Schneier on Security
A blog covering security and security technology.
November 15, 2005
Still More on Sony's DRM Rootkit
This story is just getting weirder and weirder (previous posts here and here).
Sony already said that they're stopping production of CDs with the embedded rootkit. Now they're saying that they will pull the infected disks from stores and offer free exchanges to people who inadvertently bought them.
Sony BMG Music Entertainment said Monday it will pull some of its most popular CDs from stores in response to backlash over copy-protection software on the discs.
Sony also said it will offer exchanges for consumers who purchased the discs, which contain hidden files that leave them vulnerable to computer viruses when played on a PC.
That's good news, but there's more bad news. The patch Sony is distributing to remove the rootkit opens a huge security hole:
The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
Even more interesting is that there may be at least half a million infected computers:
Using statistical sampling methods and a secret feature of XCP that notifies Sony when its CDs are placed in a computer, [security researcher Dan] Kaminsky was able to trace evidence of infections in a sample that points to the probable existence of at least one compromised machine in roughly 568,200 networks worldwide. This does not reflect a tally of actual infections, however, and the real number could be much higher.
I say "may be at least" because the data doesn't smell right to me. Look at the list of infected titles, and estimate what percentage of CD buyers will play them on their computers; does that seem like half a million sales to you? It doesn't to me, although I readily admit that I don't know the music business. Their methodology seems sound, though:
Kaminsky discovered that each of these requests leaves a trace that he could follow and track through the internet's domain name system, or DNS. While this couldn't directly give him the number of computers compromised by Sony, it provided him the number and location (both on the net and in the physical world) of networks that contained compromised computers. That is a number guaranteed to be smaller than the total of machines running XCP.
His research technique is called DNS cache snooping, a method of nondestructively examining patterns of DNS use. Luis Grangeia invented the technique, and Kaminsky became famous in the security community for refining it.
Kaminsky asked more than 3 million DNS servers across the net whether they knew the addresses associated with the Sony rootkit -- connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. He uses a "non-recursive DNS query" that allows him to peek into a server's cache and find out if anyone else has asked that particular machine for those addresses recently.
If the DNS server said yes, it had a cached copy of the address, which means that at least one of its client computers had used it to look up Sony's digital-rights-management site. If the DNS server said no, then Kaminsky knew for sure that no Sony-compromised machines existed behind it.
The results have surprised Kaminsky himself: 568,200 DNS servers knew about the Sony addresses. With no other reason for people to visit them, that points to one or more computers behind those DNS servers that are Sony-compromised. That's one in six DNS servers, across a statistical sampling of a third of the 9 million DNS servers Kaminsky estimates are on the net.
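The cache-snooping query described above, as an added example that is not part of the original post and not Kaminsky's own tooling: it builds an A-record query with the RD (recursion desired) bit cleared, which is what `dig +norec` sends, and classifies the reply. A resolver that honours RD=0 answers only from what it already has cached, so an answer means some client behind it looked the name up recently; the comments' caveat that an authoritative server would answer regardless is handled by checking the AA flag. The hostnames are the three named in the article; the resolver replies used for the demonstration are constructed inside the block so it runs offline, and the `snoop` helper is an assumption about how one would send the query to a resolver one operates.

```python
import socket
import struct

# Hostnames named in the article as the XCP "phone home" addresses
XCP_HOSTS = ("connected.sonymusic.com", "updates.xcp-aurora.com", "license.suncom2.com")


def encode_name(name):
    """Hostname to DNS wire format: length-prefixed labels, zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_nonrecursive_query(name, qid):
    """A-record query with RD cleared, like `dig +norec`.
    A resolver honouring RD=0 answers only from its cache (or if it is authoritative)."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)      # flags 0: QR=0, RD=0
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, pos):
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + length


def interpret_response(buf, qid):
    """Classify a reply to a non-recursive query.
    Verdicts: cached (name was in the cache), not-cached, authoritative
    (server owns the zone, so the answer says nothing about its clients), error."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if rid != qid or not flags & 0x8000:   # wrong transaction, or not a response
        return {"verdict": "error", "reason": "id mismatch or QR bit clear"}
    rcode = flags & 0x000F
    if rcode != 0:
        return {"verdict": "error", "reason": "rcode %d" % rcode}
    pos = 12
    for _ in range(qdcount):               # skip the echoed question(s)
        pos = _skip_name(buf, pos) + 4
    ttls = []
    for _ in range(ancount):               # collect answer TTLs
        pos = _skip_name(buf, pos)
        _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
        ttls.append(ttl)
        pos += 10 + rdlen
    if flags & 0x0400:                     # AA set: authoritative, not cache evidence
        return {"verdict": "authoritative", "ttls": ttls}
    if ancount == 0:
        return {"verdict": "not-cached", "ttls": []}
    # A remaining TTL below the zone's full TTL hints at how long ago it was cached
    return {"verdict": "cached", "min_ttl": min(ttls), "ttls": ttls}


def build_sample_response(query, qid, addrs, ttl, aa=False):
    """Constructed resolver reply for offline use (not captured traffic)."""
    flags = 0x8080 | (0x0400 if aa else 0)  # QR=1, RA=1, optionally AA
    header = struct.pack("!HHHHHH", qid, flags, 1, len(addrs), 0, 0)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + query[12:] + answers


def snoop(server, name, qid=0x1234, timeout=2.0):
    """Send one non-recursive query over UDP to a resolver you run and classify the reply
    (assumed usage; the verdict is per resolver, not per machine)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_nonrecursive_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return interpret_response(data, qid)


if __name__ == "__main__":
    # Offline demonstration with constructed replies
    qid = 0x1234
    q = build_nonrecursive_query(XCP_HOSTS[0], qid)
    print(interpret_response(build_sample_response(q, qid, ["192.0.2.10"], 1800), qid))
    print(interpret_response(build_sample_response(q, qid, [], 0), qid))
```

Run `snoop` against your own recursive resolver for each of the three names to learn whether anything on your network has contacted them. As the comments point out, a positive result is a lower bound per resolver, not a machine count: roaming laptops, clustered caches and a resolver that is also authoritative all distort it, which is why the classifier reports the AA case separately and exposes the TTLs rather than claiming a number.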
In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media.
Posted on November 15, 2005 at 3:16 PM
Sony obtained the rootkit from someone else, right? Maybe some other black hat (besides Sony, which is also a black hat) is using the same rootkit, which would lead to the half-million number of infected systems.
Either that or there's a secret underground society of Celine Dion fans. That would be scary.
Hell hath no fury like a Celine Dion fan scorned.
528,000 networks have at least one computer that's been on them in the past few weeks with the software installed.
DNS works recursively; if I query an internal corporate server, it may query an external server, which will in turn query a root server - the odds are that between roaming mobile users, recursive queries, and so on that you're really talking about 250,000 infected machines. Since Sony has claimed there are 2 million machines out there with the rootkit, that suggests a 10% infection rate, which still seems high. I just can't see that many Celine Dion fans being literate, let alone computer literate.
I wonder if there are pirates out there who are simply duplicating the entire CD - rootkit and all - and driving up the numbers beyond what Sony admits to. Of course, this is the type of piracy that will cost Sony far more money than fan-to-fan copies will - and the kind of piracy that Sony's rootkit can't touch.
Whoops, I misstated. Sony doesn't claim 2 million machines have been rooted, they claim 2 million CDs have been sold.
Well the number of DNS machines that know about this web sites that the rootkit use to call home, just sets a lower boundary. This is a minimum, so there are more than that, how many more? Probably a lot since some of those DNS are for really big networks.
It gets worse.
Sony's software allegedly includes copyrighted code: the LAME mp3 encoder software is under the LGPL license. If true, Sony's sold 2.1 million infringing copies of someone else's intellectual property without permission.
Ironic, don't you think?
Oh, and under the laws Sony helped to push through, that's $75,000 max damages per infringing copy, or $150 billion total.
Yeah, it looks like 47 titles with the XCP software - not 20, as Sony had (rather disingenuously) claimed:
And it seems that the Sunncomm "Mediamax" DRM is phoning home, too:
And what else might Sony have on people's machines that we don't yet know about that sends back information to the mother ship, too? Scary thought.
We know a fair bit about the CDs now, but what's on the DVDs? Anything pre-installed on new Sony machines?
Try it for yourself:
dig +norec connected.sonymusic.com @your.dns.server.address
From what I heard, the LAME thing is a red herring. The rootkit code contains certain strings from LAME so it can detect and block the software from ripping music, but it doesn't contain any of its code proper.
Damian said: "And what else might Sony have on people's machines that we don't yet know about that sends back information to the mother ship, too? Scary thought."
Scary thought, yes, but even worse is the reality that this was only discovered by someone who happened to be tinkering.
How many other rootkits, trojans, keyloggers, backdoors, spyware, adware, viruses, etc. exist within closed source software available for Windows that has YET to be discovered? How many new closed source programs have been released TODAY in stores, online, available from companies and individuals whose source code is NOT available for review?
Who is going to try all of these closed source programs and examine how they work on their systems and sniff for any odd traffic going in and out after installing these programs?
It's a useless battle.
Intelligent people don't use nor support closed source.
I personally wonder if Sony had anybody with any experience with computer security, or even application development, look at the things they bought from First 4 Internet. If it's so, I guess that person will be sacked very quickly. These security mistakes are such very basic things. The other things are neglect on the highest level. A second year student in computer science would fail courses if they did this.
What I find most astonishing in the whole process is that Sony will, most likely, get away with it, perhaps after paying a symbolic sum. If I released a CD like this on purpose I think I would end up in jail for a considerable time.
It’s not often that I call for harsher punishments, but in this case I think that the punishment should be hard enough to make the message stick. Creating security problems on purpose for other people should never be an alternative. There shouldn’t be a difference for a 1334 HAXOR and Sony. Neglect on this level should also be illegal and HURT.
I am also very much in favour of personal responsibility. In this part of the world you always have to name a “responsible publisher” when selling a newspaper or other sort of information. If the person responsible for publishing these disks and creating this mess had to take personal responsibility I think they would think twice about what they actually send out. The construction where a corporation acts as shield and takes away responsibility has to end.
Now I have cleaned this mess away from one computer. Good thing I live outside the main area of infection.
That's a rumor that it's trying to detect LAME... I've seen a number of stories referring to actual disassemblies that show parallels to actual LAME code.
The thing that worries me the most is that if this is what they are doing on _CDs_, what are they doing in Vaio device drivers, online games like Everquest or Star Wars Galaxies, DVDs or the upcoming PS3? Sony is a huge company with a lot of hardware and software out there; if this is the kind of thing they think is "alright", either through malicious intent or ignorance, what else haven't we figured out yet?!?
I, for one, am going to try to avoid Sony products when possible, not as some sort of boycott, but rather because I simply don't trust them to act properly, either through bad design or mal-intent.
@Fester: "that this was only discovered by someone who happened to be tinkering."
For "happened to be tinkering," I'd substitute "was conducting a routine security audit of his system." He was running RKR - "Rootkit Revealer" - a security tool that detects just this sort of compromise.
What I didn't expect, given the black eye they already have, is that their uninstaller activex can be hooked by any website to get shell access to your computer.
Welcome to hell, courtesy of Sony. Enjoy your stay in the botnet.
@Kevin: "For "happened to be tinkering," I'd substitute "was conducting a routine security audit of his system." He was running RKR - "Rootkit Revealer" - a security tool that detects just this sort of compromise."
No shit, but the point still remains: no matter how many scanners you add to your closed source Windows system, no matter how many of them you keep updated, no matter how many new definitions you keep fresh on a daily basis, it's still useless and an endless battle.
How many remote exploit "bugs" had to be patched in WinXP (and continue to be) from day one? Why are they there? Who discovered them and reported them? How many of them existed for how long before being patched? And that's just the OS. What of all the millions of closed source programs out there on CDs, DVDs, floppies, etc. both for purchase, developed for free, shareware, freeware, etc.?
I actually know a lot of Windows users who think because they have Zone Alarm, Ad-Aware, Spybot, RKR, and a few other closed source tools that they're "safe". Bullshit.
I know very well about RKR as well as F-Secure's Blacklight beta, it doesn't matter, they are just more scanners to throw on the pile of a closed source OS to try and make the lipstick on the pig look pretty.
Big corps know how stupid the average PC user is, so of course it doesn't surprise me when one/some with deep pockets pulls something like this; after all, we all know where DRM and Trusted Computing is headed anyway. Pretty soon you'll have to CAT scan your head every time you use your computer with a closed source parasite running the show - it's just a matter of time.
Give it a few years, after the shock of corporations pulling shit like this has numbed us to breaking related news, eventually we'll all be used to encryption , open source, and any "open" ideas/inventions being illegal...........
....BECAUSE THE STUPID HAVE ALREADY INHERITED THE EARTH.
The DNS servers don't set a lower boundary, unless machines never roam.
Also, if 2mm cds have been sold, and 1/10 have been popped into computers, then there's 200,000 infected computers. If 1/2 of those (100,000) are laptops that go on the road quite a bit, each visiting 4 hotspots, then we get 4*100000+100000=500,000. Seems reasonable to me.
Well, bryan, I did that dns-lookup described above, but how do I interpret the result?
dig +norec connected.sonymusic.com @your.dns.server.address
And: Perhaps someone in my net did that query before.
Will this affect my result?
It is amazing that, after all the embarrassing news, Sony actually managed to make things worse with their uninstaller. At this point you have to assume they'll continue messing up.
Perhaps I spoke too soon...a person from the EFF tells me that it's the number of works infringed, not the number of copies made. Still, I'd be interested in knowing whether or not there'd be more to this--namely, I seem to recall something about RIAA member companies suing people on the assumption that a certain number of infringing copies had been made.
DNS is so complex that point samples like this cannot be the end of the story. DNS caches can and are routinely purged. Dozens or hundreds of servers can be clustered and share much the same caches. A single request can reach up a chain of as many as a dozen different servers requesting a domain. Downlevel servers can request zone transfers for latency and high availability reasons.
But maybe his methodology corrects for all of that through some ingenious methods, I don't know anything about it really.
The more I hear about this whole affair, the more the suspicion grows on me that somebody inside Sony knew exactly what the PR effect of this was likely to be, and was deliberately setting out to sabotage their employers' extremist DRM agenda.
I suspect you're right to suspect those numbers, Bruce. Having had arguments with Kaminsky (admittedly many years ago - maybe he's improved) over basic computer science concepts a first-year should grasp, if he told me his research had revealed that the sky was blue I'd go look out a window before I believed it.
The other thing about this that nobody has mentioned is that *if* the figures for infection are true; that means that Sony has been selling lots of 'DRM' stuff into the UK.
In the US, it largely seems like a public relations disaster.
But in the UK, their rootkit may very well come under hacking laws. They could be in *big* trouble there.
What I expect them to get burnt most strongly on is the fact that they're sending unknown data out of government and military installations. Can you spell "espionage law"? That's some stuff you don't want to be touching.
Unless some Sony people go to prison, and soon, then this is just a glimpse of the future.
Installing hostile software should be a criminal act just like breaking and entering.
A rootkit should be considered a burglary tool.
Locksmiths, hardware stores, and workmen have legitimate uses for tools that could be considered burglary tools, but we have centuries of legal practices guiding our decisions, which is why the hardware store can sell you a hacksaw, a punch, and a ballpeen hammer, while if you're caught at 3 am in an alley with the same tools hidden in your pants, the cops will likely hook you up and haul you off.
Security people could have legitimate uses for rootkits, and could shield themselves from prosecution by informing an NGO centralized registry of their holdings.
This doesn't require new laws, just application of existing laws.
The authorities should go out there, investigate, and make arrests. A bunch of public perp walks would do us all some good.
"In any case, Sony's rapid fall from grace is a great example of the power of blogs; it's been fifteen days since Mark Russinovich first posted about the rootkit. In that time the news spread like a firestorm, first through the blogs, then to the tech media, and then into the mainstream media."
F-Secure wrote about it on 11/1:
Their research went back to early October.
Nice soapbox. Unfortunately, you are only ever going to be s4f3 if you review every line of code on your box. Most sensible people don't have the time for that and fall back on tools that detect the symptoms of these sorts of problems (like RKR, or firewalls).
These programs don't need to know what the latest security hole is, they just need to know how a compromised system tends to behave, which is a much harder thing for an attacker to hide.
I agree with you that reliance on signature-checking tools like AdAware, Spybot, and many anti-virus solutions, provides a false sense of security for many. However, it is also unreasonable to preach that the ultimate solution is for everyone to write their own OS and apps. That would take us back to the stone age of computing. And would be like suggesting that the best way of preventing worldwide flu pandemics would be to make sure that nobody *ever* leaves their own house.
Keep your friends close, and your customers closer.
I may be mistaken, but isn't one of the "phone home" servers, updates.xcp-aurora.com, owned by Aurora, the insidious, hard-to-remove pop-up "kings" (my word)? I have spent some serious time killing that bastard from systems. It messes up the TCP/IP stack in Windows and is damn near impossible to remove. Anybody run into a program called "nail.exe" lately? That's their baby. It seems Sony is taking a lesson from organized crime and hiring black hats.
You know what, I'm done buying products from the media conglomerates. If it's not released by an independent label, or a small publisher, I don't need it. These people have got to be out of their f'king minds if they think that I want or need their half-assed products so much that I'll destroy my computer or suffer through all the headaches and contortions that you have to endure to enjoy so-called "licensed" music and video. There's no moron like a moron who doesn't know he's a moron, and the suits who dream this stuff up are morons of the highest order.
And "student" is exactly right. What Sony did is reckless and criminal. I'm going to write my representatives and demand that the Justice Department seek an indictment against Sony BMG executives for violation of the relevant statutes. I suggest everyone else do the same.
Read on MSNBC that Microsoft is going to remove Sony's code in their antispy software. They say it compromises Windows security!
I assume some senior Sony executives over in Japan will be committing Seppuku soon [lol]
I suspect a lot of DNS cache entries for connected.sonymusic.com at least result from people following links to this site during the recent controversy.
It seems to host some CD-related web pages in any case, so it may not be a good indicator for rootkit infections.
Here's a conspiracy theory for you:
What if this was actually planned in the smoke-filled room of some glass tower or sub-basement at Sony or one of the other labels?
Incite panic and paranoia into consumers against CDs and then you have a perfect excuse to kill them off and force everybody to go digital which just happens to be vastly more controllable than those annoying CDs.
People will refuse to buy CDs knowing that all the major labels are using the same or similar DRM technology, so they(the labels)get to say "Hey, we're just responding to consumer demand!, everybody wants downloadable music now, not those clunky virus-ridden CDs" and *poof* there goes those annoying analog and ripping holes.
Sure they take a PR hit and maybe lose a few million on lawsuits and spin, but they've got to have a few billion in the bank and given the public attention span, it'll all have blown over in a few weeks and they can go back to selling WEGA TVs and Playstations.
I'm never buying Sony again, ever (unless I can't help it). As are quite a lot of people I know who've heard of this story.
Signature scanners have a use: I know how to do "safe computing". I hope that I perform it good enough and that my incidental lapses (or unfixed defects) don't subvert my computer. I use a signature scanner to find the first signs of corruption on my system and verify media and downloaded files before using them on my system.
Of course....if you use ANOTHER browser (http://www.mozilla.org) then you needn't worry about ActiveX controls being installed by websites...
I wonder what Morita-san would think of all this?
Copyright infringement, deliberate criminal actions, lying in public.
Nobody seems to remember that it was *Sony*, among others, who tried very hard, and mostly succeeded, to turn private customers into criminals. Not by the doing of the customers. They just continued to do what they once were allowed to do.
But all the wrath of an inflexible industry came down on them.
And now this? So, they relied on the power of law, did not hesitate to break it when it seemed opportune?
Why, then, is nobody hurting them now? They were caught in the act. And what they did was illegal long before they started it. And they *knew* it.
People, if they are not punished at least as severely as they punish not-exactly-rich students, then we should all doubt that this is a for-real democracy.
Why is it that Dan Kaminsky's Asia map shows Korea as being completely dark? Is it that all those broadband users we keep hearing about don't listen to Sony CDs on their computers? Is it really credible that there are more Sony DNS entries for Hyderabad than Seoul? See http://http://www.doxpara.com.nyud.net:8090/...
Also months ago various Sony/BMG or F4I people were claiming they already sold millions of discs with one type of copy protection or another. From press clippings on http://www.xcp-aurora.com/:
Feb 2005: "BMG has used MediaMax on a number of titles.... In all, it has shipped more than 5.5 million content-enhanced and protected discs, which have been met with positive consumer reactions, according to Katz."
May 2005: "Sony already has shipped about 2 million CDs protected by First4Internet's XCP technology, which allows users to make copies of CDs for personal use, including transfers to personal mobile devices."
June 2005: "Some 2 million of the CDs using the First4Internet protection have been sold since March in the United States."
Unfortunately, Internet Explorer (and the ActiveX control) is required to run the Sony DRM uninstaller.
Of course, if you run another OS (http://www.kernel.org/), then you wouldn't be having this problem in the first place :)
As long as you're explaining why you say "may be at least", please explain what it means. Such verbal indecision is not your normal style.
> A rootkit should be considered a burglary tool.
No. Criminalizing possession is almost always the wrong approach. Use, on the other hand, should be punished quite severely.
> Unfortunately, you are only ever going to be s4f3 if
> you review every line of code on your box.
Not even then, unless your compiler was hand-compiled the first time, as Ken Thompson taught us.
> Why is it that Dan Kaminsky's Asia map shows
> Korea as being completely dark?
The blurb about his methodology points out that there are many things that can invalidate results - exchange of cache data between DNS servers, for instance. If most DNS servers in an area are sharing cache data, then that might invalidate positive results that would otherwise show up on the map. The results are intended to be a lower bound, although mobile computers do certainly seem to be a weak point.
Some other reasons the DNS information is incomplete.
Well-configured DNS servers are going to either be recursive resolvers for authorized users or publish authoritative data, but not both. That way you don't leak cache information.
I am somewhat surprised that military sites are leaking cache information as that could be valuable information to other governments. This might be a wake up call to them.
Also there was a previous comment saying that recursive resolvers contact other recursive resolvers and so on to the root. Only broken ones do this. Recursive resolvers should start at the root (unless they have already cached that information) and work down the tree. This protects against cache poisoning.
For those of you who use Snort, the guys from Bleeding Snort and Demarc Security have made a few rules to determine if machines on your network have the Sony DRM, and the one by Blake Hartstein actually catches malicious websites trying to exploit the big ActiveX hole they left.
#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow: to_server,established; content:"sonymusic.com"; nocase; pcre:"/User-Agent\:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:2;)
#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase; content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; reference:url,www.frsirt.com/english/advisories/2005/2454; reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; sid:2002679; rev:3;)
Let me get this straight. The SONY software will only install if Autorun is allowed, doesn't it? So it all boils down to Microsoft enabling this behavior by default and actually not providing any notice about it nor an easy way to disable it. True, you can use TweakUI to do this, but how many "Losers" know about it?
In short - Microsoft simplifies the installation of any software to unsuspecting users who simply insert a CD (and, for that matter a USB drive etc.) into their computer.
My comment is a question. What about the multimedia software on Sony computers? Or the installation software on Sony CD/DVD peripherals? Is the same DRM management present in these products?
Is Sony BMG telling the truth about selling CDs only in the US?
The Stiftung Warentest, a foundation for product tests and consumer rights notes, according to this article:
(article in german language)
that CDs with XCP were sold in Germany too, and have been found on a CD which the dealer ordered directly from Sony BMG Germany.
This would fit the observation that a lot of computers in Europe are infected.
Sony's FAQ (http://cp.sonybmg.com/xcp/english/faq.html) has a very interesting line in question 3, where they try to excuse the "phone home" behavior:
"This methodology is widely used in enhanced CDs without content protection distributed by SONY BMG and other labels."
So they have many other, non-XCP CDs, that are also designed to make connections -- probably to the same server, to get the same banners.
This probably invalidates Dan Kaminsky's results, unless he found a hostname that is specific to XCP. (His report doesn't say which hostnames he was scanning for.)
And it might be worth looking for those other CDs. Sony's argument doesn't work, this "methodology" does report their customers' listening habits to Sony, whether it was "intended to" or not. There might be a whole lot of spyware CDs out there.
First they got my family with the Betamax, then they got me with a Vaio laptop (shame on me for giving them a second chance; we should all spend as much time in southern California in mid-winter as that machine did) and now I'm not even safe from their "content". I thought my step-daughter was dating a "hacker" at school & lying to me. I never dreamed when speaking to the kids about security with computers I'd have to warn them about their CDs! AOL should sue them; I spent hours driving them crazy over just the behaviours the kids' machines did, it never occurred to me to ask about music CDs. I think we'll never get a correct number of infected machines. To wit: Did your kid borrow a CD at school today? How about last month? Did their little brother stick it in his machine when sissy wasn't looking? Don't look now, the list is up to 52 titles last I read.
Well, I certainly didn't expect to see 550K, or 350K name servers returning these values, but then I wouldn't think these 52 discs would sell 2.1M copies. But that's what Sony said, and this is what the data shows.
Do people play CDs on their computer? When was the last time you saw someone walking around with a CD player instead of an MP3 player? How do you think those MP3s got there?
Ultimately, it'd be nice to have real data from Sony. Bruce, how 'bout speculating less, and joining me in asking Sony to volunteer their server logs? It's almost guaranteed they'll fall to subpoena eventually, so there's not much of a status quo change, and then we can stop guessing and actually know what the damage is.