From: "Andrew Cheetham"
To: "'AllUCStaff'"
Sent: Tuesday, November 15, 2005 8:09 AM
Subject: IT Security Risk - Sony BMG Audio CDs

To all staff and students:

It has been brought to our attention that there is significant risk to the security and the operation of UC computers in using Sony BMG produced CDs. For this reason, the use of Sony BMG produced CDs in University of Canberra computers is prohibited.

The reasons behind this decision are explained in more detail below for those interested. If you are not sure as to whether a CD is produced by Sony BMG, please check the record label against the list below.

This restriction does not apply to Sony BMG CDs used in personal CD players or music systems on campus. Portable computers, such as laptops, whether University or privately owned, are prohibited from being connected to the campus network at all, if Sony BMG CDs have been played in them.

If you have inserted a Sony BMG music CD into a campus machine running the Microsoft Windows operating system you should contact the ICT Service Desk for assistance in removal of the rootkit software.

Thank you,
Andrew Cheetham

------------------------------------------------

Known record labels owned by Sony BMG:

Arista Records
BMG Classics
BMG Heritage
BMG International Companies
Columbia Records
Epic Records
J Records
Jive Records
LaFace Records
Legacy Recordings
Provident Music Group
RCA Records
RCA Victor Group
RED Distribution
Relatively Entertainment
RLG Nashville
RME (Recording Media & Energy)
SONY BMG Masterworks
Sony/ATV Music Publishing
Sony Classical
Sony Music International
Sony Music Independent Labels
Sony Music Nashville
Sony Urban Music
Sony Wonder
So So Def Records
Verity Records

---------------------------------------------------

Details:

As part of good housekeeping it is strongly advised that caution is exercised when any compact disc, email or web page prompts you with an End User License Agreement, a pop up window, or 'Security Warning' when you did not specifically request the new window or a software installation.

The reasons, in detail, for the decision to prohibit the use of Sony BMG CDs in any computer on campus are:

A Sony BMG CD inserted into a PC running Windows will attempt to install the Sony proprietary CD player software. As part of this installation the end user will have to agree to an End User License Agreement (EULA) which has no information regarding the uninstallation of the software, nor does it mention that proceeding will install stealth software (known as a rootkit) which deliberately hides running programs and the files it has installed in the same way that viruses, Trojans and hackers do.

This software will cause some versions of Windows to become immediately unbootable and require a complete reinstall of the machine to recover. The software also has no known manufacturer-created uninstall program, and should other tools (such as anti-hacking tools, virus scanners etc.) be used to remove the software it will render the CD drive of the machine completely inoperable.

Further analysis of the "rootkit" indicates it is extremely badly written and allows the easy exploitation of the "rootkit" by persons less skilled and therefore allows potential virus writers to hide themselves from the operating system with no technical knowledge of "rootkits".
During the last 24 hours a number of antivirus vendors have announced they have examples of new viruses that are using the Sony BMG "rootkit" to hide themselves.

For the reasons above, CDs produced by Sony BMG are not to be inserted into any University of Campus computer for any reason. Further, if you have inserted a Sony BMG music CD into a campus machine running the Microsoft Windows operating system you should contact the Service Desk for assistance in removal of the rootkit software.

Macintosh users are not affected by this particular software; however, there are reports of Macintosh-aware software being installed so extreme caution should be exercised. Further announcements may be made later with regard to Macintosh computers.

Please note: Sony BMG have produced a new version of the software and are requesting people to update; this will not uninstall the software. This software requires you to enter your email address before it will allow you to download it. The conditions of the update page are that Sony may use the email address supplied for any marketing or promotional material (i.e. spam). We do not advise you to use the new version of the software.

Further (technical) information on the Sony rootkit can be found using the following links:

Technical explanation about what it does:
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html

Exploit found using the rootkit:
http://news.yahoo.com/s/nm/20051110/wr_nm/sony_hack_dc

Reports of lawsuits over the installation of this software:
http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362
http://www.eff.org/deeplinks/archives/004144.php
http://www-128.ibm.com/developerworks/power/library/pa-spec11/?ca=dgr-lnxw06StandardDRM

-----------------------------------------------------

Professor Andrew Cheetham
Pro Vice-Chancellor - Research & Information Management
University of Canberra ACT 2601 Australia
Phone: +61 xxxxxxxxxxx
Mobile: +61 xxxxxxxxxxx
Fax: +61 xxxxxxxxxxx
Email: xxxxxxxxxxx@canberra.edu.au
Location: Room 1D126, Building 1, Kirinari Street, Bruce ACT 2617
Australian Government Higher Education Registered Provider (CRICOS): #00212K

NOTICE & DISCLAIMER: This email and any files transmitted with it may contain confidential or copyright material and are for the attention of the addressee only. If you have received this email in error please notify us by email reply and delete it from your system. The University of Canberra accepts no liability for any damage caused by any virus transmitted by this email.