20 Dec 2006
Sony BMG has settled a lawsuit with the State of California over rootkit technology illegally installed on computers.
The record label has agreed to pay a $750,000 fine and will reimburse consumers up to $175 to offset the cost of repairs required to uninstall digital rights management software that the company bundled with several of its music CDs.
The settlement also bans Sony from distributing CDs with bundled DRM technology without proper disclosure.
The settlement stems from last year's rootkit fiasco. In an attempt to prevent illegal copying of its music, Sony bundled anti-piracy software on several of its music CDs that installed automatically when a user inserted the CD in a computer.
To prevent consumers from uninstalling the application, the software used rootkit technology to hide the files and the processes from the user and the system.
Security experts argued that the rootkit was poorly engineered and that worm authors could exploit it simply by placing the characters '$sys$' in front of a file name.
Although Sony initially denied that its software posed a security risk, the company was proved wrong when the Stinx-E Trojan started exploiting the rootkit's features.
An estimated 450,000 Californians purchased one or more of the malware-infested CDs, but the state is not aware of how many tried playing the CDs on their computer and are therefore eligible for compensation.
The complaint accused Sony of 'false or misleading advertising', 'unfair and unlawful business practices', and 'unauthorised access to computers'.
"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it does not inflict security vulnerabilities on computers," said California attorney general Bill Lockyer.
"To its credit, Sony BMG learned this lesson and has stopped the practices that led to this lawsuit.
"But the settlement further protects consumers by prohibiting similar conduct in the future and requiring Sony BMG to pay consumers back for out-of-pocket expenses they incurred to repair harm to computers caused by the software."
In January, Sony settled a class-action lawsuit brought by a group of consumers, agreeing to exchange CDs and pay up to $7.50 in cash.