Analysis: Sony BMG copy protection may be stealthy, but is it a "rootkit?"

Austin (TX) - When security software engineer Mark Russinovich was testing last week one of his programs called RootkitRevealer, on a system he normally expects to be free of malicious code, he noticed that it revealed a hidden directory, and several hidden files. Inside were what appeared to be device drivers, with .SYS and .DLL extensions, and one hidden executable .EXE file. These weren't hidden by the normal means - for instance, setting the old DOS "Hidden" attribute - but by cleverly diverting system calls used to identify themselves to Windows.

This started Russinovich on a search through his system for what was doing the diversion, which for him was a trivial matter to accomplish. What he found was a driver embedded in his system's memory, which was diverting all system calls to identify a directory whose listing began with the characters $sys$. Inside that directory - which he could easily open, even though Windows couldn't see it - were files that identified themselves as part of a package published by a company called First 4 Internet, Ltd. With a little bit of research, he discovered that this company produced digital rights management software for Sony BMG.

Russinovich - as many frequent Internet surfers now know - purchased a CD published by an imprint of Sony BMG, that contains its own music player software when inserted in a PC's CD-ROM player. This software enables users to make a limited number of backup copies, and marshals the process of ripping songs so that individual .MP3 files cannot be created. The software involved, called Extended Copy Protection (XCP), and has actually been in use in some form since 2003, however it took a person of Russinovich's curiosity and caliber to discover the extent to which it did what it did.

XCP evidently utilizes a memory-resident driver to prevent a user from bypassing the software that effectively limits the ability to copy or rip songs from CD. This driver is installed in such a way that removal is difficult for the average Windows user - in this case, uninstallation requires nothing short of "Registry surgery." In the Windows System Registry, the driver becomes a link in a chain that is intentionally hard to follow, and deleting the entry simply breaks the chain, which can cause - and in Russinovich's case, did cause - the entire CD-ROM drive to become unusable from Windows.

This wasn't a permanent headache for Russinovich, but very few households or enterprises or even states have access to their own friendly neighborhood Mark Russinovich. In his frustration and concern, he published the story of his discovery, and the long tale of its solution, to his personal blog, in an entry entitled, "Sony, Rootkits and Digital Rights Management Gone Too Far."

One could easily sympathize with the latter sentiment, but it's the one in the middle that touched off the firestorm on the Web this week: Is the XCP software a rootkit?

As we come to understand it, a rootkit is not only a piece of malware that hides itself using techniques similar to those Russinovich discovered, but also opens up a line of communication between itself and a remote host, often using an unmonitored port, somewhere in the vast wilderness of the Internet. This, the XCP software apparently does not do. In fact, there's no evidence that the software does anything other than what its manufacturer claims it does, on its own Web site. It just does so in a manner many may find detestable.

Yet what launched this story into overdrive has been the subsequent headlines of the apparent discovery of a rootkit lurking behind Sony BMG CDs - a discovery which even Russinovich himself, despite his unfortunate choice of blog entry title, did not substantiate or even allege. True, the data which launched his investigation came from his own RootkitRevealer program.

However, out of curiosity, we tried Russinovich's program this afternoon on our own normally secure machines, only to discover a number of directories generated by Firefox, apparently in the creation of Web page caches, that while existing, cannot be accessed through the Windows API. The reasons for this problem, we assume, have to do with the length of the directories' fully qualified names, which surpass the maximum length supported by some Windows API functions. It might be a little more difficult than normal for one of us to cleanse these directories, if we needed to free some hard drive space. Yet we probably would stop short of alleging that Firefox is being used as a rootkit on ours systems.

Again, Russinovich did not make these allegations himself; rather, they were made for him through the propagation of his story. The danger in casting digital rights management techniques as akin to malware without substantive proof is that it diminishes the power of what substantive arguments can be made against the pervasiveness of DRM, using the accurate data we have available - much of it supplied by Russinovich. We don't particularly like the idea of any kind of program running on our computers without our knowledge, without our ability to disable it, and whose purpose is to monitor our usage habits. At the same time, we appreciate Sony BMG's efforts to protect its property, using methods and methodologies about which we should be well-informed, and to which we approve, or at least be given the opportunity to disapprove.

Yet this valid argument loses focus when we cast the object of our discontent in an extreme and negative light, as if our targets must be made huge and impossible to miss, and their characterizations so evil, to ensure that our own arguments contrast against them properly. Hyperbole is a stealth tactic in itself, used most often by individuals uncertain that their own positions will attract enough support on their own merits alone. We should, as a society, debate the merits of DRM, but for what it is and for how it assumes we as consumers do and should behave, rather than as the focus of all evil. Keep in mind that Mark Russinovich located the problem, dissected it, and for his system, solved it. In the absence of hyperbole, there are solutions at hand.