GoogleIt Mail IT Print IT PermaLinkThe Sony Rootkit And The Security Companies
12:08:37 PM
Written By : Richard SchwartzCategory : Spam And Security
Location : Nashua, NH

Via Bruce Schneier, from his column on Wired, another reason to be angry about the Sony rootkit, and not just angry at Sony:

Initial estimates are that more than half a million computers worldwide are infected with this Sony rootkit. Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.

What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers? And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn't notice? This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home.

McAfee didn't add detection code until Nov. 9, and as of Nov. 15 it doesn't remove the rootkit, only the cloaking device. The company admits on its web page that this is a lousy compromise. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code. "Please note that removal will not impair the copyright-protection mechanisms installed from the CD. There have been reports of system crashes possibly resulting from uninstalling XCP." Thanks for the warning.

Symantec's response to the rootkit has, to put it kindly, evolved. At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software."

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

It's tactics like this from Sony that, more than anything else, will turn me from being committed to respecting copyright into a P2P music downloader. And if Symantec and the other security companies are in collusion (or simply too interested in the value of bundling deals for Sony PCs), then I think it's time to look at the open source alternatives. At this point, though, I don't know what the open source AV products have come up with for dealing with the Sony rootkit yet. Anybody know?

This page has been accessed 258 times. .
Comments :v

1. Esther Strom11/17/2005 05:33:36 PM

Rich, I haven't found any AV products that will detect it in an ordinary scan, but there are free utilities out there to remove it. (among others)

2. Richard Schwartz11/17/2005 06:26:31 PM

Thanks. I don't believe that I have any of the affected CDs so my own machines should actually be find, but... I can't say for sure about either my wife or kids computers.

3. Jon Johnston11/17/2005 08:10:50 PM

This is one of the problems that the security companies face, as I pointed out here....

The AV vendors have a difficult time with this type of stuff because technically, people have agree (in the EULA) to install the software. Since it was voluntary, if the AV vendors remove it, then they may be open to suit. Most rootkits are involuntary hacks. That's the big difference.
Given...... I wish the AV vendors were more forthcoming with how they're handling this stuff.

4. Richard Schwartz11/17/2005 08:46:01 PM

@Jon: I don't buy that. These were music CDs, and the rootkit installation can not in any way be construed to be "voluntary". There there simply wasn't sufficient disclosure for the EULA to be valid.

And even if you assume the EULA was valid, it can make all the claims that it wants (and my understanding is that it did make some ridiculous claims!) but there's no way it can legally bind the user to never uninstall the softare or to never allow an AV package to disable it. It could make the claim that user is in violation if he does this, but if there's no intent to violate copyright the only valid remedy would be forfeiture of the right to play the CD on the computer. Anything else would be absurd, totally unenforceable, and would be thrown out of court if it ever went there (which it wouldn't). So all the AV companies would have to do in order to completely avoid liability is make sure that they prompt the user and give adequate information about what they know about the source of the malware before removing it.

OTOH -- even if I'm 100% right about this and even if the AV vendors know I'm 100% right about this, the prospect of having to fight off Sony's lawyers could be more than enough to keep them from doing anything.

5. Chris Linfoot11/18/2005 07:14:00 AM

Rich, a manual trackback for you - seeing as you have real trackbacks turned off

Sony's Rootkit - Cockup or Conspiracy?

6. Richard Schwartz11/18/2005 07:24:06 AM

@Chris: All I ever seemed to get was spam when I had the trackback feature enabled.

7. Chris Linfoot11/18/2005 08:03:04 AM

@Rich: Me too, but as I verify trackbacks manually, they are never published and I just delete them. The benefits of this:

1. No visitor ever sees them.

2. The robots that write spam trackbacks seem to prefer to hit the button to submit a trackback when it exists, rather than submit a comment. That is, the trackback button is a magnet that draws spamming robots away from the comment button.

This is why I get so little comment spam.

8. Richard Schwartz11/18/2005 08:27:52 AM

@Chris: I've only just started getting a trickle of comment spam within the past couple of weeks, and blogsphere blocked all but one of them. But I suppose that does constitute an accelerating trend, so maybe re-enabling trackback would be of benefit if it does indeed deflect attention away from the comment button.

I've actually started using trackback myself at other sites. My client doesn't support it, but I've been using Kalsey's Simpletracks at to submit trackbacks the hard way, particularly to blogs like Ray's that don't support comments but do support trackback. So that's another reasaon why I might want to re-enable it: if it's good enough for me to use elsewhere, I should allow it here.

9. Esther Strom11/18/2005 05:07:25 PM

Rich, David Pogue (NYT) just published this info about determining if you own any of the CDs that installed this, and how to get rid of it:

"* "Is there a list of the affected CD's somewhere?"

There's a partial list at Sony initially refused to identify the complete list, but now says that it will post the list on its Web site soon. Meanwhile, you can tell if your CD has the rootkit protection by looking at the back. If you see a black and white table called "Compatible With," it's copy-protected; if the Web address at the bottom of table ends with XCP, it's protected using the rootkit method. "


"Then it went even farther, and actually recalled the 2 million rootkit discs that had already been sold-a costly move. If you bought one of these albums, Sony BMG will exchange it for the same CD minus the nasty software; shipping will be free both ways. Details, along with an uninstaller, will be posted at

10. generic_cialis09/12/2016 06:33:36 AM

Hello! , ,

Enter Comments^

Email addresses provided are not made available on this site.

You can use UUB Code in your posts.

[b]bold[/b]  [i]italic[/i]  [u]underline[/u]  [s]strikethrough[/s]

URL's will be automatically converted to Links

:-x :cry: :laugh: :-( :cool: :huh: :-) :angry: :-D ;-) :-p :grin: :rolleyes: :-\ :emb: :lips: :-o
bold italic underline Strikethrough

Remember me    

Monthly Archive
Responses Elsewhere

About The Schwartz


All opinions expressed here are my own, and do not represent positions of my employer.