[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help] 

Status: Not Logged In; Sign In

The Media Flips Over Tulsi & Matt Gaetz, Biden & Trump Take A Pic, & Famous People Leave Twitter! 4 arrested in California car insurance scam: 'Clearly a human in a bear suit' Silk Road Founder Trusts Trump To 'Honor His Pledge' For Commutation "You DESERVED to LOSE the Senate, the House, and the Presidency!" - Jordan Peterson "Grand Political Theatre"; FBI Raids Home Of Polymarket CEO; Seize Phone, Electronics Schoolhouse Limbo: How Low Will Educators Go To Better Grades? BREAKING: U.S. Army Officers Made a Desperate Attempt To Break Out of The Encirclement in KURSK Trumps team drawing up list of Pentagon officers to fire, sources say Israeli Military Planning To Stay in Gaza Through 2025 Hezbollah attacks Israeli army's Tel Aviv HQ twice in one day People Can't Stop Talking About Elon's Secret Plan For MSNBC And CNN Is Totally Panicking Tucker Carlson UNLOADS on Diddy, Kamala, Walz, Kimmel, Rich Girls, Conspiracy Theories, and the CIA! "We have UFO technology that enables FREE ENERGY" Govt. Whistleblowers They arrested this woman because her son did WHAT? Parody Ad Features Company That Offers to Cryogenically Freeze Liberals for Duration of TrumpÂ’s Presidency Elon and Vivek BEGIN Reforming Government, Media LOSES IT Dear Border Czar: This Nonprofit Boasts A List Of 400 Companies That Employ Migrants US Deficit Explodes: Blowout October Deficit Means 2nd Worst Start To US Fiscal Year On Record Gaetz Resigns 'Effective Immediately' After Trump AG Pick; DC In Full Blown Panic MAHA MEME noone2222 and John Bolton sitting in a tree K I S S I N G Donald Trump To Help Construct The Third Temple? "The Elites Want To ROB Us of Our SOVEREIGNTY!" | Robert F Kennedy Take Your Money OUT of THESE Banks NOW! - Jim Rickards Trump Taps Tulsi Gabbard As Director Of National Intelligence DC In Full Blown Panic After Trump Picks Matt Gaetz For Attorney General Cleveland Clinic Warns Wave of Mass Deaths Will Wipe Out Covid-Vaxxed Within ‘5 Years’ Judah-ism is as Judah-ism does Danger ahead: November 2024, Boston Dynamics introduces a fully autonomous "Atlas" robot. Robot humanoids are here. Trump names [Fox News host] Pete Hegseth as his Defense secretary

Science/Tech
See other Science/Tech Articles

Title: Still More on Sony's DRM Rootkit
Source: Schneier On Security
URL Source: http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html
Published: Nov 15, 2005
Author: Schneier
Post Date: 2005-11-15 20:19:47 by boonie rat
Keywords: Rootkit, Sonys, Still
Views: 107
Comments: 2

Schneier on Security

A weblog covering security and security technology.

November 15, 2005 Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- http://connected.sonymusic.com, http://updates.xcp-aurora.com and http://license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

Post Comment   Private Reply   Ignore Thread  

#1. To: boonie rat (#0)

Sorry to report that your links don't appear in your post.

Seems that Sony has also used SummComm's MediaMax DRM programs Link.

Here is a technical article on the Sony Rootkit.

Here is a tool (_not_ from Sony) to remove the Sony rootkit.

Here is a tool to detect any rootkit on a Windows system (bottom of page).

Another Mogambo Day

rack42  posted on  2005-11-15   22:02:44 ET  Reply   Trace   Private Reply  

Screw all this DRM shit. Bittorrent anyone.

A K A Stone  posted on  2005-11-15   22:06:14 ET  Reply   Trace   Private Reply  

[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help]