To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39154327,00.htm

Sony's DRM woes grow as hackers say hello
"It's someone trying to make a point. They could have done a lot worse"

By Alorie Gilbert

Published: Thursday 17 November 2005

Sony BMG took another blow on Wednesday, when a security company said it has found malicious attacks based on software designed to defuse the record label's "rootkit" problems.

Websense's security labs reported it has discovered several websites designed to exploit security flaws in a rootkit uninstaller program issued by Sony BMG Music Entertainment. As reported earlier, some Sony CDs deposit rootkit-like code onto people's computers that leave them open to attacks.

Websense has uncovered only a couple of websites set up to attack flaws in the initial uninstall program, and the damage they cause appears to be minimal so far. One of them, hosted in the US, simply restarts infected computers.

Dan Hubbard, senior director of security and technology research at Websense, said: "It's someone trying to make a point. They could have done a lot worse."

Sony became embroiled in controversy earlier this month after the record label was discovered to be distributing secret code similar to a rootkit with certain music CDs as a copy-protection mechanism. Sony BMG recalled millions of these CDs on Tuesday, after viruses exploiting flaws in the rootkits began to appear.

The company also released programs to uninstall the rootkits but the initial web-based version has its own set of flaws, Princeton University computer science professor Ed Felten wrote in his blog on Tuesday.

In the case of the US-hosted malicious site, the attacker may have compromised the site without the owner's knowledge, Websense's Hubbard said. The site appears to be associated with Canada's version of the American Idol TV show. Websense also found the following message in the site's malicious code: "Sony DRM Christmas Gift." DRM stands for digital rights management, a type of copy-protection technology.

Websense said in a statement: "Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack."

A Sony BMG representative did not immediately respond to inquiries about the alert.

However, in response to concerns about the security of its uninstall software, Sony has removed the program from its website, and promised to release another version soon.

The Sony site now reads: "We currently are working on a new tool to uninstall First4Internet XCP software. In the meantime, we have temporarily suspended distribution of the existing uninstall tool for this software. We encourage you to return to this site over the next few days."

The flaw in Sony's uninstall software was based on an ActiveX program installed on hard drives, which allowed websites to run malicious code automatically in the Internet Explorer web browser. Some security experts are advising people who think they might have used Sony's uninstall tool to use the Firefox web browser, which does not support automatic ActiveX controls.

Princeton computer science professor Ed Felten and researcher Alex Haldeman have created a page that tests whether a computer might be at risk as a result of running the uninstall tool.

CNET News.com reporter John Borland contributed to this story

Alorie Gilbert writes for CNET News.com