It's quicker and it makes us feel like we're bonding with the computer :) Command lines have an undeserved reputation for being complicated, but I'm sure you will agree, this whole procedure is quite straightforward compared to removing Sony's rootkit :)

Go to and download the latest Slax ISO image {it's less than 190MB and will fit onto an 8cm. CD-R!}. Burn the ISO image to a CD-R with your favourite burning software {I don't know Windows but it must have a way to do this, look for something like "burn ISO image" in the menus} and then switch off your PC while the recently-burned disc is still in the drive. Switch back on, and let it boot from the CD {you may need to mess with your BIOS options to do this}.

At the boot: prompt which will appear if the Slax CD is being read right, type
slax copy2ram
{note! you do not have long to do this, but hitting any key will cancel the timeout} and wait for the login: prompt {which means everything is ready and Linux is up and running}. The login and password are rather helpfully displayed on-screen; enter them and you will get the # prompt {standard Unix/Linux superuser prompt}. By this stage you can swap the cd for the music CD you are interested in.
Now type
# cd /mnt
# ls
{the # is meant to be the prompt, so don't actually type it}
/mnt is the directory where -- if you are lucky! -- your hard drive partitions were mounted. The cd command selects a directory, use "cd .." to go back to the next level up. Cursor up and down scroll through previously-typed commands and the TAB key tries to finish off a name if you typed just the first few letters. Note that capital and small letters are treated differently and that spaces and punctuation marks will need a \ in front of them -- and if you are in the UK, the \ will actually be on the # key. Find a sensible directory to save your music files in, or create one with the mkdir command. Then just type
# cdparanoia -B
This will begin extracting the music tracks off the CD as a bunch of .wav files. If you want to convert them to MP3s then enter the following command {all on one line}:
# for i in *wav; do lame -h $i; done
If you want to delete the .wav files immediately after conversion, then use this command instead:
# for i in *wav; do lame -h $i && rm $i; done
You can change to a new directory and extract another CD ..... in fact you can do as many CDs' worth of audio as you can fit on your hard disk.

Other commands you might find useful:

# ls
..... lists filenames in the current directory
# mv filename new_filename
..... changes the name of a file
# rm filename
..... deletes a filename
# cd dirname
..... changes directory
# cd ..
..... changes to previous directory
# cp filename new_filename
..... copies a file
# less filename
..... displays a text file screen-by-screen

When you are done, remove the music CD. Press ctrl+alt+del, reboot Windows, and then do whatever you want with the .wav and maybe .mp3 files you just created. You probably will want to rename them or something.

I'm even going to have a go at making my own Linux-CD which will simply prompt you for the various steps involved.
Simple one, but of most concern to me is this:

Isn't it illegal under British Law (Computer Misuse Act) to amend the operating system of any computer without authority?

If this is the case, and i believe it is, then Sony are not just guilty of computer abuse, but they are guilty of the criminal charge of computer misuse and the Police are duty bound to investigate.

In fact it is possible that all senior executives would need to be rounded up and taken to the local nick for 72 hours to be checked out.

In all seriousness, if Sony have let this one out into the wild then they are guilty of a criminal act and the company that made the rootkit are guilty of conspiracy to cause computer misuse and are also liable for criminal prosecution.

Just a thought...
ajs said...
" The solution should be obvious. Do not put one of these "CDs" into a computer running Windows!

"I'm going to concentrate on how to do it through the command line; Linux does have a graphical user interface but it's strictly optional, and power-users prefer typing in commands. It's quicker"

Why not boot "toram" DamnSmallLinux or
PuppyLinux into Graphical User Interface?
CLI is pretty good for some tasks but not for any and all tasks...
Another thought is this...

If Microsoft are so protective of their software, why are they allowing a large corporation like Sony to launch a rootkit utility like this that can damage a normally working copy of Windows?

Also, seeing as MS are so keen to show how secure Windows is, how can they justify not putting a security update out that kills and removes this piece of crap software?
Great work Mark. Stick it to them.
Just one thing: "A network trace of the ActiveX control’s communication with the Sony site using Ethereal reveals that the control sends Sony an encrypted block of data"
That encoded text is a postback as used in .NET .aspx web pages. It's used to maintain state when submitting information back to the webserver. It enables the client to tell the server what is in the web form, and when the page is given back to the browser (as often happens when one is browsing) then no information is lost.
Excellent sleuthing Mr. Russinovich. I've been following this story for a while, and I am glad I can help spread the word of these criminal business practices to everyone I know. I've been boycotting Sony for some time now, thanks to their first bungle with malfunctioning DVD-ROM drives in the Playstation 2.

Now we have real evidence to their intentions of extorting consumers with cheap and now, invasive products.

Let's hope people really wake up though.
Dear Senator,

I’m writing you to express my concerns about the recent revelation regarding ‘root kit’ software that is being secretly installed on users’ computers when they agree to a misleading End User License Agreement from Sony / BMG.

According to recent research, said software uses the same techniques used by hackers to camouflage viruses and other forms of malware. Not only that, this software is so poorly written as to open the host system up to other, potentially more damaging attacks.

I work as both a software developer and network administrator for a Central Florida based company which creates applications used by the banking industry. Network security, and software security are an important part of my day to day thinking.

I want you to understand that the security vulnerabilities that Sony / BMG have inadvertently created are the kind that any competent hacker can fly a virtual 747 into.

I hope that you will urge the senate to look into this matter, but more importantly I hope that you will see the need for stronger and clearer legislation to protect users from companies that would use such underhanded techniques.

I urge you to read Mark Russinovich’s web log entries regarding this software, and take heed of his expert opinion on this matter.

Here are links to the relevant entries.

I thank you very much for your time and cooperation.


"We've been analysing the backdoor program which uses the Sony rootkit technology. ... When launching, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. Using this name makes it possible for the rootkit technology used by Sony to hide the activity of the malicious program."
The artists should consider suing Sony to get out of their contracts with them on the grounds that Sony is attacking their fans.

Surely one of the bands is going to comment on this fiasco sooner or later.
"That encoded text is a postback as used in .NET .aspx web pages. It's used to maintain state when submitting information back to the webserver. It enables the client to tell the server what is in the web form, and when the page is given back to the browser (as often happens when one is browsing) then no information is lost."

I posted the wrong screenshot. I've uploaded the correct one showing the encrypted packet.
@Damian - Great link. Sony will have to react to this and I hope Microsoft steps in to protect its customers.

Another extract from Damian's above link:

Sony rootkit backdoor program

Yury November 10, 2005 | 14:28 MSK

The first backdoor which utilizes the 'Sony rootkit' was detected today. We've classified this malicious program as Backdoor.Win32.Breplibot.b.

We're analyzing the program at the moment and will have more information soon. Watch this space.
*waves to Mark*

You're up early. Thanks again for your hard work and expertise.
The coverage of this story on the BBC has been consistently excellent. Today's instalment is "Sony sued over copy-protected CDs":

I guess it helps that the BBC is independent of all the major media conglomerates and RIAA members...
Editor of Dutch webzine WebWereld, Brenno de Winter, has taken some time to take a closer look into Sony's 'Rootkit'. He states: "The spyware that Sony installs on the computers of music fans doesn't seem to comply with copyrights." As it seems, certain pieces of code are identical to LAME, an open source MP3 encoder. An anonymous expert figured out that the CD 'Get Right' by 'Van Zant' contains strings from the library version.c from LAME. He stumbled upon: "", "0.90", "LAME3.95", "3.95", "3.95 ". This discovery could imply major consequences for Sony.
Looks like legislation is being considered against Sony. EXCELLENT WORK MARK!!! (bows to hero).
So what if the computer doesn't have an internet connection?
Been following this issue and haven't seen anyone address this question yet:
How would someone without an internet connection (perhaps they use public library computers for email and surfing) uninstall this? Does the installer or CD cover mention anywhere that an internet connection is required to use the disc in a PC? If not, how can SonyBMG require one to remove their software? I'd like to see how they respond to a user in this situation.
I have a friend of mine that has a Sony laptop. He told me that the latest update that he received from Sony caused his CD-Rom to disappear. He said that he spent long hours with Tech support trying to fix the problem, but they couldn't help. Ultimately, a friend of his helped him out.

Do you think this is a result of Sony putting this Rootkit on all "their" computers via updates?
Whose intellectual property is potentially hurt more by your uninstaller?

Then don't call it an uninstaller.
The rootkit apparently kills Vista Beta1 completely. There are hundreds of thousands of these dangerous discs already in circulation, and they will remain in people's collections for decades to come. Microsoft will have to break compatibility or specifically blacklist this driver and prevent its installation, or thousands of people are going to find their machines mysteriously made unbootable for years to come.
Symantec also declares this "rootkit" a "SecurityRisk". And Sony still claims this piece of shit to be safe and sound; it does not even compromise systems.
@zeh_: Yes you could start a GUI, but why would you want to? You know exactly what you want to do -- navigate to a directory, extract the audio from a CD and maybe MP3-ify it. I personally find it's a lot less fart-arsing about just to do all this the easy way. Anyway, you're not telling me that there's a quicker way to do the equivalent of
for i in *.wav; do lame -h "$i" && rm "$i"; done
in any GUI. Unless you include the time taken to learn the art of one-line shell scripts, but I just gave you the script; and if you follow the instructions precisely, it will work. And it would have taken longer to explain how to do it in a GUI.
Then don't call it an uninstaller.

That was a bit quick...

What if the uninstaller was called a tool to back up and restore your OS's hooks 'n' filters? Not specifically aimed at XCP, but a nice and handy tool for all Windows owners that, by mysterious coincidence, happens to safely remove XCP as well.
McAfee should now be able to remove the rootkit feature in Sony's DRM.


"With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP. Please note that removal will not impair the copyright protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP. System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself."

This will probably mean that the DRM will still use too much CPU power, and phone back to Sony?

you might want to publish these lists of CDs containing the rootkit:

Note that these are not just obscure b-grade music groups. Among them are:

Natasha Bedingfield
Ricky Martin
Celine Dion
Neil Diamond

i.e. Top 10 performers with 6-digit record sale numbers.
Can someone confirm that the rootkit software is NOT installed if you decline to accept the EULA?

Given the underhand nature of the software, and the fact that its sole purpose is to prevent you using your existing media players to play the CD, I'd be quite surprised if they didn't install the DRM software anyway, whether you decline the EULA or not - after all, the software has to run to even present the EULA in the first place.

(I have a machine that I've recently replaced, that I could test this on, but I don't have any of the infected CDs in my collection, and I'm not going to buy one!)
First backdoor exploiting the Sony rootkit out in the wild:
Fuzhi wrote:

"This will probably mean that the DRM will still use to much CPU-power, and phone back to Sony ?"

It's a decloaker that doesn't address the DRM.
"Can someone confirm that the rootkit software is NOT installed if you decline to accept the EULA?"

The software does not install if you reject the EULA and the CD ejects. The CD is not visible to Windows Media Player or iTunes.
If McAfee are leaving the DRM software in place, then they are NOT uninstalling XCP - they are only uncloaking it! The DRM software is still redirecting system calls to the CD drive, and is still using deliberately misleading process names.

You'll still be "rooted" even if XCP is uncloaked.
Mark, I have two questions if you have time....

#1. Does Sony's new service pack (Service Pack 2a) perform a "safe" decloak of the rootkit?

#2. Does Sony's uninstaller completely remove the copy protection software from your computer?

I'm just curious because I know that I will run into an "infected" computer eventually.
Mark said: "The software does not install if you reject the EULA and the CD ejects. The CD is not visible to Windows Media Player or iTunes."

??? I'm confused. A number of people have claimed that disabling autorun will prevent the "infection" from occurring. Others have claimed that the CD works fine in Linux and on Macs, which suggests that it's a standard Red Book CD. If there is no software installed, how can WMP or iTunes be prevented from seeing the disc?

Is it simply that the EULA stub keeps running, and blocks access until you reboot the machine?
>#1. Does Sony's new service pack
>(Service Pack 2a) perform
>a "safe" decloak of the rootkit?


>#2. Does Sony's uninstaller
>completely remove the copy
>protection software from your

It appears to, yes.
" If there is no software installed, how can WMP or iTunes be prevented from seeing the disc?"

It's not clear why the audio portion of the CD is not visible from within Windows. It appears to be a Windows driver incompatibility with the CD.
QUESTION: Does anyone have a link to all artists on the Sony/BMG label?

I refuse to buy (or even listen to) music created by artists represented by Sony/BMG moving forward.

Life's too short (and good music too plentiful) to support a company that acts this disrespectfully.
Mark said: "It's not clear why the audio portion of the CD is not visible from within Windows. It appears to be a Windows driver incompatibility with the CD."

Ah. I was under the impression that disabling AutoRun was all that was required to stop XCP from preventing Windows users using this CD as they do most other CDs.

I was under the impression that the anti-copy methods used in other schemes, which involve the deliberate introduction of errors so that a "CD" no longer conforms to Red Book standards, were "OS neutral", targeting the drive hardware. I'm surprised that it's possible to make a CD that Windows can't read that other OSs can, without modifying Windows.

More to the point, if they can do that, why do they need to install OS hooks at all? After all, requiring you to use their Media Player wasn't a problem for you.

That makes any possible claim that the installation of a Rootkit is required for DRM purposes even more obviously bogus.
"It appears to be a Windows driver incompatibility with the CD."

They boasted that XCP "wrapped around the audio transparently to standalone players" for whatever that's worth... so apparently they are gaming the Windows drivers.

Wouldn't that break with Longhorn?

Thus this emphasis on keeping their hooks in the users system?
Mark, thanks for revealing this intrusion.
I have a question: Roxio is able to copy the CD. Does this mean that the rootkit has been installed even though the CD has not been played with the included player software?
Why don't you just cut off the "phone-home" crap by using a personal firewall and NOT granting internet access to the SONY music player process?
>QUESTION: Does anyone have a link
>to all artists on the Sony/BMG

BBC NEWS have a news report on the Class Action Lawsuit; it has a list of affected CDs halfway down the page:

For the lazy, here is that list:

Trey Anastasio - Shine
Celine Dion - On ne Change Pas
Neil Diamond - 12 Songs
Our Lady Peace - Healthy in Paranoid Times
Chris Botti - To Love Again
Van Zant - Get Right with the Man
Switchfoot - Nothing is Sound
The Coral - The Invisible Invasion
Acceptance - Phantoms
Susie Suh - Susie Suh
Amerie - Touch
Life of Agony - Broken Valley
Horace Silver Quintet - Silver's Blue
Gerry Mulligan - Jeru
Dexter Gordon - Manhattan Symphonie
The Bad Plus - Suspicious Activity
The Dead 60s - The Dead 60s
Dion - The Essential Dion
Natasha Bedingfield - Unwritten
Ricky Martin - Life
It's all about copy protection! Sony makes you bend over backwards to uninstall their DRM software to prevent people from uninstalling/reinstalling the software to allow another 3 copies of the CD to be made.
Just looking over my last comment, anyone else find some of the names somewhat ironic:

Celine Dion - ***On ne Change Pas***

Our Lady Peace - ***Healthy in Paranoid Times***

Van Zant - ***Get Right with the Man***

Switchfoot - ***Nothing is Sound***

The Coral - ***The Invisible Invasion***!

***Life of Agony*** - Broken Valley

***The Bad Plus*** - ***Suspicious Activity***!

Natasha Bedingfield - ***Unwritten***
Sophos also identifies the new trojan exploit. I love their name for it: Troj/Stinx-e
# posted by ajs : 8:49 AM, November 10, 2005
"@zeh_: Yes you could start a GUI, but why would you want to?"

If one is a windows user, perhaps clicking
on an icon or a menu is what is expected.
Reading The Fine Manual of a cryptic
command line isn't the "windows way".
“It’s a tempest in a teapot,”

“It’s benign content protection. It’s not malware, it’s not spyware—it’s innocent.

“We understand what the concern was, but there was no intent. We reacted as quickly as we could, took responsive issues. And now, hopefully, we move on.”

Mathew Gilliat-Smith, CEO of First 4 Internet
have you seen the NYT article on this?
Finally, the New York Times has recognized this story as newsworthy. See the link below. I have long complained that the NY Times, LA Times, and PC Magazine appear to refuse to cover DRM issues from the consumer's viewpoint.
Looks like Johny and I were looking at that article at the same time. But he got his in first. Good job.
This is a pretty big movement. I think highly of Sony Electronics but I really do hate their business practices. Why do they have to make everything proprietary? Well, anyway, I hope this gets a lot more press because unless it hits them where it hurts (their wallets) nothing is going to get done.
By the way, really a job well done on uncovering this fiasco. Top effort.
Mark, like a lot of other people I've been following this story from your initial post, and I want to tell you thanks for exposing these fraudulent activities by Sony, and for fighting The Good Fight in general.

We all appreciate the heads-up on this one 'Dr Russinovich.'

(couldn't resist that one, not after seeing it on BBC) ;)
Just thinking...

The IA community has been preaching for years now about appropriate disclosure of vulnerabilities. I would state that this disclosure is definitely inappropriate... but then again, that 30/60/90 day window after contacting the vendor is to allow them time to fix the problem. Since Sony is denying there's a problem, something tells me that while this may seem inappropriate, it's called for. This whole story looks like it could stand as a good dissertation for the PhD candidate out there on the topic of ethics ;)

Good read! (and I'm not buying the CD's)

Sophos releases a removal tool for both trojans (One of which they are calling Sony's).
I just read all the articles... good job, and I for one will not be buying those CDs either. Sports radio suits me just fine on my drive home from work!
I do not know why they keep saying it is only 20 cd's.

20 is the list of the ones they have found so far.

As far as I know Sony has not made public a list of the CDs that contain their "virus", so append to that list "A Tribute to Luther Vandross" from a "small" recording company, "J Records", owned by Sony.
(as I mentioned in a previous comment)

Glad to see some lawsuits going on.

I wonder what purpose it serves to annoy your own customers with a copy protection mechanism that works only on Windows machines, which won't stop the real pirates, the ones that make a lot of money selling copies of any CD.

It is just plain stupid,

but what can we expect from a company that does not think about what people want.
Their list of failures just keeps getting bigger and bigger: Betamax, MiniDisc, ATRAC files, Memory Stick, SACD, rootkits, etc., etc.

Thanks to Mark
Depending on how many clients Moe, Larry and Curly have ("First4Internet")

They and any of their clients who use these methodologies had better Speak Now, or Forever Open Their Wallet because now that they know the exposure of this, including many trojan exploits now, to not inform THEIR customer base, well......
According to the XCP-Aurora web site press releases:

From the press releases:

HOUSTON--(BUSINESS WIRE)--Aug. 9, 2005--Sterile burning content protection technology pioneered by First 4 Internet (F4i) has been utilised by Texas based Upstairs Records on its latest album by Lil Rob, "Twelve Eighteen".

Fontana Distribution, part of Universal Music Group and distributors for Upstairs Records Inc., are encouraging the independent records labels they distribute to use content protection on their CDs. "Twelve Eighteen", featuring the hit song "Summer Nights", carries the same content protection currently being used by Sony BMG.

First 4 Internet's XCP2 sterile burning technology has been used on over 30 new album releases since February 2005.
As I stated in an earlier thread, this copy protection scheme is not limited to Sony. Sony has many subsidiaries that are using the scheme as well. BMG, RCA, Arista, Epic, EMI to name a few. I'm sure there are more.

If you quit buying any music that is on a Sony owned label, you may find yourself listening to a lot more indie (independent label) music, which in itself is not a bad thing...
I read somewhere that EMI does not have the same one as Sony; it is different. How different I do not know.

What I wanted to say is that you can add Santana's newest CD, just released, to the list of protected CDs.

Here is Sony new slogan

Santana great music in his newest CD.

too bad It's a Sony
First4Internet SELLS the technology for this; they made this Root-Kit. There are many more customers who use this besides Sony companies. Who are they, and which products that they sell is this embedded in?

Thanks for exposing this, just thinking of how many other "big" companies might be using similar products is kind of chilling...

I recently rented a movie (Are We There Yet) and noticed it was from Sony Pictures Home Entertainment. So, I checked to see what's on this DVD and it ends up there are 3 executables on the DVD and one of them has had its name changed from the original "player.exe".

Is this thing also "infected"? WOW!
Raise awareness at your workplace!

Here's a good template to send to your company's IS department (I did):

The IS Department may want to inform the company's users of spyware installed by copy-protected Sony music CDs, which also is a conduit for viruses:

Does our company have any policy against Sony music CDs now that they distribute spyware? Also, apparently spyware/anti-virus software has difficulty detecting the Sony malware and the viruses that it can hide. Do we know if our spyware/antivirus software detects and/or cleans up this problem yet?

It would be helpful if the IS Department could send out a bulletin on this situation to our company's users, since the infection vector (commercially-purchased music CDs) is a new one that most users would never suspect.
According to the Sony EULA for these CDs you're NOT allowed to use them in the workplace. Go figure, maybe because they knew you could INFECT your company computers already. Read the EULA, no kidding.
Apple Macintosh users be warned. I've been seeing some rumours that these rootkit CDs also include some software that installs on Macs. This would make Sony the proud publisher of the first spyware to appear on Mac in over 10 years.

A quote from BoingBoing: "Digging into the "enhanced" content on the disk, he found a that, when run, shows a license agreement, then asks you for an admin password. On entering this, it installs two kernel extensions, PhoenixNub1.kext and PhoenixNub12.kext."
Somebody BUZZ me when the first release of the Key-Logger DVD's from First4Internet is released, Will

All I want for Christmas......
Is my FRICKEN Computer back!
Forgive me if someone else has already said this, but if you finally get the DRM uninstalled, if you EVER put that CD in your computer again it'll uninstall itself. And with the 10 day expiration of the uninstaller you'd have to go through the whole process again!
Mark was interviewed on CBC Radio 1 this evening on As It Happens (the link is to tonight's show, the interview is at "...Part 2..." between times 07:45 and 14:15). Lead interviewer Mary Lou Finlay sounded a bit bemused.

This show is a big deal. It has a large listenership across Canada, on NPR in the US, and world-wide on short wave. The show is a Canadian institution, founded by Barbara Frum, mother of the Bush speechwriter who invented the "Axis of Evil".
Oops, trying again on that As It Happens link at
In "Sony aims at pirates - and hits users", by Matt Bradley in the 10Nov05 edition of the Christian Science Monitor, we have the following: "According to First 4 Internet CEO Matthew Gilliat-Smith, the rootkit application could create a secret backdoor for hackers." Could be a misquote, but it's still on their site after 24 hours.

An interesting backgrounder is "We will block Napster at source – Sony exec", by Tony Smith on The Register, all the way back on 23Aug00. A Sony VP is quoted as saying: "We will firewall Napster at source - we will block it at your cable company, we will block it at your phone company, we will block it at your [ISP]. We will firewall it at your PC."
Sony's comments on Napster are real cute.

If you look deep enough: who now owns about 25% of Napster? Yep, you've guessed it: SONY.
First off, I'm very impressed with all this work Mark, the press, and many others have done to bring out this story.

Another story I'd like to get the goods on is Sony-BMG's other little anti-piracy side project: corrupting files on P2P networks. They employ a company called Media Defender, whose website has gotten more and more sparse in the last 6-8 months. It used to have some quotes here and there about protecting kids from harmful files and yadda yadda, but never actually stated what they do, or had more than just that one page.

I work in the music biz. I wouldn't know this if people hadn't told me. They were apparently very successful in corrupting 60-70% of the files they were gunning for on most of the usual P2P haunts: Limewire, slsk, and all those random ones popular in colleges now. They also claimed to have success in corrupting torrents.

As I understand it, their basic plan of attack is what I understand to be a "SYN-flood" on any user they identify as trying to download one of the files they're protecting. They establish as many connections as possible, which are either sending a corrupt file or just transferring very slowly, to tap out the number of connections on the client's home machine.

Is that really legal?
That SYN Flood technique is used by some company to try to corrupt torrents of HBO content.

I guess they figure DoS attacks on people who are breaking copyright laws are justified... or at least they figure they're safe from litigation.
Is there any chance that Spybot will include protection/uninstall feature against this rootkit? After all, it's its job.
Did Spybot's author contact you, or did you contact them?
Sony 'Sorry'. Well, sort of, almost... well, maybe not.

First virus was faulty, but you'll be glad to know that issue has been fixed now. Works like a charm.

/Sarcasm mode
Search term "Sony Virus" at Trend Micro returns a strange result:
Item 8 - BKDR_BREPLIBOT.C - Description and solution

Also in Australian Press by Razor here
"Sony BMG faces digital-rights siege
Robert Lemos, SecurityFocus 2005-11-10

The criticism of music giant Sony BMG Music Entertainment and its surreptitious copy protection software went up an octave this week as attorneys and law firms readied nearly a half dozen legal complaints against the company on behalf of consumers. "


The latest Steve Gibson podcast is covering Sony's rootkit DRM again:

"Leo and I follow-up on last week's discussion of the Sony Rootkit debacle with the distressing news of "phoning home" (spyware) behavior from the Sony DRM software, and the rootkit's exploitation by a new malicious backdoor Trojan."
The story has finally been picked up by CNN:
There is a good side to all this Sony DRM snarl-up though.

I'm learning great new things which is always useful :-)

Thanks Mark - very well written articles; they gave me the incentive to start reading your Windows Internals book (which is fascinating) and I've started reading more on the technology behind Windows rootkits.

I always work on the theory I won't talk about something until I can begin to understand it :-)

Thanks again!
Funny that the CNN story starts with the setup that there are "bastard virus writers" piggybacking on Sony's evil plot. Better late and better twisting the story? Not for me; I quit using CNN as my news source a long, long time ago ...
This is all really depressing but on a lighter note.. Every time I read an article or any reference to Mark as "Dr Russinovich"...
This silly song comes to mind (my tweaked version to Palmer's song)! LOL

"Doctor, doctor give me the news!
I've got a bad case of SONY BLUES!
No fix is gonna cure my bitch!
I've got a bad case of SONY BLUES!"

Just going to "" wants to install the ActiveX rubbish from First4Internet!
An interesting snippet I'd like to point out from the Computer Associates article.

These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality.

Thank you Computer Associates for labeling this software for what it really is. Hopefully other companies will come to this realization as well and anti virus programs will be upgraded with the capability to remove this malicious code from our computers.
I would suggest that ALL people in the US who read this, take the opportunity to visit:

This month, the public are able to post comments which will be considered in the review of DMCA next month. Everyone should take the opportunity to post protest about DRM techniques being used. Judging by the amount of noise this Sony rootkit issue has raised, I expect if enough people post to the comments section below:

They will be forced to listen and act on consumer concerns.
Sophos has posted a cleanup tool at .

I don't have a known infected machine to test yet as I don't buy a whole lot of CDs.
So, I jumped through all the hoops, and the multiple emails, and I finally downloaded and ran the uninstaller yesterday afternoon. This morning, I notice that Media Jam still shows up on my machine. When I attempt to remove it, I get the "it's already been uninstalled error" message. Anyone else notice this? And now, has it really been uninstalled, or is this more shoddy coding?
To summarize information from several posts above, there seems to be quite a difference between Computer Associates' XCP.Sony.Rootkit response and McAfee's XCP.
John M wrote:

"...there seems to be quite a difference between Computer Associates' XCP.Sony.Rootkit response and McAfee's XCP."

And so far all fixes are just decloaking, which is quite understandable given the DMCA.

It seems that it will require a legal finding against Sony before that next step can be taken, at least in the US.
Security Fix - Brian Krebs on Computer Security at the Washington Post just posted about the Department of Homeland Security becoming concerned about this. See DHS Official Weighs In on Sony.
Check out this Reuters article:

"Sony BMG pulls CD software"
Fri Nov 11, 2005

Congratulations Mark! Your efforts really are making a difference.
Here's a better link to the Reuters story:
This is yet another reason I don't buy music anymore.
Sony to Stop Controversial CD Software
Washington Post Article (Partial)

By Ted Bridis
The Associated Press
Friday, November 11, 2005; 2:02 PM

Stung by continuing criticism, the world's second-largest music label, Sony BMG Music Entertainment, promised Friday to temporarily suspend making music CDs with antipiracy technology that can leave computers vulnerable to hackers.
Washington Post Article (Partial)

European Group Battles Copy-Protected CDs

The Associated Press
Thursday, November 10, 2005; 8:49 PM

BRUSSELS, Belgium -- The music industry should stop criminalizing customers and limiting their freedom in the battle against piracy, a European consumers' group said Thursday.
Hmmm. It just occurred to me. Sony is discontinuing, at least temporarily, this technology. However, there is no mention in the news release of recalling these CDs and providing customers with new CDs. Until these CDs are vaporized, they are a threat.
I've been following this story, but haven't actively examined what occurs when running the uninstaller/ActiveX control. That being said, the __VIEWSTATE field in the postback may just simply contain the control values to be decrypted by ASP.NET on their server. I believe there are some ViewState utilities out there that can help you view the contents to see if Sony is passing back anything underhanded. I'm all for bringing them down, but in this case the encrypted postback contents may simply be part of the ASP.NET architecture.

Either way, I hope this inflicts serious financial damage on them. Enough is enough.
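One way to check the ViewState explanation offered above, as an added example that is not part of the original thread: a small Python triage script that base64-decodes a captured __VIEWSTATE value and reports whether it is readable ASP.NET 1.x LosFormatter text, an ASP.NET 2.0 ObjectStateFormatter blob, or opaque bytes (the encrypted case). The sample values are constructed, not taken from Sony's control, and the MAC-trailer check is a length heuristic.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import unquote

# Markers for the two ViewState serialization formats ASP.NET used in 2005.
LOS_PREFIX = b"t<"        # ASP.NET 1.x LosFormatter: printable text beginning "t<"
OSF_PREFIX = b"\xff\x01"  # ASP.NET 2.0 ObjectStateFormatter: binary, begins FF 01
SHA1_MAC_LEN = 20         # enableViewStateMac appends an HMAC-SHA1 trailer by default


def decode_viewstate(field_value: str) -> Optional[bytes]:
    """Undo form-encoding and base64 of a captured __VIEWSTATE value.

    Returns None when the value is not valid base64 at all.
    """
    text = unquote(field_value).strip()
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def _printable_prefix_len(raw: bytes) -> int:
    """Length of the leading run of printable ASCII bytes."""
    n = 0
    for b in raw:
        if 0x20 <= b < 0x7F:
            n += 1
        else:
            break
    return n


def classify_viewstate(field_value: str) -> str:
    """Label a __VIEWSTATE value by what its decoded bytes look like."""
    raw = decode_viewstate(field_value)
    if raw is None:
        return "not-base64"
    if raw.startswith(LOS_PREFIX):
        text_len = _printable_prefix_len(raw)
        if text_len == len(raw):
            return "aspnet1x-los-plaintext"          # fully readable, no MAC
        if len(raw) - text_len == SHA1_MAC_LEN:
            return "aspnet1x-los-plaintext+sha1mac"  # readable body, 20-byte trailer
        return "aspnet1x-los-plaintext+unknown-trailer"
    if raw.startswith(OSF_PREFIX):
        return "aspnet2-osf-plaintext"               # binary but structured, not encrypted
    return "opaque"                                   # encrypted ViewState, or not ViewState


def los_text(field_value: str) -> Optional[str]:
    """Readable part of an ASP.NET 1.x ViewState, or None if it is not one."""
    raw = decode_viewstate(field_value)
    if raw is None or not raw.startswith(LOS_PREFIX):
        return None
    return raw[:_printable_prefix_len(raw)].decode("ascii")


# Constructed samples (hypothetical values, not captured from any real site).
SAMPLE_PLAIN = base64.b64encode(b"t<-123456789;;>").decode()
SAMPLE_MACD = base64.b64encode(b"t<-123456789;;>" + bytes(range(20))).decode()
SAMPLE_OSF = base64.b64encode(b"\xff\x01\x0f\x05\x02" + b"\x00" * 8).decode()
SAMPLE_OPAQUE = base64.b64encode(bytes([0x8A, 0x17, 0xC3, 0x9E, 0x40, 0xD1])).decode()

if __name__ == "__main__":
    samples = [("plain", SAMPLE_PLAIN), ("mac", SAMPLE_MACD),
               ("osf", SAMPLE_OSF), ("opaque", SAMPLE_OPAQUE)]
    for name, value in samples:
        print(f"{name:8s} {classify_viewstate(value):40s} {los_text(value)!r}")
```

An "opaque" result on a real capture only says the bytes carry no known plaintext marker; it does not by itself prove what the server does with them.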
This is now the top story on!
Great analysis as always.
Not only have you dissected the problem and your solution so well you probably have also saved yourself a ton of money that you would have to otherwise give your lawyers to help you in a deposition. :)
To those having trouble playing their XCP protected discs in Windows after bypassing the autorun/player:

I don't have a copy of one of these discs for testing but I understand that they are multisession.

I would expect Windows to default to the data session - session 1.

Try right-clicking on the CDROM drive and selecting the CD Audio session. Then just fire up your favourite player...

Please post a confirmation in consideration of others if this works. Thanks


Sony / F4I still have not responded to claims that XCP contains LAME LGPL code.

If bad publicity keeps up, they will have to recall these discs. I'm surprised that they haven't fired F4I already and attempted to transfer all of the blame to them.
Brian Krebs at the Washington Post already has another blog article Sony Suspends Use of Anti-Piracy Software. Also, Sony DRM has been at the top of Google News Sci/Tech (but invisible in Business and Entertainment) all day.
Sony should not only be forced to recall all the dodgy CDs, but make an uninstall CD available for free to anyone who requests it, worldwide.

Not every PC with a CD ROM is connected to the internet, and their dubious uninstall procedures are a real pain anyway.

Another thought: do you think the pirated versions of the CD have the rootkit software removed?

In the meantime I hope all the AntiVirus companies make sure their AV software is able to detect these Sony CDs when they are inserted into the user's PC, whether the software is already installed or not.
Looks like CNN is FINALLY reporting the same AP article here:

Link to full article found here:
>Another thought: do you think the
>pirated versions of the CD have the
>rootkit software removed?

It all depends whether the pirate version was ripped using an entire disk image, or merely copied the individual tracks (say on a Mac or Linux machine).

If the hypothetical disk was copied 'at-once' using an image then, yes, the copy protection rootkit will also be duplicated.

If the tracks were merely ripped and compiled in a burner (like iTunes) then, no, the copy protection would probably not survive the process.

Theoretically, at least, that should be the way it works.
The webcast video was not available earlier but it's online now:

You'd better be listening, Sony!
"It's not your computer"
Update on the Apple Mac DRM measures
Does First4Internet get to continue to market their "Commercial Root-Kit" to other companies? What other companies have purchased it from them?

Do you care? Do You Want to KNOW?

This little blog's on the front page of CNN right now. The Internet has done great things!


The piracy issue is an important colophon to this debate:

Sony's DRM rootkit is designed to impede "casual piracy" ( and, therefore, will do absolutely nothing to hinder the organised mass-copying that career criminals use.

Professional pirates use pro-audio copying devices that don't recognise any of the SCMS protection algorithms that are encoded in digital media to prevent consumers using the digital outputs on commercial DVD players etc.

So, once again, the DRM *kit targets the 'little guy' and leaves the criminal gangs free to do what they want.
It seems to me that Sony has defined a process to download the uninstaller that could be used as legal identification.

Since this would in essence target everyone who knew about the rootkit via the various blogs, you might consider this a counter legal move to be used in the future. Everyone in the class action must identify their computer. Is this enough to bump you from the class?

In Mark's first article he mentioned that Win 64 was immune to rootkits. Just completed moving my primary work to a Win 64 machine.

Mark, thank you for your diligence.
And what might be the outcome of the lawsuits?
If (and I hope not) the courts find in favour of SonyBMG, then they will have found a new, legal way of spreading spyware, backdoors, trojans, etc, and the distribution medium won't be the internet, it will be the good old-fashioned "floppynet". People, carrying the files on disk, from one computer to the next. What's worse, the consumer will BUY the software!
I pray for the future that this is not the outcome.
I wrote my local high tech newspaper and my Senator and Congressperson and as a resident of "Silicon Valley" I was expecting total outrage from all. Man what a letdown, they only seemed to copycast other sources. Keep blogging on this or it may be swept under the rug.

Thanks Dr. Mark.............


Sony ceasing production of copy protected cds!
I bought Botti's "To Love Again" CD. About 1/2 way home from BB I decided to try it in the car CD player...ERROR. When I got home I tried it in my system ....ERROR. Then I made the mistake of trying it in one of my backup computer systems (thank God my main computer was being used by the wife at that moment). This machine has been in the family for 5 years, stable as hell, and as reliable as any Win98SE machine can be. Within seconds of the CD tray closing and the CD spinning up I saw that something was installed and the ASPI layer was updated... all happened too fast for me to react. In less than 30 sec of that CD hitting the OS I got the BSOD. Hours of trying to revive the "old friend" failed. I tried everything with no luck. Was I pissed? You bet. Did I lose some things that I would still like to have... yes. Will I ever purchase a SONY CD again ... F' NO. I can't believe that they do this crap to people who purchase the music when there are guys standing on the street in every major city in the US (forget China) selling copies for $2. I hope that SONY is made a real example of in the music industry... they almost single-handedly destroyed it.
Why don't we just create an uninstaller that safely removes their rootkit?

Beyond the potential DMCA backlash such a tool may generate, what other obstacles lay in our way?

I see it is stated that the Aries.sys device driver hooks the system calls so it can hide files and registry keys beginning with $sys$, but does it also protect those registry keys? If I understood the description of the cloak, it still allows access to the keys if you know of them, but only blocks them from being enumerated, making them invisible. If this is the case, would it be possible to safely remove the Aries.sys cloak driver by first setting the Start key to disabled (4), rebooting, and then proceeding to remove the remaining traces?
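A defender's cross-view check built on the property this comment describes (names filtered out of enumeration but still reachable by exact name), as an added example that is not code from the post or from any commenter. No driver is involved here: the cloak is simulated by a filter function, and the file names (including the $sys$-prefixed ones) are constructed for the demonstration.

```python
"""Cross-view detection of enumeration-cloaked names.

The cloak described above hides $sys$-prefixed names from directory and
registry enumeration but still honours direct access by exact name. A
cross-view check therefore compares two views of the same location:
  1. the enumerated view (what a listing API returns), and
  2. the direct-probe view (what exists when asked for by name).
Anything present in view 2 but missing from view 1 is being cloaked.
"""
import os
import tempfile

# Assumption: the cloak keys on this prefix, as the comment above states.
CLOAK_PREFIX = "$sys$"


def cloaked_listing(path):
    """Simulated filtered enumeration: what a $sys$-hiding hook would
    hand back to Explorer. Constructed stand-in for the real driver."""
    return [n for n in os.listdir(path) if not n.startswith(CLOAK_PREFIX)]


def direct_probe(path, candidates):
    """Direct-by-name view: os.stat() on each candidate path does not go
    through enumeration, so a name-filtering hook does not affect it."""
    present = set()
    for name in candidates:
        try:
            os.stat(os.path.join(path, name))
            present.add(name)
        except FileNotFoundError:
            pass
    return present


def cross_view_diff(enumerated, probed):
    """Names reachable directly but absent from the listing are cloaked."""
    return sorted(probed - set(enumerated))


def detect_cloaked(root, candidates):
    """Run both views over one directory and return the cloaked names."""
    return cross_view_diff(cloaked_listing(root), direct_probe(root, candidates))


def build_sample_tree(root):
    """Constructed sample directory: two ordinary files and two files whose
    names carry the cloak prefix (names invented for this example)."""
    names = ["readme.txt", "track01.wav", "$sys$aries.sys", "$sys$sample.dat"]
    for n in names:
        open(os.path.join(root, n), "w").close()
    return names


def demo():
    """Build the sample tree and probe it, including a candidate that does
    not exist, to show that probing reports only names really present."""
    with tempfile.TemporaryDirectory() as root:
        names = build_sample_tree(root)
        return detect_cloaked(root, names + ["$sys$missing"])


if __name__ == "__main__":
    print("cloaked entries:", demo())
```

Against a real cloak the direct view would come from a path typed into Explorer's address bar or from an independent file-system reader rather than from the same hooked API, but the comparison logic is the same.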

Mark, and others,

I'm trying to find out more about the DRM CDs that Sony didn't stop shipping today--the CDs using SunnComm's Media Max technology.

Sony has at least one other copy-protection system in place, on a different set of CDs. That second system is called Media Max, and is made by a company called SunnComm (

I spoke with SunnComm earlier today; they assured me that Sony is not abandoning SunnComm's DRM technology. Sony's press release today specifically mentions the XCP DRM technology, not the Media Max technology.

It remains to be seen whether SunnComm's DRM technology will prove to be as dangerous as the XCP technology Sony has been employing.

This second set of DRM technology, available on Imogen Heap's "Speak for Yourself" and Foo Fighters' "In Your Honor," actually installs "kernel extensions" onto Macintosh Computers. Luckily, the current version of Media Max is incompatible with Mac OS 10.4 (it only affects 10.3.9 and previous versions), but a kernel extension is the Mac equivalent of a rootkit. Is that correct?

I don't know how SunnComm's DRM technology affects Windows machines; it may be less egregious than the Mac version. Either way, Sony is not changing course or even changing tactics regarding DRM--they just dropped a particular version of the technology.

As long as Sony continues to ship CD's using SunnComm's DRM technology, they will remain vulnerable to public outrage and lawsuits. Meanwhile, they may just make possible the first Mac virus.

Does anyone have more information on SunnComm's DRM software? Is anyone like Mark (or Mark himself) examining what SunnComm's software does, and how it compares to First 4 Internet's DRM technology?
Here's what I emailed Andy Lack today:

Dear Mr. Lack,

I am sure you are receiving plenty of email right about now, so I'll keep this terse. Your company's decision to ignore the personal property and privacy rights of your customers is abhorrent. I understand the need to protect your IP rights, but the approach approved by one of your overzealous subordinates is clearly misguided. You are clearly alienating your customer base, which may be the worst thing you could possibly do. In addition, with the public outrage, I would imagine you are also curtailing Congress' interest in passing new legislation to further your cause.

I, for one, am not going to purchase any copy protected music from your company; and I will be sharing that fact with the artists who partner with you.

Have a nice day,

Chuck Williams
Tonight, McAfee antispyware detected XCP on my computer. This was expected as I already knew that I had infected my computer with either the Black Rebel Motorcycle Club's CD Howl or KT Tunstall's CD Eye to the Telescope. Both have a logo in the gutter of the CD case with either "Content Protected" or "Copy Controlled." I purchased and played these CDs on my computer before I read Mark's blog.

When I expanded the flagged XCP program, it lists C:\WINDOWS\system32\services.exe. When I click on the "Tell me more" button, McAfee opens this URL:

After reading this description, I am still unclear if I should "remove" or "trust" this flagged XCP program until an approved removal tool is tested and suggested as the right course of action by this blog. I just don't trust F4I or Sony anymore...

Anyway, when I right click on services.exe, this is what I see:

File version: 5.1.2600.2180
Description: Services and Controller app
Copyright: Microsoft Corporation. All Rights reserved.

This doesn't appear to be a file I want to remove.

Please help a semi-Windows challenged dude to make the correct choice...

BTW, for anyone interested, you can become a plaintiff in litigation against Sony.

Milberg Weiss Bershad & Schulman LLP
One Pennsylvania Plaza
New York, New York 10119
phone: (212) 946-9408

You can join in by filling out this form:

Finally, just a note, I really like the music on both CDs and I’m really bummed that Sony screwed us over…
"Sony Customer Survival Kit" from Ed Felten, Professor of Computer Science and Public Affairs at Princeton University:
Well, methinks it's finally gonna hit home for good ole Sony. This link will take you to an article where the Office of Homeland Security tells Sony "it's your intellectual property but it's not your computer"

Score one for the good guys!!!!!!!!!!!!
Afraid I'm a little less sanguine about Sony's decision to "temporarily suspend" production of DRM protected CDs.

For one, they haven't come clean and said that in future their copy protection mechanisms will leave the systems of end-users intact.

Don't get me wrong. It's been fun watching Sony squirm as this story has snowballed.

The trouble is, I don't think this is over by any stretch of the imagination.

However, before we steel ourselves for the upcoming challenges, it's important to frame the issues.

Companies have a right to use technology to protect their Intellectual Property, no one should argue with that.

But the protection technologies should be limited to the media that contains the copyright material. It should not interfere, intercept, or, in any way, change or alter, the computers and hardware that are used to listen to the material.

If anything, that is what we've been fighting about. A line has been drawn. It's up to us to keep our eyes on that line, in future, to make sure it's not overstepped.
Does this have any effect on Macintoshes, or is there a version of this infection for the Mac and OS X?

Is this another reason to buy a Mac?

The new Dave Matthews CD, ironically titled 'Stand Up' has Sunncomm software that it installs. I remember not being able to get it into itunes on the PC, but got it into iTunes on the Mac...

What are the ramifications of the sunncomm software?

I don't mean to start/restart a jihad over the religious significance of the windows/mac choice, it's just great that reduced market share seems to have its advantages...
Thank you Mark. You are the best.
Something that had to be said. I for myself have a dozen Sony/BMG CDs bought, so I supported Sony quite a long time during my life. But if this continues I am going to never ever buy any Sony/BMG CD again. It gives me a headache: The people that suffer from stuff like that are the CUSTOMERS, not the illegal-download-community. I believe that they will always find a way.
I didn't find a post here yet of Symantec's First4 Removal Tool posted on Symantec's site 11/11/05. I'm thinking this may be the clean way to rid your system of this Trojan Horse rather than playing games with Sony's uninstall sequence...
OneEyedGeek wrote:

"I didn't find a post here yet of Symantec's First4 Removal Tool posted on Symantec's site 11/11/05. I'm thinking this may be the clean way to rid your system of this Trojan Horse..."

Except that it's not a removal tool.

Like all other options so far, it's a decloaker. The system remains rooted, with the kernel of the OS rewritten to suit Sony... and nobody else.

Now, decloaking is good, and is definitely needed, but the core problem remains: Sony owns your computer.

And short of risking the CD drive disappearing, or jumping through internet hoops at Sony's beck and call, there is nothing the average user can do about it.
Well, I will not buy anything with the stamp Sony on it for a very very long time (if ever again). And I don't mean only CDs. It is a bit sad considering I have been pleased with their other products for some years now. But this just tipped me over. I think Sony should wake up soon; this will affect more than only their music profits.
Regarding the Macintosh question ...

From what I've read about the Mac Kernel Rootkit, it asks you to enter your Administrative Password. This is not surprising since admin passwords are default on Macs.

If you have a Mac and you insert one of these CDs and get a prompt for your admin password, just click cancel. You won't be able to listen to the CD, but neither will your kernel be patched.

So far the details about the Mac issue are sketchy.

Also I'm not sure "market share" has anything to do with Windows receptivity to spyware/malware.

Linux and Unix have a greater market share when it comes to internet infrastructure (something you'd imagine malware would covet) and neither of these platforms has the same bother with Viruses.

My theory regarding the Windows fixation by malware/spyware writers is to do with the nature of the OS, and the NATURE of the windows user-base.

If you own a Linux server or a networked Unix machine you are likely to be versed in the techniques virus/malware use (opening attachments, suspicious downloads etc). You need to be!

On the other hand Windows, having the lion's share of the Desktop market, and being an OS that prides itself on being user-friendly, does not require the majority of its users to know anything more beyond pointing and clicking (or "pointing and grunting").

The user friendly environment protects users from knowing anything about the underlying architecture, and therefore blinds the "common user" to the possibilities that miscreants use to infect their machines.

Malware attacks the lowest common denominator, preys on the weak. A properly patched Windows box in the hands of a user who has taken the time to understand the possible weak points (all OSes have them) is as secure as the next machine.

Sadly mass marketing, and user friendliness do not encourage users to go beyond the pretty pictures.

I use Macs, Windows and Linux. I used to be derisive of Windows. While there is still much to dislike, from a granularity point of view, I no longer reckon that there is anything fundamentally weak about its security: the weakness is in its user-base (this blog excepted, of course).
"What are the ramifications of the sunncomm software?"

Apparently, it installs two kernel extensions on Mac OS X. I'm not aware of the full significance of that, but it's a totally unnecessary thing to do and not likely to do anything for the stability of the machine. It needs looking into further and should, in any case, be stopped, as a valid Philips Red Book CD will play in the software that ships with the machine without no stinkin' kernel extension.

"I don't mean to start/restart a jihad over the religious significance of the windows/mac choice"

Of course, such a discussion has no religious significance, because it is about technology not religion. Nevertheless, I submit it's heartening to see that people are not too intimidated by political correctness to use the word "jihad" in a negative context. ;-)

Frankly, users of Windows, OS X, Linux (or any other OS) need to know about software that might impact on their machine's security, privacy, or stability. Consequently, I hope the possible threat to Mac users here, even though there are fewer of them, gets more attention in the media than it has so far.
OK, so XCP2 is dead except for the million or so unrecalled pseudo-CDs bought or in the pipeline. But free-market unregulated DRM and the DMCA are alive and well. So a year from now I buy an Algerian CD with selected readings from Sayyid Qutb's Fi zilal al-Qur'an, and when it is loaded into my PC it installs a next-generation DRM shim requiring administrator access. Then nobody, not me nor Mark, can inspect it to confirm it hasn't just subscribed me to [email protected] without my permission. Let's hope somebody out there is going to inspect and certify these things.
2 things:

- Has anyone tried recovering from a backup created while the computer was under the influence of XCP/F4I/Whatever? Will the Backup Utility actually back up these hidden files and device drivers and restore them? Or will restoring from these backup images with an ASR disk render the CDROM drives broken?

- Did everyone who installed this software player have driver signing turned off? Or did you have to acknowledge that you were installing unsigned drivers?

If not then there are two possible issues.

1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?

2) Whoever signed these drivers felt that they were WHQL quality. What value does WHQL signing have if this kind of driver gets certified? Who signed this driver, and what kind of certification testing did it pass when it breaks in so many ways?
Thanks to Mark for his invaluable work. It is pleasant to see someone always understanding hardware registers and IRQ serving routines.

Now, one word on CERI COBURN who seems to be the bad soul behind this poorly designed software.

After reviewing some of his posts on many forums, I may state that it is a SHAME that such a JUNIOR PROGRAMMER should be allowed to design a sensitive piece of software directly injected in the OS kernel. As the CEO of a software firm acting in the real-time field I would not allow such a sub-average programmer to work on system services.

I also think that consumers just need to stop buying DRM protected disks.
As Robert mentioned above, I was subject to a failed attempt to install SunnComm Media Max DRM by playing a recently purchased new CD by Santana, "All That I Am". I run Server 2003 at home and assume this DRM software is not compatible. When I played the CD, I received an error that Media Max failed to install. I hope this turns out to be another kick in the butt for Sony!
I've read with interest everything this blog and its commentators have had to say about SONY, as well as many of the links they have helpfully provided. I wonder at these things. Don't we ever learn from our mistakes? This has all been done before...

I cut my teeth on Altairs and Wangs, but really learned micro-computing from an original Apple II. It was a hacker / hobbyists dream come true.

Even in those simpler days, copy protection was an issue. All the games had it. It slowed us down a little, but never stopped us for long. Every time they'd come up with a new way to _stop_ us, we'd find a new way to make our copies anyway. It sometimes felt like we were on a merry-go-round. Who was following whom?

Then came the CP/M machines, whose crowning glory was the new IBM PC with its CP/M compatible DOS, and a new kind of user came on the scene - business people with only one interest in their computers: Getting work done. Getting work done without hassles, without complications and as easily and efficiently as possible. Copy protection didn't help do that. Programs like Lotus 123 that used it started encountering customer resistance. The protection didn't stop hackers from making as many copies as they wanted, it just punished honest folks trying to earn a living. It didn't stand. The message seemed to be heard loud and clear that using copy protection cost the software makers more business and money than it protected. We thought that lesson was learned forever. I guess not.

Back in June or July, I checked out some music from the library to listen to on my computer while I was working. It's a great way to sample artists I'm not familiar with, a kind of try-before-I-buy approach. I can remember being surprised when one of the CDs asked my approval on a EULA. I read it over. Didn't sound too bad, although I wasn't crazy about the notice that a small program would remain behind, and I did debate if my home office machine counted as a "business" machine, but it was from a reputable company (SONY) and if it gave me any trouble, I'm not afraid to purge it from my registry....

I don't know if my regular listenware could see it, or if I could have copied it - I didn't try either, but playback with its built-in player seemed fine.

Two weeks later, my power supply blew, and took my motherboard with it. By now, I had returned the bad seed-dee to the library, along with the rest of them. The motherboard was under warranty, so it took a couple of weeks to put everything back together again. I added a new hard drive and cd-rom drive (a SONY!) at the same time, and made the new drive my boot drive. After installing WinXP Home on it, I hooked both it and my old drive up together on a friend's machine and, copied EVERYTHING over. My friend also made a ghost of the original.

What I got for my trouble was a very unstable system that locked up continually, especially if I was using listening software that could also rip. It was getting to be a real pain-in-the-arse, to the point that I finally decided to rebuild my Windows setup from scratch. I had already overwritten my original drive's contents, so I backed up my full C: drive into a folder on the old drive, but I did this from within the tainted environment. I have checked - none of the $SYS$ files were copied over. It took me just over a week to get everything running again smoothly. One week after that, Mark showed me just how fat and happy and lazy I have gotten in my old age. I didn't used to EVER have Autorun turned on!

So, here's my dilemma: I have never bought one of these monstrosities, but have nonetheless lost a week or two's wages to it! Do I qualify for inclusion in the lawsuit? (And should I have possibly been burdened for life from a junkware/malware program that came with a LIBRARY item?) I'm hoping my friend still has the ghost image he made, but he is out of town, and I haven't been able to check.

SONY, are you listening? I will not only refuse to buy any of your music products any more, I won't even check them out at the library again. (That way I won't know what I'm missing to miss it.) I'm also removing this otherwise fine cd rom drive that I find hard to be quite as proud of these days, and sending it to the shooting range. Shame I won't be there to see the results!

Your honest customers are your gold mine. When you cause a cave-in, where will you make your money? The only people you have hurt with this are people who will now no longer support you financially. The so called "casual" copiers you are trying to stop tend to be kids without sufficient funds to buy much - so you really aren't losing much there - and hackers who love the challenges you give them, and laugh at you openly as they work their way around your poorly planned defenses. They will ALWAYS solve the puzzle, and as long as you maintain ANY resemblance to Red Book audio, there will always be a way to rip your seedy music. The only people you hurt with this are the people who will now hurt you back by staying away in droves.

I hope the other publishing houses learn from the past. Just because they can do DRM, doesn't mean it's good business to do DRM. As long as people can buy the two or three tracks from a CD that they really want for a dollar a pop on line, and not have to pony up $15 for the full package, you will be seeing fewer sales of cd's. It isn't because there are more dishonest people, it's because they don't have to buy the whole farm to get the milk and eggs they want. Lower the cost on your CD's, and improve the quality of the content, and people WILL buy them in enough quantity to put you back in the market standing you hope for. Insist on twenty year old pricing and marginal quality, or even great content with shoddy DRM schemes, and we'll be telling our kids about great companies we once knew that they've never heard of.

"Choose your fate...."

Mark - fabulous site! I look forward to reading it all, and am very impressed with the tools I have already tried. Even though this wasn't at all what I was googling for when I found you, I am glad I looked!
"1) Drivers can be installed/overridden/bypassed in such a way as to bypass the driver signing check. Would this not indicate that driver signing is essentially useless?"

Yes, the drivers are unsigned and installed in such a way that Windows never checks for a signature. Note that my ctrl2cap keyboard filter driver also gets installed without a signing check because of the same loophole. Vista will close the hole.
ATTN: Mark

The other Sony DRM is also spyware, apparently. If you agree with this guy's findings you should make note of it in your blog (even though it's not your regular style), just to get him some publicity.
Hi Anonymous, that link would be to "Sony Shipping Spyware from SunnComm, Too", Saturday November 12, 2005, by J. Alex Halderman at site Freedom to Tinker. Halderman says "... MediaMax doesn’t resort to concealing itself with a rootkit ..." so his concern seems to be different from the main issue here (spyware having been something of a sideshow).
Mark seems to have won another fan. Microsoft Zapping Sony DRM 'Rootkit', By Ryan Naraine, November 12, 2005.

"The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology."
The uninstaller is practically a backdoor and I have a proof!

It exposes lots of interesting methods, scriptable by anyone, to the user. Check out my proof-of-concept reboot link from my research page:
Finally! Microsoft's Malicious Software Removal Tool will deal with this:
Why is it that Nobody seems to want to deal with the NON Root-Kit aspect of this First4Internet code?

No Government Agency that I am aware of would be allowed to insert a filter that would INTERCEPT any/all communications from/to your PC to CD Drive without a WARRANT!

This would include the FBI as well as Homeland Security.

So, cloaked or un-cloaked, your system was re-configured without your permission and an ILLEGAL "Wire-Tap" was installed on your computer, without your permission.

What if someone changed a HOSTS file so that when this called "HOME" it called them? What if they could respond as if they were Sony?

Does this thing call HOME for ANY CD inserted?

Backup CD's, Sensitive Data.

There are TWO parts to this software:

ONE is an ILLEGAL "Wire-Tap" installed between your computer and your CD Drive; what are its capabilities, what commands can it receive, what can it send HOME?

We need to RIP apart this software to show the public just what it can/could do!

Lets Talk about BOTH Portions, the Root-Kit, and the Filter, that even after this is un-cloaked remains on your system, intercepting EVERY byte of data from/to your CD drive from/to your computer.
Sorry for the Typos, in the above post, should preview first.

Damian, if you read in more detail, Microsoft states they will only remove the "Root-Kit" portion of this.

Which means the "Wire-Tap" filter between your CD drive and the PC still remains, as is.
Hello Mark
One can mess around with the software, but the kernel is sacrosanct!
I'm sure there is a huge law-suit between Microsoft and Sony brewing up here....
Thanks for the stellar work, keep it up!

Pirated versions of the song containing the virus will be circulating from computer to computer forever, damaging computers of those who chose to illegally download music. This should be very good for Sony's business.
Mark, thanks for the work.

We can all help to force a recall of these CD's by filing complaints with the FTC. This should be treated no different than a defective product or drug and the government should force a recall of this potentially damaging product.
> Pirated versions of the song containing the virus will be circulating from computer to computer forever, damaging computers of those who chose to illegally download music. This should be very good for Sony's business.

The trojan/rootkit is actually on the discs produced by Sony, and isn't in the songs themselves. Anyone with sufficient computer skills can bypass the rootkit-DRM installation and rip the songs cleanly.

Ironically, by doing what they have done, Sony has now made it much safer for people to download Sony/BMG music online, than to buy it from a store.

I don't see any plausible scenario in which this incident will be good for Sony's business.
The New York Times posted a very careful article on its IHT website earlier today: "Sony BMG learns hard lesson in war against 'casual piracy' of CDs", By Tom Zeller Jr. The New York Times, SUNDAY, NOVEMBER 13, 2005. Thus the early definitive story in the "Newspaper of Record". Interestingly, a featured quote is given to Professor Felten of the Freedom to Tinker site.
If you want your infected system brought back to the way it was before you played the Sony disk, it can be done with a couple of lines of DOS, but only if you have made copies of two folders, "windows" and "documents and settings", before the Sony disk. At the DOS prompt:
md c:\win
xcopy c:\windows c:\win /e/c/q/h/k

then md c:\docs
and save the documents and settings folder to it.

Then when you want your system fixed/restored or whatever, you boot to the DOS prompt and rename the windows folder wintrash:
ren c:\windows wintrash
Do the same for the documents and settings folder:
ren c:\docum~1 doctrash

Now you rename the win folder windows and rename the docs folder documents and settings. Then finish up by making new copies of both the windows folder and the documents and settings folder for future restores, then boot up to Windows and delete the wintrash and doctrash folders.

This fix works on WinXP ("it will even unwind back the 30 days to activation clock"). If you have Win98 then it's even easier: do as above but with only one folder, "windows".
One of the funniest and potentially most damaging things that could arise from this issue, is the LAME copyright infringement issue.

Sony are part of MPAA and RIAA; both groups lobbied Congress to pass laws that would set a maximum penalty of 150 000 USD -PER INFRINGEMENT- for vicarious copyright infringement.

Since Sony have published that they have shipped 4.3 million CDs with this copy protection on (which is believed to infringe on the copyright for LAME mp3 encoder) this could cost them a further:

$645 000 000 000.00 USD in maximum damages for vicarious infringement.

So the law they lobbied to get put in place could now come back and destroy them as a company whilst pumping over 600 billion USD into the open source community. Imagine how much development that could fund?
Ok, now that you've gone to Sony's website and used the F4I update to expose the DRM, and supposedly uninstall Sony's rootkit, are you any safer?

Initial reports seem to indicate that the uninstaller ActiveX control is scriptable and leaves a lot of scriptable functions floating around that could be exploited by rather rude people. In Sony's perfect world, we're too dumb and happy to care whether this is possible.

For more info...
Slightly OT :
I wonder if some other Sony eccentricities are related to other kinds of "copy protection" malware (yes, it's a malware).
I'm an unhappy owner of a Sony Network Walkman NW-E99, a digital player which can only play Sony's ATRAC format or MP3s converted by a special slow and inefficient program called MP3FileManager.
On the CD there are drivers to install and a software called Sonicstage which rips the CDs in ATRAC format...... Isn't it possible that there are other rootkits around ?

We are issuing an alert to the real estate industry (1.2 million members in USA) globally through their associations. The NAR members purchase a lot of CDs and commonly can be found playing them through a CD drive and are thus likely a target demographic.

First 4 Internet has been advised of this intent via an e-mail letter and a fax transmission.

We are working on creating an open-source tool to remove this malware.
Suggestion: Attack Sony at the state level through the consumer affairs or attorney's general offices.

Here in WA, we have a consumer protection division of the AG's office.

What we need is a comprehensive, well structured complaint to file. Mark, your posts on this subject form the basis for a complaint from a technical perspective, but we also need to know exactly what laws are violated.

If Sony is now licensing instead of selling its music product, there may not be a basis for complaint, except through the fact that Sony is making this change in a way that's invisible to the consumer.

As far as installing malware, I'm not sure what laws are violated there either, unless it's not addressed in the EULA.

I'm not a lawyer, but I'm willing to file a complaint in WA if I can get help structuring one properly.

Any thoughts?

The first known hint of the Sony rootkit seems to have been a thread started 12Aug05 at CastleCops titled "Hidden files and directories - DRM or trojan?". Full marks to "jgk4cfc" for perhaps the first sighting! Anyone know of an earlier one? Arthur Nonamiss had this link in a comment on 01Nov05.
ZTree Anticloaking Software

I believe that ZTree, the fantastic file management software available at, should be able to see through the cloaking.


C:\Documents and Settings\UserID\Local Settings\Temporary Internet Files

there are a series of directories

| |-C1EF8LIZ
| |-ESDFN2L7
| |-ETP27MD4
| |-GL2N8D2B
| |-LB7VT1CE
| |-MRK5CT69
| |-OPIJ89MN
| |-QJY7AHM3
| \-SRBVM4X5

that Windows Explorer can't see but which ZTree can. You can change to these directories via Explorer if you enter the full path in the Address field, in the same way as discussed in the Sysinternals blog for the Sony DRM directories.

This leads me to believe that ZTree should be able to see the directories created by the Sony DRM software.

If this is so, ZTree could be used to hunt for and deal with such threats.

More information about ZTree is available at the ZTree Unofficial Home Page at and more particularly on the ZTree Forum at

As an aside, in case you don't know, when you open an attachment in Outlook it is extracted to the OLKnn directory. If the user changes the attachment and then saves it but then doesn't save the change to the email you may be able to recover the document from the OLKnn directory.

Andrew Watson
"Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

The software giant's Windows AntiSpyware application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology."

source eweek

It is very important to NOTE that this will only remove the "Root-Kit" component of this software.

There is also a Filter which now sits between your CD Drive and your PC which INTERCEPTS ALL traffic from/to your PC from/to your CD Drive, for ALL CD's.

It is also known that this component can "CALL HOME"; however, all of its capabilities are currently NOT known.

I refer to this as the "Wire-Tap", which seems to NOT have received as much attention as the "Root-Kit" portion of this, and we should all be aware of this.
@ Andrew Watson:

I have a 15 year old DOS program called LIST.COM created by Vernon D. Buerg, this program can list the IE temporary directories and others, albeit names are compressed to 8.3 style. If I recall old DOS Norton Commander did basically the same. There are other programs, for DOS and Windows.

This is one of the ways rootkits are found: list all files using very low level instructions and compare if high level Windows API is blind to some files and directories.

But why not use tools specifically designed as anti-rootkits? Like Mark's RKR, or F-Secure's BlackLight (at least while it is free), or IceSword (for advanced users only)?

If you use a program to list files and directories, then you must know what files/directories to look for; today we are looking for $sys$, but tomorrow there will be another name, and later another name, etc.
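The two detection ideas in the comment above (a low-level listing compared against what the Windows API reports, and a known cloaked prefix such as $sys$) can be turned into a small self-contained check. The following is an added example written for this page, not code from the blog or from any commenter. It assumes only what the thread states: that the XCP rootkit hides names beginning with `$sys$` from programs that list directories through the normal Win32 API. The first function is a canary test, the second is the cross-view diff the comment describes; the sample listings are constructed, not captured from a real machine.

```python
"""Two cheap checks for name-based file cloaking (added example, not code
from the blog or its commenters).

The XCP rootkit discussed on this page hides any file whose name starts with
"$sys$" from programs that list directories through the normal Win32 API,
which is why Explorer and `dir` cannot see it while a low-level lister can.

  1. Canary test: create a file with the cloaked prefix, then list the
     directory through the normal API. If the create succeeded but the
     name is missing from the listing, something is filtering the results.
  2. Cross-view diff: compare a listing taken by a low-level tool with the
     listing the API returned and report what only the low-level view saw.

On a clean machine the canary stays visible and canary_is_cloaked() is False.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"   # XCP's prefix; other rootkits will use other names


def canary_is_cloaked(directory: str, prefix: str = CLOAK_PREFIX) -> bool:
    """Create `<prefix>canary-<pid>.txt` in `directory` and report whether it
    is missing from os.listdir(), which on Windows goes through the same
    FindFirstFile/FindNextFile path that Explorer and `dir` use."""
    name = f"{prefix}canary-{os.getpid()}.txt"
    path = os.path.join(directory, name)
    with open(path, "w") as fh:          # raises if the create itself fails
        fh.write("canary\n")
    try:
        return name not in os.listdir(directory)
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            # A filter that also lies to the delete path leaves the file in
            # place; nothing more this user-mode check can do about it.
            pass


def cross_view_diff(low_level_view, api_view):
    """Names present in the low-level listing but absent from the API listing.
    Anything returned here is either cloaked or a race with a file deleted
    between the two scans, so take both listings of a quiet directory."""
    return sorted(set(low_level_view) - set(api_view))


# Constructed sample listings for cross_view_diff(); not from a real system.
SAMPLE_LOW_LEVEL_VIEW = ["drivers", "kernel32.dll", "$sys$example.sys", "user32.dll"]
SAMPLE_API_VIEW = ["drivers", "kernel32.dll", "user32.dll"]


def canary_in_temp_dir() -> bool:
    """Run the canary test in a fresh temporary directory and clean it up."""
    d = tempfile.mkdtemp()
    try:
        return canary_is_cloaked(d)
    finally:
        try:
            os.rmdir(d)
        except OSError:
            pass   # a cloaked canary that could not be deleted keeps the dir


if __name__ == "__main__":
    print("canary cloaked:", canary_in_temp_dir())
    print("only in low-level view:",
          cross_view_diff(SAMPLE_LOW_LEVEL_VIEW, SAMPLE_API_VIEW))
```

The canary test is the quick answer to "is this machine cloaking right now", and it works for any prefix a future rootkit picks as long as you know the prefix. The cross-view diff is the general method and needs no prefix at all, which is the point the comment makes: the low-level listing can come from a DOS-era lister, an offline mount of the disk, or a tool like RootkitRevealer, and whatever the API view lacks is what to investigate.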
I believe what Andrew came upon is Windows' built-in file/folder hiding. I don't believe it should ever be on, so to turn it off:

In Explorer, go to the Tools menu
Folder Options
click the View tab
click "Show hidden files and folders"
uncheck "Hide extensions for known file types"
and uncheck "Hide protected operating system files" (click YES)
click Apply

After this, you can see the folders/directories in Explorer.

Btw, this has nothing to do with Sony's, or any other, DRM.
Zoverlord said:

"It is also known that this componant can "CALL HOME" however all of its capabilities are currently NOT known."

Mark's Blog Friday November 04 2005:

"This screenshot shows the command that the Player sends, which is a request to an address registered to Sony for information related to ID 668, which is presumably the CD's ID[.]"

"I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."

Surely this has legal privacy issues (unless the EULA exempts Sony) as understood in California v Greenwood (1987):

"Whether something is constitutionally protected as "private" (in cyberspace as well as the physical world) is therefore determined by a two-prong test. Did the individual do something to demonstrate that he or she personally had an expectation of privacy (subjective prong), and is that person's expectation of privacy one that society believes is reasonable (the objective prong)."

Quoted from, Digital Evidence and Computer Crime, Eoghan Casey (2004) Elsevier Academic Press.

Like I say I haven't read the EULA to see if there is anything that undercuts this, but I'd say that listening to music in your own home demonstrates an expectation of privacy, and not an unreasonable expectation at that.
I don't think that it's being missed even though it has received less of our attention. IMHO it's the law-breaking of messing up a computer and rendering it useless that got the attention it rightfully deserves, and I hope this is kept up until all of the cards have been played.

The fact that it is intercepting data is nothing unusual. Anyone with a virus scanner active / firewall active etc. is suffering the same fate too. G/mail scans through all of your emails etc.. What makes these companies any more or less 'trustworthy' than Sony? All say that they do not collect information but how can we really know?

The fact that the hidden files have been revealed in theory fixes the "hidden" virus threat. Although you can still catch any virus, it cannot now remain hidden behind the Sony veil.

The fact that the CD drive has now been limited by the Sony driver and attempts to remove the driver will cause a loss of the drive altogether, supposedly requiring technical support.. well that's the next problem we need to work on... IMHO.
This whole mess educated me a lot very fast.

Now I have found that consumers are fighting back in general against RIAA produced or distributed products.

RIAA RADAR lets you search every album you are thinking of purchasing and if it is clean, spend your money and support the artist. If the album does not pass then boycott that CD release and cause the RIAA members and the RIAA itself financial hardship.

We may have no guns, but we have something more powerful! We have our money we can take away from the companies that continue to view the consumer as a criminal and think they can dictate what we can and cannot do with the music we purchase.

I'm not asking you to read the manual. I'm asking you to type something in verbatim at a prompt.

Surely you aren't afraid of a keyboard? I mean, I know I don't know much about Windows, preferring real computers to toy ones as I do, but I thought you still had to type things occasionally.

Or is having your computer hijacked a price worth paying for not having to interact with it the traditional way?

"I believe what Andrew came upon is Windows' built-in file/folder hiding. I don't believe it should ever be on, so to turn it off"
"uncheck "Hide extensions for known file types""

Good points, but I'd just like to extend this awareness a little.
For the REALLY paranoid, this still doesn't show you all extensions. If the registry key contains the value "NeverShowExt" for an extension, it still won't be listed, even with the above "Hide" tick-box unchecked.
There are plenty of pages on this, just google for "NeverShowExt". This is a long-time tactic of Viruses to hide their true nature (e.g. the "SHS" file type, see McAfee on
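The Explorer check-boxes walked through a few comments up, and the NeverShowExt caveat just above, both live in the registry, so they can be audited together rather than clicked through by hand. The following is an added example for this page, not code from the blog or its commenters. It assumes the standard locations of these settings: the three Explorer values under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, and NeverShowExt on the ProgID key under HKEY_CLASSES_ROOT. The registry is only touched on Windows; the evaluation is a pure function so it can be run anywhere.

```python
"""Audit (and optionally correct) the Explorer settings that hide names from
the user, and list the extensions Explorer will never show.
Added example, not code from the blog or its commenters.

The three check-boxes are stored as DWORDs under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced:
  Hidden          1 = show hidden files and folders, 2 = hide them
  HideFileExt     0 = show extensions for known file types, 1 = hide them
  ShowSuperHidden 1 = show protected operating system files, 0 = hide them
Even with HideFileExt = 0 an extension stays hidden when the ProgID key for
that extension under HKEY_CLASSES_ROOT carries a NeverShowExt value.
"""
import sys

EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# value name -> (value that shows names to the user, what that means)
WANTED = {
    "Hidden": (1, "show hidden files and folders"),
    "HideFileExt": (0, "show extensions for known file types"),
    "ShowSuperHidden": (1, "show protected operating system files"),
}


def audit_explorer_values(values):
    """Return one finding per setting that still hides names.
    `values` maps value name -> integer as read from the Advanced key; a
    missing value is reported too, since Explorer's defaults hide."""
    findings = []
    for name, (wanted, meaning) in WANTED.items():
        actual = values.get(name)
        if actual != wanted:
            findings.append(f"{name}={actual!r}; set {name}={wanted} to {meaning}")
    return findings


def read_explorer_values():
    """Read the three values for the current user (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED) as key:
        for name in WANTED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass
    return values


def harden_explorer_values():
    """Write the wanted values for the current user (Windows only).
    Explorer reads them when it starts, so restart Explorer or log off."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED,
                        0, winreg.KEY_SET_VALUE) as key:
        for name, (wanted, _) in WANTED.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, wanted)


def never_show_ext_extensions():
    """Extensions whose ProgID carries NeverShowExt (Windows only).
    HKCR\\.ext holds the ProgID as its default value; NeverShowExt sits on
    HKCR\\<ProgID>. Expect .lnk, .pif, .url and the .shs scrap type; anything
    beyond the usual shell types deserves a look."""
    import winreg
    hidden = []
    i = 0
    while True:
        try:
            ext = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, i)
        except OSError:          # ERROR_NO_MORE_ITEMS ends the enumeration
            break
        i += 1
        if not ext.startswith("."):
            continue
        try:
            progid = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, ext)
            if not progid:
                continue
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, progid) as pk:
                winreg.QueryValueEx(pk, "NeverShowExt")
        except OSError:
            continue             # no ProgID key or no NeverShowExt value
        hidden.append((ext, progid))
    return hidden


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("registry audit only runs on Windows")
    for line in audit_explorer_values(read_explorer_values()) or ["Explorer settings OK"]:
        print(line)
    for ext, progid in never_show_ext_extensions():
        print(f"never shown: {ext} ({progid})")
```

Run it as the user whose Explorer view you care about, since the Advanced key is per-user. The NeverShowExt list is the part worth keeping an eye on: the value is legitimate on shell shortcut types, but a new ProgID that sets it is exactly the disguise the comment above describes.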
I've seen on other forums mention that the rootkit part of this software bundle INSTALLS itself BEFORE you ACCEPT the EULA.

Can anyone confirm this.
Sharpy wrote:

"I've seen on other forums mention that the rootkit part of this software bundle INSTALLS itself BEFORE you ACCEPT the EULA. Can anyone confirm this"

That's not this Sony-sponsored malware, that's the other Sony-sponsored malware ;)

The cloaking rootkit Prof. Russelljohnsonovich stumbled across is F4I's XCP DRM package that Sony put on *some* of its CDs.

What you are speaking of is Sunncomm's Mediamax, a different DRM that Sony uses on *other* of its CDs.

And yes... reports from indicate that Sunncomm's Mediamax does indeed install its malware before it even offers an EULA... and leaves the malware installed and running even if the user declines the EULA.

And Sunncomm's Mediamax is the DRM that will also try to rewrite a Mac's kernel extensions if given a chance.

Try to use Sunncomm's name a lot when discussing their malware... it drives their shills nutso in their painfully obvious attempts at damage control regarding blog articles and reader comments here and elsewhere ;)
Sunncomm... Is this the same Sunncomm that, somewhere on its (that's Sunncomm) website, tells you the best way of removing its (Sunncomm again) DRM is to write to Apple and ask them to open iTunes up to Sony (Sony, BTW, use Sunncomm's DRM on some of their audio discs)? Because Sony got beat out again.

No I'll not list sony's failures..Betam...Whoa almost slipped up there.

Anyway back to Sunncomm Waiting for your response Sunncomm.
Yes--the Federal lawsuit has been filed!!!

Here's the filing:
This is the new Sophos detection and disabling tool for the Sony-BMG XCP software:

(it disables part of it at least, anyway -- and without adding more sh!t, unlike the '''disabler''' from $ony-BM)
As a part of that Federal class action lawsuit filing, it mentions that they don't know the true size (or members) of the class. However, that should be easy to find - just subpoena the log records from Sony's server that has the IP addresses from all discs that have "phoned home". In addition, it should force Sony to release a full list of all discs that have this DRM on them.
OK: maybe a lawyer should backstop me on this, so please correct me if I'm wrong....BUT.

If we accept that Sony and F4I and Sunncomm are all committing marginal acts by these rootkit and undesired software offerings is one thing. If I'm not mistaken....If you use the disk, there is some kind of implied consent...BUT if you return the disk and receive a refund, you give up the right to any use of ANY installed software from that disk on your computer.

Their software is left on your computer after you return the disk. And further, without considerable special knowledge or a reformat, it will stay there.

Given that the RIAA, Sony, Sunncomm and F4I, and anyone of good conscience, would surely be aware that by NOT removing this software they immediately make the end-user a criminal, without participation. BUT it gets better. By not supplying an intelligent and complete uninstaller, the various corporations are guilty of at least aiding and abetting software piracy of their own software. Further, because the scope of the individual's culpability is within the range of reasonable abuse, no court will waste its time on such a matter in the case of an individual.
BUT what I believe is that in fact, due to this abandoned software, wanted or not... and due to the THOUSANDS of cases involved, I believe we may find that Sony are some of the worst software pirates in the world today, as anyone who returns their Copy Protected/DRM yada disk and receives a refund is no longer a legal user/owner of that software, and in failing to provide a remover, Sony has either participated in or abetted this act.
With a little legal stretching, Sony may well have to participate as witnesses against themselves in a class action/mass prosecution software piracy case under many different countries' digital rights/copyright protection laws.

What I'm most worried about is that reading all these posts has got me worried I might start understanding Sony's press gobbley-gook soon. Sigh.

peace. If we can make this that will be interesting...and fun.
OK guys, it is really easy to copy Sony's music to an MP3... use their own program to rip them and there is nothing they can do to stop it... yes, it is true... most of you probably don't know, but Sony owns the rights to a program called Sound Forge. All you need to do is place one of those pesky copyrighted disks into a CD player, go get a cable from Radio Shack and hook it up between the phone out on the CD player and the line in on your computer, and use Sony's own program to defeat their own copyright software that they probably spent a nice bit of chump change on. Voilà, no more copyright from Sony.

I am sorry, but sometimes when you try to get too technical, simplicity rules.

Oh, and by the way, you can download Sound Forge from Sony and then find a crack so you don't have to pay the $70 bucks that they want to charge for it.

Rock on and enjoy this new info.
As a sysadmin, has anyone seen a good scanner that I could run on all 600 workstations at my location?

If you have AnyDVD installed on your system, all this invasive and idiotic DRM crap is disabled BEFORE it gets a chance to infest your baby. That alone is worth the nominal price of a ticket on the AnyDVD express.

On another note, I've never been a big fan of Sony, having worked with them many years in the electronics and computer businesses I've managed or owned. This is just icing on the cake. The demons will be having snow ball fights before another cent of my money goes into a Sony product.
Well... to answer questions about installing a kext (kernel extension) in Mac OS X, it is pretty much the equivalent of a Windows rootkit. A kernel extension is a way of dynamically loading something into the OS X kernel, which is the very core of the OS. If you threw the kernel off badly, Mac OS X would probably lock up and crash, depending on the situation. In the worst cases, think of this analogy: you're removing the foundation from under a house.
Sony should be sued until it ceases to exist. Secret installation of rootkits or rootkit components is unacceptable in any application at any time. This is simply an outrage. Spyware, scumware, now Sonyware.
Okay I'm gonna let my total ignorance free my thought process (lovely rationalization for being superstitious isn't it?). My guess is that Sony is actually COLLECTING information via the "uninstall" process. The "double gateway" will later be used to serve as proof of consumer CONSENT (when taken in tandem with the EULA that's recently been dissected in various forums). I.E. we gave him two chances to decline and he still gave us the evidence....

My guess: THEY'VE ALREADY SPIED ON YOU and the uninstall process is your chance to hand over the evidence on a silver platter with your John Hancock attached to free them up legally.

How does one get rid of this thing without Sony's help?
RIAA...Making P2P a viable solution for your music needs for over 10 years.
No great surprise, all this. Sony used to call themselves 'those nice Sony people' in their TV ads from Trinitron days. They made good gear, then, professional and domestic. Some kind of rot took hold around 1990, and their home stuff went very low-end. I bought a £120 audio recorder which had serious design deficiencies, and when I wrote to them their UK agents were rude and aggressive even by Brit standards. Howard, Devon UK.
Hi, Mark: Only a comment from the Pirate Point Of View: "If it can bleed, it can be killed"... (No, that one is from Schwarzenegger in "Predator"...). If a CD can be played, the music can be copied... so I don't know why they have pushed the technology so far, when it can be broken by a $6.00 6-foot 1/8" stereo cable... And Sony pays top salaries to do stupid things... (BTW: I am cancelling my membership in the BMG music club, even though the root-kit thing hasn't hit me). Music downloads have proven the best way for me... I can get around the UNWANTED TRACKS!!!
Nice Work Mark. All of this just leaves me to wonder if there is any DRM crap on any of Sony's DVD's / Home PC's / Or if there will be any to do with the PSP or The Playstation 3.

By the way, I had a Sony CD that was apparently copy protected (this was early 2005, I think) and wanted me to install the media player. (Different install now, so can't check.) FreeRip ( ripped this no problem. It was Ultravox's Greatest Hits.

And as I don't have any sony DRM Discs (I stopped buying most sony products for other reasons early this year), I think using ISObuster would work, As in can detect different tracks on a disc, And can copy raw data and extract wave data from cd's.

Hey Mark. First of all, thanks for all the info on this. I have a question though. I downloaded and ran the patch after following a link that was in an email from (where I bought the CD [Wakefield - Which Side Are You On?]). Does that patch get rid of all the problems? Because I think it was the CD that made my drives act real funny. Also, I have the tracks ripped onto my computer. Would I need to completely delete those too, or anything like that? Please email me back with any info you have. Thanks a lot.
Sony not only doesn't care about their customers, but actually goes out of their way to be malicious to their customers. Ask anyone who's ever played one of their games, such as Everquest (particularly bad history with that one). I know I'll never buy any product Sony has had anything to do with ever again.