Sony rootkit: A black eye for security vendors?

Sony's XCP technology went undetected by several major security vendors, who are improving their ability to detect rootkits.

Sony BMG Music Entertainment has been lambasted for shipping its spyware-like XCP software on music CDs over the past year, but an important question has gone largely unanswered throughout the controversy: Why didn't security vendors catch the problem sooner?

Though one security vendor, Finland's F-Secure, was aware of XCP's (extended copy protection's) problems before blogger Mark Russinovich went public with the issue, none of the major antispyware or antivirus vendors had any idea that something was amiss, according to representatives from Symantec, McAfee, and CA.

Sony has sold an estimated 2 million CDs containing the copy protection software, which used special "rootkit" techniques to hide itself on the PC. Rootkit software runs at a very low level of the operating system and is designed to be extremely difficult to detect. Ultimately XCP's cloaking ability was used by hackers to write malicious software, a development that prompted Sony to recall its XCP CDs.

Shortly after its discovery XCP was classified as dangerous software by most security vendors, but Princeton University computer science professor Edward Felten was disturbed it took so long for such a widespread problem to be exposed.

"This malware had been on the market for months and presumably had been installed on hundreds of thousands of computers, but still none of the anti-malware vendors had discovered it," Felten wrote in a blog posting ( earlier this week. "It's not a good sign that all of the major anti-malware vendors missed it for so long."

There were two things about XCP that presented challenges for the big security vendors. The first was Sony's use of rootkit techniques to cloak XCP and make it harder to circumvent its copy protection capabilities. Most security vendors admit that because rootkits have only recently come into widespread usage, there is still much to be done to improve rootkit detection in their products.

A second problem is that the software was distributed by a trusted company: Sony.

While most security vendors prefer not to think of the XCP incident as a failure, at least one vendor, McAfee Inc., admitted that there was some room for improvement. "I'd probably have to accept some culpability there," said Joe Telafici, director of operations for McAfee Avert. "It's not like we go to the record stores every week to see what's on the shelves. Maybe we should have been doing that."

Security companies like McAfee are moving away from signature-based threat prevention, where security software is told how to spot and disable certain known types of malware, to "behavior" based techniques, where the product is less concerned with identifying the software, as it is with preventing all software from doing bad things.

Improved behavior-based detection will help McAfee do a better job of identifying software like XCP, Telafici said.

Paying more attention to detecting and removing rootkits will also improve the situation, said Mikko Hypponen, chief research officer with F-Secure. F-Secure's products have rootkit-identifying capabilities that spotted the XCP software on a customer's system more than one month before the problem was publicly known, Hypponen said.

Rootkit software, like spyware, will eventually attract the attention of the larger vendors as it becomes a larger and larger problem, Hypponen said. "There will always be new kinds of attacks, and there will always be small vendors filling a niche for the new kind of problem before the big boys move in," he said. "McAfee and Symantec haven't made their move yet. They will."

Without going into specifics, both McAfee and Symantec said they will have new techniques to deal with rootkits in upcoming versions of their products, but Telafici noted that security enhancements in the upcoming Windows Vista operating system, due in late 2006, will also change things.

In particular, the Windows Vista model of giving users more restricted privileges on the PC may represent a major change in the fight against malicious software. Interestingly, Telafici was unable to predict whether Vista would give an advantage to the attackers or the security companies. "It may depend on how well (Vista) is implemented," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?