Not only is music publisher Sony BMG in the process of writing the book on how not to do digital rights management, but it also has created a network of at least half a million vulnerable PCs, security researchers have said.
There are also whispers of further research into whether Sony’s much-maligned DRM/rootkit software also contains functionality designed to impair the performance of third-party applications.
Noted security researcher Dan Kaminsky said that he counted at least 568,200 networks that have users that have been compromised by the malicious Trojan program, which was bundled on an unknown number of Sony music CDs.
This is getting into companies, he said.
Separately, a Finnish hacker known as Muzzy said he discovered that the rootkit uninstaller Sony recently released also contains vulnerabilities that can be exploited to break into infected computers via the web.
Muzzy released exploit code to prove his point, which suggests that if it is not already being used by malicious hackers to cause trouble, it soon will be.
Kaminsky said he obtained his results by scanning three million internet-facing domain name system servers, to see if they knew where to find the servers to which the Sony rootkit’s spyware component phones home.
Sony has a rootkit, that rootkit is phoning home. To phone home it needs an IP address, and to get that it uses DNS, Kaminsky said. DNS servers cache previously resolved addresses, so it is possible to test them to see if a certain lookup has been performed.
I’m under no illusions that I’ve got the definitive data, but I did have a sample of three million machines and found one in six [had witnessed the queries], he said.
Because each DNS name server typically serves far more than one person, the number of end hosts that have been compromised by the Sony malware is likely much greater than half a million, but it’s difficult to say how much greater.
The DRM/rootkit has been included on certain music CDs possibly for over a year. It was made for Sony by First4Internet Ltd, a London-based DRM software maker, and goes by the commercial name XCP, for eXtended Copy Protection.
By contrast, security companies call it malware. Computer Associates for example, says: XCP.Sony.Rootkit modifies your operating system at a low level, [and] represents a large threat to both corporate and consumer users’ system integrity.
The list of transgressions is fairly long, for a supposedly legitimate application. The least of which is that it employs social engineering techniques such as misleadingly named programs and license agreements, according to experts.
The biggest beef is that it is a rootkit, the name given to the software crackers use to control machines they have compromised. According to CA, it intercepts all calls for process, directory or registry listings, even those unrelated to the Sony BMG application.
The software also makes itself exceptionally difficult to be uninstalled, digging into the OS so deeply that manual uninstallation attempts can break other device drivers, according to experts.
It also cloaks itself by making any process invisible to the end user if it begins with the prefix $sys$, a feature that third-party malware writers quickly discovered could also be exploited to hide their own nasties.
Indeed, the software had been lurking on PCs for many months before anyone even became aware of its existence.
To even find it you need Mark Russinovich, who’s probably one of the top five Win32 coders in the world outside of Microsoft, said Kaminsky. Russinovich broke the rootkit story on his blog, after discovering it on his own PC in October.
Compounding users’ problems, the uninstaller Sony and First4Internet made available, after getting some bad press, was also defined as malware. It can bluescreen Windows PCs on which it is run, according to CA.
And Muzzy has discovered that the uninstaller, an ActiveX control marked safe for scripting that remains on PCs, permanently, after it is first executed, can be exploited by malicious web pages to run code of the cracker’s choice.
After a virus was released that exploited the original rootkit, Sony BMG decided on November 11, 2005 to temporarily stop using XCP software on its CDs, and it has since been reported that the company is recalling affected CDs from stores.
We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists, Sony said. Nonetheless, as a precautionary measure, Sony BMG is temporarily suspending the manufacture of CDs containing XCP technology.
We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use, the company said in a statement.
Security professionals, who have already been miffed for years that the US Digital Millennium Copyright Act makes it illegal for them to tamper with DRM software, are pretty angry about Sony BMG’s apparent lack of ethics.
I should be able to put a CD into my computer without getting a fricking virus, Kaminsky said. They’re supposed to be a big law-abiding company, they’re not supposed to be out there hax0ring people.
He added that he is aware of not-yet-completed research into whether the DRM/rootkit software contains even more dubious functionality designed to rein in users’ activities.
It has a list of software in there that they would prefer people not to use, Kaminsky said, declining to elaborate. He gave CD-burning software as an example of something on the list. This story is not over yet, he said.