DNS Snooping Shows Widespread Sony Rootkit

A DNS expert says the number of rootkit-infected machines from Sony's DRM could number in the millions. Security companies are providing removal tools and firewall filters.

By Michael Hall | Posted Nov 16, 2005

Sony's controversial rootkit protection scheme is finding itself unwelcome on more and more networks as security vendors move to block and remove the software.

The company today announced that it's recalling CDs utilizing Extended Copyright Protection (XCP), even as security experts warn that Sony's aggressive protection software may have infected millions of PCs.

Dan Kaminsky, a noted DNS expert, took data from the DNS queries generated by Sony's rootkit and mapped them on a digital globe Tuesday.

It seems that the DRM software also contacts Sony's Web servers to announce its presence. Each time that connection is made, Kaminsky noted in his blog, it leaves a footprint in name servers that can be tracked through a technique called DNS cache snooping.

Kaminsky discovered that at least 568,200 name servers contained entries related to the rootkit. While the method doesn't reveal exactly how many end-user computers are affected, since many users can share one name server, "at that scale, it doesn't take much to make this a multi-million host, worm-scale incident," he wrote.
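The cache-snooping technique described above works because a resolver answers a query whose Recursion Desired (RD) bit is clear only from its own cache: a positive answer means a client behind that resolver recently looked the name up, and the remaining TTL tells roughly how long ago. The following Python script is an added illustration written for this article, not Kaminsky's code or Sony's; it builds a non-recursive A query, parses the response, and classifies the result. The name `example.com`, the address `192.0.2.1`, the TTL values and the two sample responses are constructed so the parsing and classification can be exercised offline; the `snoop()` function performs the same check live and is meant for auditing a resolver you administer, to confirm it does not answer non-recursive queries from outside its network.

```python
"""DNS cache snooping check (added example, not the article's or Kaminsky's code).
A query with RD=0 is answered only from cache, so the answer reveals whether
the name was recently looked up through that resolver."""
import socket
import struct
from typing import Optional


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format: length-prefixed labels, then 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, recursive: bool = False) -> bytes:
    """Build a DNS A/IN query. With recursive=False the RD flag (0x0100) is clear,
    which is what makes the query a cache probe rather than a normal lookup."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return header + question


def skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Parse the header and answer section; return rcode, RA flag and (type, ttl, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        offset = skip_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        answers.append((rtype, ttl, data[offset:offset + rdlen]))
        offset += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "ra": bool(flags & 0x0080), "answers": answers}


def classify(response: dict, authoritative_ttl: Optional[int] = None) -> str:
    """Interpret a non-recursive response. An answer means the name was cached; if the
    zone's authoritative TTL is known, the remaining TTL gives the age of the entry."""
    if response["rcode"] != 0 or not response["answers"]:
        return "not cached"
    ttl = min(ttl for _, ttl, _ in response["answers"])
    if authoritative_ttl is not None:
        return f"cached, looked up about {authoritative_ttl - ttl}s ago"
    return f"cached, {ttl}s left in cache"


def snoop(resolver_ip: str, name: str, timeout: float = 2.0) -> str:
    """Live check against a resolver you administer (not exercised by the offline sample)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data))


# Constructed sample responses (not captured traffic). Flags 0x8180 = QR, RD, RA set, rcode 0.
# SAMPLE_HIT: one A record for example.com -> 192.0.2.1 with 120 s of TTL remaining.
SAMPLE_HIT = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
              + encode_name("example.com") + struct.pack("!HH", 1, 1)
              + b"\xc0\x0c"                                   # pointer to the question name
              + struct.pack("!HHIH", 1, 1, 120, 4) + bytes([192, 0, 2, 1]))
# SAMPLE_MISS: same question, empty answer section, as a resolver returns on a cache miss.
SAMPLE_MISS = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
               + encode_name("example.com") + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    print("hit: ", classify(parse_response(SAMPLE_HIT), authoritative_ttl=3600))
    print("miss:", classify(parse_response(SAMPLE_MISS)))
```

If a resolver you run answers such probes from arbitrary source addresses, it is exposing its users' lookup history in exactly the way the article describes; the usual fix is to restrict who may query the cache (in BIND, `allow-query-cache` and `allow-recursion` limited to your own networks).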

He then used the IP addresses of the name servers and mapped them using the libipgeo and IP2LOCATION applications, showing a DNS spread that covers more than half the U.S. Mapping data shows widespread use in Asia and Europe, as well.

Several security companies have responded to Sony's DRM software by providing tools for removing it and filtering the network traffic it sends out.

Symantec has provided a removal tool, and warns that manual removal of the software "may damage the compromised computer's operating system and may violate the manufacturer's end-user license agreement."

Barracuda Networks today announced that its spyware and spam firewall products will detect and block the rootkit's outgoing communications and will block viruses written to take advantage of the security vulnerabilities Sony's software created. According to Barracuda CEO Dean Drako, his company has tracked at least three virus strains spread via e-mail that exploit the rootkit.

Microsoft announced that its Windows Defender product will remove the software as part of its December update.

Even the federal government has gotten in on the act, with Stewart Baker, an assistant secretary with the Department of Homeland Security, noting: "It's very important to remember that it's your intellectual property; it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

With reporting by Jim Wagner at internetnews.com
