http://www.wired.com/news/technology/0,1282,69573,00.html

By Quinn Norton
Nov. 15, 2005

More than half a million networks, including military and government sites, were likely infected by copy-restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts Tuesday.

Sony BMG has been on the run for almost two weeks with the public relations debacle of its XCP copy-restriction software, which has installed an exploit-vulnerable rootkit with at least 20 popular music titles on PCs all over the world. While the company has committed to withdrawing the CDs from production, and is said to be pulling them from the shelves, the biggest problem remaining for the company, and perhaps the internet as well, is how many Sony-compromised machines are still out there.

That's a number only Sony knows for sure -- and isn't releasing.

One person, however, is getting closer to a global figure: Dan Kaminsky, an independent internet security researcher based in Seattle. Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

Each installation of Sony's rootkit not only hides itself and rewrites system drivers, it also communicates back to Sony and the creators of the software, British company First 4 Internet and Phoenix-based SunnComm Technologies, who handled the Mac side for Sony.

Sony did not respond to phone calls seeking comment. First 4 Internet declined to comment for this story.
Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently. If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

The damage spans 165 countries, with the top five countries being Spain, the Netherlands, Great Britain, the United States and Japan, which, with more than 217,000 DNS servers reporting knowledge of Sony-related addresses, takes the top spot.

Could the traffic be from human visitors? Kaminsky doesn't think so. "Having First 4 Internet at the scale of 700,000 or 800,000 name servers knowing about it -- it's just not that popular a site."

Kaminsky doesn't speculate on how many machines may actually be compromised. "My approach is entirely statistical -- the only people who know are the people who put together the software themselves. The problem is they don't have to tell us the truth."

Adam Stubblefield, an assistant research professor of computer science at Johns Hopkins University, has inspected Kaminsky's methodology, and noted security researcher Ed Felten of Princeton University is currently reproducing his work. Stubblefield expresses confidence.

"Dan has done a very careful job of collecting the data, and thought through all the possibilities for false positives, and filtering out all the data points," Stubblefield said. "He's produced a lower bound on the number of (positive DNS servers)."

Should the average person write software that took control of a computer at the system level without a user's knowledge and distributed that software across the world, there are plenty of laws that would put him behind bars. But what happens when Sony does this, ostensibly to protect its intellectual property?

Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society and Wired News legal columnist, sees this as a question of how well-written Sony's end-user license agreement is, a topic of much conversation in the media lately. But either way, she noted over IM, "If the EULA did not advise the user that s/he was installing software on the machine that would collect information and/or open the machine to vulnerabilities, then the software arguably violates 18 USC 1030(a)(5)(A)."

That's a criminal charge. But Granick doesn't see criminal prosecution of Sony any time soon. "The (Department of Justice) is not going to charge Sony.... They have never charged a big corporation with a computer crime."
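The non-recursive query the article describes is simply a standard DNS query with the RD (recursion desired) header bit cleared: a resolver that already holds the record answers from cache, while one that does not will not go and fetch it. The following is an added illustration, not code from the article or from Kaminsky's own tooling; it builds such a probe with only the Python standard library, parses the reply, and classifies it as cached or not cached, using two constructed replies so it runs offline. The resolver address in the usage comment is a placeholder. The practical use for a DNS operator is to point it at their own resolver from outside their network: if the resolver answers non-recursive queries from arbitrary clients, it is exposing which names its clients have looked up, and the fix is to restrict both recursion and cache answers to the resolver's intended clients.

```python
"""DNS cache-snooping probe: a query with the RD bit cleared, plus a reply parser.

Added example, not from the article or from Kaminsky's tools. The hostnames are
the three XCP-related names the article lists; the resolver IP is a placeholder.
"""
import socket
import struct

RD_FLAG = 0x0100          # recursion-desired bit in the DNS header flags
TYPE_A, CLASS_IN = 1, 1   # we probe for A records in class IN


def build_query(name, txid=0x1234, recursive=False):
    """Build a DNS A-record query. With recursive=False the RD bit is 0, so a
    resolver only answers if it already holds the record (or is authoritative)."""
    flags = RD_FLAG if recursive else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode()
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)


def _read_name(data, off):
    """Skip over a (possibly compressed) name; return the offset just after it."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return (txid, rcode, [(ttl, rdata), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _read_name(data, off) + 4           # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = _read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN:
            rdata = ".".join(str(b) for b in rdata)   # dotted-quad for readability
        answers.append((ttl, rdata))
    return txid, flags & 0x000F, answers


def classify(response_bytes):
    """'cached' if the non-recursive probe got an answer, else 'not cached'.
    A cached answer carries its remaining TTL, so a TTL well below the record's
    authoritative TTL means the client lookup happened some time ago."""
    _, rcode, answers = parse_response(response_bytes)
    if rcode == 0 and answers:
        return "cached", min(ttl for ttl, _ in answers)
    return "not cached", None


def snoop(resolver_ip, name, timeout=2.0):
    """Send the non-recursive probe over UDP and classify the reply (does network I/O)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)


# Constructed reply, shaped like one from a resolver that holds the record:
# same txid, QR=1 RA=1 (flags 0x8080), one question echoed back, one A answer
# whose name is a pointer to offset 12, with 600 s of TTL remaining.
SAMPLE_CACHED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
    + build_query("updates.xcp-aurora.com")[12:]
    + b"\xc0\x0c"
    + struct.pack("!HHIH", TYPE_A, CLASS_IN, 600, 4)
    + bytes([192, 0, 2, 10])           # TEST-NET-1 address, constructed
)

# Constructed reply for a name the resolver has never seen: RCODE 0, no answers.
SAMPLE_EMPTY_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0)
    + build_query("license.suncom2.com")[12:]
)

if __name__ == "__main__":
    print(classify(SAMPLE_CACHED_REPLY))   # ('cached', 600)
    print(classify(SAMPLE_EMPTY_REPLY))    # ('not cached', None)
    # Live check against a resolver you operate (placeholder address):
    # print(snoop("192.0.2.53", "connected.sonymusic.com"))
```

Two details matter for interpreting results the way the article's "lower bound" language does. A "not cached" reply is conclusive for that resolver at that moment, while a "cached" reply says only that at least one client behind it resolved the name within the record's TTL; it says nothing about how many. And the remaining TTL is the only timing information leaked, so a resolver that refuses non-recursive queries from outside its client base, or that simply does not answer them from cache, leaks neither.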
In order to invoke 18 USC 1030, you have to show $5,000 in damages or damage to a computer system used by or for a government entity in furtherance of the administration of justice, national defense or national security. That's another interesting point of Kaminsky's work, because it shows networks that are part of national security and civil infrastructure faithfully reporting their existence back to Sony, along with as-yet-unknown information about the compromised computers.

Granick sees this playing out in civil litigation. Cases are already pending in California, New York and Italy.

But with Sony backpedaling on the XCP CDs and Microsoft offering a patch for compromised machines, what more needs to be done? Kaminsky says withdrawing the CDs or offering signatures to anti-spyware programs is simply not enough.

"The problem is Sony has done a significant amount of damage, and it's not enough to stop doing damage," he said. "(This is) something that needs to be remedied. Microsoft's approach only helps those who are very well-patched. Sony needs to figure out ways to get rid of it."
This archive was generated by hypermail 2.1.3 : Tue Nov 15 2005 - 23:45:50 PST