F-Secure contacted Sony about the rootkit on October 17. But the relationship got off to a bad start, according to Kangas. Not knowing whom to approach, F-Secure took the problem first to Sony DADC, an Austrian subsidiary that manufactures CDs. “They said, ‘Thank you, but this is from Sony BMG,’” Kangas recounts. When he and his colleagues finally reached Sony BMG’s Los Angeles headquarters, “The first reaction we got was, why were we talking about their copy protection software with a competing unit of Sony? They were rather angry.”
Once the recriminations passed, Sony BMG DRM managers asked Kangas and his staff to work with First 4 Internet on a way to safeguard owners of the protected CDs. “From our point of view, the only solution with this first version of XCP was to stop deploying it,” says Kangas. “But that was something they clearly didn’t want to do.” According to Kangas, First 4 Internet’s plan was simply to release a new version of XCP in 2006 without the rootkit – not to replace the millions of discs that had already been purchased – and offer an uninstaller tool to customers who asked for it.
Kangas and his team readied a public report on the rootkit but were waiting for First 4 Internet’s uninstaller before releasing it, as courtesy in the Internet security business demands. That’s when they were beaten to the punch by a Texan named Mark Russinovich.
Russinovich and colleague Bryce Cogswell are the authors of Sysinternals.com, one of the leading U.S. blogs on computer security. Russinovich is also the chief software architect at Austin-based Winternals Software and, by chance, the inventor of some of the very cloaking techniques used by XCP. He and Cogswell had spent part of 2005 working on RootkitRevealer, a detection program similar to F-Secure’s Blacklight. One day in late October, Russinovich was running RootkitRevealer on his own PC as part of a test to make sure the program wasn’t generating false positives. Russinovich says he purposely avoids the seedier areas of the Internet in order to keep his machine clear of malware – so he was astonished when RootkitRevealer found actual rootkit files.
Just as Guarino had, Russinovich discovered that deleting the files disabled his CD-ROM drive. “Even a sophisticated home user, if they attempted to uninstall the rootkit by deleting the files, would end up crippling their machine,” Russinovich says. But since he had himself come up with most of the tricks Windows rootkits use to deceive the operating system and other applications, he wasn’t stymied. Russinovich was able to bypass the rootkit’s cloaking function and – after remembering that he’d recently played the copy-protected Sony BMG disc Get Right with the Man on his computer – trace the files it had been hiding to First 4 Internet and Sony BMG.
“It was disturbing to me, the fact that this thing had installed rootkit software on my PC,” Russinovich says. “It had installed itself without telling me. There didn’t appear to be any uninstaller. But what was most surprising of all was to run into a rootkit that was part of a well-known company’s DRM.”
Russinovich did not contact Sony BMG about his discovery; rather, he poured his findings into an angry blog entry published on Halloween. Within hours, Russinovich’s post was picked up by Slashdot, the famous home of “News for Nerds.” And from there the rootkit story raged across the blogosphere and even into mainstream newspapers. F-Secure – though it had been scooped by Russinovich – quickly got back into the game, publishing its own analysis of the rootkit on November 1.
Among music fans and technology watchers, reaction to the rootkit news was explosive. Within days, anti-DRM activists launched several boycotts against Sony BMG. “Sony aims at pirates – and hits users,” blared a November 9 headline in the Christian Science Monitor. Antivirus and security companies issued warnings advising consumers to avoid or return the Sony BMG discs. Bloggers fanned the flames; the word “rootkit” appeared in blogs 150 to 750 times every day throughout November, according to blog search engine Technorati.