A Look Back at the Time Sony Put Rootkits on People’s Computers

by Gary Chapman



The year was 2005: MySpace was one of the largest sites online, YouTube had just launched, and one of the most common programs on people's computers was a file-sharing client such as Napster, Kazaa or LimeWire.

By the beginning of 2004, 532 lawsuits had been filed against people for downloading music through one of these applications. According to a Pew Research Center poll, 27% of internet users regularly downloaded music illegally. So the great minds at Sony BMG decided to stop people copying CDs. How did they do it, you might ask? By shipping DRM that behaved like a rootkit.

First of all, what is a rootkit?  

According to Malwarebytes, a rootkit is, “a malicious type of software that provides root-level, privileged access to a computer while hiding its existence and actions.” Root level is the highest privilege level on a computer, the level at which the operating system itself runs and controls the hardware. Code running there can see and alter everything on the machine, including the tools a user would run to look for it.

Sony was pretty adamant on stopping the copying of music, with Steve Heckler, senior vice president of IT at Sony Pictures, saying in 2000 that, “we will develop technology that transcends the individual user. We will firewall Napster at [the] source — we will block it at your cable company, we will block it at your phone company, we will block it at your [Internet-service provider]. We will firewall it at your PC,” according to an article by the Daily Forty-Niner.

The trouble began when Sony BMG started shipping CDs carrying Extended Copy Protection (XCP), software written by the UK firm First 4 Internet. The program ran automatically, via Windows autorun, when such a CD was inserted into a PC. The user was shown a EULA (End User Licence Agreement): if they declined, the disc was ejected; if they accepted, the software was installed, and nothing in the EULA mentioned that it would hide itself. It then restricted playback and copying to the bundled player. No uninstaller was provided, and deleting the hidden driver files by hand could leave the CD drive inaccessible. The web-based uninstaller Sony later offered was worse: the ActiveX control it left on the machine could be invoked by any web page to run code, so the fix opened a second security hole.

Security researcher Mark Russinovich remarked in 2005 that, “the entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall.” Other researchers had already found the DRM but did not want to write about it, because the DMCA prohibits circumventing copy protection and reverse engineering it could be read as exactly that.

The cloaking XCP used was not specific to Sony's own files: the driver hid every file, directory, process and registry key whose name began with the prefix `$sys$`, so any other program that adopted that prefix was hidden too. Malware authors noticed quickly. The Backdoor.IRC.Snyd.a trojan was the first to piggyback on the cloak, and it was discovered within two weeks of the reveal, according to Bitdefender.
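The following simulation, added here and not code from Sony BMG or First 4 Internet, shows why a name-based cloak is dangerous and how Russinovich's cross-view technique exposed it. The only detail taken from the incident is the `$sys$` prefix rule; the directory entries, the "drv.exe" payload name and the function names are all constructed for the example.

```python
"""Simulation of the XCP cloak and of the cross-view check that exposed it.

Added illustration, not code from Sony BMG or First 4 Internet. The one detail
taken from the real incident is the naming rule: XCP's driver hid any file,
directory, process or registry key whose name began with "$sys$". Every entry
in the sample listings below is constructed.
"""

CLOAK_PREFIX = "$sys$"


def cloaked_view(raw_names):
    """What a user-mode caller saw through the hooked Windows API: every entry
    whose name starts with the cloak prefix is silently dropped."""
    return [n for n in raw_names if not n.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Cross-view diff, the technique RootkitRevealer used: names present in the
    raw (on-disk / kernel) view but missing from the API view are being hidden."""
    return sorted(set(raw_view) - set(api_view))


def piggyback(filename):
    """What malware such as Backdoor.IRC.Snyd.a did: adopt the prefix so the
    DRM's own cloak hides the malware as well. The filename is constructed."""
    return CLOAK_PREFIX + filename


# Constructed sample: a system directory holding the DRM driver and service.
SYSTEM_DIR = ["kernel32.dll", "$sys$cloak.sys", "$sys$player.exe", "notepad.exe"]


def audit(raw_view):
    """Return the entries the cloak hides from a directory or process listing."""
    return cross_view_diff(cloaked_view(raw_view), raw_view)


if __name__ == "__main__":
    print("hidden by the DRM:", audit(SYSTEM_DIR))
    infected = SYSTEM_DIR + [piggyback("drv.exe")]
    print("visible to the user:", cloaked_view(infected))
    print("hidden after infection:", audit(infected))
```

The simulation models only the API-level filter; the real RootkitRevealer obtained its raw view by parsing the NTFS volume and registry hives directly, which is what let it see past a driver hooking the file-system and registry APIs. The point the example makes is the one Russinovich made: once the cloak exists, whether a hidden file belongs to Sony or to a trojan is decided by nothing more than its name.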

Sony also used a second DRM, MediaMax CD-3 from SunnComm. This one installed its driver regardless of what the user chose at the EULA prompt, so declining the agreement did not keep the software off the machine.

The reaction once people found out about XCP and MediaMax was one of outrage. Stewart Baker, Assistant Secretary at the Department of Homeland Security, scolded Sony and other manufacturers, saying that, “it’s very important to remember that it’s your intellectual property; it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.”

Sony initially dismissed the outcry, with Thomas Hesse, President of Sony BMG’s digital business division, saying that, “most people, I think, don’t even know what a rootkit is, so why should they care about it?” Sony then stopped manufacturing the XCP discs and recalled them on Nov. 14, 2005, saying that, “Sony BMG deeply regrets any inconvenience to our customers and remains committed to providing an enjoyable and safe music experience.”

This didn’t stop several class-action lawsuits from being filed. Two were brought in the state of Texas; Sony paid the state $750,000 in fees and at least $25 to anybody whose CD drive the DRM had disabled.

Bands protested the DRM measures as well. My Morning Jacket burned copies of their album Z without the software and sent them to fans: “If that didn’t work, we offered to burn a copy of the album and send it to the fan who already purchased a copy of Z. To date, we have sent out over 100 copies of [the album] to friends and fans who have purchased the album and have not been able to enjoy the music.”

Time magazine has ranked XCP as one of the worst inventions in history: it broke computers, it was trivially bypassed (the software relied on autorun, so holding Shift while inserting the disc or turning autorun off was enough to skip it), and it tarnished the trust between bands, the public and the record label.
