Microsoft to remove Sony's DRM rootkit

I was very happy to see this post by the Microsoft Anti-Malware Engineering team.

If you don't know what this is about, here's a quick summary.  Sony BMG recently began selling about 20 different music albums in the US with what basically amounts to a computer virus on them.  The software comes in 3 parts:

1)  A “rootkit” that affects your Windows installation at the kernel level.  It rewrites the System Service Table and replaces certain kernel function calls with calls to a device driver that Sony installs.

2)  A couple of poorly written device drivers that sit at both ends between your IDE controller and your CD drive.

3) Some “anti-piracy” software that's supposed to prevent you from making copies of your CDs.

What's worse, most attempts to manually remove the software can render your system unusable, or cause your system to lose access to its CD drive.

Because the “rootkit” hides files or directories with a $sys$ prefix in the name, several viruses have already started taking advantage of Sony's malware.  Also, there are reports that malicious exploits against the online game World of Warcraft that use Sony's software have started to show up.

Mark Russinovich of Sysinternals discovered the infection a couple weeks ago.  Since then the tech news media have been covering the story.  Apparently several lawsuits have been filed against Sony related to this matter.

The good news?  Microsoft's Anti-Spyware (soon to be called “Windows Defender” - sounds like an 80s arcade game to me) will remove the scourge.  And so will the Windows Live Safety Center and the Malicious Software Removal Tool that ships on Windows Update every month or so.


Feedback

# re: Microsoft to remove Sony's DRM rootkit

This must be the best news I've heard so far. This program that installed instantly in the users' PCs is really so annoying. Sony BMG does not openly admit their mistake and is doing nothing to remove rootkit from the computers. 11/23/2005 2:35 AM | Online Wong PoKér Hu


The views expressed within my blog are my own - and are not in any way indicative of those of the company I work for, Microsoft, or its employees.
