May 2006

Inside the Spyware Scandal

When Sony BMG hid a "rootkit" on their CDs, they spied on you and let hackers into your computer. What were they thinking?

By Wade Roush

John Guarino is the owner of TecAngels, a two-man computer consultancy in Manhattan. Give Guarino your ailing Windows PC, and in two or three hours he'll return it to you in perfect health. Often, he can solve his customers' problems over the phone.

But last summer, Guarino came across a problem he couldn't fix. In the process of flushing out the spyware and viruses infecting his customers' computers, he began to find the same mysterious intruders in machine after machine. They were strangely named files lurking deep inside the "registry" where Windows stores settings and instructions that control all of a computer's hardware and software.

To Guarino, the files looked like a rootkit -- software that tricks an operating system into overlooking worms, viruses, and any other files a hacker might want to conceal inside a user's computer. The files didn't seem to be causing damage, and Guarino's antivirus software didn't identify them as threats. But they had appeared on people's hard drives uninvited -- the conventional definition of "malware" -- so Guarino removed them.

But the files didn't go quietly. After Guarino deleted them, the CD drives on his customers' computers would stop working. The usual solution -- reinstalling the software that drives the disc players -- didn't correct the problem. Guarino couldn't explain this odd effect, and his customers weren't paying him to spend hours researching it; they just wanted their computers back. So he would usually resort to the nuclear option: reinstall the operating system from scratch.

After six or seven of these encounters, Guarino was growing weary. Then, on September 30, he discovered the mysterious files on his own PC. "That's what really pissed me off," Guarino says. "I was like, 'I can't believe it. I have the latest firewall, the latest antivirus software, three or four antispyware programs. How did this get here?'"

Like any good investigator, Guarino backtracked. He knew that the files hadn't been there the last time he had scanned his computer. He tried to reconstruct everything he had done with his machine over the previous few days -- what programs he had installed, what e-mails he had received, what websites he had visited.

Then he remembered that he had purchased a music CD the day before and had played it on the computer. It was a Sony BMG Music Entertainment album called Touch, by the rhythm-and-blues singer Amerie. Unlike most CDs, this disc couldn't be played using common media-player software such as iTunes, RealPlayer, or Windows Media Player. To hear the CD, purchasers had to install the customized Sony BMG player included on the disc. Guarino had done this.

Now he took a closer look at the CD's jewel box. One phrase popped out at him: "Content Enhanced and Protected." Evidently, the disc carried some form of digital rights management (DRM) software -- a program designed to control copying and thus discourage piracy.

Finally, the pieces came together. The mystery files resembled a rootkit; the usual purpose of a rootkit is to hide something; a copy protection program was the kind of thing its creators might wish to hide from users; and removing this particular rootkit disabled the CD drive. Guarino could only conclude that the malware's source was Sony BMG itself.

"That's when I gave up," Guarino says. He could fight malware one machine at a time. But if the world's second-largest record company wanted to install secret software on its customers' computers, he would never win.