Sony Music CDs Load RootKit. Danger!

By Jon Newton 11/01/05

Sony BMG is now using rootkit-based DRM on some CDs sold in the US.

A rootkit is a set of tools developed to crack a computer system. Normally, malware authors who want to stay hidden use it but, "As far as we know, this system has been in use since March 2005," says F-Secure research director Mikko Hypponen on the company blog.

"We've made some test purchases for Sony BMG records from and can confirm that they contained this technology."

Hypponen says when a CD is slotted into a Windows-based PC, a license agreement is displayed, "and then it will seem to install a song player software".

However, what's really happening is a rootkit is being planted in the system and, "there's no direct way to uninstall it," says Hypponen.

"The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too.

"This may lead to a situation where the virus remains undetected even if the user has got updated antivirus software installed."

F-Secure has published a technical description of the Sony BMG rootkit, with details on how to distinguish hidden items belonging to the DRM system from potentially harmful malware, it says, adding that F-Secure has a free BlackLight 'Scan for Rootkits' in beta.

You can download it here but, "If you find this rootkit from your system, we recommend you don't remove it with our products," warns Hypponen.

The Sony BMG rootkit DRM system is implemented as a filter driver for the CD drive and, "just blindly removing it might result in an inaccessible CD drive letter," he says. Rather, contact Sony BMG directly to find out how to remove the plant.

"We've test driven this and they will provide you with tools to do this," promises Hypponen.

REVISED @ 8:53AM Pacific:

If you want more - a lot more - on this, "The entire experience was frustrating and irritating," concludes Mark Russinovich on Mark's Sysinternals blog.

"Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

"While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far."

As Henry Skoglund posted in a comment, "I predict that maybe the next time you're purchasing a music CD with similar DRM software on it, you'll never open the package, instead downloading the MP3 files for that album through (illegal) P2P file sharing.

"For some strange reason all DRM software is missing in those P2P downloads, leaving you with just the music to enjoy... :-)"


Jon Newton is the editor of and is a regular contributor to MP3 Newswire. Jon's site is devoted to the politics of digital music and his insights as well as those of his co-writers can be read there. We urge you to explore it.
