The Sony story just keeps getting worse

Ed Felten says Don’t Use Sony’s Web-based XCP Uninstaller:

Alex Halderman and I have confirmed that Sony’s Web-based XCP uninstallation utility exposes users to serious security risk. Under at least some circumstances, running Sony’s Web-based uninstaller opens a huge security hole on your computer. We have a working demonstration exploit.

We are working furiously to nail down the details and will report our results here as soon as we can.

In the meantime, we recommend strongly against downloading or running Sony’s Web-based XCP uninstaller.

Oy.

Wired News piles on to the Boycott Sony movement

Dan Goodin of Wired News published a piece today entitled Boycott Sony, which contains this stirring call to action:

A lot has been written about this issue already. But a lot more needs to be said to ensure Sony gets the message: This kind of behavior can never be tolerated. It may be unrealistic to think many will heed this call, but someone’s got to say it: Boycott Sony. Boycott them until they come clean and recall all the infected CDs. Boycott them until they distribute a removal program. Boycott them until they promise never to do anything like this again.

“Someone’s got to say it.” Indeed. In fact, someone already did. I published a list of recommendations for Sony that was almost identical to Goodin’s list, except mine appeared nearly two weeks ago. And I had a Boycott Sony post as well, which linked to Tim Jarrett’s Sony Boycott Blog. That was, ahem, a full week ago.

A good idea is a good idea. But if you want to get a movement off the ground, it helps to link to the other people who are already doing the work.

Microsoft plans to root out Sony rootkit

Hot damn! Microsoft’s Anti-Malware Engineering Team is on the ball:

We are concerned about any malware and its impact on our customers’ machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

That was fast! I hope my request from last week was at least partially responsible.

Sony backs down after DHS smackdown

Here’s some good news:

Sony to stop making protected CDs:

Beleaguered Sony BMG will temporarily suspend the manufacture of copy-protected CDs and re-examine its digital-rights management strategy, the media giant said on Friday.

Maybe this stinging criticism from the Department of Homeland Security made them nervous?

[A]t a U.S. Chamber of Commerce-sponsored event in downtown Washington on combating intellectual-property theft … Stewart Baker, recently appointed by President Bush as the Department of Homeland Security’s assistant secretary for policy … wrapped up his opening comments with the following admonition for the industry:

“I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples’ [and] businesses’ computers are secure. … There’s been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples’ computers that even the system administrators can’t find.”

In a remark clearly aimed directly at Sony and other labels, Stewart continued: “It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days.

“If we have an avian flu outbreak here and it is even half as bad as the 1918 flu epidemic, we will be enormously dependent on being able to get remote access for a large number of people, and keeping the infrastructure functioning is a matter of life and death and we take it very seriously.”

It would be appropriate, in my opinion, if all of the executives in charge of this cascade of truly lame decisions would just resign.

Working around the Sony rootkit

Ed Felten has put together a SonyBMG DRM Customer Survival Kit. It includes command-line instructions to determine if you have the Aries.sys driver installed on your computer, along with instructions on how to disable the service.

Professor Felten also notes that Sony will actually tell you how to work around its copy protection if you ask:

How to get songs from these discs into iTunes, an iPod, or anywhere else you can legally put them: SonyBMG will send instructions on how to do this to anyone who asks. Note that their instructions direct you to agree to their End User License Agreement; be sure to read the agreement and think about whether you want to accept it.

Or you could just read the instructions at his site.

Unfortunately, the workaround involves making inferior (128K) WMA copies of the tracks, burning them to a CD, then reripping them in any format you like. There’s no way to get a decent copy, much less a perfect digital copy.

Removing the Sony rootkit

Sophos is the first security software vendor to make available a removal tool for the Sony rootkit. Get it here:

Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers.

This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

I just ran it. Pretty much painless (and as expected I didn’t find a trace of it here).

Sony versus the world

F-Secure says “I told you so”:

We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed.

I’ve seen reports that Pest Patrol and some Norton products are now detecting the Sony rootkit.

And in the comments to a previous post in which I asked for Microsoft’s help (Dear Microsoft: Please clean up the Sony mess), my old friend Giesbert Damaschke points out an encouraging new article:

Microsoft ‘Concerned’ by Sony DRM

The Redmond, Wash., software maker said that the security of its customers’ information is a “top priority” and that the company is concerned by software like that deployed by Sony to block illegal CD copying.

However, unlike other security software vendors, Microsoft hasn’t decided whether to take more aggressive action against the product, such as detecting and removing it from systems, the spokesperson said.

Hmmm. Maybe someone could write a little tweak that causes your computer to make a loud retching sound whenever a rootkit-infected CD is inserted?

Update: Brian Krebs of the Washington Post passes along this five-year-old quote from Sony’s CEO, which discloses how the company really feels about its customers:

Sony CEO Howard Stringer, who kept the audience laughing throughout the night with a battery of quips, said, “Right now it would be possible for us, and I’ve often thought it would cheer me up to do it, you could dispatch a virus to anybody whose files contain us or Columbia records, and make them listen to four hours of Yanni … but in the end we’re going to have to get serious about encryption and digital-rights management and watermarking.”

Something tells me the tape of that conference will be played at a future trial.

And somewhere in Sony HQ, a PR person is banging her head against a desk realizing that the spin is just not working.

List of Sony/BMG titles with rootkits

Dwight Silverman shrugs off the plague and publishes a list of Sony/BMG titles with rootkits.

I only recognize two of them. And I don’t think the list is complete. Unless I’m mistaken, the latest CD from Leo Kottke and Mike Gordon installs this crap.

The irony to me is that Trey Anastasio and Mike Gordon are both on this short list. Ironic, because these two are members of the disbanded Phish, which built up a community of tapers who traded noncommercial copies of concerts with the band’s imprimatur.

So far, no really big artists on this list. No Dylan, no Springsteen…

(PS: Go back to bed, Dwight!)

Boycott Sony

Tim Jarrett says: “We are at war, and Sony fired first. Boycott Sony.”

To that end, he’s set up The Sony Boycott Blog. Tim picks up on my four (now five) things Sony should do right away and adds this perceptive observation:

I think that’s a start. But to do that, Sony has to understand why what it did was wrong. And to do that, it has to stop the spin and the press releases and start talking—and listening—to customers, and understand why they want to put music that they purchased on their iPods, and why Sony shouldn’t view that as a threat but instead as an opportunity.

Both of us are too optimistic, I fear.

My hope is that this is the act of overreaching that will finally push the public and lawmakers to rein in the out-of-control media industry. Suing 14-year-olds is bad, but in those cases an observer could say, “Well, the kids were illegally downloading music files…” Here, the people who are actually buying the product and following the rules that the music industry insists on are the ones being punished. That’s insane.

Sony’s hired guns: incompetent, dishonest, or both?

This morning, Mark Russinovich offers the latest installment in the Sony “rootkit” saga. I’ll cut straight to the bottom line:

Instead of admitting fault for installing a rootkit and installing it without proper disclosure, both Sony and First 4 Internet claim innocence. By not coming clean they are making clear to any potential customers that they are not only technically incompetent, but also dishonest.

First 4 Internet is the company that actually wrote the code that gets installed on your computer unwittingly if you play a “protected” Sony CD and click OK on the innocuous-sounding license box. A First 4 Internet spokesperson responded to Mark’s last post with comments that betray how dangerously clueless the company is.

In this post, Mark rips F4I’s self-serving responses to shreds. Mark proves, conclusively, that the Sony software can cause a Blue Screen of Death crash. (Check out the screen shot for yourself.) He also establishes that the company is either deliberately lying or technically incompetent. (Maybe both.) Do you want a clueless, dishonest programmer writing secret code that hooks directly into your computer’s kernel-level functions?

It’s almost time for Congressional hearings.

Background:

Sony wants to hijack your PC

Sony’s even sleazier than I thought

Sony tries to stop the bleeding

Sony’s phony patch

Is Sony violating the law?

Sony: screwing up Windows PCs since 2002

Dear Microsoft: Please clean up the Sony mess