
Microsoft will Remove Sony Rootkit

After dithering for a few days over whether to categorize Sony's new audio CD copy protection system as spyware, Microsoft on Friday announced that the next update to its antispyware package would indeed remove the Sony code from users' PCs. Microsoft will include the removal code in an update to the recently renamed Windows Defender, formerly Windows AntiSpyware. Sony's system is based on a rootkit, a kind of software typically used by malicious hackers to keep their malware hidden. Sony was using it to prevent users from pirating its CDs.

"We use a set of objective criteria for both Windows Defender and the Malicious Software Removal Tool to determine what software will be classified for detection and removal by our anti-malware [sic] technology," Jason Garms, a program manager on the Microsoft antimalware team, wrote in his blog. "We have analyzed this software, and have determined that in order to help protect our customers we will add a detection and removal signature for the rootkit component of the XCP software to the Windows AntiSpyware beta, which is currently used by millions of users." Microsoft will also add the Sony rootkit removal code to the next Windows AntiSpyware update and the December update to the Malicious Software Removal Tool, Garms said.

The Sony rootkit was discovered in October by an F-Secure customer. F-Secure contacted Sony but didn't release any public information. Later, security expert Mark Russinovich discovered that his Windows PC had been infected with the code after he played a Van Zant CD. Russinovich touched off a huge controversy when he wrote about his experience in his blog.

Facing mounting complaints from customers, Sony this weekend announced that it would temporarily stop making audio CDs with the rootkit-based antipiracy technology. About 20 different audio CD titles were affected. For more information about this event, please refer to Mark Russinovich's blog, in which he details his discovery and the methods he used to remove Sony's software.
