Tuesday, November 15, 2005

Schneier on Security: Still More on Sony's DRM Rootkit:

This story is just getting weirder and weirder (previous posts here and here).

Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who have inadvertently bought them.

Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.

Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.

That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.

Even more interesting is that there may be at least half a million infected computers:

Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.

I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:

Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.

His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.

Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.

In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.

(Via Schneier on Security.)

No comments: