Extended Copy Protection

While Sony eventually recalled the CDs that contained the XCP system, the web-based uninstaller was investigated by noted security researchers Ed Felten and Alex Halderman, who stated that the ActiveX component used for removing the software exposed users to far more significant security risks, including arbitrary code execution from websites on the internet.

Attempting to remove the software by deleting the associated files manually will render the CD drive inoperable due to registry settings that the program has altered.

XCP's cloaking technique, which makes all processes with names starting with $sys$ invisible, can be used by other malware "piggybacking" on it to ensure that it, too, is hidden from the user's view.

[5] Follow-up research by Felten and Halderman showed that the Web-based uninstaller Sony later offered for the software contained its own critical security problems.

Some discs involved in the Sony scandal contained a competing technology, MediaMax from SunnComm, which attempts to install a kernel extension on Mac OS X.

Although Russinovich was the first to publish about the rootkit, other researchers had discovered it around the same time, but were either still analyzing it or chose not to disclose anything sooner due to the chilling effect of the anti-circumvention clause of the Digital Millennium Copyright Act.

Computer Associates, makers of the PestPatrol anti-spyware software, characterize the XCP software as both a trojan horse and a rootkit:[8] XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows.

Approximately every 1.5 seconds, this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive.

XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application.
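The cloaking described above hides by name prefix alone, which is why unrelated software can piggyback on it. The following Python model is an added example, not code from XCP or from the researchers; the file names and the `expected` inventory are constructed. It shows the rule and a cross-view check that separates the DRM's own hidden entries from anything else using the prefix.

```python
# Added illustration: a model of prefix-based cloaking and a cross-view check.
# All file names below are constructed sample data, not real XCP file names.
CLOAK_PREFIX = "$sys$"


def filtered_listing(raw_names):
    """Model of the filter's effect on a listing call: every entry whose
    name starts with the prefix is dropped, whoever created it."""
    return [n for n in raw_names if not n.startswith(CLOAK_PREFIX)]


def cross_view_diff(raw_names, api_names, expected=frozenset()):
    """Compare a low-level view (e.g. parsed from the raw volume) with what
    the listing API returned. Entries present only in the raw view are hidden.

    `expected` is a hypothetical inventory of the DRM's own component names.
    """
    visible = set(api_names)
    hidden = [n for n in raw_names if n not in visible]
    cloaked = [n for n in hidden if n.startswith(CLOAK_PREFIX)]
    return {
        # hidden by the prefix rule and on the known-component inventory
        "expected_cloaked": [n for n in cloaked if n in expected],
        # hidden by the prefix rule but not on the inventory: piggyback candidates
        "unexpected_cloaked": [n for n in cloaked if n not in expected],
        # hidden, yet the prefix rule does not explain it: a different mechanism
        "other_hidden": [n for n in hidden if not n.startswith(CLOAK_PREFIX)],
    }


# Constructed sample: one DRM-style component, one unrelated program that
# merely chose the prefix, and two ordinary files.
RAW_VIEW = [
    "notes.txt",
    "$sys$drm_component.exe",
    "$sys$unrelated_tool.exe",
    "setup.log",
]

if __name__ == "__main__":
    api_view = filtered_listing(RAW_VIEW)
    report = cross_view_diff(RAW_VIEW, api_view, {"$sys$drm_component.exe"})
    print("API view:  ", api_view)
    for bucket, names in report.items():
        print(f"{bucket}: {names}")
```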

[12] Beginning as early as August 2005, Windows users reported crashes related to a program called aries.sys, while inexplicably being unable to find the file on their computers.

Call for Help host Leo Laporte said that he had experienced a rise in reports of "missing" CD-ROM drives, a symptom of unsuccessful attempts to remove XCP.

Kaminsky's technique uses the fact that DNS nameservers cache recently fetched results, and that XCP phones home to a specific hostname.

[15] After the release of the data, Kaminsky learned that an as-yet undetermined number of "Enhanced CDs" without the rootkit also phone home to the same address that rootkit-affected discs use, so infection rates are still under active investigation.

[4] Slysoft's AnyDVD program, which removes copy protection from DVDs and Blu-ray discs, also defeats DRM on audio CDs.

CDs by themselves are incapable of updating legacy hardware such as stand-alone CD players, and lack the ability to change or upgrade the firmware in order to read DRM.

Picker does not analyze the legal merits of such suits, but the cost of litigation potentially outweighs the benefit of attempting to add on DRM.

[24] Princeton researcher Alex Halderman discovered that nearly every XCP CD includes code that uses a modified version of Jon Johansen's DRMS software, which makes it possible to open Apple Computer's FairPlay DRM.

On a National Public Radio program, Thomas Hesse, President of Sony BMG's global digital business division, asked, "Most people, I think, don't even know what a rootkit is, so why should they care about it?"

An analysis of this uninstaller, titled "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home", has been published by Mark Russinovich, who initially uncovered XCP.

"We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use," Sony BMG added.

[36] Amazon says it's treating the XCP CDs as defective merchandise and will offer a refund with shipping, as long as the customer specifies the request.
