More than half a million networks, including military and government sites, were likely infected by copy restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts on Tuesday.
Sony BMG has been on the run for almost two weeks with the public relations debacle of its XCP copy restriction software, which has installed an exploit-vulnerable rootkit with at least 20 popular music titles on PCs all over the world.
While the company has committed to withdrawing the CDs from production, and is said to be pulling them from the shelves, the biggest problem remaining for the company, and perhaps the internet as well, is how many Sony-compromised machines are still out there.
That's a number only Sony knows for sure -- and isn't releasing. One person, however, is getting closer to a global figure: Dan Kaminsky, an independent internet security researcher based in Seattle.
Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.
Sony did not respond to phone calls seeking comment.
Each installation of Sony's rootkit not only hides itself and rewrites systems drivers, it also communicates back out to Sony, and the creators of the software, British company First4internet and Phoenix-based Suncomm, who handled the Mac side for Sony.
Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name service, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP ......
More is at Wired News here.
Any one for a fork and some popcorn?
Could someone from Utah send the Wired article to Orrin Hatch?