New digital rights management technology shipping on music CDs by Sony Corp. of America/Bertelsmann AG artists employs stealthy, rootkit-style techniques to hide from users, according to a security expert.


The new technology, which Sony has dubbed "sterile burning," manipulates the Windows core processing center, or "kernel," to make the DRM almost totally undetectable on Windows systems.

These DRM files are almost impossible to remove without fouling Windows systems and could be used by malicious hackers to hide their own programs, according to Mark Russinovich (search), chief software architect at Winternals Software Inc., (search) a company that makes administrative software tools.

Sony BMG acknowledged that the rootkit-style features are part of DRM technology that began shipping with CDs in 2005, but referred technical questions about the technology to First 4 Internet Ltd., (search) the Banbury, England, firm that developed it.

Russinovich said he discovered the Sony rootkit technology after scanning his own computer with a tool called RootkitRevealer (search) that he developed.

Russinovich, who is an authority on rootkits, said he was shocked by the discovery.

"Given the fact that I'm careful in my surfing habits and only install software from reputable sources, I had no idea how I'd picked up a real rootkit," he wrote on his blog.

After discovering the program, Russinovich began a detailed analysis of it that turned up the name of First 4 Internet, a UK firm that developed the software for Sony.

Russinovich said he believes that the software was installed on his system by a copy-protected CD of music by Sony BMG artists The Van Zant Brothers (search) that he recently purchased from Amazon.com.

Through a detailed analysis of communication between the media player installed from the Sony CD and the rootkit files, Russinovich was able to determine that the rootkit (search) files were installed with the media player and communicated with it.

Russinovich was reluctant to discuss the details of how the DRM software works, citing fear of prosecution under the DMCA ( Digital Millennium Copyright Act). However, he said the rootkit features help enforce the sterile burning limits on copying Sony music files.

A Sony BMG spokesperson said the sterile burning and rootkit technology is intended to act as a "fence" or "speed bump" for users who want to try to go beyond the limit of three copies on the company's DRM-protected music.

Like other so-called "kernel mode" rootkits, the Sony DRM software interacts with the system service table, a core component of the Windows operating system kernel that coordinates the interactions between instructions from different Windows applications and the kernel.

Read details here about the threat of rootkits on enterprise networks.

By "hooking" the Windows kernel in this way, kernel mode rootkits can intercept communications between the kernel and the Windows API, filtering or distorting the instructions and information that are sent from the kernel.

For example, the Sony DRM software did not appear in the Windows Explorer or the Windows registry, where information on installed programs can typically be viewed, Russinovich said.

Rootkit technology is well established and not, in itself, malicious, said Mathew Gilliat-Smith, CEO of First 4 Internet.

"Rootkit detection programs have made rootkits more high-profile in the media, but this technology has been around for a long time and is used widely by anti-virus and other information security companies," he said.

That said, First 4's technology isn't a rootkit, but part of a copy protection system designed to balance security and ease of use for the CD buyer, he said.

Sony BMG began using a version of First 4 technology called XCP (search) in March 2005, he said.

However, the Sony rootkit files developed by First 4 Internet are unsophisticated and could introduce other problems on systems that install the Sony DRM technology, Russinovich said.

For example, the rootkit features are designed to hide any file on a Windows system with a file name that begins with the characters $sys$, not just the files used by the Sony sterile burn technology.

That feature could be used by malicious hackers to hide their own attack programs on computers that have installed the Sony DRM technology, simply by following the $sys$ naming convention, he said.

The rootkit files also interact with Windows at a very low level, and fail to account for certain conditions that could cause the files to overwrite areas of memory, crashing applications that use that memory, or even crashing Windows altogether, Russinovich said.

Finally, removing the Sony DRM software is extremely difficult. Because it is hidden from Windows, there is no entry for it in the Windows Control Panel (search) and no easy way to determine where or how it is installed on Windows.

Users like Russinovich who are sophisticated enough to find the files and try to delete them will find that Windows can no longer detect the CD drive attached to their systems, Russinovich found, and it requires other subtle manipulations of Windows to restore.

"The average user would not be able to remove [the Sony DRM] without losing … the CD. Even a sophisticated user would have trouble," he said.

First 4 has developed a new version of the stealth features that respond to many of the questions Russinovich raised in his analysis, including the $sys$ and the stability issues. Those features will be available in new Sony BMG CDs, Gilliat-Smith said.

It is not clear whether users with the existing DRM technology will be able to upgrade to the new features. However, Sony BMG offers a removal program for the copy protection software, which can be downloaded from the company's Web site, according to a spokesperson.

Rootkit features are becoming more common in malicious software. Just last week, researchers warned of a rootkit that was being distributed by an IM worm on America Online Inc.'s Instant Messenger network.

However, this is the first known use of rootkit functionality with DRM, Russinovich said, adding that it was unexpected.

However, media companies have good reason to leverage rootkit techniques, as they try to put up barriers to the illegal copying of copyrighted material and make it harder for users to disable DRM technology on their computers, he said.