Sony's controversial copy-protection scheme had been in use for seven months before its cloaking rootkit was discovered, leading one analyst to question the effectiveness of the security industry.
"[For] at least seven months, Sony BMG Music CD buyers have been installing rootkits on their PCs. Why then did no security software vendor detect a problem and alert customers?" asked Joe Wilcox, an analyst with JupiterResearch.
"Where the failure is, that's the question mark. Is it an indictment of how consumers view security software, that they have a sense of false protection, even when they don't update their anti-virus and anti-spyware software?
"Or is it in how data is collected by security companies and how they're analyzing to catch trends?"
Sony's list of 52 albums with the XCP copy-protection include CDs that were released as long ago as late March, said Wilcox.
"If Sony's software exhibits so many characteristics of a malicious rootkit, why wasn't it detected?" Wilcox asked. "When you have half a million or a million or two million CDs all 'phoning home' to Sony, shouldn't that trigger some [warning] somewhere by something?"
Early in the Sony brouhaha, researchers found that the Sony copy-protection technology was surreptitiously transmitting the user's IP address to Sony.
"We all missed this," acknowledged Sam Curry, vice president of Computer Associates’ eTrust security group, which develops and sells the PestPatrol anti-spyware line.
"It has to do with where security companies look for malicious code, and where samples come from. We still need that first sample in order to identify a threat. The whole security community failed to go to stores and check out commercial CDs."
Anti-virus and anti-spyware security vendors essentially rely on two sources for the malware samples necessary to create detection definitions, Curry went on. One source is users who report problems, the other is proprietary networks of honeypots -- dubbed honeynets -- set up to snare worms and spyware.
"Why did we miss this? We didn't check CDs or DVDs for malicious code like this rootkit," said Curry. "Now, though, we've begun a program where we'll regularly go out and buy sample CDs and DVDs from the major labels and studios, and check them for things like this."
And only users who are very well versed in Windows -- as is Mark Russinovich, the researcher who was among the first to go public with information about the Sony rootkit -- would be likely to send in reports to a security vendor, added Curry.
Curry offered up other excuses for his industry missing the rootkit boat.
"Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries."
He also said that Computer Associates had the rootkit on its radar this summer, but didn't act. "CA did catch one of the earlier iterations of this rootkit in July, but we only saw a sample or two. It just wasn't very widespread. It wasn't a very big bell ringing." Now, however, it's a different story.
"Admittedly, the security industry is too reactive. But this has been a wake-up call for all of us."
Other anti-spyware firms contacted for comment declined to respond. At least one cited legal issues.
Curry blasted such colleagues. "I've yet to hear many in the industry come right out and call the Sony rootkit 'spyware.' That's unforgivable."