Sony BMG 'Rootkit' on 500,000 Systems, Expert Says

Sony BMG will have a big job ahead of it as it tries to replace all copies of controversial copy protection software, according to a computer security expert, who says that he has evidence there are more than 500,000 versions of the program installed worldwide.

Dan Kaminsky, an independent security researcher, discovered evidence that so-called "rootkit" style stealth programs developed by U.K. firm First 4 Internet Ltd. and used by Sony had spread widely while conducting an audit of the DNS (Domain Name System) infrastructure.

Sony BMG has declined past requests to comment on the number of systems that run the software, known as XCP.

However, Kaminsky's figures, if true, suggest that the software, which shipped on CDs by just 20 Sony BMG artists, has already been distributed and installed widely around the world.

Sony BMG said on Tuesday that it would allow customers to exchange CDs with the XCP technology for copies that did not have the copy protection software installed.

The company did not respond to e-mail and phone requests for comment on the number of XCP installations. First 4 Internet CEO Mathew Gilliat-Smith said he had no further comment on the controversy over XCP.

Machines running the XCP copy protection software, which is almost totally invisible to Windows users, can be found in almost every country in the World, from Afghanistan to Zambia, though the vast majority are running in just three countries: Japan, the U.S. and the United Kingdom, according to figures provided to eWEEK by Kaminsky.

More than 200,000 copies of the program are installed on computers in Japan, with around 130,000 running on computers in the United States. The United Kingdom has about 44,000 copies of the program installed, Kaminsky's research shows.

The Netherlands and Spain both have more than 27,000 copies of the program running, followed by South Korea, Peru, France, Australia and Switzerland, with between 12,000 and 8,000 installations.

Kaminsky, who is known for his novel security research on core Internet components such as the TCP/IP communications protocol, identified systems running the copy protection software from First 4 Internet using a technique called "DNS cache sniffing."

Kaminsky searched through the saved (or "cached") DNS requests submitted to a large number of the world's publicly accessible DNS servers and looked for requests for domains associated with the XCP software, such as update.xcp-aurora.com and connected.sonymusic.com.

DNS is a network of computer servers that match up Internet user requests for Internet domains, such as eweek.com, with IP addresses that machines recognize.

Kaminsky used a database of around three million DNS name servers he had compiled for unrelated research into security vulnerabilities in the DNS system.

The search turned up almost one million references to the XCP and Sony domains. Kaminsky weeded out duplicate or forwarded requests from that number and narrowed the list down to 568,000 requests from unique IP addresses on the Internet.

He used geolocation software to associate the IP address of the machine running the XCP software to particular countries, he said.

The large number of installations poses a real problem for security experts, because the XCP software is difficult to remove and because it is a form of adware, pulling content from a Sony Web server that is targeted to a particular artist and CD.

Research by Windows expert Mark Russinovich, of Winternals, suggests that the program could also cause instability on Windows system. That prompted Microsoft to say late Friday that it would alter its Windows Defender antispyware program to find and remove the XCP software and update its free malicious code removal program to do the same.

Also on Friday, Sony said it would temporarily suspend production of CDs with the XCP copy protection program on them.

The company's decision followed more than a week of steady criticism of the XCP technology, which manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, much like malicious programs known as "root kits."

XCP came to light on Oct. 31, after Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at Sysinternals.com.

Russinovich showed that the XCP program hid files with a name that began with the characters $sys$, rather than looking for and hiding the specific files used by the media player for copyright enforcement.

He speculated that others who gained access to Windows systems with the XCP technology on it could also hide their programs simply by assigning them names that began with $sys$.

That prediction proved prophetic last week, when antivirus and security software companies began detecting Trojan horse programs and a worm that tried to take advantage of machines running XCP by using names on their malicious files that began with $sys$.

Russinovich and others have criticized Sony's poor description of the XCP technology in the EULA (end user license agreement) that customers agreed to when installing the media player.

Sony BMG reacted quickly to the initial criticism, releasing a software patch to disable it and instructions for obtaining a removal program within days of Russinovich's analysis.

The XCP program caught security experts like Kaminsky unaware, because it has the backing of a major media and technology company, and because it is installed directly on a machine, rather than slipping on over the Internet or through an e-mail attachment, Kaminsky said.

If true, Kaminsky's numbers show the breadth of the XCP problem, said Ari Schwartz, associate director for the Center for Democracy and Technology, in Washington, D.C.

"This shows exactly why groups like ours expressed concern. This is a major concern, and people treated it that way," he said.

Even with Sony's decision to recall affected CDs, the company's actions show the need for digital rights management technology that respects the rights of consumers, Schwartz said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.