Saturday, November 05, 2005

Sony DRM rootkit code (#13)

Mark Russinovich has an update to his original post titled: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home". He first goes through the hoops that Sony puts you through to partially uninstall their DRM code. It turns out that all it does is uncloak it, and it installs 3.5 MB worth of updated DRM drivers. Again, no mention is made of any of this in the Sony EULA. It apparently attempts to act like a normal driver/program install, with an entry for MediaJam showing up in the Add/Remove Programs control panel. However, to no one's surprise, it doesn't work. Somewhere along the way, it executes:
net stop "network control manager"
Where “Network Control Manager” is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. However, since the drivers utilize system call hooking, stopping the cloaking this way apparently opens a system to the small possibility of a crash.
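The misleading display name is the part a defender can actually check for. The following script is an added example, not code from the original post, from Sysinternals or from Sony: it triages Windows service records by the binary they load rather than by the name they advertise, flagging drivers whose display name has nothing in common with their image file, that load from outside the standard drivers directory, or that present a kernel driver with a service-style label such as "Manager". The sample records are constructed for this example (the key name, path and directory for the Aries entry are placeholders, not the real values); on Windows the assumed helper read_services_from_registry() builds the same records from the live registry using only the standard library. Treat hits as candidates for review, not as proof of cloaking: legitimate drivers with abbreviated names will show up too and need an allowlist.

```python
"""Triage Windows service records by what they load, not what they claim.
Added example, not from the original post. Sample data is constructed."""
import ntpath
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

SERVICE_KERNEL_DRIVER = 0x1       # registry Type value for kernel drivers
SERVICE_FILE_SYSTEM_DRIVER = 0x2  # registry Type value for file-system drivers
DRIVER_TYPES = {SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER}


@dataclass
class ServiceRecord:
    name: str          # registry key name; `net stop` accepts this...
    display_name: str  # ...or this, which is what users see in the UI
    image_path: str    # binary the service control manager actually loads
    service_type: int  # Type value from the registry


def binary_base_name(image_path: str) -> str:
    """Lower-case file name without extension from an ImagePath value.
    Handles quoted paths with arguments and NT prefixes such as \\??\\.
    Unquoted paths containing spaces are cut at the first space."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def in_standard_driver_dir(image_path: str) -> bool:
    """True when the image lives under system32\\drivers (any NT prefix)."""
    p = image_path.strip().strip('"').lower()
    return "\\system32\\drivers\\" in p or p.startswith("system32\\drivers\\")


def name_matches_binary(display_name: str, binary: str) -> bool:
    """True when the display name visibly refers to the binary: the binary
    name appears in the display name's letters (TCP/IP -> tcpip) or a
    display word shares a 4+ character prefix with it (Spooler -> spoolsv)."""
    letters_only = re.sub(r"[^a-z0-9]", "", display_name.lower())
    if binary and binary in letters_only:
        return True
    for word in re.findall(r"[a-z0-9]+", display_name.lower()):
        common = 0
        for a, b in zip(word, binary):
            if a != b:
                break
            common += 1
        if common >= 4:
            return True
    return False


def assess(rec: ServiceRecord) -> List[str]:
    """Triage findings for one record; an empty list means nothing odd."""
    findings = []
    binary = binary_base_name(rec.image_path)
    if not name_matches_binary(rec.display_name, binary):
        findings.append(f"display name '{rec.display_name}' does not refer to binary '{binary}'")
    if rec.service_type in DRIVER_TYPES:
        if not in_standard_driver_dir(rec.image_path):
            findings.append("driver loaded from outside system32\\drivers")
        if re.search(r"\b(manager|service)\b", rec.display_name, re.IGNORECASE):
            findings.append("kernel-mode driver labelled like a user-facing service")
    return findings


def triage(records) -> Dict[str, List[str]]:
    """Map service key name -> findings, only for records that have any."""
    report = {}
    for rec in records:
        findings = assess(rec)
        if findings:
            report[rec.name] = findings
    return report


def read_services_from_registry() -> List[ServiceRecord]:
    """Windows only: build records from the live registry via winreg.
    Display names of the form '@file.dll,-123' are kept verbatim."""
    import winreg  # standard library, importable only on Windows

    def value(key, name, default=""):
        try:
            return winreg.QueryValueEx(key, name)[0]
        except FileNotFoundError:
            return default

    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            key_name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, key_name) as sub:
                image = value(sub, "ImagePath")
                if not image:
                    continue  # entries without their own binary (service groups)
                records.append(ServiceRecord(key_name, str(value(sub, "DisplayName")),
                                             str(image), int(value(sub, "Type", 0))))
    return records


# Constructed samples (not registry dumps). The first mirrors the pattern in the
# post: a kernel driver with a generic display name, loaded from a non-standard
# directory. Key name "aries", directory "drm_placeholder" are placeholders.
SAMPLE_SERVICES = [
    ServiceRecord("aries", "Network Control Manager",
                  r"\??\C:\Windows\System32\drm_placeholder\aries.sys", SERVICE_KERNEL_DRIVER),
    ServiceRecord("Tcpip", "TCP/IP Protocol Driver",
                  r"System32\drivers\tcpip.sys", SERVICE_KERNEL_DRIVER),
    ServiceRecord("Spooler", "Print Spooler",
                  r'"C:\Windows\System32\spoolsv.exe"', 0x10),
]

if __name__ == "__main__":
    source = read_services_from_registry() if sys.platform == "win32" else SAMPLE_SERVICES
    for name, findings in triage(source).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run on its own it prints the constructed Aries-style entry with three findings and stays silent on the two benign records; on a Windows host it walks the real Services key instead. Since a cloaking driver that hooks the enumeration calls can hide its own key from winreg, a clean result from the live registry is only as trustworthy as the API it came through, which is the whole point of the cross-view checks in the original rootkit write-up.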

Then comes the point that is interesting to me. Earlier posters had suggested that the Sony code connected to Sony. In other words, that we had some spyware here. This was vehemently denied by Sony. Mark confirmed that it indeed was going on. When you play a Sony CD, the drivers connect to a Sony site to tell them that. Mark says:
It appears the Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and is not configurable in any way.
It still looks like spyware to me.

Update #1 - comment by xcp_support:
In responding to the specific comments in this blog we set out the following comments which I hope clear things up.

1) Blog: "The Player is automatically checking to see if there are updates for the album art and lyrics for the album it’s displaying. This behavior would be welcome under most circumstances, but is not mentioned in the EULA, is refuted by Sony, and not configurable in any way. I doubt Sony is doing anything with the data, but with this type of connection their servers could record each time a copy-protected CD is played and the IP address of the computer playing it."

Answer: The player has a standard rotating banner that connects the user to additional content (e.g. provides a link to the artist web site). The player simply looks online to see if another banner is available for rotation. The communication is one-way in that a banner is simply retrieved from the server if available. No information is ever fed back or collected about the consumer or their activities.

2) Blog: "The download of what should be a small patch is around 3.5 MB because it includes updated filters for the DRM software that the patch also installs (again, no mention of this is made in the download description)."

Answer: In addition to removing the cloaking, Service Pack 2 includes all fixes from the earlier Service Pack 1 update. In order to ensure a secure installation, Service Pack 2 includes the newest version of all DRM components, hence the large file size for the patch. We have updated the language on our web site to be clearer on this point.

3) Blog: He states that the patch installs something called MediaJam which he was not expecting and could not uninstall.

Answer: Service Pack 2 does not install the MediaJam player on the user's hard drive. The only MediaJam related file installed on the user's drive is a standard Windows file (unicows.dll) used to support multiple languages. When this standard Windows file is installed by Service Pack 2, it creates a MediaJam group in the Add or Remove Programs list -- even though no MediaJam player is installed. Attempting to 'uninstall' this program results in a dialog box which confirms that this program had never been installed in the first place.

4) Blog: He claims that the patch itself could cause a blue-screen, although he says the risk is small.

Answer: This is pure conjecture. F4I is using standard Windows commands (net stop) to stop their driver. Nothing more.

5) Blog: As part of the uninstall process he notes that "clicking on the Sony privacy policy link at the bottom of the page takes you to a notice that your email address will be added to various Sony marketing lists."

Answer: An email address is required in order to send the consumer the uninstall utility. The wording on the web site is the standard Sony BMG corporate privacy policy that is put on all Sony web sites. Sony BMG does nothing with the customer service data (email addresses) other than use them to respond to the consumer.


3:50 PM

1 Comment:

Anonymous Rob said...

"Where "Network Control Manager" is the misleading name the developers assigned to the Aries driver so the command directs the Windows I/O system to unload the driver from memory. "

Okay, this leads to the next question. It is illegal to use a misleading name in an email; can this be extended to OS services? This is a clear attempt to keep a user from uninstalling / stopping the service.

10:21 AM
