When Sony BMG Exposed Millions To Malware Attacks

BY Ray Stevens / ON Feb 22, 2022

Sony is a sprawling, multi-division corporation that has suffered many different kinds of hacks, leaks and vulnerabilities, affecting nearly every part of its business and forcing it to rely more heavily on social engineering testing.

Whilst the Sony Pictures leaks and data breaches related to the PlayStation line of consoles have received far greater attention in recent years, Sony BMG themselves performed some social engineering of their own, leading to recalls, class actions and a change in approach to copy protection.

This all started with attempts to fight music piracy.

Copy Protected CDs

In 1999 a piece of software was launched that would change the music industry forever.

Napster, a peer-to-peer file-sharing program launched by Shawn Fanning and Sean Parker, was not the first file-sharing service, but it was the first to specialise in MP3 files, a relatively small music format that was easy to download and play.

Over two decades later, its impact is still felt, as the music industry moved from a rather traditional industry that sold albums and singles as it had since the 1960s, to a very different model based on streaming, merchandise and live performances.

Before this, however, there were frantic efforts to stop Napster, through legal challenges (which made it even more popular), public campaigns that backfired, and through attempts to stop ‘casual copying’, where people rip a CD to their computer and share the tracks with friends and family.

A White Lilies Island Lie

One of these was an aggressive push to make it more difficult, if not impossible, to extract music from a CD, which would initially take the form of undocumented copy protection on certain albums, starting with Natalie Imbruglia’s White Lilies Island in November 2001.

This expanded to all BMG CDs sold in Europe and many of Sony Records’ albums of the time and totalled over 22 million CDs by the time the scandal was exposed and hit the merged company in 2005.

What made it quite insidious is that, whilst the CD presented an end-user license agreement that could be refused, the system was installed anyway, and because Windows 98, 2000 and XP had only limited user access control, the installation could not be stopped.

This also affected Mac OS X, though that system would at least warn users that the software was attempting to modify the OS.

Extended Copy Protection

The system at the centre of the controversy, which had been building since 2001 but ultimately erupted in 2005, was the Extended Copy Protection system (XCP), which effectively worked as a rootkit.

A rootkit is a piece of software that conceals its own presence from the user and the operating system and grants itself access to a computer that it would otherwise not have; it is an exceptionally extreme method to use for copy protection.

A blog post by Windows technical expert Mark Russinovich in October 2005 described it as digital rights management (DRM) gone too far, to the point that it was running illegal software without the consent of the user and putting them in danger.

In particular, Mr Russinovich was worried about the security holes it created on installation, its hogging of system resources even when the CD was not playing, its propensity to cause system crashes, the lack of an uninstaller and the potential to brick systems when uninstalling manually.

Not long after this revelation, it was reported that hackers were using the rootkit to infect computers with viruses and worms, and even using its ability to evade detection to cheat at games such as the then-highly popular World of Warcraft.

Sony BMG, under pressure from a widespread outcry, released an “uninstaller” that was meant to remove the rootkit, but actually only unmasked hidden files, did not remove the kit and installed more software that could not be uninstalled.

Ironically enough, XCP itself infringed copyright by misusing open-source software as part of the program.

After multiple class-action lawsuits, recalls and customer settlements, Sony BMG relented and the era of DRM music CDs came to an end in 2007, forever tainted by the connection to a social engineering vulnerability.