In response to the ongoing Sony BMG Rootkit case these resources provide information for consumers concerned about computer security and music purchasing choices. Some Sony BMG music CDs install secret software known as XCP.Sony.Rootkit intended to stop CD piracy. The software is reportedly distributed on more than 2 million Sony BMG Audio CDs and it is estimated more than 500,000 versions of the program have been installed worldwide.
UK-based corporation First 4 Internet Ltd is the developer of the XCP software which presents a potential security risk and alters the system configuration without asking for clear permission. BitDefender report the first trojan using Sony DRM has been detected and more malicious hacking exploits are likely to ensue now the workings of XCP have been exposed. The First 4 Internet website shows future development plans involving content distribution and the reach this technology will have. Here’s their press release for Universal Music Group using XCP.
Currently only Windows-based computers are affected and interaction of multiple DRM software installations can cause problems or degrade system performance in unpredictable ways. Apple Mac users should be aware of a SunnComm developed DRM codebase that installs kernel extensions without the user’s knowledge.
The following resources cover three main areas relating to corrupt CDs:
- Where to find lists of potentially dangerous and problematic "copy-protected" music CDs.
- How to avoid CDs corrupted with invasive DRM technologies and covert anti-piracy software.
- Rootkit information, detection, and removal.
According to Thomas Hesser, president of Sony/BMG’s Global Digital Business.
Listen to the NPR webcast Sony Music CDs Under Fire from Privacy Advocates 1m:50s
For inside news of the Sony Saga, drink from the source: Mark’s Sysinternals Blog
Sony XCP Announcements and Homepage provides product information and CD exchange/returns programs.
Identifying corrupted CDs and reporting problem products
If you discover a problem CD you can alert others by posting information online. There are many ways to do this including: blogs (comments), forums, social bookmarks, email etc. If you want to know which music CDs compromise your privacy, computer or device compatibility, the following lists are available:
Sony’s Official List of CD’s Containing XCP Content Protection Technology 52 album titles and the item number which can be found on the spine of the CD.
EFF: Are You Infected by Sony-BMG’s Rootkit? has a list of CD titles confirmed to contain the XCP bug. Tips for recognizing identifying marks on corrupt CD products are given (See pics below). Memeorandum tracking of this item.
EFF Collecting Stories, Considering Litigation for people residing in either California or New York to report cases where the Sony-BMG Rootkit has caused harm.
Boycott-RIAA provides a list of corrupt CDs including known and suspect products. Partly compiled using data from Fat Chuck (see below).
Campaign for Digital Rights has a comprehensive list of Known Bad CDs focusing on corrupt audio discs, aka "Copy-Protected CDs" in the UK and elsewhere. The list hasn’t been updated since January 2005 but is still useful considering the CDs are still in circulation.
Fat Chuck Bad Cds is an open list of corrupt CDs and the labels making them. The list focuses on bad CDs in the United States and provides links to corrupted CD resources in other countries. It appears not to have been updated for some time.
"These are the music CDs that:
Prevent you from copying it for personal use or from playing it on computerized devices (computers, DVD players, game consoles, MP3 players, consumer CD duplicators, car CD players and more)."
There’s an online form that allows anyone to Report a Corrupt CD.
Sony Rootkit CD Providers original post with some further information via /.
DRMd CD List second post created to maintain the list via /.
List of Sony CD’s that are "Enhanced" and "Copy Protected" with the XCP (Extended Copy Protection) that provides a Rootkit.
Search Amazon for Corrupted CDs
Purchasing and downloading non-DRM music online
There are many independent digital music stores to choose from online. The market is extremely competitive with new services coming online continuously. Here are some of the more established digital music distributors providing music from independent artists and record labels worldwide.
Audio Lunchbox is an independent digital music store with no DRM restrictions. Downloads are compatible with all portable music players and come in high quality mp3 and ogg vorbis formats.
Bleep offers high quality fully compatible mp3 files with no DRM or copy-protection built in.
emusic online music store that offers songs in unprotected mp3 format, with no restrictions and complete flexibility to burn CDs, transfer to MP3 devices and make multiple copies for personal use.
Live Downloads sells live recordings of bands mastered directly from the soundboard. Shows are available in non-DRM mp3 and FLAC formats.
Magnatune an independent netlabel selling music downloads and CDs at a price you decide starting from $5 per album upwards. Wav, mp3, and FLAC file formats are available with no copy-protection or DRM..
Podsafe Music Resources a comprehensive list of safe, legal music services free to download and share.
At the time of writing there is no full uninstall application provided by Sony which means attempts to remove the Sony Rootkit manually are difficult and may be dangerous. The Sony patch also presents security issues and is problematic. Until antivirus firms provide the necessary tools you can use these resources to learn more about the nature of the Sony Rootkit, methods of detection and immunization.
Sony’s DRM Rootkit: The Real Story an interesting write-up by Bruce Schneier that provides some insight as to why security companies have been slow to recognize the problem and the politcs of the corporate security business. There’s a good linked outline of events that followed news of the rootkit discovery.
"The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us."
Computer Associates : XCP.Sony.Rootkit – Spyware Encyclopedia pages for the pests which relate to Sony BMG’s rootkit-based Digital Rights Management software, which is being distributed on audio CDs.
Povides an overview of XCP.Sony.Rootkit Extended Copy Protection (XCP) including details of the installed components, music player, Sony patch, disabling auto-run in Windows registry. Category Trojan/Spyware.
How to turn off Autoplay in Windows XP (prevents CDs from starting programs automatically)
- Click Start, Run and enter GPEDIT.MSC
- Go to Computer Configuration, Administrative Templates, System.
- Locate the entry for Turn autoplay off, Right-click on it and then click ‘Properties’.
Immunize Yourself Against Sony’s Dangerous Uninstaller tools to detect and immunize against Sony’s patch, an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. There is another potential security threat in CodeSupport.
Mark Russinovich shows how to delete the rootkit’s registration from Windows so that it won’t activate when Windows boots.
Microsoft Anti-Malware Engineering Team are adding a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware Beta. Detection and removal of the Sony rootkit component will also appear in Windows Defender when its first public beta is available. The signature will be included in the December monthly update to the online Microsoft Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.
Sophos Resolve Tool an application that can be run online to detect and disable the Sony DRM cloaking copy protection technology. A Sophos survey of 1,501 respondents revealed 98% of business PC users say Sony DRM copy protection is a security threat.
Sysinternals Freeware : RootkitRevealer (190 KB) free utility for detecting Rootkits. Close all programs/background applications and don’t touch the computer during the scan.
Sysinternals Forum for help and info about using RootkitRevealer. Worth reading before you install.
Wikipedia: Rootkit information and links for Rootkit tools generally.
For a more extensive list of computer health and safety resources see PC Help.
DRM and Copy Control Information
Sony’s End-User License Agreement (EULA) what the user agrees to when installing the CD.
The Digital Rights Management Dictionary has an alphabetical list of terms, technologies, companies, and related information.
Wikipedia: Copy Control information and related links.
Wikipedia: Digital rights management information and related links.
Boycott Sony simple click and post online petition.
Boycott-RIAA campaigning to end the RIAA monopoly.
Recording Industry Association of America (RIAA) Wikipedia knowledge and links.
RIAA Members List the trade group that represents the U.S. recording industry.
RIAA Radar a search tool for determining if an album is released by an RIAA member.
Sony BMG Labels list of links to each company.
Sony Boycott Blog news and thoughts about Sony DRM and anti-customer behavior.
Who Owns What? lists subsidiary companies of the big music corporations.
Updates: Some changes have been made to the original post as more information has been made available. The main aim of the post is to provide information that will help prevent the installation and spread of XCP software that poses a risk to computer security and functioning.
Click pictures to enlarge identifying marks and URL on CD packaging: http://cp.sonybmg.com/xcp/