This morning, security researcher Dan Kaminsky announced an ingenious method
for gauging the extent of the Sony XCP CD rootkit infection. His
findings suggest that at least hundreds of thousands of computers are
likely already infected, and that Sony probably has data that would
show exactly how many computers are infected. Kaminsky's method is
based on sophisticated use of the Domain Name System
(DNS), which translates names like www.eff.org into the IP addresses
that computers use to route communications on the Internet.
As other researchers had discovered, the XCP rootkit's spyware
component appears to “phone home” in order to tell Sony what you're
listening to. As part of the process of phoning home, the spyware needs
to connect to two computers operated by Sony or its contractors. In
order to do this, it needs to find their IP addresses, and therefore it
needs to ask DNS servers.
For efficiency, those DNS servers remember the answers to queries about the Sony-operated servers in question for a certain amount of time, known as the time-to-live (TTL). This is called DNS caching, and the efficiency improvement it produces is one of the principal benefits of the DNS system.
However, DNS caching can also reveal some information about who has been communicating with whom, through a process called DNS cache snooping.
In cache snooping, a DNS server answering a query can be induced to
reveal whether or not it's already answered that same query within the
associated time-to-live time period. This can reveal, for example,
whether or not some subscriber of a particular ISP (or perhaps a user
at a particular university or business) has visited a certain web site
recently. In Kaminsky's experiment, it revealed that many networks
contained computers infected by the XCP spyware. Those computers tried
to connect to Sony's and First4Internet's servers, leaving traces in
DNS server caches; Kaminsky could then scan for those traces.
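To make the mechanism concrete, here is a small Python model (added for this article; it is not Kaminsky's code and not from the original post) of a caching resolver, the non-recursive query that cache snooping relies on, and the access-control mitigation. The host name, addresses, TTL and timings are constructed, and the "outside client" check stands in for resolver settings such as BIND's allow-recursion and allow-query-cache.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a "phone home" host's authoritative record; not a real name.
AUTHORITATIVE = {"phonehome.example.invalid": ("192.0.2.10", 3600)}  # name -> (IP, TTL seconds)
NAME = "phonehome.example.invalid"

@dataclass
class Resolver:
    local_net: ipaddress.IPv4Network          # the clients this resolver is meant to serve
    restrict_cache: bool = False               # mitigation: refuse cache lookups from outside
    now: int = 0                               # simulated clock, in seconds
    cache: dict = field(default_factory=dict)  # name -> (IP, original TTL, time cached)

    def resolve(self, client: str, name: str, recurse: bool = True):
        """Return (rcode, ip, ttl_remaining). recurse=False models a query with the
        RD bit clear, which asks only what the cache already holds."""
        outside = ipaddress.ip_address(client) not in self.local_net
        if outside and (recurse or self.restrict_cache):
            return ("REFUSED", None, None)     # like BIND's allow-recursion / allow-query-cache
        if name in self.cache:
            ip, ttl, cached_at = self.cache[name]
            remaining = ttl - (self.now - cached_at)
            if remaining > 0:
                return ("NOERROR", ip, remaining)
            del self.cache[name]               # past its time-to-live: forget it
        if not recurse:
            return ("NOERROR", None, None)     # cache miss and no recursion: empty answer
        if name not in AUTHORITATIVE:
            return ("NXDOMAIN", None, None)
        ip, ttl = AUTHORITATIVE[name]
        self.cache[name] = (ip, ttl, self.now)
        return ("NOERROR", ip, ttl)

def probe(resolver: Resolver, name: str):
    """One non-recursive query from outside: was the name looked up within its TTL, and when?"""
    rcode, ip, remaining = resolver.resolve("203.0.113.5", name, recurse=False)
    if rcode != "NOERROR" or ip is None:
        return None
    # The original TTL is public (the authoritative server hands it out), so the
    # decremented value in the cache dates the first lookup.
    return {"ip": ip, "looked_up_at": resolver.now - (AUTHORITATIVE[name][1] - remaining)}

def scenario(restrict_cache: bool):
    """An infected local machine phones home at t=100; probes run at t=0 and t=1000."""
    r = Resolver(ipaddress.ip_network("10.0.0.0/8"), restrict_cache=restrict_cache)
    before = probe(r, NAME)
    r.now = 100
    r.resolve("10.1.2.3", NAME)                # the infected machine's normal recursive lookup
    r.now = 1000
    return before, probe(r, NAME)
```

Run `scenario(False)` and `scenario(True)` to compare: with the cache open, the second probe reports the address and dates the lookup to t=100 from the decremented TTL; with `restrict_cache` on, both probes are refused and the observer learns nothing.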
His result? “At least 568,200 nameservers have witnessed DNS queries
related to the rootkit.” (It is difficult to translate this directly
into a number of infected machines, because many desktop computers may
use the same nameserver. On the other hand, more than one nameserver
may cache a record as a result of a single query. The former
consideration suggests that this number is too low as an estimate of
infected machines, whereas the latter consideration suggests that it is
too high.) Dan Kaminsky has produced an extremely striking picture
of the geographic extent of rootkit-related DNS traffic. It's pretty,
but it's also scary. Each infected machine is vulnerable to several
security threats (including new vulnerabilities reported today by Internet Security Systems), and Ed Felten and Alex Halderman have discovered that using Sony's uninstaller only makes the security problems worse!
Wired News reports that the affected networks “includ[e] military and government sites”.