[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help] 

Status: Not Logged In; Sign In

How Red Light Unlocks Your Body’s Hidden Fat-Burning Switch The Mar-a-Lago Accord Confirmed: Miran Brings Trump's Reset To The Fed ($8,000 Gold) This taboo sex act could save your relationship, expert insists: ‘Catalyst for conversations’ LA Police Bust Burglary Crew Suspected In 92 Residential Heists Top 10 Jobs AI is Going to Wipe Out It’s REALLY Happening! The Australian Continent Is Drifting Towards Asia Broken Germany Discovers BRUTAL Reality Nuclear War, Trump's New $500 dollar note: Armstrong says gold is going much higher Scientists unlock 30-year mystery: Rare micronutrient holds key to brain health and cancer defense City of Fort Wayne proposing changes to food, alcohol requirements for Riverfront Liquor Licenses Cash Jordan: Migrant MOB BLOCKS Whitehouse… Demands ‘11 Million Illegals’ Stay Not much going on that I can find today In Britain, they are secretly preparing for mass deaths These Are The Best And Worst Countries For Work (US Last Place)-Life Balance These Are The World's Most Powerful Cars Doctor: Trump has 6 to 8 Months TO LIVE?! Whatever Happened to Robert E. Lee's 7 Children Is the Wailing Wall Actually a Roman Fort? Israelis Persecute Americans Israelis SHOCKED The World Hates Them Ghost Dancers and Democracy: Tucker Carlson Amalek (Enemies of Israel) 100,000 Views on Bitchute ICE agents pull screaming illegal immigrant influencer from car after resisting arrest Aaron Lewis on Being Blacklisted & Why Record Labels Promote Terrible Music Connecticut Democratic Party Holds Presser To Cry About Libs of TikTok Trump wants concealed carry in DC. Chinese 108m Steel Bridge Collapses in 3s, 16 Workers Fall 130m into Yellow River COVID-19 mRNA-Induced TURBO CANCERS. Think Tank Urges Dems To Drop These 45 Terms That Turn Off Normies Man attempts to carjack a New Yorker

Science/Tech
See other Science/Tech Articles

Title: Still More on Sony's DRM Rootkit
Source: Schneier On Security
URL Source: http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html
Published: Nov 15, 2005
Author: Schneier
Post Date: 2005-11-15 20:19:47 by boonie rat
Keywords: Rootkit, Sonys, Still
Views: 130
Comments: 2

Schneier on Security

A weblog covering security and security technology.

November 15, 2005 Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- http://connected.sonymusic.com, http://updates.xcp-aurora.com and http://license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

Post Comment   Private Reply   Ignore Thread  

#1. To: boonie rat (#0)

Sorry to report that your links don't appear in your post.

Seems that Sony has also used SummComm's MediaMax DRM programs Link.

Here is a technical article on the Sony Rootkit.

Here is a tool (_not_ from Sony) to remove the Sony rootkit.

Here is a tool to detect any rootkit on a Windows system (bottom of page).

Another Mogambo Day

rack42  posted on  2005-11-15   22:02:44 ET  Reply   Trace   Private Reply  

Screw all this DRM shit. Bittorrent anyone.

A K A Stone  posted on  2005-11-15   22:06:14 ET  Reply   Trace   Private Reply  

[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help]