Meanwhile, SonyBMG's infamous digital rights management rootkit has resulted in at least one Trojan horse (Ryknos), which takes over PCs "infected" by the SonyBMG music software. In the wake of the threat — and the fact that Sony made removing the malware a complex, difficult process that often requires dreaded contact with a corporate help desk — Microsoft has already announced upgrades for its Windows AntiSpyware and Malicious Software Removal tools to deal with the dangerous rootkit infection. (Microsoft are yet to respond with details on this.) Symantec has already posted a Ryknos removal tool, which also appears to remove the underlying cause — the First4 rootkit infection.
Sony and First 4 Internet, the UK-based vendor of the rootkit copy-restriction software used on the CDs, apparently still don't get it. According to a News.com story, when announcing the malware removal code, First 4 Internet's chief executive told the press, "We want to make sure we allay any unnecessary concerns". That doesn't sound as if he understands that his company produced a dangerous piece of software.
As of 17 November, several days after reports surfaced of a Trojan taking advantage of the SonyBMG malware, the First 4 Internet's home page still contained no mention of the problem or any fix. In fact, if you search the site for "rootkit", you'll get no results.
Even drilling down several layers to the press releases showed that the company isn't responding — the last posted press release is from August and it focuses on the problem of putting copy-restricted music from the DRM-protected CDs onto an iPod. The company offers to email a workaround for any iPod users who feel confident enough in the vendor's code.
Final word
A class action suit against SonyBMG is already in the works and if I'd
been stupid enough to run something with DRM code on my office system,
I'd certainly be joining. What do you think? Is this the death of
efforts to enforce licences on music CDs? It certainly gives a boost to
all the online music services.
My question is whether Sony will face prosecution for planting dangerous malware on computers? Is there a law that specifically addresses this sort of thing? If not, when will Congress pass some serious and carefully thought-out high-tech crime laws that can protect us?
Although flawed, the UK's 1990 Computer Misuse Act may apply. It will be worth watching to see if the Welsh creator of this DRM software undergoes prosecution for selling the code to Sony that leaves computers open to attack.
