Sony's Rootkit Is on 500,000 Systems, Expert Says

By Paul F. Roberts - November 15, 2005

      Sony BMG will have a big job ahead of it as it tries to replace all copies of controversial copy protection software, according to a computer security expert, who says that he has evidence there are more than 500,000 versions of the program installed worldwide.

Dan Kaminsky, an independent security researcher, discovered evidence of the so-called "rootkit"-style stealth programs, developed by U.K. firm First 4 Internet Ltd. and used by Sony, while conducting an audit of the DNS (Domain Name System) infrastructure. Sony BMG has declined past requests to comment on the number of systems that run the software, known as XCP. However, Kaminsky's figures, if true, suggest that the software, which shipped on CDs by just 20 Sony BMG artists, has already been distributed and installed widely around the world.

      Sony BMG said on Tuesday that it would allow customers to exchange CDs with the XCP technology for copies that did not have the copy protection software installed. The company did not respond to e-mail and phone requests for comment on the number of XCP installations. First 4 Internet CEO Mathew Gilliat-Smith said he had no further comment on the controversy over XCP.

Machines running the XCP copy protection software, which is almost totally invisible to Windows users, can be found in almost every country in the world, from Afghanistan (1) to Zambia (2), though the vast majority are running in just three countries: Japan, the U.S. and the United Kingdom, according to figures provided to eWEEK by Kaminsky.

More than 200,000 copies of the program are installed on computers in Japan, with around 130,000 running on computers in the United States. The United Kingdom has about 44,000 copies of the program installed, Kaminsky's research shows.

The Netherlands and Spain both have more than 27,000 copies of the program running, followed by Korea, Peru, France, Australia and Switzerland with between 8,000 and 12,000 installations each.

Kaminsky, who is known for his novel security research on core Internet components like the TCP/IP communications protocol, identified systems running the copy protection software from First 4 Internet using a technique called "DNS cache sniffing." Kaminsky searched through the saved (or "cached") DNS requests submitted to a large number of the world's publicly accessible DNS servers and looked for requests for domains associated with the XCP software, such as update.xcp-aurora.com and connected.sonymusic.com.

      DNS is a network of computer servers that match up Internet user requests for Internet domains, like eweek.com, with IP addresses that machines recognize.

      Kaminsky used a database of around three million DNS name servers he had compiled for unrelated research into security vulnerabilities in the DNS system.


      The search turned up almost one million references to the XCP and Sony domains. Kaminsky weeded out duplicate or forwarded requests from that number and narrowed the list down to 568,000 requests from unique IP addresses on the Internet.

He used geolocation software to associate the IP address of each machine that had looked up the XCP domains with a particular country, he said.
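The mechanics behind the "DNS cache sniffing" described above, as an added illustration that is not from the article or from Kaminsky's own tooling: the query is sent with the recursion-desired (RD) bit cleared, so a resolver answers only from what it already has cached, and a non-empty answer section means some client of that resolver recently looked the name up. The replies below are constructed in code so the example runs offline against no real resolver; a resolver operator can apply the same classification to their own server to confirm it returns REFUSED to such queries from outside clients, which is the usual mitigation.

```python
import struct

# Domain named in the article as one the XCP software contacts.
XCP_DOMAIN = "update.xcp-aurora.com"


def build_snoop_query(name, txid=0x1234):
    """Build a DNS wire-format A/IN query with the RD bit cleared (flags=0).
    A resolver honouring RD=0 answers only from its cache, never recursing."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # A, IN


def classify_response(resp):
    """Classify a resolver's reply to an RD=0 query from its 12-byte header.
    'refused'    : RCODE 5, the resolver will not serve this client (good).
    'cached'     : at least one answer RR, so the name was recently resolved.
    'not_cached' : no answer RRs (typically NOERROR with only a referral)."""
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F == 5:
        return "refused"
    return "cached" if ancount > 0 else "not_cached"


def make_response(query, answer_ip=None, rcode=0):
    """Constructed reply for offline demonstration (no resolver is contacted).
    Echoes the question section and optionally appends one A record."""
    ancount = 1 if answer_ip else 0
    flags = 0x8000 | rcode                      # QR=1, RD/RA left clear
    resp = query[:2] + struct.pack(">HHHHH", flags, 1, ancount, 0, 0)
    resp += query[12:]                          # copy question verbatim
    if answer_ip:
        # Name is a compression pointer (0xC00C) to the question at offset 12.
        resp += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4)
        resp += bytes(int(o) for o in answer_ip.split("."))
    return resp


if __name__ == "__main__":
    q = build_snoop_query(XCP_DOMAIN)
    for label, r in [("cached", make_response(q, "192.0.2.10")),
                     ("empty", make_response(q)),
                     ("refused", make_response(q, rcode=5))]:
        print(label, "->", classify_response(r))
```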

      The large number of installations poses a real problem for security experts, because the XCP software is difficult to remove and because it is a form of adware, pulling content from a Sony Web server that is targeted to a particular artist and CD.

Research by Windows expert Mark Russinovich, of Winternals, suggests that the program could also cause instability on Windows systems. That prompted Microsoft to say late Friday that it would alter its Windows Defender antispyware program to find and remove the XCP software and update its free malicious code removal program to do the same.


Also on Friday, Sony said it would temporarily suspend production of CDs with the XCP copy protection program on them. The company's decision followed more than a week of steady criticism of the XCP technology, which manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, much like malicious programs known as "rootkits."

      XCP came to light on Oct. 31, after Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at Sysinternals.com.

Russinovich showed that the XCP program hid any file with a name that began with the characters $sys$, rather than looking for and hiding only the specific files used by the media player for copyright enforcement. He speculated that others who gained access to Windows systems with the XCP technology on them could also hide their programs simply by assigning them names that began with $sys$.

      That prediction proved prophetic last week, when antivirus and security software companies began detecting Trojan horse programs and a worm that tried to take advantage of machines running XCP by using names on their malicious files that began with $sys$.

Russinovich and others have criticized Sony's poor description of the XCP technology in the EULA (end user license agreement) that customers agreed to when installing the media player.

Sony BMG reacted quickly to the initial criticism, releasing a software patch to disable it and instructions for obtaining a removal program within days of Russinovich's analysis.


The XCP program caught security experts like Kaminsky unaware, because it has the backing of a major media and technology company, and because it is installed directly on a machine from a CD, rather than slipping in over the Internet or through an e-mail attachment, Kaminsky said.

If true, Kaminsky's numbers show the breadth of the XCP problem, said Ari Schwartz, associate director for the Center for Democracy and Technology, in Washington, D.C. "This shows exactly why groups like ours expressed concern. This is a major concern and people treated it that way," he said.

Even with Sony's decision to recall affected CDs, the company's actions show the need for digital rights management technology that respects the rights of consumers, Schwartz said.
