Sony BMG is facing legal action over its release of music CDs that install allegedly dangerous copy-control software on users’ PCs. Security experts warn that Sony BMG's so-called rootkit is being exploited by hackers to hide viruses.

Sony BMG incorporated a Digital Rights Management (DRM) system on the CDs to prevent purchasers making illegal copies. That is not uncommon. But the nature of the DRM has caused an outcry.

Blogger Mark Russinovich of Sysinternals.com revealed on 31st October that the DRM is accompanied by a rootkit: cloaking software of the kind attackers use to hide files and running processes from the operating system's own tools. Rootkits are often used to conceal backdoors on systems that otherwise appear secure.

Russinovich was scanning his system for rootkits when he came across the Sony application, installed with the DRM that accompanied a CD purchased on Amazon.com, Get Right with the Man by the Van Zant brothers. His attempt to remove the rootkit disabled his computer's CD drive.
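The scan that turned up the hidden files relies on a "cross-view" comparison: list the same directory through the normal operating-system API and again through a lower-level path the cloaking code does not intercept, then flag any name that appears only in the low-level view. The script below is an added example, not the page's or Sysinternals' code, and it is a Linux user-space analogue rather than the Windows kernel case the article describes: the high-level view is os.listdir (libc opendir/readdir), the low-level view is the getdents64 system call issued directly through ctypes, so a hook planted on readdir() would be exposed. The "hidden_" name prefix, the hooked_listdir stand-in for such a hook, and the sample directory are all constructed for the demonstration. A kernel-level rootkit such as Sony's would need the low-level view taken from raw on-disk structures instead.

```python
"""Cross-view directory listing: API view (os.listdir) versus raw getdents64(2).

Any name present in the raw view but missing from the API view is the
signature of something filtering the API results, which is exactly how a
cloaking rootkit hides files.  Linux x86_64 / aarch64 only: the system call
number differs per architecture.
"""
import ctypes
import os
import platform
import struct
import tempfile

# getdents64 syscall numbers; assumption: we only run on these two ABIs.
_GETDENTS64 = {"x86_64": 217, "aarch64": 61, "arm64": 61}
_DIRENT64_HEADER = "<QqHB"          # d_ino, d_off, d_reclen, d_type
_DIRENT64_NAME_OFFSET = 19          # d_name[] starts right after the header


def raw_listdir(path):
    """Enumerate `path` with getdents64(2) directly, bypassing libc readdir()."""
    arch = platform.machine()
    if arch not in _GETDENTS64:
        raise OSError(f"no getdents64 syscall number known for {arch}")
    libc = ctypes.CDLL(None, use_errno=True)   # handle to the running process' libc
    libc.syscall.restype = ctypes.c_long
    fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)
    buf = ctypes.create_string_buffer(32768)
    names = []
    try:
        while True:
            n = libc.syscall(ctypes.c_long(_GETDENTS64[arch]), ctypes.c_long(fd),
                             buf, ctypes.c_size_t(ctypes.sizeof(buf)))
            if n < 0:
                err = ctypes.get_errno()
                raise OSError(err, os.strerror(err))
            if n == 0:            # end of directory
                break
            data = buf.raw[:n]
            off = 0
            while off < n:
                # struct linux_dirent64 { u64 d_ino; s64 d_off; u16 d_reclen;
                #                         u8 d_type; char d_name[]; }
                _ino, _doff, reclen, _dtype = struct.unpack_from(_DIRENT64_HEADER, data, off)
                raw_name = data[off + _DIRENT64_NAME_OFFSET: off + reclen].split(b"\0", 1)[0]
                name = raw_name.decode("utf-8", "surrogateescape")
                if name not in (".", ".."):
                    names.append(name)
                off += reclen
    finally:
        os.close(fd)
    return sorted(names)


def cross_view_diff(path, high_level=os.listdir):
    """Return (hidden_from_api, only_in_api).

    hidden_from_api: names the raw syscall sees but the API view omits; a
    non-empty list is what a rootkit scanner alerts on.
    only_in_api: the reverse, which should always be empty on a quiet directory.
    """
    api_view = set(high_level(path))
    raw_view = set(raw_listdir(path))
    return sorted(raw_view - api_view), sorted(api_view - raw_view)


def hooked_listdir(prefix):
    """Constructed stand-in for a hooked readdir(): drops names starting with
    `prefix`, mimicking a cloak that hides everything matching its own rule."""
    return lambda p: [n for n in os.listdir(p) if not n.startswith(prefix)]


def make_sample_dir():
    """Create a constructed sample directory: two ordinary files plus one whose
    name carries the prefix the simulated cloak filters on."""
    d = tempfile.mkdtemp(prefix="crossview_")
    for name in ("report.txt", "notes.md", "hidden_payload.bin"):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(b"sample\n")
    return d


if __name__ == "__main__":
    sample = make_sample_dir()
    print("clean API view:", cross_view_diff(sample))
    print("hooked API view:", cross_view_diff(sample, high_level=hooked_listdir("hidden_")))
```

On an unhooked system the first call reports two empty lists; with the simulated hook in place the raw view still contains hidden_payload.bin while the API view does not, and that single discrepancy is the finding. Note that the check only catches cloaking that sits above the layer you read from, which is why Windows scanners of this type parse the file system and registry hives from raw disk rather than asking the kernel.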

Since his first posting on 31st October, the music giant has faced a storm of criticism from customers and rights groups.

Sony BMG has denied that the software is malicious or compromises security, but it released a patch to uncloak the hidden files. Russinovich wrote last Friday that even the patch is dangerous, saying it "puts users' systems at risk of a blue-screen crash and the associated chance of data loss."

In California, a class action lawsuit was filed last week. According to the BBC, another class action suit is planned for New York residents, while US lobby group the Electronic Frontier Foundation (EFF) is also considering legal action.

"Entertainment companies often complain that fans refuse to respect their intellectual property rights. Yet tools like this refuse to respect our own personal property rights," said EFF staff attorney Jason Schultz on Wednesday. "Sony's tactics here are hypocritical, in addition to being a security threat."

In Europe, digital rights group Electronic Frontiers Italy has asked the Italian government to investigate whether Sony BMG has breached any laws. The DRM is accompanied by an End User Licence Agreement (EULA), but the EULA does not appear to disclose that cloaking software is installed or what it hides.

Meanwhile, claims have been made that hackers are now using the Sony BMG rootkit to hide viruses and trojans on the PCs they infect.

According to security firm Sophos, if a PC running the Sony BMG copy-protection software is then hit by the Stinx-E Trojan, distributed as a spam email attachment, the malware that is downloaded onto the PC hides itself under the DRM program's cloak, where ordinary file listings will not show it.

"Despite its good intentions in stopping music piracy, Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," said Graham Cluley, senior technology consultant for Sophos.

"We wouldn't be surprised if more malware authors try and take advantage of this security hole, and consumers and businesses alike would be sensible to protect themselves at the earliest opportunity," he added.
