Sony infects more than 500k networks, including military and govt

Genius DNS hacker Dan Kaminsky designed a research project that counts the networks infected with the malicious rootkit Sony distributed on its audio CDs (strictly, it counts DNS servers that have cached the rootkit's hostnames, each standing in for at least one infected machine behind it): over 500,000 networks contain at least one infected machine. Some of these are governmental and military networks.

Sony has recalled some of the CDs from shops, but still has not offered an effective uninstaller for infected users. In fact, the uninstaller they've shipped has been shown to open massive, dangerous security holes on the PCs of users who run it.

More than half a million networks, including military and government sites, were likely infected by copy restriction software distributed by Sony on a handful of its CDs, according to a statistical analysis of domain servers conducted by a well-respected security researcher and confirmed by independent experts on Tuesday…

Kaminsky asked over 3 million DNS servers across the net whether or not they knew the addresses associated with the Sony rootkit — connected.sonymusic.com, updates.xcp-aurora.com, and license.suncom2.com. He uses a "non-recursive DNS query" which allows him to just peek into the cache of that server, and find out if anyone else has asked that particular machine for those addresses recently.

If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's DRM site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.

The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of one third of the 9 million DNS servers Kaminsky estimates are on the net.
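The non-recursive query trick described above, as an added example written for this page (not Kaminsky's scanner and not code from the Wired article). It builds a DNS A query with the Recursion Desired bit cleared, so the resolver may answer only from its own cache, and classifies the reply. The hostname is one of the three named above; the 203.0.113.10 address, the TTL value and the sample replies produced by `constructed_reply()` are constructed for illustration, not captured traffic.

```python
"""DNS cache snooping with an RD=0 query: added example, not Kaminsky's tool.
A resolver that has the name cached answers it; one that does not returns an
empty NOERROR reply (or REFUSED if it will not talk to us at all)."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name, qid=0x1234, recursion_desired=False):
    """Wire form of an A/IN query; recursion_desired=False is the snooping case."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    end = None                      # position after the first pointer, if any
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data):
    """Return id, rcode, RA flag and the A records (name, ttl, address) answered."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):        # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                 # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "rcode": flags & 0xF,
            "ra": bool(flags & 0x0080), "answers": answers}


def classify(resp, qid):
    """Map a parsed reply to one of: cached, not-cached, refused, error."""
    if resp["id"] != qid or resp["rcode"] not in (0, 5):
        return "error"
    if resp["rcode"] == 5:
        return "refused"            # resolver will not serve this client
    return "cached" if resp["answers"] else "not-cached"


def snoop(server, name, timeout=2.0):
    """Send one RD=0 query to `server` (UDP/53) and return (verdict, answers)."""
    qid = 0x1234
    query = build_query(name, qid=qid, recursion_desired=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    return classify(resp, qid), resp["answers"]


def constructed_reply(name, qid=0x1234, ttl=0, address=None):
    """Constructed sample reply (QR=1, RA=1, RD=0), not captured traffic.
    With `address` it mimics a cache hit whose name is a pointer back to
    the question; without it, an empty NOERROR reply (cache miss)."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8080, 1, 1 if address else 0, 0, 0)
    answer = b""
    if address:
        answer = (b"\xC0\x0C"       # pointer to the question name at offset 12
                  + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
                  + socket.inet_aton(address))
    return header + question + answer


if __name__ == "__main__":
    # Offline demonstration against the constructed replies.
    hit = parse_response(constructed_reply("updates.xcp-aurora.com",
                                           ttl=2400, address="203.0.113.10"))
    miss = parse_response(constructed_reply("updates.xcp-aurora.com"))
    print(classify(hit, 0x1234), hit["answers"])
    print(classify(miss, 0x1234))
```

Two caveats a practitioner should keep in mind. A hit only proves that some client of that resolver looked the name up within the record's TTL, and the remaining TTL in the answer (it counts down from the value the authoritative server set) tells you roughly how long ago; a miss says nothing about lookups older than the TTL, so "no compromised machines" is only true for that window. Many resolvers today answer REFUSED to outside clients or ignore RD=0 and recurse anyway, and querying resolvers you are not authorized to test is not appropriate.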

Link,

Link to November 14 time-line of Sony's misdeeds

(Thanks, Quinn!)

Update: Dan's posted his research too:

It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows…unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident. The process of discovering this has led to some significant advances in the art of cache snooping.