Security threats Toolkit

Sony rootkit victims 'in every US state'

Tags:
Rootkit,
DRM

Published: 17 Jan 2006 17:40 GMT

A security researcher has revealed that computers in every US state have been affected by copy-restriction software produced by Sony BMG.

Security researcher Dan Kaminsky released the information at the Shmoocon 2006 hacker conference in Washington last week. Florida seems to have the highest number, with 12,588 networks detected that are hosting computers with the DRM installed, according to figures posted by The Washington Post. California and Massachusetts also exhibit high rates of infection, although the numbers are only an estimate as each network could host any number of computers with the Sony software installed.

The digital rights management (DRM) software is automatically installed by some Sony BMG music CDs and is hidden using a rootkit, which can be exploited by a particular type of Trojan horse and hence constitutes a significant security risk.

Kaminsky worked out the locations of machines with the Sony rootkit installed by collating information on communication between the rootkit and Sony — the software contacts Sony each time the CD is played.

"Sony has a rootkit. The rootkit phones home. Phoning home requires a DNS query. DNS queries are cached. Caches are externally testable provided you have a list of all the name servers out there," explains Kaminsky in his blog.

In December, Kaminsky reported that around 560,000 name servers had "witnessed DNS queries related to the rootkit", which he claimed was "much, much more" than he expected.

The problems with Sony's DRM are not limited to US customers, with Kaminsky's research showing that infected PCs can be found in many countries across the world, including many European countries.