Sony DRM Rootkit

I’ve been getting a lot of questions in the last week about Microsoft’s position on the Sony DRM and rootkit discussions, so I thought I’d share a little info on what we’re doing here. We are concerned about any malware and its impact on our customers’ machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems.

We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware technology. We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users. This signature will be available to current beta users through the normal Windows AntiSpyware beta signature update process, which has been providing weekly signature updates for almost a year now. Detection and removal of this rootkit component will also appear in Windows Defender when its first public beta is available. We also plan to include this signature in the December monthly update to the Malicious Software Removal Tool. It will also be included in the signature set for the online scanner on Windows Live Safety Center.

I’ll update you if any more information comes up.


Jason Garms

Architect & Group PM
Anti-Malware Technology Team
Microsoft Corporation


Comments (114)

  1. Anonymous says:

    When you put a music CD in your computer, it starts to play. Is it cool? Probably, but not to everybody….

  2. Anonymous says:

    When you put a music CD in your computer, it immediately starts to play. Great, isn’t it? Maybe not…

  3. Anonymous says:

    There have been several significant developments in the Sony DRM story since my last post. The first

  4. Asher says:

    Good for you guys!

  5. moebis says:

    Finally… good work, glad to see at least Microsoft isn’t scared of sony.

  6. JM says:

    Good job! Thanks for sticking up for the little guys!

  7. MF says:

    As an IT Specialist, this is the kind of thing I am scared of.

    I help manage over 200 computers and this is the kind of thing we fear. We tell people you get 20 hours of Internet access every month. We tell people you can not install any software. Everyone’s access setting is just a regular user. But we tell them it’s OK to listen to a music CD. Not only will the rootkit not install because the accounts are limited, but on Sony’s web site they used to have information on how to install it even though you are not administrator. And you know what, out of our 200 computers, we had 3 of them infected with this rootkit. I had to reformat the computers in order to safely know that no other Sony software is on there.

  8. PatRick says:

    That’s good, I know a few people who have discovered this rootkit has been installed.

  9. T'Rex says:

    Excellent news! I was getting worried about Microsoft’s wishy-washy stance in various media publications.

  10. Jargon says:

    Thank you very much!

  11. Gokz says:

    Good Move Guys!

  12. David says:

    Before seeing this, I wouldn’t have believed that MS is truly objective when it comes to malware removal. This changes my mind. It makes me feel a lot better about using Microsoft products.


  13. Monty Johns says:

    Cheers, guys. I’m glad someone higher up decided this was wrong.

  14. Rick Martinez says:

    Very nice.

  15. Andrew E. says:

    Great to see Microsoft step up like this and recognize these actions for exactly what they are: hurtful and dangerous to consumer

  16. says:

    What a well deserved blow in Sony’s face!

  17. jim says:

    Nice job guys, Sony needs a slap in the head for this one.

  18. Eric the Grey says:

    Glad to hear it.

  19. Joe says:

    Great work guys!

  20. George L Smyth says:

    Thanks for doing the right thing!

  21. DV says:

    Thank you Microsoft. This is the right thing to do.

  22. Peter Tilbrook says:

    Sony reserve the right to protect their intellectual property – but not at the risk of exposing our PCs to external threats.

    I applaud Microsoft for taking this path – as they do with any company that tries this sort of thing – with no fear or favour.

  23. DC says:

    I would like to see Windows fixed to not allow these types of programs to install in the first place.

  24. David Russell says:

    Thanks a lot – perhaps it would also be useful if you put something into Windows to warn people when these things try to install, and require their permission before they get onto the system (at which point they become difficult to remove) – this way legitimate uses of rootkit technology (e.g. Kaspersky Antivirus) will be unaffected but any future unethical uses such as this will be prevented. In any case, it’s good to see Microsoft finally taking a stand against big companies that think they have the right to install malware on Microsoft customers’ machines, simply because they own a restricted intellectual right in a sound recording.

  25. t says:

    Are you all sheep or what?

    They waited until Sony itself said they would be stopping production of said CDs and try to remove it.

    Before that they were well ‘we are evaluating what to do’ type b.s. For fear of being sued.

    Yet you are all here like they were McAfee and said from the GET GO that they would be scanning for and removing.

    Microsoft does not have a backbone for the average consumer and you guys need to wake up.

  26. Dominic Self says:

    Well done Microsoft!

  27. jim says:

    Don’t praise them too loud guys.

    Of course this is the right thing to do, but I would take any bet that in the not-so-far future there will be a "Microsoft-Certified" way to do very similar things…

  28. Gary says:

    Excellent, thank you MS for removing the rootkit portion of this software.

    However, it would be cleaner to remove the software entirely (just like you do with other dangerous software).

    Why treat Sony software as different to 180solutions or Claria?

    If the software is on the machine it should be vaped.

  29. Dileepa P says:

    Great move. Kill all the malware, guys!

  30. says:

    Well done.

  31. Matti Nikki says:

    I hope you remove the CodeSupport.ocx (required for their own uninstaller) as well, see my RebootMachine demo for a good reason to:

  32. Bill Johnson says:

    I understand that Sony-BMG used two different DRM software packages for different albums. One, called XCP is from First4Internet. The other is from SunnComm, called MediaMax. Will your solution remove both XCP and MediaMax?

  33. Toy Man says:

    But what does this mean?

    That you will just make visible the rootkit files?

    Or will you remove all or some of the program?

    Or will you (sceptic here) just recommend ‘Ignore’ when the rootkit is found.

    Toy Man

  34. Darren Stewart says:

    This has been a creeping sickness in the consumer computing arena for a number of years.

    Now, it’s clear that Microsoft and Apple as vendors actually believe in malware and intrusion into people’s computer systems. So long as that invasion suits their interests, then you won’t be protected. That’s an appalling, bad precedent to set.

    It’s a new music or film venture, oh right, then yes, we think it’s a good idea that your system be on the end of intrusion.

    The only way out of this, and I really mean this, in the harshest terms, and I apply this to Microsoft – is that we get back to: if you misuse someone’s computer, it is a criminal offence. The fact that you might feel that wrapping something in an EULA tries to create some kind of ground allowing you to reach a situation where you have rooted someone’s computer system, and have managed to create some ludicrous ground where you have covered yourself in enough legal loopholes to make this ‘alright’.

    It’s not. I’m not against people protecting their content. However, you don’t do this by breaking the law yourself.

    Someone at Sony must have followed this line: lots of companies are doing this now and little is done, let’s do the same. Nice move Sony.

    In the end now, dumb poor consumers won’t know the difference. Apart from their computers will be circumvented by viruses breaking in via this malware intrusion, and suffer areas such as system damage or slowdown. Wiser users WON’T be buying Sony/BMG music. Period. I’m not going to take the risk of my computers getting rooted.

    But beyond this, the bigger question, and I aim this at Microsoft, is how the hell are you going to break down the EULA disaster that allows illicit installation, and in addition installation where you are not even an administrator.

    It’s turning ‘Trusted Computing’ into a joke. Are you trusted to use your own software and music? Are you trusted to use what you pay your own hard-earned money for without being abused by people who seemingly think that because you are dumb enough to buy it, you come under whatever rules and self-regulation they deem you suitable to suffer under?

    Microsoft have put something of a stop to this invasive procedure from Sony, but they have not come out fighting for their users.

    The CD platform has inherent issues. The music industry should consider moving to a platform it sees as secure, and lose all the benefits of CD. They should not resort to invasive procedures on people’s computers – totally without permission, and also totally without informing the user of the fact that they are installing a root of the system, which may lead to XYZ results.

    Beyond this, the time is coming where people are going to resort to recourse through the courts to limit actions such as this, and if it goes that way, everything up to Windows Update will come under threat. Microsoft should defend their users totally and without limit in these instances or face the end result that hurts itself and the media companies.

    I for one will not live under the jackboot of criminal behaviour from vendors claiming they have some moral basis for illicit, illegal behaviour.

    Our computers operate with agreed terms with Microsoft. That does not equalise an agreement on our part to suffer this behaviour. It does not mean we ever agreed to Sony rooting our machines while we answer a devious, misleading EULA because we wanted to listen to a CD.

    Beyond this, between Microsoft, which have allowed the groundwork for this invasive behaviour, and companies like Sony who bundle spyware and malware on their music CDs, and the fact that we consumers by accident have uncovered what is actually going on in this instance, with another unpleasant situation where virus writers everywhere have gained another method of attacking the Windows system we tend to rely on, we’re all heading for harder times. This whole episode deserves Microsoft to go to Sony and chew some ass, and then follow up with some hard-line pressure in the media about the behaviour of software vendors when they pull this bull****.

    Anyway, I’m sorry for ranting, but between all the parties, I now have another, YET another security issue that should never NEVER have been. /Rant Off/

  35. Tyler Cranston says:

    Thanks Microsoft!

    I definitely didn’t think Microsoft would delete Sony, but they did!

  36. Bram Pitoyo says:

    Kudos to Microsoft for siding up with the little guys and being objective in this issue!

    I mean, really, this is coming from a Mac lover.

  37. tec-goblin says:

    That’s something I expected in my best dreams. Absolutely great move.

    It also convinced me to download Windows AntiSpyware right now.

  38. Anonymous says:

    I thought microsoft was all into the DRM stuff? Anyway, this is good news for the people who use windows.

  39. PLF_er says:

    We don’t have this problem on Linux, you know. 😉

  40. Lysander says:

    Just to make sure I have this right.

    Microsoft doesn’t remove the XCP software, but rather, un-cloaks it, makes it so that it’s no longer hidden with rootkit technology. Is this correct? Also, since XCP has already provided a tool that uninstalls the rootkit (which doesn’t work very well, like everything made by First Four Internet, but that’s beside the point) is Microsoft just copying that uninstall method? Or are they using a different one? I’m afraid of the removal process causing more problems than leaving it there does, what with complete removal causing people to lose access to their CD drives and such.

  41. George says:

    Thanks guys. I had decided to buy a PS3 when they come out in the spring, but after I had to re-format my hard drive twice because of Sony’s malware (I didn’t realize my problems were caused by the Sony rootkit the first time), I had decided that Sony doesn’t want my business. Since Microsoft has taken a stand against this kind of bad business practices, I believe that a 360 is the way to go.

  42. Skooma says:

    Nice to see MS is trying to look out for the consumer for once.

    Though their XP activation process is still daft.

  43. Phillip says:

    Awesome! I figured it was going to take a company with the size of Microsoft (or similar) to actually stand up and generate a removal tool, given the threat of legal action Sony’s EULA imposes. The EULA has been a significant impediment to smaller companies and even independent techs thanks to Sony’s strong-arm tactics. Way to go MS!

  44. Bugs Bunny says:

    Good job Microsoft!

  45. gumpy says:

    No offense guys, but is your removal tool safe?

    Mark Russinovich reported that some attempts to remove the rootkit resulted in BSOD or CD-ROM disappearing from the device manager.

  46. gnnlws3 says:

    WOW. I am very happy to hear this from MS. It makes me glad to know that someone with real authority in the computer industry recognizes this issue as a very bad move for everyone.

    Good work!

  47. Wyne J says:

    Good to hear it. I am glad that Sonys DRM is being taken as a serious concern to PC security.

  48. Jonathan says:

    MF: The FAQ at say "You must log on to your computer with Administrator rights or Power User rights to fully use the disc", and doesn’t give any advice how to circumvent this. I’d imagine that installing a rootkit as a normal user is a fairly serious security breach.

    Can you provide a link to the info on Sony’s?

  49. Tommi2 says:

    Excellent move, thank you!

  50. Domingo says:

    Good decision.


  51. neo says:

    However harmful Sony’s tool was to our machines, don’t you think that Microsoft made this move for the good of its customers?

    Sony and MS have been battling since the release of the Xbox and Windows Media Center; Microsoft is trying to invade Sony’s market (which is already crowded) and they’re ready to hit below the belt to take over Sony’s reputation.

    What would a maximum 3% decrease in performance do to your processes? I am sure Sony is wrong, they should have written their DRM rootkit more efficiently and optimized it so that it doesn’t take this much of our precious CPU time, or they should at least have mentioned they will…

    Wait a second, Windows XP is taking all of my resources, why doesn’t the "Malicious Software Removal Tool" detect it? :D

    It’s just my opinion guys, hope I didn’t offend anyone…


  52. Frosty says:

    Did Microsoft get smart and actually want to save their own operating systems? Imagine how much they would make with stupid people thinkin’ they’d have to buy a whole new copy of XP!! haha.. but it’s good they are, saves a lot of extra time.

  53. Anthony says:

    Detection and removal is good. Prevention of ALL rootkit installations, not just XCP, is better.

  54. Jason says:

    Thanks for looking out for your customers. By the way, Xbox rules playstation.

  55. zack says:

    excellent! Someone at Microsoft is getting paid to do the right thing!

  56. Mark says:

    Microsoft is not removing XCP DRM software — Microsoft plans to remove only the "rootkit component of the XCP software" that hides the XCP software.

    As I understand, here’s what remains: 1) a driver filter that loads in front of the certified CD driver, 2) software that limits the number of copies and the copy format, 3) a "phone home" component that contacts a Sony server each time a "protected" CD is played.

    Unhiding the Sony XCP software removes the security breach caused by the rootkit component, but it also increases the possibility that naive users will disable their CD drives by removing the XCP software.

    The remaining components of XCP compromise the reliability and stability of the Windows OS with uncertified driver software.

  57. SM says:

    Rootkit removal is a good thing. There are already reports of trojans that exploit the $sys$ cloaking mechanism installed by this DRM.

    I would like to add that this particular DRM software also tampers with the Windows API (it e.g. hooks NtCreateFile) and therefore threatens the stability, performance and security of Windows. In addition it replaces Windows’ drivers for optical devices (e.g. CD and DVD drives) with faulty ones. This could in principle damage the hardware.

    There are two lessons to be learned from this:

    Lesson 1: Third party DRM is a bad thing. It is a bad thing because DRM products need to alter the OS and "they can be created by anyone", i.e. there is no quality control. Windows is a quality controlled product, third party DRMs like XCP are not. This is a tremendous security risk. DRM needs to be an integral part of the tested operating system. I do not trust a Sony BMG subcontractor to install system level hooks for Windows API calls (e.g. CreateFile) and replace the CD drivers on my private computer or my company’s computers.

    Lesson 2: It is too easy to make Windows FUBAR. Most users use "Administrator" accounts for their daily work, which resembles root access on Unix. Consequently, it is easy to autorun and autoinstall changes to the Windows operating system, in this case drivers and system level hooks. It should not be possible to infect Windows with new CD/DVD drivers and a rootkit simply by putting an audio CD in the player. Please add more security checks (e.g. password protection similar to the /etc/sudo mechanism on Unix) to make system changes more difficult to automate.

  58. anton says:

    When will the signature files be available for each solution listed above? (the online scanner, the antispyware beta, and the normal windows malicious software tool)

  59. John Q Hacker says:

    I think you should protect KiServiceTable.

    You could sign or checksum it. When Microsoft stuff like win32k.sys touched it, it would need to know how to update the signature.

    You could even patent the signing algorithm and use that to sue people who copy it in order to hack the kernel.

  60. Zach says:

    Um, I downloaded Microsoft Anti-Spyware Beta, updated it, ran a full-system scan, and IT DIDN’T DETECT THE SONY DRM SOFTWARE! I know I have the software because $sys$DRMServer.exe shows up in my process list. Am I doing something wrong? Why wasn’t it detected?
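As an added example (not code from the post or from Microsoft), here is a defender-side check in Python for the "$sys$" name cloaking that SM describes in comment 57 and that Zach runs into in comment 60: it creates a harmless marker file carrying the "$sys$" prefix and verifies that directory enumeration still reports it, and it flags process or file names that carry the prefix. The sample process list is constructed for the example; on a clean machine cloak_active() returns False.

```python
"""Defender-side checks for the "$sys$" name cloaking discussed in the thread.

Added example, not code from the post or from Microsoft. XCP hid anything whose
name began with "$sys$" from normal directory enumeration (the "$sys$ cloaking
mechanism" mentioned in the thread), which is why the process Zach sees is
called $sys$DRMServer.exe once it is visible at all. Two checks:

  cloak_active()      create a harmless "$sys$"-prefixed marker file and test
                      whether the directory listing still reports it; on a
                      clean machine it does, and the function returns False.
  suspicious_names()  flag process or file names carrying the prefix.
"""
import os
import tempfile
from typing import Iterable, List, Optional

CLOAK_PREFIX = "$sys$"


def cloak_active(workdir: Optional[str] = None) -> bool:
    """Return True if a freshly created "$sys$" file is missing from os.listdir().

    The marker is created and deleted by full path, which a cloaking hook still
    permits; only the enumeration result is compared against the known name.
    """
    base = workdir or tempfile.mkdtemp(prefix="cloakcheck-")
    marker_name = CLOAK_PREFIX + "marker.txt"
    marker = os.path.join(base, marker_name)
    with open(marker, "w", encoding="ascii") as fh:
        fh.write("cloak check\n")
    try:
        listed = os.listdir(base)
        return marker_name not in listed
    finally:
        os.remove(marker)
        if workdir is None:
            os.rmdir(base)


def suspicious_names(names: Iterable[str]) -> List[str]:
    """Return every name that starts with the cloaking prefix (case-insensitive)."""
    prefix = CLOAK_PREFIX.lower()
    return [n for n in names if n.lower().startswith(prefix)]


# Constructed sample process list: $sys$DRMServer.exe is the name reported in
# the thread, the others are ordinary Windows processes.
SAMPLE_PROCESSES = [
    "explorer.exe",
    "$sys$DRMServer.exe",
    "svchost.exe",
    "notepad.exe",
]


if __name__ == "__main__":
    print("cloaking active:", cloak_active())
    print("suspicious names:", suspicious_names(SAMPLE_PROCESSES))
```

A positive cloak_active() result only says that enumeration is being filtered; it does not identify which component does it, so treat it as a trigger for a full scan rather than a verdict.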

  61. Neil says:

    I’m used to being critical of Microsoft when it does something bad, so it’s nice for once to be able to say:

    Well done, Microsoft!

    Thanks for doing the right thing.

  62. whistleradmin says:

    thank you!

  63. tom says:

    Autoplay should be protected by better security, so that these programs don’t get loaded in the first place. This is just like bootable floppy transferring viruses/malware to the computer on power-up.

  64. Rog says:

    The war against spyware and viruses just got tougher thanks to Sony and their lack of consideration for consumer rights.

    Since Microsoft is pushing DRM in Vista, I can’t help but wonder what help Sony got from Microsoft.

    Rootkits are like keys to the kingdom. Microsoft and other developers should be doing EVERYTHING they can to prevent them. I understand its purpose, but using them without consumer knowledge, nor a ready way to remove the rootkit, is an invitation to every hacker and a violation of users’ trust.

    Microsoft, if you’re going to put rootkit DRMs on CDs and in programs, let me know in advance so I can find another program or operating system to use.

    The security of my computer trumps any developer’s right to put DRM rootkits on my computer.

  65. Garry Trinder says:

    Why was Microsoft unable to find this rootkit before Mark did?

    Is their AntiSpyware SpyNet not working at all?

  66. David Oxley says:

    Wish I could say I was so happy. Using the same methodology as F4I did to unhide the files isn’t anything groundbreaking (though without the ActiveX component, thank God), and the real security threat still remains on the system, running in the open. How many users outright deleting the unhidden files and screwing themselves over will it take for a *real* removal tool?

    It might be a "feel-good" move, but it is far from a solution.

  67. Lordmike says:

    Why play music CDs in your computers? The only time I put a music CD in my computer is when I rip ’em, and it works for all CDs I have tried so far. I don’t share my MP3s so I don’t see this as illegal.

    Quote from

    "I don’t play CDs in my computer.. That would be just as stupid as microwaving your toast"

  68. triggermanjoey says:

    keep up the good work! I hope Sony realizes their mistakes!

  69. Mac User says:

    I’ve used OS X on a Mac of course, for years with high speed internet. I even run a lab at a college with over 50 Macs running OS X, and I’ve never encountered any spyware or viruses. Maybe instead of having extra software running bogging down your system, buy a Mac.

  70. Larry Timmins says:

    Jasong… Wow! What a great position for Microsoft to take on this issue. It’s nice for MSFT to be on the ‘other side’ of it for a change. Sony VAIO and Microsoft have been a great combination for me, but NO ONE has the right to foil or damage equipment I pay for.

    Microsoft’s tools upgrade to Microsoft’s AntiSpyware Beta will correct any damage done to my CD and DVD drives right?

    All the best,

    Larry T

    "Pay to download music? Not interested – I’ll either buy media or use my library. As for paying for audio book downloads? Now that I’d like. How about $12/month (up to 10) or $2 a novel." LarryT

  71. Galenklein says:

    I’ll have to go out and get one of those Sony CDs just so I can test and see if it’s removed with MSAS and with the Malicious Software Removal Tool. Sounds like a good time to me… Now to find a moderately new artist with music I can tolerate… Ah well…

  72. K. Weidenbacher says:

    Security aside, for support and stability of an OS, why should the installation of a rootkit EVER be allowed? Methinks the team should work on hardening the core OS…

  73. Simon says:

    Does disabling the rootkit component of XCP count as "interfering with a copy protection mechanism"? Won’t US customers who run the updated MSRT be in breach of the DMCA, with Microsoft as an accessory to the "crime"?

  74. I think that we should get back to Sony’s attempt to hijack our PCs without our consent. I agree that they need to protect their product, but not at our expense. This software should have been disclosed and it should not put security at risk.

    I would propose that consumers not buy any Sony CD for a few weeks or even a month. I know that it is very unlikely that people can hold off from buying CDs for that long. I don’t even know if it will make a dent in Sony’s pockets. However, how else can they know the discontent that their own customers have. It’s just wishful thinking!!!

  75. PatriotB says:

    According to, the x64 editions of Windows don’t allow kernel patching, eliminating the specific rootkit techniques that Sony used.

    On that page, it says "For x86-based systems, Microsoft discourages such practices but does not prevent them programmatically, because doing so would break compatibility for a significant amount of released software." I’m curious about this. How much software is there out there that "depends" on this? I think the "security trumps functionality" mantra would say that kernel patching needs to be forbidden for x86 systems as well.

  76. colin says:

    As this rootkit is a copy-protection thing, will Microsoft violate the DMCA by removing it?

    That would be interesting.

  77. randy says:

    How about fixing the Windows AntiSpyware beta so that it works with new IE7 beta!

  78. E. L. Rafats says:

    Does this impede the installation of SP2? My system crashed after my support folks attempted to install SP2. I just accidentally found the reference to this malware. We’d appreciate knowing as we have an organization of over 5K people. Thanks! E. L.

  79. zzz says:

    The AUTORUN has to be DISABLED BY DEFAULT. It is UNACCEPTABLE TO HAVE THIS KIND OF "BOOT SECTOR" so to speak. These were a huge issue back 10 years ago and Microsoft has to take the blame for enabling silent driver installations through just putting a CD or other media in the drive.

    It’s quite incredible that when we got rid of floppy disk boot sector viruses, now we’ve got MS’s autorun rootkits and DRM drivers that disable functionality you bought from 3RD parties. No copy protection has the right to do permanent, unspoken modifications to how the hardware or software from a 3rd party vendor works!

    Such game protections are breaking the laws in many countries as we speak. But MS must take the blame for keeping the holes enabled with full awareness of these scenarios.

  80. madsonv says:

    This certainly sounds like MS is doing the right thing – however the devil is in the details. A few people have already asked – what exactly is the MS procedure for removal? Are you able to outline the steps taken by Windows AntiSpyware to remove the Sony malware?

  81. jecky says:

    Agree! Thanks Microsoft! 😉

  82. jecky says:

    Agree! Thanks Microsoft!

  83. Stu says:

    It’s nice to see Microsoft have, at last, taken a positive stance in recognising the rootkit issue as being one of a serious nature for many music lovers.

    Definitely a ‘gigantic step for mankind’ in the right direction.

  84. Anonymous says:

    Blogs – Anti-Malware Engineering Team – Site Home – TechNet Blogs
