November 11th, 2005
Mac Users Not Safe From Sony BMG DRM

By Michael Santo
Contributing Writer, RealTechNews
Let’s face it, Mac users consider themselves pretty safe from spyware or malware … not completely safe, but very safe. Evidently, Sony BMG’s DRM, which some antivirus vendors are calling spyware, is a little too much for even the Mac OS.
A poster at Macintouch comments on the discovery of apparent Sony BMG copy protection software running continuously in his Macintosh as a kernel extension. The software was apparently installed via a new Imogen Heap CD called “Speak for Yourself”. This is an RCA Victor release, but with distribution credited to Sony BMG, so the reader did some checking, and found the software. Unlike the issue with Windows Sony DRM, the EULA for this software states it will be installing copy protection software, and the files are not hidden.
Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style “root kit” on their computers via audio CDs:
I recently purchased Imogen Heap’s new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there’s a smaller extra partition for “enhanced” content. I was surprised to find a “Start.app” Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.
Personally, I’m not a big fan of anyone installing kernel extensions on my Mac. In Sony’s defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site. Source: Macintouch, but you have to search for it because of the way the site works. Search for “malware-style”.
We Say: It appears, despite the fact that Sony BMG believes that no one knows what a rootkit is, enough smart people around the Internet do know and continue to add more fuel to the fire.













SMB IT says:
Sophos Releases Anti-Sony Tool
There’s a big brouhaha in the desktop PC community because of Sony’s installation of a spyware-oriented rootkit in its BMG music CDs. Drop one of these into a PC’s CD drive and you’ve got a really nasty rootkit infection….
November 11th, 2005 at 10:22 am
JulesLt says:
Of course, no one knew what a Virus or Trojan or Spyware was once either.
I’d imagine no one at Sony understood what a rootkit is either, they were just sold a magic program - ‘and the best thing is, the user won’t even know it’s there’.
I’m intrigued as to whether the EULA for the Macintosh software explained that it was
a) Installing extensions to the kernel
b) what the extensions do
or whether it is a genuine ‘Trojan’ (i.e. user wants to use the enhanced content but gets a program installed that they did not ask for).
November 12th, 2005 at 7:25 am
David Shlapak says:
So, on a Mac, how would one go about looking for these little buggers? I’m presuming that they won’t show up in a GUI-level search; would a Terminal “ls -a” find ‘em?
November 12th, 2005 at 9:24 am
Garner says:
Actually, on a Mac, even though Spotlight isn’t set to index the Extensions folder (and thus won’t show .kexts) they WILL show up in the GUI simply by browsing. Kernel extensions are kept in /System/Library/Extensions/ on the startup volume. It’s not a hidden directory at all.
This isn’t a rootkit at all on the Mac side. (Not yet, anyway!)
November 21st, 2005 at 10:39 am
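The check described in the exchange above, as an added example that is not part of the original post or comments: a shell function that looks in the Extensions folder for the two bundles named in the article. The function name and the `SIMILAR` prefix match for other "PhoenixNub" names are assumptions of this example.

```shell
#!/bin/sh
# Added example: scan a kernel-extension folder for the two bundles the
# article names. The default path is the one given in the comment above.
# Prints "EXACT <path>" for the named bundles and "SIMILAR <path>" for any
# other bundle whose name starts with "PhoenixNub" (an assumed variant check).
# Exit status: 0 = something found, 1 = nothing found, 2 = bad directory.
# Usage on a Mac: find_sony_kexts    (or pass another folder as $1)
find_sony_kexts() {
    ext_dir="${1:-/System/Library/Extensions}"
    if [ ! -d "$ext_dir" ]; then
        echo "not a directory: $ext_dir" >&2
        return 2
    fi
    rc=1
    for path in "$ext_dir"/*.kext; do
        [ -e "$path" ] || continue      # glob matched nothing
        base=${path##*/}
        lower=$(printf '%s' "$base" | tr 'A-Z' 'a-z')
        case "$base" in
            PhoenixNub1.kext|PhoenixNub12.kext)
                echo "EXACT $path"; rc=0 ;;
            *)
                case "$lower" in
                    phoenixnub*) echo "SIMILAR $path"; rc=0 ;;
                esac ;;
        esac
    done
    return "$rc"
}
```

Kernel extensions are bundles (directories), so `ls -ld` on a reported path shows its owner and modification time.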
Ariel says:
Technically, this isn’t malware/spyware, because it still asks you for your username/password. After that, it’s user idiocy that ends up installing files on your computer. If you’re smart enough, you probably won’t even be starting up that Start.app to begin with, right?
December 19th, 2005 at 3:28 am