Sony DRM Rootkit

Revision as of 14:40, 23 August 2010 by Admin

The Sony rootkit ships on many music titles as a copy-protection scheme. Sony's DRM rootkit doesn't stop the music CD from playing on standard consumer-electronics CD players, but when you play it on your computer the DRM rootkit installs itself automatically. When played on a Microsoft Windows PC, Sony's DRM system forces you to play the music through its own player software, which secretly installs the rootkit, just like a virus.

Sony installs a system-level application that hides from the user every file whose name matches a specific pattern. These files are still present on the system and can be run normally; only any mention of their presence is hidden from the user. This could allow authors of malicious software to use Sony's DRM software to hide their own trojan horses on your computer.

The Sony DRM rootkit is a virus in essence. It hides itself so well that even many technical computer experts can't find it. Furthermore, it scans everything running on the system while active, which slows computer performance.

If you are actually able to find the Sony DRM rootkit and remove it yourself, you will likely lose access to the CD-ROM drive on your computer. Clean removal is extremely difficult, even for a professional computer technician: because the rootkit replaces a driver for the CD drive, removing the Sony DRM rootkit leaves your CD drive disabled.

Opportunism

Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in the DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.

Prevention

When you insert a Sony CD into your computer, do not accept the Sony End User License Agreement (EULA). Accepting this long document in legalese effectively means you give permission for Sony to install software on your computer. Don't.

Hold down the Shift key when you insert a CD into the drive. This prevents autorun from executing the rootkit. Keep in mind, however, that you may still launch the rootkit by clicking the CD drive letter icon in Windows Explorer, and certain applications such as Windows Media Player may also launch it.

Don't put a Sony BMG music CD in your computer. Discs with Sony's DRM cannot be officially called Compact Discs, as they violate the original "Red Book" standard devised by Sony and Philips in June 1980. They can be easily spotted as the cases will not feature the familiar 'Compact Disc' logo.

Detection

Method 1

Create a file whose name starts with $sys$ on your computer; if the file disappears from the directory listing, you are most likely already infected with the rootkit.

Method 2

Open an MS-DOS Command Prompt (on Windows XP click START, then RUN, type 'cmd' and press ENTER):

 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.
 
 C:\Documents and Settings\owner>cd \
 
 C:\>cd windows
 
 C:\WINDOWS>cd system32
 
 C:\WINDOWS\system32>cd $sys$filesystem
 The system cannot find the path specified.
 

The example above shows what is visible in the MS-DOS window. In this example the system is clean: there is no Sony DRM rootkit. If the last cd command had succeeded in entering a $sys$filesystem path, that would indicate the presence of the Sony DRM rootkit.
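The two detection methods above can be scripted. The following is an added example (not a tool from the original page or from Sony): it writes a $sys$-prefixed probe file and checks whether a directory listing still shows it (Method 1), then checks for the $sys$filesystem directory and ARIES.SYS under system32 by full path (Method 2, the cd test). The reasoning is the one the page describes: cloaked files stay reachable by name but vanish from listings. The system32 default location and the probe file name are assumptions.

```python
import os
import tempfile

# Names the page says the rootkit cloaks: anything starting with "$sys$", plus the
# driver directory "$sys$filesystem" under system32 that holds ARIES.SYS.
XCP_PREFIX = "$sys$"
XCP_DRIVER_DIR = "$sys$filesystem"
XCP_DRIVER_FILE = "aries.sys"   # assumed lower-case; Windows file names are case-insensitive


def probe_prefix_cloaking(directory):
    """Method 1, scripted: write a $sys$-prefixed probe file, then see whether a
    directory listing still shows it. A cloaking driver hides names from
    enumeration while the file stays reachable by its full path, so 'cloaked'
    means: the file could be written and read back, but the listing omits it."""
    probe_name = XCP_PREFIX + "probe.txt"          # assumed probe name
    probe_path = os.path.join(directory, probe_name)
    with open(probe_path, "w", encoding="ascii") as fh:
        fh.write("detection probe\n")
    try:
        listed = probe_name in os.listdir(directory)
        readable = False
        try:
            with open(probe_path, encoding="ascii") as fh:
                readable = fh.read().startswith("detection probe")
        except OSError:
            readable = False
    finally:
        try:
            os.remove(probe_path)   # remove by full path; works even when cloaked
        except OSError:
            pass
    return {"listed": listed, "readable": readable, "cloaked": readable and not listed}


def check_driver_dir(system32):
    """Method 2, scripted: the page's 'cd $sys$filesystem' test. A path lookup by
    full name succeeds on an infected machine (that is why the cd works), so
    isdir/isfile on the full path report whether the driver directory is there."""
    driver_dir = os.path.join(system32, XCP_DRIVER_DIR)
    return {
        "dir_present": os.path.isdir(driver_dir),
        "aries_present": os.path.isfile(os.path.join(driver_dir, XCP_DRIVER_FILE)),
    }


def audit(system32=None):
    """Run both checks. system32 defaults to %SystemRoot%\\system32 (assumed layout);
    the probe is written into a temporary directory so nothing is left behind."""
    if system32 is None:
        system32 = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32")
    with tempfile.TemporaryDirectory() as tmp:
        probe = probe_prefix_cloaking(tmp)
    driver = check_driver_dir(system32)
    suspicious = probe["cloaked"] or driver["dir_present"] or driver["aries_present"]
    return {"probe": probe, "driver": driver, "suspicious": suspicious}


if __name__ == "__main__":
    print(audit())
```

On a clean machine `audit()` reports the probe as listed and readable, no driver directory, and `suspicious` False; a listing that omits a file you just wrote, or a reachable $sys$filesystem directory, is the signal the page's two manual methods look for.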

Removal

Sony DRM Rootkit Removal Patch

Sony has released a patch in response to criticism. However, the patch does not disable the DRM rootkit and simply unmasks some of the rootkit that was hidden. Some users report more problems after using the Sony patch.

Don't Trust ANYTHING released by SONY.

LavaSoft 3rd Party Tool

Lavasoft's ARIES Rootkit Remover is the best known tool for removing the Sony DRM Rootkit.

Manual Removal

  • Must be done from the administrator (Full Control) account.
  • Open an MS-DOS prompt and navigate to the path c:\windows\system32\$sys$filesystem.
  • Delete the ARIES.SYS file in the $sys$filesystem directory and reboot the system.
  • Open REGEDT32 (not regedit), right-click on the HKEY_LOCAL_MACHINE hive and select PERMISSIONS from the dropdown menu.
  • Click on "Everyone" and make sure that FULL CONTROL is checked.
  • Use FIND (Control-F) to locate anything that matches "$sys$".
  • The first things you'll encounter are under HKEY_LOCAL_MACHINE, under the SOFTWARE key; delete them:
      • $sys$reference
      • ECDDiskProducers
      • SONYBMG
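The registry search in the steps above (FIND for "$sys$" plus the three named keys) can be done as a read-only audit before touching anything. The following is an added example, not a tool from the original page: the matching logic runs over a nested dict so it can be exercised anywhere, and on Windows `registry_as_tree()` builds that dict from HKLM\SOFTWARE with the standard `winreg` module. It only reports paths; deleting them remains the manual step above. As the page's ordering implies, run it after the driver has been deleted and the system rebooted. The sample tree and the `max_depth` limit are constructed assumptions.

```python
import sys

# Key names the manual-removal steps tell you to look for, taken from the page.
XCP_PREFIX = "$sys$"
XCP_KEY_NAMES = {"$sys$reference", "ECDDiskProducers", "SONYBMG"}
_XCP_KEY_NAMES_LOWER = {n.lower() for n in XCP_KEY_NAMES}


def is_xcp_artifact(name):
    """True for a key name the removal steps flag: anything containing "$sys$"
    or one of the three named keys (matched case-insensitively)."""
    return XCP_PREFIX in name or name.lower() in _XCP_KEY_NAMES_LOWER


def find_xcp_keys(tree, path=""):
    """Walk a nested dict {key_name: subtree} and return the backslash-joined
    paths of every matching key, parents before children."""
    hits = []
    for name, subtree in tree.items():
        full = f"{path}\\{name}" if path else name
        if is_xcp_artifact(name):
            hits.append(full)
        hits.extend(find_xcp_keys(subtree, full))
    return hits


def registry_as_tree(subkey=r"SOFTWARE", max_depth=6):
    """Windows only: read HKEY_LOCAL_MACHINE\\<subkey> into the nested-dict form.
    Read-only; keys that cannot be opened are kept as empty subtrees so the
    walk never stops early. max_depth bounds the recursion (assumed limit)."""
    import winreg  # standard library, present only on Windows

    def walk(hkey, depth):
        tree = {}
        if depth == 0:
            return tree
        index = 0
        while True:
            try:
                name = winreg.EnumKey(hkey, index)
            except OSError:      # ERROR_NO_MORE_ITEMS ends enumeration
                break
            index += 1
            try:
                with winreg.OpenKey(hkey, name) as child:
                    tree[name] = walk(child, depth - 1)
            except OSError:      # access denied: record the key, skip its children
                tree[name] = {}
        return tree

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as root:
        return walk(root, max_depth)


# Constructed sample tree (not a real registry dump) so the script runs anywhere.
SAMPLE_TREE = {
    "Microsoft": {"Windows": {"CurrentVersion": {}}},
    "SONYBMG": {},
    "$sys$reference": {"Sub": {}},
    "Classes": {"ECDDiskProducers": {}},
}


if __name__ == "__main__":
    tree = registry_as_tree() if sys.platform == "win32" else SAMPLE_TREE
    for hit in find_xcp_keys(tree):
        print(r"HKEY_LOCAL_MACHINE\SOFTWARE\%s" % hit)
```

Run on the sample tree it reports SONYBMG, $sys$reference and Classes\ECDDiskProducers; on a Windows machine it prints the real HKLM\SOFTWARE paths that the manual steps then remove by hand.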