"Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President of Sony's Global Digital Business.

2 "Most people, I think, don't even know what a rootkit is, so why should they care about it?" - Thomas Hesse, President of Sony's Global Digital Business operations.

3 Why should we care? Rootkits do not themselves harm a computer, and have many useful applications. Their only purpose is to conceal other processes from both the user and any security software, which is why they are often used in combination with keyloggers or Trojan horses.

4 Extended Copy Protection Sony started using Extended Copy Protection (or XCP), DRM software developed by First 4 Internet, on their CDs in late 2005. This program was bundled with MediaMax CD-3, another DRM program designed to prevent users from unauthorized playback or duplication of CDs.

5 XCP MediaMax CD-3 was relatively easy to disable, so XCP was designed to hide both MediaMax CD-3 and itself from the user. This was accomplished by modifying the operating system to conceal all files beginning with the tag $sys$. The program was set to install as soon as an infected CD was inserted, even if the user declined the license agreement.

6 Problems with XCP XCP did not limit the concealed files to those it installed – ANY file beginning with $sys$ would be concealed, even if it was installed afterwards. The first Trojan horse which exploited this flaw was reported on November 10, 2005 – less than two weeks after the flaw had first been discovered.
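A small simulation, added here and not part of the presentation, of the prefix cloak described on slides 5 and 6 and of the cross-view check a defender can use against it: the FakeVolume class, the file names and the DRM's install list are constructed stand-ins, not real XCP components.

```python
"""Simulated name-prefix cloak and a cross-view detector.

The cloak hides every directory entry whose name starts with the tag,
regardless of who created it.  A cross-view detector compares a trusted
(raw) listing with the view an ordinary program gets through the hooked
API and reports every entry that differs.
"""
from dataclasses import dataclass, field

CLOAK_TAG = "$sys$"  # tag used by the cloak, as described on the slides


@dataclass
class FakeVolume:
    """Constructed stand-in for a disk: the entries actually present."""
    entries: set = field(default_factory=set)

    def raw_listing(self) -> set:
        # Trusted view: what reading the directory structure directly returns.
        return set(self.entries)

    def cloaked_listing(self) -> set:
        # View through the hooked API: every tagged name disappears, whether
        # or not the DRM software itself created the file.
        return {e for e in self.entries if not e.startswith(CLOAK_TAG)}


def cross_view_hidden(raw: set, api_view: set) -> set:
    """Entries on disk but missing from the API view are being cloaked."""
    return raw - api_view


def foreign_hidden(hidden: set, installed_by_drm: set) -> set:
    """Cloaked entries the DRM did not install: third parties riding the cloak."""
    return hidden - installed_by_drm


def demo() -> tuple:
    drm_files = {"$sys$drm.dll"}                       # constructed DRM install list
    vol = FakeVolume({"notes.txt"} | drm_files)
    vol.entries.add("$sys$thirdparty.exe")             # unrelated file added later
    hidden = cross_view_hidden(vol.raw_listing(), vol.cloaked_listing())
    return hidden, foreign_hidden(hidden, drm_files)


if __name__ == "__main__":
    print(demo())
```

The second element of the result is what a defender cares about: the cloak hid a file the DRM never installed, which is exactly the flaw the slide describes.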

7 World of Warcraft World of Warcraft uses a program nicknamed “The Warden” to scan a user’s active processes for known cheat and hack programs. If it discovers one, the information is sent back to Blizzard, and the player’s account may be suspended. By installing the Sony XCP, and adding the $sys$ tag to a hacking program, people would be able to use these programs without detection.

8 Additional Problems XCP added filter drivers for the CD-ROM, which intercepted all requests to read from the CD. Removing XCP would cause the CD-ROM to stop functioning. XCP monitored all processes a user was running, which required nearly constant read attempts on the hard drive. This can shorten the drive’s lifespan.

9 The Patch Sony eventually released a patch to decloak and remove the XCP. This patch required users to install an ActiveX control, as well as provide their name, address, and e-mail address. Sony’s terms of service specifically stated this information would be shared with “reputable third-parties who may contact you directly.”

10 CodeSupport.ocx Users could only download the patch with the CodeSupport.ocx ActiveX control installed, using Microsoft Internet Explorer, on the computer they had first requested the patch with. This control essentially gave Sony’s website full control of a user’s computer, including the ability to install and remove programs.

11 Problems The ActiveX control was marked safe, and was not specifically tied to Sony’s website. With a little work, it could be run from ANY website, without the user’s knowledge. This control was not removed after the installation of the patch. It remained on the user’s machine until they manually removed it. Additionally, because of the way the patch was designed, there was a small chance of a system crash during its operation.

12 Questions?
