Researcher: Sony BMG rootkit still widespread

'The global scope is the big mystery here'

WASHINGTON D.C. - Hundreds of thousands of networks across the globe, including many military and government networks, appear to still contain PCs with the controversial copy-protection software installed by music discs sold by media giant Sony BMG, a security researcher told attendees at the ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had computers affected by the software, infrastructure security expert Dan Kaminsky queried for a different address used by the copy-protection software and estimated that, a month later, 350,000 networks - many belonging to the military and government - contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and government networks, and not necessarily just U.S. military and government networks," Kaminsky said in an interview after his presentation at ShmooCon. The researcher would not say how many networks belonged to government or military top-level domains.

The latest research results come as Sony BMG is attempting to finish up this particularly embarrassing chapter in the company's use of digital-rights management software. Earlier this month, a New York district court judge gave the nod to a settlement penned by Sony BMG and the attorneys for six class-action lawsuits in the state. More than 15 other lawsuits are pending against the media giant, according to court filings.

The controversy surrounds several flaws in two types of copy-protection software used on Sony BMG music CDs and the company's previous practices of hiding the software from a computer's user and making removal of the software extremely inconvenient. The two practices - considered unfair by the Attorney General for the State of Texas, whose office sued Sony BMG - resemble "rootkit" techniques used by malicious internet attackers.

Sony BMG uses two types of digital-rights management (DRM) software: the Extended Copy Protection (XCP) program created by First 4 Internet and the MediaMax program created by SunnComm.

Kaminsky's research uses a feature of domain-name system (DNS) servers: a server will tell whether an address has recently been looked up through it. The security researcher worked from a list of nine million domain-name servers, about three million of which are reachable by computers outside their networks. Kaminsky sent DNS requests to the three million systems, asking each to look up whether an address used by the XCP software - in this case, xcpimages.sonybmg.com - was in the systems' caches.

During his first survey, carried out over three days in mid-November, he found 568,000 DNS servers had previously been asked to look up three different server addresses used by the XCP software. Another 350,000 servers had to be thrown out from the data set because they did not obey commands to only look in their cache, and instead asked for information from other servers on the Internet.
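
Seen from the operator of one of the surveyed name servers, the probe described above is a query with the recursion-desired (RD) bit cleared that arrives from outside the network. The following added example (not from the article or from Kaminsky's tooling) parses a query in RFC 1035 wire format and flags that pattern; `INTERNAL_NETS`, the function names and the sample addresses are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

# Assumption: address ranges of the resolver's legitimate clients.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def parse_query(packet: bytes):
    """Return (recursion_desired, qname) for a DNS query in RFC 1035 wire format."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount < 1:          # QR bit set means a response
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:                        # root label ends the name
            break
        if length & 0xC0 or pos + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace").lower())
        pos += length
    return bool(flags & 0x0100), ".".join(labels)   # 0x0100 is the RD bit

def is_cache_probe(src_ip: str, packet: bytes) -> bool:
    """True when a client outside INTERNAL_NETS asks with RD=0 (cache-only lookup)."""
    recursion_desired, _qname = parse_query(packet)
    addr = ipaddress.ip_address(src_ip)
    return not recursion_desired and not any(addr in net for net in INTERNAL_NETS)

def sample_query(qname: str, rd: bool) -> bytes:
    """Build a constructed A/IN query for the samples below (never sent anywhere)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed traffic: (source address, query bytes); 203.0.113.0/24 is a documentation range.
SAMPLES = [
    ("10.1.2.3", sample_query("xcpimages.sonybmg.com", rd=True)),      # own client
    ("203.0.113.7", sample_query("xcpimages.sonybmg.com", rd=False)),  # outside, cache-only
    ("203.0.113.7", sample_query("xcpimages.sonybmg.com", rd=True)),   # outside, recursive
]

def flagged(samples):
    """Return (source, qname) for every query that looks like a cache probe."""
    return [(src, parse_query(pkt)[1]) for src, pkt in samples if is_cache_probe(src, pkt)]
```

A resolver that answers only its own clients gives outside parties nothing to read from its cache, so a flagged query is also a sign that the server is reachable from networks it was not meant to serve.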

In the most recent survey, which lasted between December 15 and December 23, he found 350,000 servers had the unique address in their caches. While other factors may increase or decrease the number, Kaminsky continues to stress that the experiment is about finding out the magnitude of the impact of Sony BMG's software.

"The data shows that this is most likely a hundreds-of-thousands to millions of victims issue," Kaminsky said.

The data might also show how widespread piracy has become. The 52 music titles released with the XCP software were only released in North America, he said. However, the networks apparently affected by the Sony BMG issue covered 135 countries. About 4.7 million discs were manufactured and about 2.1 million had sold, according to Sony statements.

"The global scope is the big mystery here," he said. "It is fairly likely that a lot of the discs were pirated."

In December, Sony BMG changed the banner ad that displays on PCs that play a CD to a graphic that requests them to download the uninstaller. The graphical reminder showed that Sony BMG is taking the threat seriously, Kaminsky said, and could be responsible for much of the decrease in his numbers. Sony BMG could not be reached for comment on Monday.

While the security issues related to the copy-protection software have apparently affected US government and military computers, the Department of Justice will not likely get involved, said Jennifer Granick, executive director of the Center for Internet and Society at Stanford Law School.

"I don't see the federal government suing a big company like Sony," she said. "The fact that military networks have likely been affected by this won't change that."

This article was first published at SecurityFocus.

Copyright © 2006, SecurityFocus