If the CDs are constructed in such a way that normal techniques for ripping won't work, with or without the existence of the malware rootkit, then the rootkit would seem unnecessary "protection". And if the CDs are not so constructed, i.e. they can be ripped via conventional methods if the rootkit is not installed, then the rootkit would seem insufficient protection.
So what purpose, other than the harassment of paying customers, is the rootkit supposed to serve?
Without the source code, this will never be answered, which is what makes this such an interesting case.
Sony buys this DRM software from another vendor and installs it on every Sony CD sold since March of this year.
The only way for the offended parties, the people who got hit with the rootkits, can be sure the rootkits are benign is to subpoena the DRM software in court, thus revealing how it works.
I'll tell ya one thing, Sony can take their "blueray" thing and shove it. It's obvious they're using DRM software for data mining purposes.
So the software gets installed. But then the user sees what it really does and wants to un-install it. Remember, this crap shipped with no uninstaller. So eventually someone was going to have to come up with a "cookbook" method of un-installing it. This was the "problem" that the rootkit was trying to "solve". If you can't see the files or the registry keys, there ain't much you can do about it.
The rootkit's purpose is to prevent ripping software from working correctly when a "protected" disk is inserted.
From Wikipedia entry on the Sony DRM rootkit:
XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan. Furthermore, XCP.Sony.Rootkit installs a device driver, specifically a CD-ROM filter driver, which intercepts calls to the CD-ROM drive. If any process other than the included Music Player (player.exe) attempts to read the audio section of the CD, the filter driver inserts seemingly random noise into the returned data making the music unlistenable.
XCP.Sony.Rootkit loads a system filter driver which intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application. This rootkit driver modifies what information is visible to the operating system in order to cloak the Sony BMG software. This is commonly referred to as rootkit technology. Furthermore, the rootkit does not only affect XCP.Sony.Rootkit's files. This rootkit hides every file, process, or registry key beginning with $sys$. This represents a vulnerability, which has already been exploited to hide World of Warcraft RING0 hacks as of the time of this writing, and could potentially hide an attacker's files and processes once access to an infected system had been gained.
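An added example, not taken from the Wikipedia entry or from any post in this thread, of the cross-view detection approach that the `$sys$` cloaking described above invites: a simulated hook drops every file, process or registry entry whose name begins with `$sys$`, and diffing that hooked listing against a raw listing (what an unhooked scan of the volume or hive would return) exposes every cloaked entry, including third-party items that merely reuse the prefix. Apart from `player.exe` and the `$sys$` prefix, all names below are constructed placeholders.

```python
# Cross-view detection of a prefix-cloaking rootkit, simulated in pure Python.
# cloaking_filter() mimics the $sys$ hook the excerpt describes; the RAW_VIEWS
# dict stands in for an unhooked scan. All names except player.exe are constructed.

HIDDEN_PREFIX = "$sys$"


def leaf_name(entry: str) -> str:
    """Return the last path component, which is what the hook matches on."""
    return entry.rsplit("\\", 1)[-1]


def cloaking_filter(entries: list[str]) -> list[str]:
    """Simulated rootkit hook: drop every entry whose leaf name starts with $sys$."""
    return [e for e in entries if not leaf_name(e).startswith(HIDDEN_PREFIX)]


def cross_view_diff(api_view: list[str], raw_view: list[str]) -> list[str]:
    """Entries present in the raw view but missing from the hooked view are cloaked."""
    return sorted(set(raw_view) - set(api_view))


# Constructed ground truth for the three namespaces the hook intercepts.
RAW_VIEWS = {
    "files": [
        r"C:\WINDOWS\system32\drivers\$sys$example.sys",  # constructed placeholder
        r"C:\WINDOWS\system32\kernel32.dll",
        r"C:\Games\$sys$unrelated.dll",  # third-party file riding on the hook
    ],
    "processes": ["$sys$svc.exe", "explorer.exe", "player.exe"],  # $sys$svc.exe constructed
    "registry": [
        r"HKLM\SYSTEM\CurrentControlSet\Services\$sys$svc",  # constructed placeholder
        r"HKLM\SYSTEM\CurrentControlSet\Services\PlugPlay",
    ],
}


def scan(raw_views: dict[str, list[str]]) -> dict[str, list[str]]:
    """For each namespace, list what the hooked view hides relative to the raw view."""
    return {
        name: cross_view_diff(cloaking_filter(raw), raw)
        for name, raw in raw_views.items()
    }


if __name__ == "__main__":
    for namespace, hidden in scan(RAW_VIEWS).items():
        print(f"{namespace}: {len(hidden)} cloaked")
        for entry in hidden:
            print("   ", entry)
```

The same diff exposes the unrelated `$sys$` file, which is the weakness the excerpt points to: the hook cloaks by prefix, not by ownership.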
I'm a Win32 API expert. 10-to-1 odds that they were trying to create un-uninstallable software and picked the fastest way to do so without concern for the side-effects it'd have.
Probably to make it harder for anti-virus and anti-malware software to detect the DRM. Or maybe to make it harder for people to figure out how to get around the DRM, since it's hard to reverse engineer what you can't see.