Mark Russinovich was doing a routine test this week of computer security software he'd co-written, when he made a surprising discovery: Something new was hiding itself deep inside his PC's guts.
It took Russinovich, an experienced programmer who has written a book on the Windows operating system for Microsoft, some time to track down exactly what was happening, but he ultimately traced it to code left behind by a recent CD he'd bought and played on his computer.
The SonyBMG-produced Van Zant album had been advertised as copy-protected when he'd bought it on Amazon.com, and he'd clicked through an installation agreement when he put the disc in his computer. What he later found is that the software had used a sophisticated cloaking technique that involves a "rootkit"--something not dangerous in itself, but a tool often used by virus writers to hide all traces of their work on a computer.
Rootkit tools often are used by virus writers to hide malicious software, and security experts say rootkit mechanisms used by recording companies could be misused by others. That threat is only theoretical so far, but the debate continues between consumers and record companies about what copy-protection technologies are necessary and appropriate. More stories on this topic
"We're still trying to find a line between fair use and digital rights management, and it is going to take issues like this, with discussions between lawmakers and industry, to come up with what's fair and honest," Russinovich said. "But I think this has gone too far."
Russinovich posted a detailed step-by-step account of his findings on his blog, drawing immediate criticism of SonyBMG's technology from some inside the security software community. The passionate response underlines the power copy protection retains to inflame emotions and spark bitter debate, despite the growing string of chart-topping albums that have been released over the past year with the protections included.
A handful of security companies weighed in on the issue, saying the rootkit could present a possible--if still theoretical--risk to computers.
The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case. The cloaking function was aimed at making it difficult, though not impossible, to hack the content protection in ways that have been simple in similar products, the company said.
In any case, First 4 has moved away from the techniques used on the Van Zant album to new ways of cloaking files on a hard drive, said Mathew Gilliat-Smith, the company's CEO.
"I think this is slightly old news," Gilliat-Smith said. "For the eight months that these CDs have been out, we haven't had any comments about malware (malicious software) at all."
A SonyBMG representative said the software could be easily uninstalled, by contacting the company's customer support service for instructions. Those instructions are not specifically available on the Web site that answers questions about the company's copy protection tools.
Rootkit software has been around for over a decade but has recently come to increased prominence as more writers of viruses and the like adopt it for their purposes. Essentially, rootkits are tools for digging deep into a computer's operating system to hide the fact that certain software files exist or that the computer is performing certain functions.
Unlike other, less-powerful means of hiding files on a hard drive, rootkits are created to be extraordinarily difficult to uninstall without specific instructions, rooting themselves in an operating systems' deepest recesses in order to prevent their deletion.
In the case of the SonyBMG software, trying to remove the software manually could shut off access to the computer's CD player, researchers said.
Security researchers also note that simply hiding something doesn't make it a threat. The SonyBMG software itself hides the digital rights management tools that prevent unauthorized copies of the CD from being made. It does remain active in the background of a computer, taking up a small amount of memory even when the CD is not being played, however.
But the rootkit software does have the potential to be misused by others, some security researchers say. The First 4 Internet software's technique for hiding files is broad enough that it could be adopted by virus writers, allowing them to hide their own tools on computers that have run the software from the CD, say some security experts.
That's an "academic" concern, but a real one, said F-Secure Chief Research Officer Mikko Hypponen, who wrote a warning on the issue Tuesday.
"Obviously there are a lot of people who don't like the technology, and we will take note if we need to."
--Mathew Giliat-Smith, CEO, First 4 Internet
"Right now if you have this on your system, there is no real-world risk just because of this," Hypponen said. "But it would not be too far-fetched that some virus writer would try to take advantage of this."
Giliat-Smith said his company is working with major antivirus software companies to help their software recognize the copy-protection tools, and help guard against misuse by any malicious software writers.
A balancing act
The criticism over the protection technology highlights the delicate balance that record labels are trying to strike as they seek ways to guard their discs against copying.
Label executives have increasingly shifted their public piracy concerns from Internet file-swapping to the effect of widespread CD burning. The Recording Industry Association of America cites recent research from marketing specialist NPD Group showing that 29 percent of consumers' new music is acquired through ripping or burning a copy of CDs.
The CD copy protection tools now on the market do allow consumers to make copies of the music, both in the form of digital files on their computer and a limited number of backup CDs. Labels say they support both these activities, as long as they are for personal use.
The files that can be ripped to computers from these discs can not be played on iPod MP3 players, however. The labels say that they have not yet been able to persuade Apple Computer to include this capability.
Several earlier versions of copy protection were widely mocked online for being trivially easy to circumvent, by using techniques that included holding the computer's "shift" key down while starting, and coloring the rim of a CD with a magic marker.
Later versions of the technology, such as that produced by First 4 Internet, have made it more difficult to disable while still allowing the discs to be played on most computers.
"Obviously there are a lot of people who don't like the technology, and we will take note if we need to," Gilliat-Smith said. "Our approach is to make the balance between protection and the consumer experience the best that we can make it for our customers."