It all started with Mark Russinovich testing RootKitRevealer, a program used to find rootkits installed by hackers to hide viruses, spyware, and trojans they install on computers they have broken into. These programs allow them to gain control over a computer to do their nefarious deeds.

Mark was amazed to see that a rootkit had been installed on one of his computers. He's a really careful kind of guy. His investigation revealed that Sony BMG was installing this software created by First 4 Internet on their music CDs.

Sony CDs install hacker's rootkit

When the Sony BMG CD is inserted into the drive of a computer, it automatically installs the rootkit and hides itself. It will then allow the CD to be played. Only 3 copies of the CD is allowed to be burned. Mark also discovered that if attempts are made to remove the software, the modification made to Windows will prevent it from seeing the CD drive. At that point, you are unable to play any CD.

The story of Sony's rootkit spread like wildfire on the Internet. Initially spread over the blogophere, the story was picked up by major news organizations like BBC News and USA Today.

At first, Sony BMG seemed unconcerned and unapologetic. They were only "protecting" their digital rights. However, the onslaught of criticism continued so they finally agreed to halt production of the CDs. The furor remained so Sony offered a patch.

Sony offers "patch"

The patch requires visiting Sony's web site and submitting a request for it. After registering with a name and email address, a link is sent which requires the recipient to return to Sony's site to get the patch. Anger towards Sony increased when it was discovered that the "patch" only revealed the hidden files, it did nothing to remove the software.

Sony maintained that it was their right to install DRM software on those computers. That's when it was discovered that the software was acting as spyware sending info back to Sony. They again maintained it was their right. But it was also sending info to Sony even when their CDs were not being played!

Hackers find security hole in Sony's software

Hackers certainly know how to use rootkits so it wasn't long before they were using Sony's software to install their own malware. And the patch Sony supplied created an even bigger security hole than the original software.

USA Today referred to the reaction of Sony's DRM lockdown as a firestorm. Sony finally admitted to having 20 CDs with the rootkit that made computers vulnerable to security issues.

The Department of Homeland Security admonished Sony at a Chamber of Commerce event on combating intellectual-property theft. "It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

Determined to be malicious software

Perhaps Sony thought things would die down but it didn't. Microsoft and several anti-virus companies labeled the software as malicious code. In December, Microsoft will add it to their Malicious Software Removal Tool update for detection and removal.

Amazon offered a refund for any "infected" CD that was returned. And Sony finally planned to pull the controversial CDs off the shelf.

More than half million computer infected

Dan Kaminsky, an independent internet security researcher based in Seattle, began a statistical study of computers that had "phoned home." He determined that security on more than half a million computers had been compromised. These included networks used by military and government sites.

Sony's recall has grown to involve more than 50 titles and 4 million CDs. While the record labels complain about declining sales, Sony has caused consumers to cast suspicion on all CDs. Pulling this large number of records off the shelves just before the Thanksgiving/Christmas season will gain no favors from their cohorts.

Sony facing lawsuits

This isn't the end of the story. Sony BMG is facing possible lawsuits from the states of California, New York, and Texas as well as many other civil suits. Consumers are so angry they are boycotting anything Sony.

And here Sony thought they were out of the woods after New York's attorney general nailed them for payoffs for radio play.

Emerald Bay Records against DRM