Sony stops shipping controversial DRM code

XCP's cloaking ability proves to be a security hazard

One day after hackers released malicious software that used controversial Sony BMG Music Entertainment copy-protection software to attack computers, Sony has decided to stop shipping the product, the company said Friday.

Sony has temporarily suspended the manufacture of CDs that contain the software, called XCP (Extended Copy Protection), said John McKay, a Sony spokesman.

McKay did not say when Sony planned to resume the use of XCP, but XCP's developers have previously stated that they are in the process of writing new copy protection software that does not use the same controversial cloaking techniques that have stirred up so much bad publicity for Sony.

XCP was developed for Sony by U.K. software vendor First 4 Internet Ltd. It has been shipping since early 2005, and is included on about 20 Sony music titles, including country music duo Van Zant's "Get Right with the Man." It is designed to limit the number of copies that CD owners can make of their music.

The software first popped into the public eye two weeks ago when a Windows operating system expert named Mark Russinovich described how XCP used "rootkit" cloaking techniques to hide itself on his computer. At the time, Russinovich described the software as "digital rights management gone too far," and criticized it for not warning users that it would become virtually undetectable and extremely difficult to remove.

Rootkit software uses a variety of techniques to gain access to a system and then cover up any traces of its existence so that it cannot be detected by system tools or antivirus software. Russinovich and other computer experts were concerned that hackers might somehow use XCP's cloaking ability to hide their software from antivirus products.

That prediction came true Thursday when the first variations of a malicious 'Trojan' program that exploited the XCP software began circulating on the Internet. Trojans are malicious programs similar to viruses that often appear to be legitimate software.

One of these Trojan programs, called Stinx-E, masquerades as a photo sent from a U.K. business magazine, security vendor Sophos PLC said in a statement. Once clicked on, the malicious software uses Sony's rootkit techniques to hide itself on the system, Sophos said.
