| It took the best part of five decades for Sony to establish itself as an iconic brand. It is a market leader in everything from PCs, game-playing consoles, laptops and Discmans to movie, TV and music/video content and programming. |
| In the past five weeks, that image has been hugely tarnished. The digital giant is now at the centre of a PR disaster. It is also the target of massive class action suits in Italy, Texas, California and New York and calls for a boycott from a mass of irate global consumers. |
| Sony BMG Music Entertainment's debacle occurred when it made the transition from gamekeeper to poacher. In an attempt to restrict piracy, the company turned hacker by commissioning a diabolical piece of copy-protection software, "XCP". |
| XCP, which was created by the UK-based software-maker First4internet, sits on Sony BMG music CDs and was installed on at least 52 music titles (and 4.7 million CDs) released in the past year. It's supposed to allow a maximum of 3 copies. |
| If an XCP CD is played on a computer, XCP installs and runs undetected at the heart of the system. Not only does it cloak itself and send information unannounced to Sony websites, it creates a road map for other malware to install and run undetected. |
| A computer network where an XCP CD has been played is insecure. The damage is likely to be extremely severe precisely because of the reach and popularity of Sony. According to security expert Dan Kaminsky, there are at least 568,000 compromised networks already and there may be many more. Only Sony (and First4internet) would know the number of compromised systems for sure (because each compromised system contacts Sony). The projected infection rates are similar to worms like Blaster, Code Red and Nimda. |
| The damage spans 165 countries, with the top five affected including Spain, the Netherlands, Great Britain, the United States and Japan. The implications are such that Microsoft has officially labelled XCP "malware" and released an emergency XCP detection tool and patch as part of its beta Anti-spyware. Anti-virus companies like Symantec and McAfee have also released patches. |
| Security experts opine that the MS patch may not be sufficient. Sony has withdrawn the XCP CDs from distribution and offered replacements. It could well be forced into funding a cleanup for compromised systems. |
| XCP goes a long way beyond spyware, which can be defined as programs designed to collect information and send it somewhere without explicitly informing the user. XCP installs a rootkit. A rootkit is an entire set of hacking tools. These replace critical system components with designer copies to run undetected or "cloaked". A rootkit is designed to allow a user to maintain access to root resources while being invisible to admin. |
| For example, Windows and Unix systems run "netstat", a program designed to list active connections to the Net. Ordinary spyware is easily detected on netstat because the connection is visible. A rootkit would use a recompiled version of netstat that runs apparently normally but doesn't list specific spyware. |
| Similarly, rootkits can hide user logons by replacing password utilities. An anti-virus package or a firewall can also be re-engineered. A rootkit can intercept anything typed into a network computer and thus, can be used to gain remote access cloaked from system security. |
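The netstat cloak described above is what a cross-view check is meant to catch: compare what the user-facing tool prints with an independent reading of the same table and flag whatever the tool leaves out. The sketch below is an added example, not from the original article; it assumes a Linux host where `/proc/net/tcp` serves as the second view (a kernel-level rootkit could falsify that too), and all addresses and sample outputs are constructed.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout: IPv4 as hex in little-endian
# host order (x86 assumed), port as hex; state 01 = ESTABLISHED, 0A = LISTEN.
RAW_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000
   1: 0500000A:C350 0A0200C0:01BB 01 00000000:00000000
   2: 0500000A:C351 140200C0:0050 01 00000000:00000000
"""

# Constructed output of a (possibly replaced) netstat: one connection missing.
TOOL_OUTPUT = """\
Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp        0      0 10.0.0.5:50000   192.0.2.10:443    ESTABLISHED
"""

def decode_endpoint(field):
    """Turn '0500000A:C350' into ('10.0.0.5', 50000)."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)

def kernel_view(raw):
    """Established connections according to the raw table."""
    conns = set()
    for line in raw.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "01":
            conns.add((decode_endpoint(cols[1]), decode_endpoint(cols[2])))
    return conns

def tool_view(output):
    """Established connections according to the tool's printed listing."""
    conns = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] == "tcp" and cols[5] == "ESTABLISHED":
            lip, lport = cols[3].rsplit(":", 1)
            rip, rport = cols[4].rsplit(":", 1)
            conns.add(((lip, int(lport)), (rip, int(rport))))
    return conns

def hidden_connections(raw, output):
    """Connections present in the raw table but absent from the tool."""
    return sorted(kernel_view(raw) - tool_view(output))

if __name__ == "__main__":
    for local, remote in hidden_connections(RAW_PROC_NET_TCP, TOOL_OUTPUT):
        print("not shown by tool:", local, "->", remote)
```
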
| Rootkits are normally created and used by hackers, who are seeking backdoor access. Most hackers are single individuals lacking the wherewithal and know-how to create an entire package of recompiled utilities to cloak intrusions. |
| Sony BMG, which is the second-biggest record label in the world, is not short of resources. The XCP is a near-complete rootkit. Removing the rootkit is a painful process. A casual attempt at removal could crash the entire system or make the CD/DVD drive invisible. |
| Unfortunately, on an XCP-hit system, it's impossible to detect any malware that has a name starting with "sys*". It's as though XCP opens the front door, switches off burglar alarms and invites intruders to enter at their leisure. The XCP rootkit has been used by hackers to bypass security and cheat at the World of Warcraft role-playing game. |
| If a hacker were caught creating and distributing a rootkit, he or she would end up behind bars. Sony's excuse is that it did this to protect its intellectual property. If the fine print on the EULA (end-user licensing agreement) of the CDs is well-drafted, the company may escape criminal prosecution. |
| But according to Bruce Schneier, the best-selling author of "Applied Cryptography" and editor of the e-journal Crypto-Gram, national security networks in several countries may have been compromised and transmitted information to Sony. That could make the corporation liable under anti-terrorist legislation as well! |
| So why did Sony perpetrate this lunacy? And why did it compound the folly with arrogant statements such as the one Thomas Hesse, Sony BMG president, Global Digital Business, made: "Most people don't know what a rootkit is, so why should they care about it?" |
| The company also took several weeks to react after techies like Mark Russinovich of Sysinternals (the internet security firm that provides the superb Autoruns free utility) flagged it in late October. |
| The legal fallout of this is likely to set precedents in drawing a line as to how far corporates may go to protect intellectual property. Whatever the legal decisions, Sony will have to work hard to rebuild consumer trust. If it can sell CDs that compromise entire computer networks, it's natural to wonder whether it can sell secure computers. |