At first glance, Dan Kaminsky’s bright red-colored map of the world looks like a visualization of global population - but it’s actually a map of networks carrying Sony’s DRM software. The computer security expert estimated the number of infected networks and superimposed the data as red dots on a map of the world. The result is a impressively red globe. Kaminsky told TG Daily that "there could be three million or more infected computers."
Sony’s highly controversial DRM software "XCP" is installed when users insert certain Sony music CDs into their computers. Kaminsky and other security experts have called XCP a rootkit, while others like the virus protection company F-Secure classify XCP as a virus. In a recent TG Daily interview, Matthew Gilliat-Smith, chief executive officer of First 4 Internet, claimed that XCP "is not malware, not spyware." Kaminsky disagrees and told us that "this program is aggressive and is not designed to be removed. It treats the user as the enemy and hides its processes and the person that discovered XCP had to be one of the top Win32 people in the world."
After poking around with XCP, Kaminsky discovered that the software sends out a DNS lookup request to find its home server. "It turns out that Sony releases a rootkit, it calls home and everyone knows this. But it happens to use a DNS lookup to do that," he said. According to Kaminsky, phoning home is done by many programs and could be completely innocent, but in Sony’s case it’s different he says : "When it’s done in an environment where the program is trying to hide itself, then it’s malware."
During a DNS lookup, computers ask a DNS server to give an IP address that matches a domain name such as www.tgdaily.com. The name makes it easier for people to remember the site, but it is actually the IP address that helps the computer connect to the server. Kaminsky said that he was able to access most DNS servers and pull up whether computers have requested the address to XCP’s home. "There has to be a response that gets cached on the server and this might be useful to a guy like me. I know most of the name servers because I audit them all on a regular basis. So this past Friday, I started scanning," said Kaminsky.
At first, Kaminsky told us that he expected to find 50,000 to 100,000 servers that had given out the request, but he found much more. "I found 950,000 servers that had given out the request, but I eliminated about 350,000 as false positives," says Kaminsky. On Kaminsky’s website, www.doxpara.com, he estimates a total of 568,200 nameservers that have dished out XCP’s phone home request. Kaminsky was shocked at the total, saying, "At that point, I realized this was not a small problem."
|Dan Kaminsky’s estimates of the reach
of Sony’s DRM software
Raw data is one thing, but the human brain is designed to see patterns and prefers graphical representations of data. Computer graphics is another specialty of Kaminsky’s and he took the data and fed it into IPGEO and Partiview, both open-source programs that help plot out data on an image. In this case, he used a globe and found the resulting image to look like an infection, adding, "This is at pandemic levels and is like the battle days of old worms."
While Kaminsky has found DNS servers that have responded to clients, exactly how many computers are infected ? DNS servers are found in homes and small companies, all the way up to large businesses and ISPs. While there could only be one affected computer behind the DNS server, Kaminsky explained, "There could be just one host or 10,000 hosts. Even if we take a conservative guess and say five or six, this means three million infected computers."
Kaminsky cautions that his data could be off and says that he could have underestimated the amount of DNS servers. "I have a limited view and I fear how big this is because there are many name servers that I can’t talk to. I welcome Sony to correct me, but I don’t think they are very motivated to do so," says Kaminsky.
Sony has just announced that they are pulling the affected CDs and offering customers who have already purchased them a direct swap.