Sony BMG rootkit scandal: 5 years later

The revelation 5 years ago that Sony BMG was planting a secret rootkit onto its music customers’ Windows PCs in the name of anti-piracy is seen now as one of the all-time significant events in IT security history.

“Sony rootkit was one of the seminal moments in malware history,” says Mikko Hypponen, chief research officer at Helsinki, Finland-based security company F-Secure. “Not only did it bring rootkits into public knowledge, it also gave a good lesson to media companies on how not to do their DRM [digital rights management] solutions.”

Also see: 10 more of the worst moments in network security history 

For those of you who are fuzzy on the details, Sony BMG secretly included Extended Copy Protection (XCP) and MediaMax CD-3 software on millions of music CDs from artists such as Celine Dion, Neal Diamond and Santana in the mid-2000s that was designed to keep music owners from making too many copies of the music.  The software, which proved undetectable by anti-virus and anti-spyware programs, was in the form of a rootkit that opened the door for other malware to infiltrate computers unseen as well.  Once the rootkit was exposed by security researcher Mark Russinovich on Oct. 31, 2005, all hell broke loose, with Sony BMG botching its initial response (“Most people don’t even know what a rootkit is, so why should they care about it?” went the infamous quote from Thomas Hesse, then president of Sony BMG’s Global Digital Business.) and later recalling products, issuing and re-issuing software removal tools, and settling lawsuits with a number of states, the Federal Trade Commission and Electronic Frontier Foundation. 

Rootkits have since become common among modern malware, with one security company this past summer even demonstrating how a rootkit might one day plague the Google Android smartphone operating system.  The sophisticated Stuxnet worm identified this year as a threat to Windows PCs and industrial systems also uses a rootkit. 

F-Secure’s Hypponen recalls that it took just nine days for a variant of the Breplibot malware to exploit the Sony BMG rootkit. F-Secure became aware of the Sony BMG rootkit even before Russinovich exposed it, but had kept quiet about it while trying to convince Sony BMG to do something about the rootkit first.

“Unfortunately, they only acted after the Breplibot trojans were already out,” he says (noting that a key figure of virus writing gang “m00p” that was behind Breplibot pled guilty in court last month.)

Following the Sony BMG rootkit’s exposure, security experts came down hard not just on the music company but also on security vendors whose products failed to sniff out the threat. Bruce Schneier, for example, wrote a column for Wired.com  in November, 2005 in which he took Symantec and McAfee to task.

“[M]uch worse than not detecting it before Russinovich’s discovery was the deafening silence that followed. When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. Not in this case,” Schneier wrote.

Schneier also at the time chided Microsoft for not reacting more swiftly. However, the following year Microsoft did make one interesting statement: It acquired Winternals Software,  the company co-founded in 1996 by Sony BMG rootkit sleuth Russinovich, now a Microsoft technical fellow whose biography on the software vendor’s website highlights that “his discovery of a rootkit on popular Sony audio CDs led to industry reforms in the area of computer privacy.”

It’s no secret where to find Bob Brown on Twitter: www.twitter.com/alphadoggs