Posted on 11/15/2005 1:43:21 PM PST by dickmc
More than one-half million networks infected by Sony including U.S. military and various countries.
Dan Kaminsky, http://www.doxpara.com/ ,is the expert who broke this and did the work. His U.S. and Europe infection maps are shown below and are frightening. Dan did a hell of a good job.
Search Google News for "sony numbers trouble" for more in an excellent article today that is very worth reading.
with original at http://www.doxpara.com.nyud.net:8090/planetsony_usa.JPG
and for Europe which was not supposed to have any is at 
with the original at http://www.doxpara.com.nyud.net:8090/planetsony_europe.JPG
Any one for a fork and some popcorn?
Could those of you from Utah send the 'search yield' article to Orrin Hatch?
Sony needs to be raked over the coals for this.
Sony is pretty sad.
Sooooo.....uhhhhhh......what's Sony's liability for terrorist exploitation, economic espionage, and business losses due to their induced vulnerabilities?
Maybe someone would like to see the article.
Sony.
Sony has a rootkit.
The rootkit phones home.
Phoning home requires a DNS query.
DNS queries are cached.
Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.
It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .
So what did I find?
Much, much more than I expected.
It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows...unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident. The process of discovering this has led to some significant advances in the art of cache snooping. Here are some of the factors I've dealt with:
Just because you *request* the disabling of recursion, doesn't mean it'll actually happen. A full 353,200 name servers had to be excluded from the final tally because not only would recursive queries emit from them whether or not they were desired, but they'd also notify their neighbors of the results.
Low TTL names exist, and are rather difficult to catch by cache snooping (they expire before you can find proof of life). However, they may be hosted by names that last much longer -- updates.xcp-aurora.com has a lifespan of an hour, but xcp-aurora.com's NS link to resolver1.first4internet.co.uk will last 150,000 seconds.
Some hosts lie -- captive portals, I'm looking at you. Simply filtering TTL's that are divisible by 100 has a way of eliminating most of them; after that, you're left with surprisingly few NS's that lie about IP
Oops. Sony's going to be busy. Rootkits suck!
John Connor, the white courtesy phone, please.
On this, you and I agree wholeheartedly, my FRiend!
For a company that size this is a pretty stupid example of competence.
"I understand that Sony is pulling the offending CDs from the shelves.
"
Oh, they're going to have to do better than that. The infection's already in place. I forsee much trouble for that company in the future.
Here's a tool to detect and remove the Sony Rootkit, as well as the first of the hacker viruses designed to ride on it.
http://www.sophos.com/support/disinfection/rkprf.html
I can't vouch for it since I'm not infected, but it is recommended by several trustworthy sources.
Pulling them from the shelves now isn't a whole lot of help. There are still a lot of them still out there, and a lot of infected computers.
Who do you think would win, Skynet or Colossus?
-PJ
I'm not up this stuff. Translation please. What does this mean for the average Joe?
Skynet, hands down. Skynet was like Colossus with guns, and wanted to kill all humans.
And some wonder why we complain when Congresscritters and Judges try to make decisions about technological issues.
Most of them have no idea what technology is, nor what it does. Yet they write laws -- based on what lobbyests and benefactors tell them WE need.
-PJ
Hey...doesn't P1 rate?
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.