Hidden DRM code's legitimacy questioned

The latest headache for security professionals has become a secret weapon in the battle between copyright owners and their customers.

This week, two research groups independently and separately reported that music giant Sony BMG has used software hiding techniques more commonly found in rootkits to prevent removal of the company's copy protection software. A rootkit is software that hides its presence on a computer while controlling critical system functions, and security professionals have lately warned that the addition of the technology to a variety of Internet threats - from bots to spyware - makes the malicious code more difficult to find and remove.

Both antivirus firm F-Secure and security information site SysInternals.com identified the copy protection scheme deployed by Sony BMG as essentially a rootkit. The tactic abuses the trust of the computer user, said Mikko Hippönen, chief research officer for F-Secure.

"No one reads the licensing agreements, and even if you do, (the Sony BMG agreement) does not make it obvious what is happening," he said. "It's also not obvious that it is almost impossible to uninstall the program." The concerns are the latest backlash against music and movie companies over what many critics call heavy-handed tactics designed to maintain the status quo in the face of innovative technologies that are disrupting the copyright holders' traditional business models. The industries' tactics have varied from frequent lawsuits against consumers to lobbying Congress for harsher penalties against those who use file-sharing technologies. Meanwhile, some vigilantes have poisoned peer-to-peer file sharing systems with Trojan horse programs that report the user.

The latest tactic, however, hews much closer than past actions to the definition of a malicious threat to a user's computer system, said Edward Felten, a professor of computer science and public affairs at Princeton University and an expert in digital-rights management technology. "It is not legitimate to undermine the user's desire to secure their own computer," Felten said. "I don't think they should be hiding files and programs and registry entries from the system administrator, ever." Answering critics, Sony BMG released on Wednesday a limited statement on its site and also posted a patch that Windows users can run using Internet Explorer to remove the copy-protection software from their system. Neither First 4 Internet or Sony BMG returned requests for comment on the issue.

"The protection software simply acts to prevent unlimited copying and ripping from discs featuring this protection solution," Sony BMG said in a statement posted on its site. "It is otherwise inactive. The software does not collect any personal information nor is it designed to be intrusive to your computer system."

Both F-Secure and SysInternals discovered the software after detecting the presence of a rootkit on a system that had played a content protected CD. After investigating, researchers at both organizations found that the root cause of the problem was the software installed by U.K.-based First 4 Internet. The software, known as XCP, also indiscriminately hides registry keys - the values used by the Windows operating system to run, configure and maintain software on the system - allowing malicious code to use the copy-protection software to hide itself.

Moreover, mimicking a tactic used by spyware and adware, the copy-protection software cannot be uninstalled under Windows XP except by contacting Sony BMG through a special Web site. For SysInternals.com's Mark Russinovich, the software is taking copy protection to an unpalatable extreme.