[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help] 

Status: Not Logged In; Sign In

Turn Dead Dirt Into Living Soil With IMO 4 Michael Knowles: Trump & Israel, Candace Owens, and Why Christianity Is Booming Despite the Attacks Save Canada's Ostrich Farms! Protests Erupt Over Government Tyranny in Canada Holy SH*T! Poland just admitted the TRUTH about Zelensky and it's not good Very Alarming Earthquakes Strike As We Enter The Month Of September Billionaire Airbnb Co-Founder Reveals Why He Abandoned Democrat Party For Trump Monsoon floods devastate Punjab’s crops, (1.7 billion people) at risk of food crisis List Of 18 Things That Are Going To Happen Within The Next 40 Days Pentagon Taps 600 Military Lawyers To Serve As Temporary Immigration Judges For DOJ 81 Actors Who Have Passed Away So Far in 2025 High school is different now Banks REMOVING CASH and nearing major DISASTER. Prof St Onge. Did America Pick the Wrong Side in WWII? Chicago in CHAOS – Mayor Tells Police to Stand Down as Trump Says ENOUGH Murder Graham Linehan ARRESTED in UK for gender critical tweets - UK COLLAPSE IS IMMINENT Cash Jordan: 400,000 Illegals ‘Forcibly Returned’ To Mexico… as NYC COLLAPSES The ChatGPT CEO's Web Of Lies by Vanessa Wingardh The Fall of the Israel Lobby Has Begun — And This Is Just the Start | Denzel Washington speech 'Statistically Almost Impossible' – 4 AfD Candidates Have Died 'Suddenly And Unexpectedly' Before Key State Election Israel And The West Set The Stage For Next Round Of Warfare On Iran Last night in Milan, an 18-year-old girl was beaten and raped while trying to catch a train home Russia has developed a truly modern system of warfare. Alberta's Independence and Finances Daniela Cambone: 100% Loan Losses Loom as Fed Shrinks Balance Sheet- Tucker Carlson Cash Jordan: ICE HALTS 'Invasion Convoy'... ESCORTS 'Armada' of Illegals BACK to MEXICO Cash Jordan: “We’re Coming In"... Migrant Mob ENTERS ICE HQ, Get ERASED By 'Deportation Unit' Opioids More Likely To Kill Than Car Crashes Or Suicide The association between COVID-19 “vaccines” and cognitive decline Democrats Sink to Near Zero in New Gallup Poll, Theyre Just Not Satisfied

Science/Tech
See other Science/Tech Articles

Title: Still More on Sony's DRM Rootkit
Source: Schneier On Security
URL Source: http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html
Published: Nov 15, 2005
Author: Schneier
Post Date: 2005-11-15 20:19:47 by boonie rat
Keywords: Rootkit, Sonys, Still
Views: 150
Comments: 2

Schneier on Security

A weblog covering security and security technology.

November 15, 2005 Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- http://connected.sonymusic.com, http://updates.xcp-aurora.com and http://license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

Post Comment   Private Reply   Ignore Thread  

#1. To: boonie rat (#0)

Sorry to report that your links don't appear in your post.

Seems that Sony has also used SummComm's MediaMax DRM programs Link.

Here is a technical article on the Sony Rootkit.

Here is a tool (_not_ from Sony) to remove the Sony rootkit.

Here is a tool to detect any rootkit on a Windows system (bottom of page).

Another Mogambo Day

rack42  posted on  2005-11-15   22:02:44 ET  Reply   Trace   Private Reply  

Screw all this DRM shit. Bittorrent anyone.

A K A Stone  posted on  2005-11-15   22:06:14 ET  Reply   Trace   Private Reply  

[Home]  [Headlines]  [Latest Articles]  [Latest Comments]  [Post]  [Sign-in]  [Mail]  [Setup]  [Help]