Ben Edelman discovered a very simple, effective way that Sony BMG can notify customers that they have the rootkit on their system.

Since the Sony BMG CDs in question actually call home, there is a simple way for Sony to insert an advertisement into the XCP player, warning users they have the rootkit on their system. 

Highlighted in green is the call for a banner ad (currently nothing is there):

HTTP/1.1 302 Moved Temporarily
Set-Cookie: ARPT=JKXVXZS64.14.39.161CKMJU; path=/
Date: Sat, 12 Nov 2005 18:36:49 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.14 OpenSSL/0.9.7d
Keep-Alive: timeout=10
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/plain

By simply replacing it with his own, he was able to create an ad on the Sony BMG player with a warning.

<?xml version="1.0" encoding="UTF-8" ?>
<banner src="" href="" time="4000" />

See Ben’s site for all details, and a screen shot of what an ad might look like. Link here.

Sony BMG: Do this.  It’s a good idea.


Alex Eckelberry
