It was a grand experiment that failed miserably: As a means of copy-protecting its music, Sony employed a piece of software from First4Internet. But the technology, as used by Sony, did two bad things: First, it hid itself on computers by using root-kit technology; and second, it opened a remote access connection that called out to Sony (or one of its agencies). This exposed users' computers to worms that took advantage of the stealth technology.
Sony has agreed not to put root-kit technology on future music CDs as a means of protecting its copyrights. But this story is far from over. There are at least two lawsuits pending. There are also viruses poised to take advantage of already-infected PCs worldwide, the number of which may be much higher than anyone previously thought. Worse, Sony's fix for the problem may not be any more secure than the original root kit.
In case you missed it
Here's how users get stuck with the Sony root kit: When they first inserted certain CD titles from Sony BMG into a desktop or laptop PC, a brief End User License Agreement flashed on the screen before they could listen to the music. Most people just agreed to the EULA so that they could get to the music. But by agreeing, they also consented to having additional software installed on their computer. That software, produced by First4Internet, hid itself and opened the remote connections.
By definition, that's a root kit. The problem with root kits is that they are well known to criminal hackers (crackers), and they are all but invisible to most off-the-shelf antivirus apps available today. The infected Sony CDs have been out in the world since last spring, but researchers such as Mark Russinovich at Sysinternals and, more recently, antivirus vendor F-Secure began wondering whether virus writers would soon exploit this in some fashion.
They did. Word of the Sony root kit surfaced in the first week of November, and starting on November 10, several viruses began to appear. Breplibot.c is one of several that attempted to go undercover using the Sony root kit. It is a serious threat nonetheless, but coding errors (perhaps because the criminal hackers worked in great haste) prevented the malicious part of the code from activating.
There is now hard data available
Now that Sony has agreed to stop producing CDs with stealthlike DRM software embedded, one would think the threat would go away. It won't. Security researcher Dan Kaminsky, a frequent speaker at Black Hat, has done some fascinating research into Domain Name Service servers and the security threats they face. Recently, Kaminsky posted what the Sony root kit might mean in terms of sheer numbers of people infected. The data isn't good from a security standpoint.
Kaminsky started with a very basic premise: Sony has a root kit; all root kits phone home; phoning home requires a DNS query; DNS queries are cached. From this simple theory, Kaminsky was able to query roughly 3 million Domain Name Service servers to find traces or signatures of Sony root kits calling from their desktop and laptop PC clients back home to Sony (or some other agency) host servers. He didn't find a few thousand, nor a hundred thousand. Kaminsky found roughly 568,200 DNS servers that have signatures of the Sony root kit calling home. He states that from this figure, he can't conclusively determine how many hosts that translates into--only Sony and First4Internet know that number.
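Kaminsky's cache-snooping measurement, as an added example that is not from the article or from Kaminsky's own tooling: it sends a DNS A query with the recursion-desired (RD) bit cleared, so a resolver answers only from what it already holds in cache, then classifies the reply. Written from the defender's side, to check whether your own recursive resolver has served lookups for the phone-home name; that hostname is a placeholder, since the article does not name it, and the sample reply is constructed rather than captured.

```python
import socket
import struct

# Placeholder: the article names no phone-home domain, substitute the real one.
PHONE_HOME_NAME = "phone-home.example.invalid"

def build_query(name, qid=0x1234):
    """DNS A query with RD cleared: a resolver may answer only from its cache."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def skip_name(data, off):
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(data):
    """Return (id, rcode, answer_count, TTL of first answer or None)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    ttl = None
    if an:
        off = skip_name(data, off)
        _rtype, _rclass, ttl = struct.unpack("!HHI", data[off:off + 8])
    return qid, flags & 0x000F, an, ttl

def classify(data, qid=0x1234):
    rid, rcode, an, _ttl = parse_response(data)
    if rid != qid:
        return "mismatched-id"
    if rcode == 5:
        return "refused"            # resolver rejects non-recursive queries
    return "cached" if an else "not-cached"   # cached answer => a client asked recently

def snoop_own_resolver(resolver_ip, name=PHONE_HOME_NAME, timeout=2.0):
    """Ask one resolver, non-recursively, whether it has `name` cached."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return classify(data)

# Constructed sample replies (not real captures): id 0x1234, flags QR|RA.
SAMPLE_CACHED = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0)
                 + b"\x0aphone-home\x07example\x07invalid\x00" + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 1800, 4) + bytes([192, 0, 2, 10]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8085, 0, 0, 0, 0)
```

A TTL well below the zone's published value is the second signal: it counts down from the moment the resolver first fetched the record for a client.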
"0wned" by Sony
Kaminsky has translated his data into a satellite image of Earth; here's a graphic of Sony-owned North American PCs. As mentioned, Sony has stopped production of the music CDs and has offered to replace CDs already purchased with CDs sans DRM software, but the company has yet to state how it proposes to remove the remote-access Trojans from the roughly half-million infected PCs.
Also, the patch, offered by Sony, apparently causes more harm than good. Finnish security researcher Muzzy reported that in removing the First4Internet root kit, new ActiveX code is installed. The new code, called CodeSupport, doesn't restrict itself to Sony or First4Internet; instead, someone could write an exploit for CodeSupport that directs new traffic to a cracker's domain. First4Internet is apparently aware of this and may soon offer a fix to its patch.
But wait, there's more
While First4Internet's root kit has enjoyed the lion's share of media coverage, there's a secondary software package used by Sony to protect its assets, SunnComm's MediaMax. The site Freedom to Tinker has reported that MediaMax uses spywarelike behavior, although it does not hide itself the way the First4Internet software does. And security company ISS is reporting new vulnerabilities for those still infected with the original Sony root kit.
Looking ahead, what would happen if rival companies started installing root kits on consumers' PCs--say, you buy one CD from Sony and another from Warner? According to F-Secure's blog site, in order for any root kit to hide itself, it must interface with the operating system kernel at a very low level, one that leaves no room for error. So what happens if you buy CDs from two competing manufacturers? Installing one root kit on top of another could lead to a very unstable situation. I say could, because this is all theoretical at this point. News.com has collected a variety of "what this might mean" stories regarding the Sony root-kit fiasco here.
I suspect we'll see more exposure of business practices like this in the near future. Antivirus companies are getting better at finding and exposing root kits, and brand-name vendors may find themselves, like Sony, having to answer for their past actions. Perhaps someday vendors will understand that my PC is a temple, and I (and only I) decide what should be running on it.
Does Kaminsky's estimate of a half-million Sony root-kit infections seem too high or too low to you? Talk back to me.