By Quinn Norton
Nov. 15, 2005
More than half a million networks, including military and government
sites, were likely infected by copy-restriction software distributed
by Sony on a handful of its CDs, according to a statistical analysis
of domain servers conducted by a well-respected security researcher
and confirmed by independent experts Tuesday.
Sony BMG has been on the run for almost two weeks with the public
relations debacle of its XCP copy-restriction software, which has
installed an exploit-vulnerable rootkit with at least 20 popular music
titles on PCs all over the world.
While the company has committed to withdrawing the CDs from
production, and is said to be pulling them from the shelves, the
biggest problem remaining for the company, and perhaps the internet as
well, is how many Sony-compromised machines are still out there.
That's a number only Sony knows for sure -- and isn't releasing. One
person, however, is getting closer to a global figure: Dan Kaminsky,
an independent internet security researcher based in Seattle.
Using statistical sampling methods and a secret feature of XCP that
notifies Sony when its CDs are placed in a computer, Kaminsky was able
to trace evidence of infections in a sample that points to the
probable existence of at least one compromised machine in roughly
568,200 networks worldwide. This does not reflect a tally of actual
infections, however, and the real number could be much higher.
Each installation of Sony's rootkit not only hides itself and rewrites
systems drivers, it also communicates back to Sony and the creators of
the software, British company First 4 Internet and Phoenix-based
SunnComm Technologies, who handled the Mac side for Sony.
Sony did not respond to phone calls seeking comment. First 4 Internet
declined to comment for this story.
Kaminsky discovered that each of these requests leaves a trace that he
could follow and track through the internet's domain name system, or
DNS. While this couldn't directly give him the number of computers
compromised by Sony, it provided him the number and location (both on
the net and in the physical world) of networks that contained
compromised computers. That is a number guaranteed to be smaller than
the total of machines running XCP.
His research technique is called DNS cache snooping, a method of
nondestructively examining patterns of DNS use. Luis Grangeia invented
the technique, and Kaminsky became famous in the security community
for refining it.
Kaminsky asked more than 3 million DNS servers across the net whether
they knew the addresses associated with the Sony rootkit --
connected.sonymusic.com, updates.xcp-aurora.com and
license.suncom2.com. He uses a "non-recursive DNS query" that allows
him to peek into a server's cache and find out if anyone else has
asked that particular machine for those addresses recently.
If the DNS server said yes, it had a cached copy of the address, which
means that at least one of its client computers had used it to look up
Sony's digital-rights-management site. If the DNS server said no, then
Kaminsky knew for sure that no Sony-compromised machines existed
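The cache-probing mechanism described above, as an added Python illustration that is not part of the article and not Kaminsky's own tooling: it builds a DNS query with the recursion-desired bit cleared, then classifies a resolver's reply as a cache hit, a miss, a refusal or an authoritative answer (the last two carry no evidence either way). The reply packets, the 192.0.2.10 address and the `snoop()` helper are constructed for this example; the three indicator names are the ones the article lists. A network owner can run the same check against their own resolver to see whether any client behind it has looked up the XCP domains.

```python
"""Non-recursive DNS probe and reply classifier (added example, not from the article)."""
import socket
import struct

# Indicator names quoted in the article.
XCP_DOMAINS = ("connected.sonymusic.com", "updates.xcp-aurora.com", "license.suncom2.com")


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_snoop_query(name, qid=0x1234):
    """Query for an A record with flags = 0x0000, i.e. RD=0: the resolver may only
    answer from what it already has cached and must not go and fetch the name."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(packet, offset):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def classify_response(packet, expected_qid=0x1234):
    """Return (verdict, ttls). 'hit' means the resolver served the record from its
    cache, so some client asked for it earlier; the TTLs show how long ago, roughly."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qid != expected_qid or not flags & 0x8000:      # wrong id or not a response
        return ("invalid", [])
    rcode = flags & 0x000F
    if rcode == 5:                                     # REFUSED: no inference possible
        return ("refused", [])
    if rcode != 0:
        return ("error", [])
    if an == 0:                                        # empty answer: nothing cached
        return ("miss", [])
    if flags & 0x0400:                                 # AA set: server owns the zone
        return ("authoritative", [])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(packet, offset) + 4        # skip QTYPE and QCLASS
    ttls = []
    for _ in range(an):
        offset = _skip_name(packet, offset)
        _rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        ttls.append(ttl)
        offset += 10 + rdlength
    return ("hit", ttls)


def make_reply(name, answers=(), rcode=0, aa=False, qid=0x1234):
    """Constructed resolver reply for offline testing: QR=1, RA=1, optional AA and rcode.
    answers is a list of (ttl, dotted-quad) pairs; addresses used here are constructed."""
    flags = 0x8080 | (0x0400 if aa else 0) | (rcode & 0xF)
    pkt = struct.pack("!HHHHHH", qid, flags, 1, len(answers), 0, 0)
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)
    for ttl, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # pointer to the question name
    return pkt


def snoop(resolver_ip, name, timeout=2.0):
    """Probe one resolver over UDP (not exercised offline); returns classify_response()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_snoop_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


if __name__ == "__main__":
    # Offline demonstration on constructed replies.
    print(classify_response(make_reply(XCP_DOMAINS[0], [(300, "192.0.2.10")])))
    print(classify_response(make_reply(XCP_DOMAINS[1])))
```

The verdict matters as much as the hit: a resolver that refuses non-recursive queries, or that is authoritative for the name, tells you nothing, which is the kind of false-positive filtering Stubblefield credits Kaminsky with in the quotes below.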
The results have surprised Kaminsky himself: 568,200 DNS servers knew
about the Sony addresses. With no other reason for people to visit
them, that points to one or more computers behind those DNS servers
that are Sony-compromised. That's one in six DNS servers, across a
statistical sampling of a third of the 9 million DNS servers Kaminsky
estimates are on the net.
The damage spans 165 countries, with the top five countries being
Spain, the Netherlands, Great Britain, the United States and Japan,
which, with more than 217,000 DNS servers reporting knowledge of
Sony-related addresses, takes the top spot. Could the traffic be from
human visitors? Kaminsky doesn't think so. "Having First 4 Internet at
the scale of 700,000 or 800,000 name servers knowing about it -- it's
just not that popular a site."
Kaminsky doesn't speculate on how many machines may actually be
compromised. "My approach is entirely statistical -- the only people
who know are the people who put together the software themselves. The
problem is they don't have to tell us the truth."
Adam Stubblefield, an assistant research professor of computer science
at Johns Hopkins University, has inspected Kaminsky's methodology, and
noted security researcher Ed Felten of Princeton University is
currently reproducing his work. Stubblefield expresses confidence.
"Dan has done a very careful job of collecting the data, and thought
through all the possibilities for false positives, and filtering out
all the data points," Stubblefield said. "He's produced a lower bound
on the number of (positive DNS servers)."
Should the average person write software that took control of a
computer at the system level without a user's knowledge and
distributed that software across the world, there are plenty of laws
that would put him behind bars. But what happens when Sony does this,
ostensibly to protect its intellectual property?
Jennifer Granick, executive director of Stanford Law School's Center
for Internet and Society and Wired News legal columnist, sees this as
a question of how well-written Sony's end-user license agreement is, a
topic of much conversation in the media lately.
But either way, she noted over IM, "If the EULA did not advise the
user that s/he was installing software on the machine that would
collect information and/or open the machine to vulnerabilities, then
the software arguably violates 18 USC 1030(a)(5)(A)." That's a
criminal charge. But Granick doesn't see criminal prosecution of Sony
any time soon.
"The (Department of Justice) is not going to charge Sony.... They have
never charged a big corporation with a computer crime."
In order to invoke 18 USC 1030, you have to show $5,000 in damages or
damage to a computer system used by or for a government entity in
furtherance of the administration of justice, national defense or
national security. That's another interesting point of Kaminsky's
work, because it shows networks that are part of national security and
civil infrastructure faithfully reporting their existence back to
Sony, along with as-yet-unknown information about the compromised
Granick sees this playing out in civil litigation. Cases are already
pending in California, New York and Italy.
But with Sony backpedaling on the XCP CDs and Microsoft offering a
patch for compromised machines, what more needs to be done? Kaminsky
says withdrawing the CDs or offering signatures to anti-spyware
programs is simply not enough.
"The problem is Sony has done a significant amount of damage, and it's
not enough to stop doing damage," he said. "(This is) something that
needs to be remedied. Microsoft's approach only helps those who are
very well-patched. Sony needs to figure out ways to get rid of it."