
Researcher: Sony BMG rootkit still widespread

'The global scope is the big mystery here'


WASHINGTON D.C. - Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky checked for a different address used by the copy-protection software and estimated that, a month later, 350,000 networks - many belonging to the military and government - contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains.

The latest research results come as Sony BMG is attempting to finish up this particular embarrassing chapter in the company's use of digital-rights management software. Earlier this month, a New York district court judge gave the nod to a settlement penned by Sony BMG and the attorneys for six class-action lawsuits in the state. More than 15 other lawsuits are pending against the media giant, according to court filings.

The controversy surrounds several flaws in two types of copy-protection software used on Sony BMG music CDs and the company's previous practices of hiding the software from a computer's user and making removal of the software extremely inconvenient. The two practices - considered unfair by the Attorney General for the State of Texas, whose office sued Sony BMG - resemble "rootkit" techniques used by malicious internet attackers.

Sony BMG uses two types of digital-rights management (DRM) software: the Extended Copy Protection (XCP) program created by First 4 Internet and the MediaMax program created by SunnComm.

Kaminsky's research uses a feature of domain-name system (DNS) servers: a server will tell whether it has recently looked up an address. The security researcher worked from a list of nine million domain-name servers, about three million of which are reachable by computers outside their networks. Kaminsky sent DNS requests to the three million systems, asking each to look up whether an address used by the XCP software - in this case, xcpimages.sonybmg.com - was in the systems' caches.

During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet.
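The cache-only lookup described above, shown at the DNS wire level as an added example (not Kaminsky's tooling and not code from the article): a query with the recursion-desired bit cleared, and a classifier for the reply. The replies are constructed byte strings and nothing is sent on the network; `authoritative_ttl` and the full-TTL heuristic for spotting a server that recursed anyway are assumptions.

```python
import struct

QNAME = "xcpimages.sonybmg.com"  # the XCP address named in the article

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_query(name, txid, recursion_desired=False):
    """A-record query; RD (0x0100) cleared means 'answer from cache only'."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify_response(msg, authoritative_ttl):
    """Return (verdict, remaining_ttl) for a reply to a non-recursive query."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    if flags & 0x000F or an == 0:      # error RCODE or empty answer section
        return ("not-cached", None)
    off = skip_name(msg, off)
    _rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    # Assumed heuristic: a full TTL suggests the server recursed despite RD=0.
    if ttl >= authoritative_ttl:
        return ("suspect-recursed", ttl)
    return ("cached", ttl)

def make_response(query, ttl=None):
    """Constructed reply for the demo: QR=1, RA=1, optional single A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8080, 1, 0 if ttl is None else 1, 0, 0)
    body = query[12:]
    if ttl is not None:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([192, 0, 2, 1])
    return header + body

query = build_query(QNAME, txid=0x1234)
for ttl in (1200, None, 3600):  # constructed cases; 3600 is an assumed zone TTL
    print(ttl, classify_response(make_response(query, ttl), authoritative_ttl=3600))
```

A partly decayed TTL is what distinguishes a genuine cache hit; a record cached an instant before the probe also shows a full TTL, so the third verdict marks a data point to discard rather than proof of recursion.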

In the most recent survey, which lasted from December 15 to December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software.

"The data shows that this is most likely a hundreds-of-thousands to millions of victims issue," Kaminsky said.

The data might also show how widespread piracy has become. The 52 music titles released with the XCP software were only released in North America, he said. However, the network apparently affected by the Sony BMG issue covered 135 countries. About 4.7 million discs were manufactured and about 2.1 million had sold, according to Sony statements.

"The global scope is the big mystery here," he said. "It is fairly likely that a lot of the discs were pirated."

In December, Sony BMG changed the banner ad that displays on PCs that play a CD to a graphic that requests them to download the uninstaller. The graphical reminder showed that Sony BMG is taking the threat seriously, Kaminsky said, and could be responsible for much of the decrease in his numbers. Sony BMG could not be reached for comment on Monday.

While the security issues related to the copy-protection software have apparently affected US government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

"I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

This article was first published at SecurityFocus.

Copyright © 2006, SecurityFocus
