Researcher: Sony BMG rootkit still widespread

'The global scope is the big mystery here'

channel

WASHINGTON D.C. Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky used a different address used by the copy protection software to estimate that, a month later, 350,000 networks - many belonging to the military and government - contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains.

The latest research results comes as Sony BMG is attempting to finish up this particular embarrassing chapter in the company's use of digital-rights management software. Earlier this month, a New York district court judge gave the nod to a settlement penned by Sony BMG and the attorneys for six class-action lawsuits in the state. More than 15 other lawsuits are pending against the media giant, according to court filings.

The controversy surrounds several flaws in two types of copy-protection software used on Sony BMG music CDs and the company's previous practices of hiding the software from a computer's user and making removal of the software extremely inconvenient. The two practices - considered unfair by the Attorney General for the State of Texas, whose office sued Sony BMG--resemble "rootkit" techniques used by malicious internet attackers.

Sony BMG uses two types of digital-rights management (DRM) software: the Extended Copy Protection (XCP) program created by First 4 Internet and the MediaMax program created by SunnComm.

Kaminsky's research uses a feature of domain-name system (DNS) servers: The computers will tell whether an address has recently been looked up by the server. The security researcher worked from a list of nine million domain-name servers, about three million of which are reachable by computers outside their networks. Kaminskly sent DNS requests to the three million systems, asking each to look up whether an address used by the XCP software - in this case, xcpimages.sonybmg.com - was in the systems' caches.

During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet.

The most recent survey, which lasted between December 15 and December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software.

"The data shows that this is most likely a hundreds-of-thousands to millions of victims issue," Kaminsky said.

The data might also show how widespread piracy has become. The 52 music titles released with the XCP software were only released in North America, he said. However, the network apparently affected by the Sony BMG issue covered 135 countries. About 4.7 million discs were manufactured and about 2.1 million had sold, according to Sony statements.

"The global scope is the big mystery here," he said. "It is fairly likely that a lot of the discs were pirated."

In December, Sony BMG changed the banner ad that displays on PCs that play a CD to a graphic that requests them to download the uninstaller. The graphical reminder showed that Sony BMG is taking the threat seriously, Kaminsky said, and could be responsible for much of the decrease in his numbers. Sony BMG could not be reached for comment on Monday.

While the security issues related to the copy-protection software have apparently affected US government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

"I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

This article was first published at SecurityFocus.

Copyright © 2006, SecurityFocus

Sponsored: Network DDoS protection