Sony, the rootkit and the internet community

Martin Brinkmann
Nov 16, 2005
Updated • Apr 29, 2013

No matter which internet page you open these days, you are guaranteed to find at least one article mentioning the Sony rootkit affair. Instead of providing you with the latest news on the case of customers vs. Sony BMG, I'd like to analyze an interesting aspect of it.

In the beginning, there was one guy who found out about the rootkit software, analyzed it in depth and wrote an entry on his blog, Mark's Sysinternals Blog, which is a well-frequented site. Then the ball got rolling: the news was copied and commented on at other sites, and big portals like Slashdot and Digg had articles that soon became the most popular ones for the day.

The news spread like wildfire throughout the World Wide Web, and people from all over the world read it. It was soon clear that only a few supported Sony's move; the majority was clearly against it.

News got worse for Sony the following day when Mark identified additional "features" of the application. First, the rootkit software was phoning home to Sony. Second, it was almost impossible for the average user to uninstall it. Third, the rootkit had a cloaking ability that other executable files could use to hide inside, a perfect hiding place for malicious software.

Sony's reaction was to provide an update to the rootkit software that disabled the cloaking feature. Unfortunately, it was again almost impossible for the average user to find the uninstaller on Sony's webpage. Still, Sony in its shining glory denied that the rootkit posed a security threat and claimed that most users didn't care whether a rootkit was installed on their system. The patch unfortunately had the nasty habit of crashing Windows on some machines.

The internet community created lists of CDs that contained the software. Boycott websites came into existence and had to deal with a massive number of visitors who were looking for information or wanted to join the boycott.

With lots of news coverage from respected institutions like the BBC, Sony presented a statement on Monday that they would cease the production of music CDs containing First 4 Internet's XCP technology, for now.

Yesterday Dan Kaminsky presented the first figures on rootkit infections, obtained by analyzing the rootkit's phone-home traces in the DNS caches of nameservers. This led to the conclusion that at least half a million networks are infected with it. He created a graphic showing infections on a map of North America.

[Image: Sony rootkit infections, USA]

Today Sony finally announced that it would institute an exchange program for already purchased CDs and pull the rest from the market.

Now, what conclusion can we draw from this? It's pretty obvious to me that Sony underestimated the "power" of the internet community. From a single website the story spread into the whole world in no more than one day. It became so popular that big internet portal sites like, and reported on it. The traditional media became aware and soon the story was also making headlines in newspapers, radio shows and even television.

Sony: 0
Internet Community: 1

What do I learn from this? We have a tremendous power in our hands and can use it to force even multinational corporations to yield. And countries? That question remains to be answered.




  1. Martin said on November 16, 2005 at 1:58 pm

    Hoopy, what would you suggest then? I think it's a complicated matter... maybe something like a driving license for the internet and computers ;)

  2. Hoopy said on November 16, 2005 at 1:44 pm

    It also highlights the fact that Windows lets you run as administrator out of the box, and most people, not understanding the implications, just leave it that way.

  3. Martin said on November 16, 2005 at 1:16 pm

    Oliver, we all know that many computers are vulnerable because of people who don't know or care, even in security workplaces like the military or science. But that's another story :P

  4. oliver marshall said on November 16, 2005 at 12:10 pm

    I think it highlights far more on the state of security for most users. You can only install the Sony rootkit with admin rights, and yet we have heard stories of the military being affected by it, whole company networks being affected after IT tried to remove the rootkits, etc. All of these things were caused by the rootkit, but they were only allowed to happen by bad security setups: allowing users to work with admin rights, etc.

  5. mandy said on November 16, 2005 at 11:58 am

    Very well written and thought out.
    Makes ya go “Hmmmm.” doesn’t it. :)
