November 8, 2005 | By Fred von Lohmann

Are You Infected by Sony-BMG's Rootkit?

As we've mentioned before, Sony-BMG has been using copy-protection technology called XCP in its recent CDs. You insert your CD into your Windows PC, click "agree" in the pop-up window, and the CD automatically installs software that uses rootkit techniques to cloak itself from you. Sony-BMG has released a "patch" that supposedly "uncloaks" the XCP software, but it creates new problems.

But how do you know whether you've been infected? It turns out Sony-BMG has deployed XCP on a number of titles, in a variety of musical genres, on several of its wholly-owned labels.

EFF has confirmed the presence of XCP on the following titles (each has a data session, easily read on a Macintosh, that includes a file called "VERSION.DAT" that announces what version of XCP it is using). If you have one of these CDs, and you have a Windows PC (Macs are totally immune, as usual), you may have caught the XCP bug.

Trey Anastasio, Shine (Columbia)
Celine Dion, On ne Change Pas (Epic)
Neil Diamond, 12 Songs (Columbia)
Our Lady Peace, Healthy in Paranoid Times (Columbia)
Chris Botti, To Love Again (Columbia)
Van Zant, Get Right with the Man (Columbia)
Switchfoot, Nothing is Sound (Columbia)
The Coral, The Invisible Invasion (Columbia)
Acceptance, Phantoms (Columbia)
Susie Suh, Susie Suh (Epic)
Amerie, Touch (Columbia)
Life of Agony, Broken Valley (Epic)
Horace Silver Quintet, Silver's Blue (Epic Legacy)
Gerry Mulligan, Jeru (Columbia Legacy)
Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
The Bad Plus, Suspicious Activity (Columbia)
The Dead 60s, The Dead 60s (Epic)
Dion, The Essential Dion (Columbia Legacy)
Natasha Bedingfield, Unwritten (Epic)
Ricky Martin, Life (Columbia) (labeled as XCP, but, oddly, our disc had no protection)

Several other Sony-BMG CDs are protected with a different copy-protection technology, sourced from SunnComm, including:

My Morning Jacket, Z
Santana, All That I Am
Sarah McLachlan, Bloom Remix Album

This is not a complete list. So how do you recognize other XCP-laden CDs in the wild?

Tip-off #1: on the front of the CD, at the left-most edge, in the transparent "spine", you'll see "CONTENT PROTECTED" along with the IFPI copy-protection logo. A few photos make this clearer.

Tip-off #2: on the back of the CD, on the bottom or right side, there will be a "Compatible with" disclosure box. Along with compatibility information, the box also includes a URL where you can get help. The URL has a telltale admission buried in it: cp.sonybmg.com/xcp. That lets you know that XCP is on this disc (discs protected with SunnComm have a different URL that includes "sunncomm").

If you haven't been infected yet, to protect yourself from XCP in the future, disable "autorun" on your Windows PC. Once you have done so, however, these CDs may not be accessible under Windows unless you have specialized ripping software installed; these CDs are encoded in a way that intentionally confuses standard Windows CD drivers. For a smarter audio grabber for Windows, you may want to consider using Exact Audio Copy, which reportedly can read these CDs if you have turned off autorun and avoided infection by XCP.
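To inspect a disc on a machine where nothing on it will auto-execute (a Mac or Linux box, or Windows with autorun off), the following added example, which is not EFF's code, looks in the disc's data session for the VERSION.DAT file mentioned above and reports what an autorun.inf on the disc would launch. The sample tree and the PLACEHOLDER names are constructed; autorun.inf is the standard Windows AutoRun control file and is an assumption here, since the post does not name it.

```python
import configparser
import os
import tempfile

def iso_name(name):
    """Normalise an ISO 9660 name: drop a ';1' version suffix, ignore case."""
    return name.split(";", 1)[0].lower()

def autorun_commands(path):
    """Return the open=/shellexecute= entries Windows AutoRun would act on."""
    parser = configparser.RawConfigParser(strict=False)
    try:
        with open(path, "r", encoding="latin-1") as fh:
            parser.read_string(fh.read())
    except configparser.Error:
        return {}  # malformed file: report nothing rather than guess
    for section in parser.sections():
        if section.lower() == "autorun":  # section names are case-insensitive
            return {k: v for k, v in parser.items(section)
                    if k in ("open", "shellexecute")}
    return {}

def triage_disc(root):
    """Inspect a mounted disc's data session without executing anything on it."""
    report = {"version_dat": None, "autorun_commands": {}}
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if not os.path.isfile(path):
            continue
        name = iso_name(entry)
        if name == "version.dat":
            # The post says this file announces the XCP version; its layout is
            # not documented there, so return the first bytes uninterpreted.
            with open(path, "rb") as fh:
                report["version_dat"] = fh.read(256)
        elif name == "autorun.inf":
            report["autorun_commands"] = autorun_commands(path)
    return report

def build_sample_disc():
    """Constructed tree standing in for a mounted disc (not real XCP data)."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "VERSION.DAT;1"), "wb") as fh:
        fh.write(b"CONSTRUCTED-SAMPLE")
    with open(os.path.join(root, "AUTORUN.INF"), "w") as fh:
        fh.write("[AutoRun]\nOPEN=PLACEHOLDER.EXE\nicon=PLACEHOLDER.ICO\n")
    return root

if __name__ == "__main__":
    print(triage_disc(build_sample_disc()))
```

Point `triage_disc` at the real mount point of the disc instead of the sample tree; a non-empty `version_dat` matches the indicator EFF describes.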

