This morning, security researcher Dan Kaminsky announced an ingenious method for gauging the extent of the Sony XCP CD rootkit infection. His findings suggest that at least hundreds of thousands of computers are likely already infected, and that Sony probably has data that would show exactly how many computers are infected. Kaminsky's method is based on sophisticated use of the Domain Name System (DNS), which translates names like into the IP addresses that computers use to route communications on the Internet.

As other researchers had discovered, the XCP rootkit's spyware component appears to "phone home" in order to tell Sony what you're listening to. As part of the process of phoning home, the spyware needs to connect to two computers operated by Sony or its contractors. In order to do this, it needs to find their IP addresses, and therefore it needs to ask DNS servers.

For efficiency, those DNS servers will remember that they've been asked about the Sony-operated servers in question, for a certain amount of time, known as the time-to-live. This is called DNS caching, and the efficiency improvement it produces is one of the principal benefits of the DNS system.

However, the use of DNS caching can reveal some information about who's been communicating with whom, through a process called DNS cache snooping. In cache snooping, a DNS server answering a query can be induced to reveal whether or not it's already answered that same query within the associated time-to-live time period. This can reveal, for example, whether or not some subscriber of a particular ISP (or perhaps a user at a particular university or business) has visited a certain web site recently. In Kaminsky's experiment, it revealed that many networks contained computers infected by the XCP spyware. Those computers tried to connect to Sony's and First4Internet's servers, leaving traces in DNS server caches; Kaminsky could then scan for those traces.

His result? "At least 568,200 nameservers have witnessed DNS queries related to the rootkit." (It is difficult to translate this directly into a number of infected machines, because many desktop computers may use the same nameserver. On the other hand, more than one nameserver may cache a record as a result of a single query. The former consideration suggests that this number is too low as a estimate of infected machines, whereas the latter consideration suggests that it is too high.) Dan Kaminsky has produced an extremely striking picture of the geographic extent of rootkit-related DNS traffic. It's pretty, but it's also scary. Each infected machine is vulnerable to several security threats (including new vulnerabilities reported today by Internet Security Systems), and Ed Felten and Alex Halderman have discovered that using Sony's uninstaller only makes the security problems worse!

Wired News reports that the affected networks "includ[e] military and government sites".

Related Issues