Bloggers vs. Sony: The Rootkit Fiasco

In just another demonstration of how blogs can change the course of human opinion worldwide, bloggers have exposed that Sony/BMG is actually installing rootkits–a form of malware–in systems where some of its audio CDs are played.

Mark Russinovich of Sysinternals, who originally discovered the rootkit, wrote an analysis of how certain Sony/BMG discs implement a digital rights management scheme that basically modifies the Operating System core to hide files and running processes, and “phone home” back to Sony/BMG to send back data on the user’s music playing habits.

The malware, which is actually classified as a rootkit because of how it modifies the operating system to hide files and running processes, was reportedly so badly written that infected computers took a performance hit. And while Sony/BMG’s own software (actually licensed from a third party, First 4 Internet) had no payload itself, its ability to hide files from the operating system is a potential threat. To date, a couple of trojan horses that use the Sony Rootkit’s technology have been discovered. To add salt to the wounds, the rootkit’s creators made it so difficult to remove that some resorted to reformatting their hard drives to get rid of the malware.

Simply put, this is DRM gone bad!

Russinovich’s initial blog commentary sparked extensive discussion and even debate (but generally leaning towards the “Sony is bad” camp) both on- and off-line, which involved the Electronic Frontier Foundation and other online advocacy and techie groups. This eventually led to certain parties filing class-action lawsuits against Sony (including the EFF, the states of California, Texas, New York, and even Italy–yes, the country). Here’s a site that collects information on lawsuits against Sony/BMG.

In the local context, fellow pinoy tech blogger Atty. Noel Punzalan writes his analysis of the applicability of Sony’s End-User License Agreement in the light of local laws.

It’s a question of which will prevail: the rights of the intellectual property owner, or the privacy of the consumer. In my opinion, in this case, where the copyright holder knowingly violates the privacy of the consumer and utilizes underhanded tactics, then it is the latter who should be protected.

Sony has since capitulated and apologized, but still short of admitting its culpability.

Whatever the results of all the lawsuits, the fact remains that Sony/BMG has etched its mark on the world–there will inevitably be dozens, if not hundreds, of infected discs still lying around in CD racks of those unaware about the problem (which is perhaps majority of the populace), waiting to be inserted in a computer and do its bad stuff.

But without blogs and vigilant bloggers like Mark Russinovich, the world would not have known about this issue, or at least it would have taken longer to discover.

See more of Mark Russinovich’s posts on his Sysinternals Blog.

Here’s a comprehensive wikipedia entry on the Sony/BMG Rootkit fiasco.

*** Angelo has recently moved his blog to and is passionate about beautiful websites and winning the Isulong SEOPH challenge.

Leave a Reply