Those are amazing infection numbers, making this one of the most serious internet epidemics of all time -- on a par with worms like Blaster, Slammer, Code Red and Nimda.
What do you think of your antivirus company, the one that didn't notice Sony's rootkit as it infected half a million computers?
When a new piece of malware is found, security companies fall over themselves to clean our computers and inoculate our networks. "McAfee detects, removes and prevents reinstallation of XCP." That's the cloaking code.
And this isn't one of those lightning-fast internet worms; this one has been spreading since mid-2004.
Because it spread through infected CDs, not through internet connections, they didn't notice?
These questions are the real story, and we all deserve answers.

EDITED TO ADD (11/19): Details of Sony's buyback program.
And more GPL code was stolen and used in the rootkit.
And it can't be removed; trying to get rid of it damages Windows. On Nov. 11, Sony announced it was temporarily halting production of that copy-protection scheme. On Nov. 14 the company announced it was pulling copy-protected CDs from store shelves and offered to replace customers' infected CDs for free. When its actions were first discovered, Sony offered a "fix" that didn't remove the rootkit, just the cloaking. Some pointed out how this sort of software would degrade the reliability of Windows.
This story was picked up by other blogs (including mine), followed by the computer press. Sony claimed the rootkit didn't phone home when it did. On Nov. 4, Thomas Hesse, Sony BMG's president of global digital business, demonstrated the company's disdain for its customers when he said, "Most people don't even know what a rootkit is, so why should they care about it?" Even Sony's apology only admits that its rootkit "includes a feature that may make a user's computer susceptible to a virus written specifically to target the software." However, imperious corporate behavior is not the real story either. Sony's latest rootkit-removal tool actually leaves a gaping vulnerability. Someone created malicious code that used the rootkit to hide itself.
This is exactly the kind of thing we're paying those companies to detect -- especially because the rootkit was phoning home. As of Nov. 15 it doesn't remove the rootkit, only the cloaking device.
But much worse than not detecting it before Russinovich's discovery was the deafening silence that followed. The company admits on its web page that this is a lousy compromise.
• November 17, 2005: Bruce - Thanks for pulling all of the details of this sad and sordid affair together into one place that I can point the less security aware toward to get the whole story.
Feeding one individual column after another just wasn't putting the whole thing in perspective...
At first the company didn't consider XCP malware at all. It wasn't until Nov. 11 that Symantec posted a tool to remove the cloaking. As of Nov. 15, it is still wishy-washy about it, explaining that "this rootkit was designed to hide a legitimate application, but it can be used to hide other objects, including malicious software." The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.