Try as I might, my limited free time has hindered all attempts at keeping up with the Sony Rootkit scandal. I knew bits and pieces. I was aware of the rootkit their CDs automatically installed on Windows systems. I knew that there was a kernel extension installed on OS X systems, but that it required the user to enter their administrative password to do so. I'd heard that the copy protection code illegally used LAME's libraries.
In the back of my mind I was asking some questions: how does it work, why will it damage Windows if you remove it, and why has it taken this long to be exposed? Bruce Schneier wrote a column for Wired News that outlines the entire debacle. It's thorough, and filled with links explaining the things he mentions. And, most importantly for me, he addresses the greatest concern: why has it taken this long for security companies to notice and do something about it? Is anyone actively working to find a way to remove the code without damaging Windows?
November 17, 2005 4:17 PM
Working for one of those security companies, I can tell you why most haven't done much.
Simply put, the Rootkit isn't malicious. Like it or not, agree with it or not, it isn't malicious.
Rootkits, as a rule, simply hide something else. What that "something else" does may or may not be malicious, and we pick up a trojan that exploits this, for example.
But Rootkits themselves are simply annoying and frustrating, not malicious. The rootkit doesn't do anything bad to your computer.
Sony used a rootkit to hide a piece of software that supposedly stopped CDs from being copied. It was a dirty tactic that PUA ("Potentially Unwanted Application") style detectors likely would have or should have picked up. But speaking from a virus company perspective, it wasn't a virus.
Marc said:
November 17, 2005 4:25 PM
I do appreciate getting an answer from you. It's a legitimate, logical answer. I sort of wonder whether or not it's posted in as many words on the major security sites?
smeg said:
November 17, 2005 6:24 PM
It's probably not. It was a hot subject, and no one wanted to be the ones to say "hey, this is the deal".
We had an update against the Trojan that used the rootkit, and we developed and released a standalone tool that would scan for, disable and remove the rootkit for those who thought they may have it ... but detection for it was never rolled into the actual AV engine, as it wasn't really relevant.
We did a survey, and 98% of respondents thought it was a genuine security threat, but so are Windows holes, and AV software doesn't scan for them :)
I dunno how I feel about it ... I think blurring the lines between vulnerabilities, viruses, adware, malware, spyware should be avoided. We produce Anti *virus*, and will be introducing "PUA" detection next year, but the PUA stuff will be at the administrator's discretion, and kept separate to the AV detection. They are two separate problems.