Science/Tech

Title: Still More on Sony's DRM Rootkit
Source: Schneier On Security
URL Source: http://www.schneier.com/blog/archives/2005/11/still_more_on_s_1.html
Published: Nov 15, 2005
Author: Schneier
Post Date: 2005-11-15 20:19:47 by boonie rat
Keywords: Rootkit, Sonys, Still
Views: 152
Comments: 2

Schneier on Security

A weblog covering security and security technology.

November 15, 2005

Still More on Sony's DRM Rootkit

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- http://connected.sonymusic.com, http://updates.xcp-aurora.com and http://license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.
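The non-recursive probe the Wired excerpt describes, as an added example written from a resolver operator's side (this is not code from the post, from Kaminsky or from Grangeia): build a query with the RD bit cleared, then read the reply to tell whether the name was already in that resolver's cache. A resolver hardened against snooping answers such probes from outside its own network with RCODE REFUSED, and the classifier reports that case too. The three sample replies are constructed, not captured traffic.

```python
import random
import struct

QR, RD, REFUSED = 0x8000, 0x0100, 5  # response bit, recursion-desired bit, RCODE

def build_query(name, txid=None, recursion_desired=False):
    """Wire-format A query; with RD cleared the resolver may answer only from cache."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack(">HHHHHH", txid, RD if recursion_desired else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(msg, sent_txid):
    """Classify a reply to a non-recursive probe: (status, lowest answer TTL or None)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != sent_txid or not (flags & QR):
        return ("mismatch", None)
    if (flags & 0x000F) == REFUSED:  # hardened resolver: outsiders get no cache access
        return ("refused", None)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(msg, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return ("cached", min(ttls)) if ttls else ("not-cached", None)  # cached: a client behind it asked recently

# Constructed sample replies (not captured traffic) to one probe: a cached A
# record (TTL 3600, TEST-NET-3 address), an empty answer, and a REFUSED reply.
TXID = 0x1234
QUESTION = build_query("connected.sonymusic.com", txid=TXID)[12:]
def _hdr(flags, an):
    return struct.pack(">HHHHHH", TXID, flags, 1, an, 0, 0)
A_RECORD = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xcb\x00\x71\x05"
SAMPLE_CACHED = _hdr(0x8080, 1) + QUESTION + A_RECORD
SAMPLE_EMPTY = _hdr(0x8080, 0) + QUESTION
SAMPLE_REFUSED = _hdr(0x8085, 0) + QUESTION
```

To check your own resolver, send the bytes from build_query over UDP port 53 and hand the reply to classify_response; on BIND the allow-recursion and allow-query-cache ACLs are the usual controls that keep outside hosts from reading the cache this way.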


#1. To: boonie rat (#0)

Sorry to report that your links don't appear in your post.

Seems that Sony has also used SunnComm's MediaMax DRM programs Link.

Here is a technical article on the Sony Rootkit.

Here is a tool (_not_ from Sony) to remove the Sony rootkit.

Here is a tool to detect any rootkit on a Windows system (bottom of page).

Another Mogambo Day

rack42 posted on 2005-11-15 22:02:44 ET


#2. To: boonie rat (#0)

Screw all this DRM shit. Bittorrent anyone.

A K A Stone posted on 2005-11-15 22:06:14 ET

