Wired on Friday: Inability to identify music group's invasive 'spyware' on customers' computers suggests industry is reluctant to act against big business.
It's all over with the Sony BMG rootkit scandal. The company has said sorry and has handed back its toys. The class action in the United States has led to Sony offering downloads and patches for its customers, and the CDs have been withdrawn from sale.
That's a marked contrast from how the digital rights management (DRM) debacle began. After being caught red-handed putting software on music consumers' computers that did everything from hiding itself, installing itself without permission to making systems vulnerable to hackers, Sony was initially defiant.
Famously, Sony BMG president Thomas Hesse said: "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
But people, companies and governments do care. Or at least, they pay third parties to know what a rootkit is and to care about them - specifically anti-virus companies.
How did the Sony BMG scandal happen in the first place? The biggest story of this may be not what happened, but what didn't. Many of those computers, in businesses and governments, had anti-virus (AV) software installed particularly to prevent this kind of software from being installed and running.
None of the AV software on any of the computers around the world infected by Sony BMG and later by their uninstallers threw up alerts or attempted to uninstall the Sony software. Why would that be?
Was it simply a matter of the AV companies having no idea the Sony BMG rootkit existed or was there something more there?
Dan Kaminsky, a security researcher whose work revealed the extent of the spread of the Sony BMG rootkit in November, was one of several experts troubled by the AV industry's silence on the rootkit.
"When this story broke, I expected to see the AV vendors respond very quickly to what was malicious code."
But they didn't.
January saw the 20th anniversary of the first computer virus in the wild - a boot sector virus called "Brain" that passed from floppy disk to floppy disk. In 1986, brothers Basit and Amjad Farooq Alvi of Lahore, Pakistan, wrote the virus to punish people for copying their software.
In other words, like this most recent Sony BMG debacle, the computer virus itself got its start attempting to protect copyright.
This was the start of the software phenomenon we now call "malware" - and the start of the billion-dollar AV industry that operates to stop it.
Since then we've seen the rise of e-mail viruses, remote exploits, huge zombie armies of controlled computers, and countless other forms of malware, including the rootkit technology employed by Sony BMG.
With each new form and new attack, the anti-virus industry klaxons alerts and deploys uninstallers to its customers. There was one exception in the past, though: AV companies didn't address spyware until 2003. Spyware is software that sits on your computer and reports back what you do to someone else, often with adware that pops up ads for products similar to what you are looking at.
Spyware is essentially what Sony BMG rolled out to tens of millions of customers for years before being caught with their rootkit.
Spyware confused the AV vendors. People didn't want spyware on their computers, often didn't ask for it or agree to it, but the companies that put it on their computers claimed the legal right to do so.
These companies weren't malicious kids or Russian mafiosi, they were Silicon Valley start-ups.
Spyware as we now know it got started with Gator in 1998. It didn't take AV companies five years to learn it was installed, just to work out that corporate malware was still malware, and that their customers were paying them to do something about it. Now every AV vendor has an anti-spyware offering, but the genii is out of the bottle.
In various studies of the prevalence of the spyware, estimates of installs have varied between 67 per cent and 80 per cent of computers infected with some sort of spyware, and usually more than one.
In general, in an atmosphere filled with malware, the only realistic protection is AV software.
As a result, almost every computer is sold with AV software and most governments and corporations require AV software to run on any computer behind their firewalls.
They pay handsomely for this service. But when malware comes from someone incorporated in Delaware for tax purposes, the AV industry can be caught with their pants down. For Kaminsky, this is no excuse.
As he noted in a recently authored an opinion piece in the Virus Bulletin, the key trade publication of the AV industry, "AV vendors cannot take money from users and provide services to Sony".
He explains further: "Anti-virus is in the business of enforcing consent, not generating it. This does mean that AV may sometimes need to enforce user consent, not simply against the riff-raff or the black hat, but against legitimate companies who have . . . thought to destroy property rights in order to save them."
Will it take another five years for AV companies to act on issues like the Sony BMG malware?
How many more packages like the rootkit are out there, protected by the AV industry's reluctance to act against the malware of legitimate fully incorporated companies like Sony?
It might be useful to ask your anti-virus rep.