January 17, 2006 4:25 PM PST
Sony rootkit victims in every state, researcher says
Dan Kaminsky released the information at the Shmoocon 2006 hacker conference in Washington last week. Florida seems to have the highest number, with 12,588 networks detected that are hosting computers with the digital rights management software installed, according to his research. California and Massachusetts also exhibit high rates of infection, although the numbers are only an estimate, as each network could host any number of computers with the Sony software installed.
The DRM software is automatically installed by some Sony BMG music CDs and is hidden using a rootkit, which can be exploited by a particular type of Trojan horse and hence constitutes a significant security risk.
Kaminsky worked out the locations of machines with the rootkit installed by collating information on communication between the rootkit and Sony--the software contacts Sony each time the CD is played.
"Sony has a rootkit. The rootkit phones home. Phoning home requires a DNS query. DNS queries are cached. Caches are externally testable provided you have a list of all the name servers out there," Kaminsky said in a November blog posting.
In December, Kaminsky reported that around 560,000 name servers had "witnessed DNS queries related to the rootkit," which he claimed was "much, much more" than he expected.
The numbers presented at Shmoocon last week are more accurate, Kaminsky wrote in an e-mail to News.com. "Now we're only getting discs that are clearly linked to XCP," he said. "This is further validation for my original assertion of the 100,000-to-1 million scale of the problem."
The XCP copy protection software, created by U.K.-based First 4 Internet, is included on a limited number of Sony BMG titles, including recent releases from My Morning Jacket and Southern rockers Van Zant. When the discs are played on a computer, the listener is asked to click through a consent form and install the copy-protection software.
While the software may be on many PCs, the risk to those computers has been mitigated somewhat, Kaminsky said. "Antivirus may suppress the actual rootkit, and Sony is definitely warning people about the risk--but the question I was asking was is this a large-scale problem, and best available data says yes," he said.
The problems with Sony's DRM are not limited to U.S. customers, according to Kaminsky's research. He found that infected PCs are located in many places across the world, including many European countries.
Ingrid Marson of ZDNet UK reported from London. Joris Evers contributed to this report.