Researcher: Sony BMG "rootkit" still widespread
Robert Lemos, SecurityFocus 2006-01-16

WASHINGTON D.C. -- Hundreds of thousands of networks across the globe,
including many military and government networks, appear to still contain PCs
with the controversial copy-protection software installed by music discs
sold by media giant Sony BMG, a security researcher told attendees at the
ShmooCon hacking conference this weekend.

Building on previous research that suggested some 570,000 networks had
computers affected by the software, infrastructure security expert Dan
Kaminsky used a different address used by the copy protection software to
estimate that, a month later, 350,000 networks--many belonging to the
military and government--contain computers affected by the software.

"It is unquestionable that Sony's code has gotten into military and
government networks, and not necessarily just U.S. military and government
networks," Kaminsky said in an interview after his presentation at ShmooCon.
The researcher would not say how many networks belonged to government or
military top-level domains.

The latest research results come as Sony BMG is attempting to finish up
this particular embarrassing chapter in the company's use of digital-rights
management software. Earlier this month, a New York district court judge
gave the nod to a settlement penned by Sony BMG and the attorneys for six
class-action lawsuits in the state. More than 15 other lawsuits are pending
against the media giant, according to court filings.

The controversy surrounds several flaws in two types of copy-protection
software used on Sony BMG music CDs and the company's previous practices of
hiding the software from a computer's user and making removal of the
software extremely inconvenient. The two practices--considered unfair by the
Attorney General for the State of Texas, whose office sued Sony
BMG--resemble "rootkit" techniques used by malicious Internet attackers.

Sony BMG uses two types of digital-rights management (DRM) software: the
Extended Copy Protection (XCP) program created by First 4 Internet and the
MediaMax program created by SunnComm.

Kaminsky's research uses a feature of domain-name system (DNS) servers: The
computers will tell whether an address has recently been looked up by the
server. The security researcher worked from a list of 9 million domain-name
servers, about 3 million of which are reachable by computers outside their
networks. Kaminsky sent DNS requests to the 3 million systems, asking each
to look up whether an address used by the XCP software--in this case, in the systems' caches.

During his first survey, carried out over three days in mid-November, he
found 568,000 DNS servers had previously been asked to look up three
different server addresses used by the XCP software. Another 350,000 servers
had to be thrown out from the data set because they did not obey commands to
only look in their cache, and instead asked for information from other
servers on the Internet.
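
A cache-only lookup of the kind described above is an ordinary DNS query with the Recursion Desired (RD) bit cleared, which a resolver operator can recognize in incoming traffic. The Python below is an added example, not part of the original article or of Kaminsky's tooling; the internal network range, the hostname drm-host.example and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Assumption: the networks this resolver is meant to serve.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RD_BIT, QR_BIT = 0x0100, 0x8000

def build_query(qname, rd, txid=0x1234):
    """Build a minimal A-record query; rd sets the Recursion Desired bit."""
    header = struct.pack("!HHHHHH", txid, RD_BIT if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query(packet):
    """Return (is_query, rd, qname) for a DNS message in wire format."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        length = packet[pos]
        if length & 0xC0 or pos + 1 + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    if pos >= len(packet):
        raise ValueError("truncated QNAME")
    return not flags & QR_BIT, bool(flags & RD_BIT), ".".join(labels)

def flag_probes(events):
    """Return (source, qname) for RD=0 queries arriving from outside INTERNAL_NETS."""
    hits = []
    for src, packet in events:
        is_query, rd, qname = parse_query(packet)
        external = not any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)
        if is_query and not rd and external:
            hits.append((src, qname))
    return hits

# Constructed sample traffic (documentation addresses, placeholder hostname).
SAMPLE = [
    ("10.1.2.3", build_query("drm-host.example", rd=True)),      # normal client lookup
    ("203.0.113.7", build_query("drm-host.example", rd=False)),  # external cache-only query
    ("10.9.9.9", build_query("drm-host.example", rd=False)),     # internal, not flagged
]

if __name__ == "__main__":
    for src, qname in flag_probes(SAMPLE):
        print(f"cache-only query for {qname} from {src}")
```

A resolver that answers only its own clients gives external RD=0 queries nothing to read from its cache.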

In the most recent survey, which lasted between December 15 and December 23, he
found 350,000 servers had the unique address in their caches. While other
factors may increase or decrease the number, Kaminsky continues to stress
that the experiment is about finding out the magnitude of the impact of Sony
BMG's software.

"The data shows that this is most likely a hundreds-of-thousands to millions
of victims issue," Kaminsky said.

The data might also show how widespread piracy has become. The 52 music
titles released with the XCP software were only released in North America,
he said. However, the networks apparently affected by the Sony BMG issue
covered 135 countries. About 4.7 million discs were manufactured and about
2.1 million had sold, according to Sony statements.

"The global scope is the big mystery here," he said. "It is fairly likely
that a lot of the discs were pirated."

In December, Sony BMG changed the banner ad that displays on PCs that play a
CD to a graphic that asks users to download the uninstaller. The
graphical reminder showed that Sony BMG is taking the threat seriously,
Kaminsky said, and could be responsible for much of the decrease in his
numbers. Sony BMG could not be reached for comment on Monday.

While the security issues related to the copy-protection software have
apparently affected U.S. government and military computers, the Department
of Justice will not likely get involved, said Jennifer Granick, executive
director of the Center for Internet and Society at Stanford Law School.

"I don't see the federal government suing a big company like Sony," she
said. "The fact that military networks have likely been affected by this
won't change that."
