Sunday, May 27, 2007

Rooting Out Sony BMG's Rootkit

What you need to know about the CD copying-protection scheme that surreptitiously installed spyware on users' computers

The use of a digital rights management (DRM) program designed to restrict the copying of some Sony BMG recordings has created a lot of concern among readers (see BW Online, 11/22/05, "Sony's Escalating 'Spyware' Fiasco"). Reader Joseph Wieczorek has a series of questions about the software, which has officially been labeled as "spyware" by Microsoft (MSFT) and all major PC security companies because it reports information back to Sony BMG without the user's consent. It also left computers vulnerable to certain other attacks (see BW Online, 11/29/05, "Spitzer Gets on Sony BMG's Case").

I have some questions about Sony's spyware. I understand that it's put on Sony's music CDs and maybe Sony's movie DVDs.
First, a clarification of a widespread misunderstanding. The CDs in question were produced by Sony BMG Music Entertainment, a 50-50 joint venture between Japan's Sony (SNE) and Germany's Bertelsmann, not by Sony, Sony Electronics, or Sony Entertainment. The software, First4DRM, was produced by First 4 Internet, an independent company based in Wales that wrote the software used by Sony BMG (see BW Online, 11/29/05, "Sony BMG's Costly Deafness").

As far as anyone has learned, the First4DRM software was installed only on certain audio CDs from Sony BMG (click here for a list of the titles). For technical reasons, it would be much more difficult to do something like this on movie DVDs, and there's no evidence that this has been tried. Besides, DVDs come with standardized copy protection. The method doesn't prevent someone really determined from copying the disk, but at least it's harmless.

Does Sony put this spyware or any variant of it in other products -- for instance, in the software that comes with their MP3 players or DVD burners?
I'm going to restrict myself to what might be done. In theory, just about any software could contain elements that behave like spyware. In some cases, there are even good reasons for this. For example, it's very useful for antivirus software to report its current status back to a vendor to determine whether any updates are needed.

As for malicious software -- again, anything is possible. There was a case earlier this year where some digital music players sold by Creative Labs were found to have been inadvertently infected with a virus. And there are many cases of viruses, worms, and other bad things being hidden in downloaded music or video files or pictures. I do not, however, know of any other cases where spyware has been hidden in legally purchased music or other entertainment.

Norton has a removal tool for First4DRM. Is the Norton tool sufficient to remove the First4DRM Spyware and any/all variants? Are there other removal tools necessary?
Just about every antispyware/antivirus vendor has modified their programs to detect and remove the Sony BMG rootkit. As far as I know, the only one that didn't do the job was the first repair tool released by Sony BMG itself, which actually made matters worse (see BW Online, 11/17/05, "Sony's Copyright Overreach"). In addition, you can download a free removal tool from Symantec.

Do other companies put this kind of spyware on your computer?
I'm afraid so. Reputable companies don't, but not all companies are reputable. The worst offenders that I know of are the suppliers of clients for peer-to-peer file sharing networks such as KaZaA.

http://www.businessweek.com/technology/content/nov2005/tc20051129_685454.htm