Sony BMG Installs Hidden Rootkit DRM on 22 Million CDs, Opens Windows PCs to Malware

What happened
In 2005, Sony BMG was found to have shipped approximately 22 million music CDs containing software that automatically installed a rootkit on Windows PCs when the disc was inserted. The software — developed by First4Internet under the XCP DRM system — hid itself from Windows tools, prevented CD ripping, reported listening habits to Sony servers, and critically opened a kernel-level vulnerability that malware authors immediately exploited to hide their own processes. Sony's initial response was that "most people don't even know what a rootkit is, so why should they care?"[1]
What went wrong
Sony BMG contracted First4Internet to build copy protection that users could not disable. The implementation used techniques identical to a rootkit: hiding processes and registry keys at the kernel level via a Windows driver. Sony's legal and technical teams apparently did not fully audit what they had deployed. When security researcher Mark Russinovich published his analysis on 31 October 2005, Sony first denied the severity, then released a "patch" that uninstalled the rootkit but left a different browser vulnerability. A second patch caused systems to stop reading optical drives. Sony eventually issued a full recall of the affected CDs and settled class action lawsuits in 40 US states.[1]
Lesson learned
DRM that functions by attacking the customer's operating system is both technically reckless and legally indefensible. Sony's rootkit installed itself silently without informed consent on over 22 million machines — a textbook definition of malware, regardless of commercial intent. The public response pioneered what became known as the Streisand Effect for corporate denials: Sony's dismissive statement about rootkit awareness was quoted in every subsequent news cycle about the scandal.
Sources
- [1] Mark Russinovich, Sysinternals Blog: Sony BMG Installs Hidden Rootkit DRM on 22 Million CDs, Opens Windows PCs to Malware