The writeup by shaogo is an excellent discussion of the litigation part, but I feel the need to explain some of the technical aspects of the whole snafu, mainly what actually happens to your computer when you stick one of these evil things in it.

In 2005, Sony BMG purchased a software package called XCP-Aurora from a company called, at the time, First 4 Internet. XCP is a Digital Rights Management scheme for compact disks; Sony included it on some Sony/BMG albums. When someone inserts a CD with XCP into a Windows computer, the following things happen:

  • The User is asked to accept an EULA. By the time he/she answers, some of the software has already been installed on their machine.
  • A filter driver is installed on the CD-ROM drive that intercepts all access to XCP-enabled disks.
  • The XCP player is installed. This is the only player that can be used with XCP enabled disks.
  • A patch is applied to the Windows file system driver that filters out all files and folders whose names begin with $sys$ from process, directory, and registry listings. This is the rootkit part, as its sole purpose is to hide things from the user.
  • The Plug and Play Device Manager is installed, which constantly monitors the executable files of all processes running on the computer.

Related to this, some disks also included MediaMax from SunnComm. MediaMax tries to install a kernel extension on Mac OS X, but since few Mac OS X installations have their permissions set to allow this, very few Mac users were affected. This also means that users of operating systems other than Windows (Linux, BSD, Solaris, Macs, etc.) are effectively immune, and the CDs operate normally.

At this point, the only way to access an XCP-enabled disk is through the included player. The user is limited in how many times they can rip the music or burn it to another CD. The music can only be copied to a small, select list of portable music players; the iPod is not on that list. Any other program that attempts to access the CD is greeted with a barrage of white noise, rendering the music unusable.

More than one aspect of this software can be considered a Bad Thing™.

  • It installs itself automatically, and does not give the user a chance to say no, despite the EULA dialog box.
  • It tampers with the inner workings of the operating system, interposing itself between the OS and hardware devices.
  • It takes active measures to hide itself from the user at the file system level, and the hiding mechanism can be (and was) easily exploited by other malicious software, since anything named with the $sys$ prefix is hidden too.
  • Part of the software regularly phones home to a Sony server, without informing the user that it is accessing the Internet, or what kind of information is being conveyed.
  • It does not provide an easy and straightforward way to completely remove itself, and if you simply delete the files, you'll render parts of your computer unusable.
  • The Plug and Play Device Manager, in addition to having a misleading name, causes near-constant access to the computer's hard drive. This can shorten the drive's life and places unnecessary load on the system.
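The hiding mechanism from the first list, and the reason the "other malicious software" point above matters, can be seen with a small model. This is an added example, not code from the writeup or from XCP itself: it models the patched listing API as a function that drops every name beginning with $sys$, and then applies the cross-view check that rootkit detectors of the era used, which is to take the same directory through the filtered view and an unfiltered view and report whatever the filtered view lost. Every file name in it is constructed sample data, and the detector flags hidden entries regardless of who created them, which is the defender's point.

```python
"""Cross-view detection of prefix-based file hiding (added example).

Not code from the original writeup or from First 4 Internet's XCP. It models
the behaviour the writeup describes: a patched listing API drops every file
or folder whose name begins with "$sys$". The detector compares the filtered
("high-level") view with an unfiltered ("low-level") view of the same
directory and reports every name the filtered view lost. All names below
are constructed sample data.
"""
from typing import Iterable

HIDDEN_PREFIX = "$sys$"   # the prefix the writeup says XCP's filter hides


def filtered_listing(names: Iterable[str]) -> list[str]:
    """Model of the patched OS listing: entries with the hidden prefix vanish.

    Only the *start* of the name matters, which is why any program that
    renames itself to "$sys$something" disappears from listings as well.
    """
    return [n for n in names if not n.startswith(HIDDEN_PREFIX)]


def raw_listing(names: Iterable[str]) -> list[str]:
    """Model of an unfiltered view (e.g. reading the volume below the
    filter driver): every entry comes back unchanged."""
    return list(names)


def cross_view_diff(high: Iterable[str], low: Iterable[str]) -> list[str]:
    """Return entries present in the low-level view but missing from the
    high-level view, sorted. Any non-empty result means something between
    the disk and the user is suppressing names."""
    return sorted(set(low) - set(high))


# Constructed sample directory: three ordinary entries, two entries in the
# style of the DRM's own hidden files, and one unrelated program that has
# simply adopted the prefix to hide itself.
SAMPLE_DIR = [
    "readme.txt",
    "notes$sys$.doc",          # contains the prefix, but not at the start
    "music",
    "$sys$example.sys",        # constructed, DRM-style hidden driver name
    "$sys$player.exe",         # constructed, DRM-style hidden program name
    "$sys$hello_world.exe",    # constructed, unrelated program borrowing the prefix
]


def find_hidden(entries: Iterable[str] = SAMPLE_DIR) -> list[str]:
    """Run both views over the same entries and return the hidden ones."""
    entries = list(entries)
    return cross_view_diff(filtered_listing(entries), raw_listing(entries))


if __name__ == "__main__":
    for name in find_hidden():
        print(f"hidden from the user: {name}")
```

Run as-is, it reports the three $sys$-prefixed entries and nothing else; "notes$sys$.doc" survives because the prefix is only matched at the start of the name. On a real machine the "low-level" view would have to come from somewhere the filter driver does not sit in the path, which is exactly why a file-system patch that lies to every normal API is so hard to spot from inside the running system.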

These are all considered to be very bad practices by computer programmers and security specialists. The software was flagged as both a Trojan horse and a rootkit by multiple anti-spyware packages, including the Windows Malicious Software Removal Tool from Microsoft.

Now we come to the real fun part. Once the shit started to really hit the fan, First 4 Internet made an uninstaller available on the Internet so people could remove this wonderful piece of software from their machines. The uninstaller is actually an ActiveX control installed by the First 4 Internet website. Once it has finished, it remains on the computer indefinitely, and it allows any website to run software on the infected computer without restriction.

Let me repeat:

Once you remove XCP from your computer using the web-based uninstaller from First 4 Internet, ANY website you visit can run any software it wants on your computer, WITHOUT RESTRICTION!

And then there's the fact that XCP infringes on the copyrights of LAME, mpglib, FAAC, id3lib, mpg123, and VLC. Some of these are licensed under the GPL or LGPL.

Ironic that software designed to keep you from violating copyright law is itself violating copyright law.