Antivirus Firms Take On Sony DRM

With the recent discovery of Sony's "rootkit" DRM shipping on over 20 CDs and the surrounding backlash from consumers online and off, antivirus vendors must now answer a delicate question: should Sony's software be considered malware and forcibly removed? Some say yes.

Technically, Sony's application, which was actually created by First 4 Internet, is not a virus and was not designed with malicious intent. However, the copy protection installs a low-level Windows driver that hides the DRM files and prevents their removal - a technique used by rootkits.

This cloaking mechanism could easily be used by hackers and virus writers to hide programs that do real damage, and a trojan horse has already cropped up with such capabilities. Moreover, coding errors in the DRM software have been reported to leave systems vulnerable to crashes.

Some security firms have been quick to classify Sony's DRM as a threat and are releasing tools to remove it. Computer Associates and Sophos are among those proactively responding to customer complaints about the questionable technology and worry about potential vulnerabilities.

"Despite its good intentions in stopping music piracy, Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," says Sophos technology consultant Graham Cluley.

McAfee has also taken a stance against the DRM. "With the latest DATs, McAfee detects, removes, and prevents reinstallation of XCP," the company said in an advisory. However, McAfee also notes that "this program may have legitimate uses in contexts where an authorized administrator has knowingly installed this application."

Other companies are taking a more measured approach. Symantec said this week that its AntiVirus utilities would detect the presence of the Sony software, but not remove it. Instead, Symantec will direct customers to Sony BMG's Web site, which offers instructions for uninstalling along with a patch to disable the cloaking ability.

F-Secure independently identified Sony's DRM application as a "rootkit," but is not currently offering a removal tool. Like Symantec, F-Secure directs customers to Sony customer support for help.

Microsoft, which recently moved into the security space with the release of Windows AntiSpyware (now known as Windows Defender) and Windows Live OneCare, is still on the fence. "We are evaluating the current situation to determine if any action from Microsoft is necessary," a Microsoft spokesperson said in a statement.

The spokesperson added that Windows Defender and the Malicious Software Removal Tool have established criteria on which to base malware and spyware classifications, while acknowledging Microsoft is "concerned" about the situation.

But Jupiter Research senior analyst Joe Wilcox questioned Microsoft's apparently flaccid response.

"Since Sony's DRM affected Windows, I would refer to Microsoft's definition of rootkit. An October 6 TechNet article calls a rootkit 'a special kind of malware...nearly undetectable and they're nearly impossible to remove.' If Microsoft calls a rootkit malware, then I don't see how there can be any question how antivirus vendors should treat Sony's DRM software," Wilcox told BetaNews.

"More importantly, if antivirus software starts distinguishing between kinds of rootkits, hackers might be able to produce even more nefarious types that mimic something like Sony's DRM mechanism and so go undetected and unremoved."

Consumers, however, aren't waiting around for security vendors to protect them. A class-action lawsuit has already been filed against Sony BMG in California, with another expected in New York. The suits claim Sony has violated consumer rights and anti-spyware laws with software that is damaging to PCs.

For its part, Sony says it has been responsive to the situation by posting removal instructions. But Mark Russinovich, who initially discovered the hidden DRM on his computer, disagrees. "The uninstall process Sony has put in place is on par with mainstream spyware and adware," he says.

"First you have to go to Sony's support site, guess that the uninstall information is in the FAQ, click on the uninstall link and then fill out a form with your email address and purchasing information, possibly adding yourself to Sony's marketing lists in the process," Russinovich explained.

"Without exaggeration I can say that I've analyzed virulent forms of spyware/adware that provide more straightforward means of uninstall."

© 1998-2014 BetaNews, Inc. All Rights Reserved.