November 1, 2005

Sony Music CDs surreptitiously install DRM Trojan horses on PCs

Posted by David Berlind @ 8:56 am

Reports are beginning to turn up around the Web that discuss how certain CDs from Sony Music come with a Trojan horse-based digital restrictions management (DRM) technology that surreptitiously installs itself as a rootkit on Windows PCs. When software surreptitiously installs a rootkit, it's usually doing so to cover its tracks — a technique commonly associated with malware such as viruses and Trojan horses. Rootkits generally latch themselves onto the foundation or "roots" of an operating system in a variety of ways that not only prevent their detection, but also their extraction. According to Wikipedia's definition, "a rootkit is often used to hide utilities used to abuse a compromised system."

In a scary entry on his Sysinternals Blog posted yesterday (Halloween), Mark Russinovich provides an incredibly detailed account (many screen shots) of how his testing of the latest version of RootkitRevealer (a utility for exposing any installed rootkits) led to his own shocking discovery — that a rootkit had been surreptitiously installed on his own system. Wrote Russinovich of his surprise, "Given the fact that I’m careful in my surfing habits and only install software from reputable sources I had no idea how I’d picked up a real rootkit, and if it were not for the suspicious names of the listed files I would have suspected RKR to have a bug."

Upon further investigation, Russinovich traced the installation to his usage of a Sony BMG music CD (Van Zant Bros. Get Right with the Man) that he purchased through Amazon. The CD's listing page on Amazon says the CD is copy protected, but makes no mention that the copy protection is enforced by way of surreptitiously installed software. According to some additional information regarding copy protection on Amazon's site:

This product limits your ability to make multiple digital copies of its content, and you will not be able to play this disc or make copies onto devices not listed as compatible. Content/ copy protected CDs should allow limited burning, as well as ripping into secure Windows Media Audio formats for playback with most compatible media players and portable devices. In rare cases, these CDs may not be compatible with computer CD-ROM players, DVD players, game consoles, or car CD stereos, and often are not transferable to other formats like MP3.

In rare cases? DVD players? Car CD stereos? Is Sony BMG nuts? This is another DRM trainwreck just waiting to happen. In the Berlind household for example, CDs are played exclusively through the central 6-disc DVD player that's a part of our whole-home theatre system. I can't imagine buying a CD only to learn it doesn't work.  By the way, have you ever tried to return a CD after you open it? (maybe the "R" in DRM should be for "Ripoff"?).

According to Russinovich, when played on a computer, the music can only be played using playback software that comes packaged with the CD (the implication is that usage of the media player is what resulted in the surreptitious installation of the rootkit). Near the end of his thorough investigation Russinovich identifies at least one major problem that could result from Sony's employment of DRM in this fashion:

The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files.

Another question that comes to my mind is, given the way rootkits intercept certain system level functions, what will happen when some other music label uses a rootkit that's different from the one used by Sony BMG. For example, if I already have one rootkit on my system that's intercepting specific system level functions and another CD installs a different rootkit that attempts to intercept the same system level functions (essentially overwriting the first rootkit), will that interfere with my ability to listen to any of my DRM-protected CDs?

Russinovich isn't the only one who discovered the problem. ZDNet reader Barry Ritholtz pointed me to his own account (see DRM crippled CD: A bizarre tale in 4 parts) of an encounter with a DRM protected CD (also from Sony): Morning Jacket's Z. In his tale of DRM woe, Ritholtz points out another restriction that turned up with the CD's Digital Restrictions Management technology. In what I'll refer to as the third trainwreck of DRM, he can't transfer the music to his iPod (I suspect that the same barrier to transferring music to the iPod will also prevent transfer to a Microsoft PlaysForSure-compliant device, but am not sure). Ritholtz then discovers that the artists (Morning Jacket) aren't exactly on-board with this idea and points to their official statement regarding the application of DRM technology to their music:

We at ATO Records are aware of the problems being experienced by certain fans due to the copy-protection of our distributor. Neither we nor our artists ever gave permission for the use of this technology, nor is it our distributor's opinion that they need our permission. Wherever it is our decision, we will forego use of copy-protection, just as we have in the past. 

Z isn't the only band that's upset with the latest DRM developments. Last month, CNN reported how a member of the band Switchfoot, whose DRM-protected CD debuted at No. 3 on The Billboard 200, was equally disappointed. Said Switchfoot guitarist Tim Foreman, "We were horrified when we first heard about the new copy-protection policy…. It is heartbreaking to see our blood, sweat and tears over the past two years blurred by the confusion and frustration surrounding new technology."

Even more demonstrative of the control points afforded to any market leading or dominating solution, the CNN story goes on to describe how Sony BMG is aware of the problems when it comes to transferring music from its DRM-protected CDs to iPods and is "urging people who buy copy-protected titles to write to Apple and demand that the company license its FairPlay DRM for use with secure CDs." Even though Apple's FairPlay may not have a monopoly yet, the company is behaving very monopolistically, an issue I discuss in another blog entry that I posted today.

What's even more ironic about the application of copy protection to music CDs is how the record label is now providing a workaround to defeat it. In Part IV of his personal saga, Ritholtz provides the text of a workaround that was sent to him via email.  Of course, workarounds from the same people who applied the copy protection in the first place beg the question, why bother?  

In response, Ritholtz is apparently doing more than declaring inDRMpendence as I have been urging ZDNet's readers to do. He's taking the economic punishment I'm suggesting one step further by refusing to buy some of Sony's other products: namely a notebook and a big screen. Now if only the rest of us could follow suit….