Sony BMG will have a big job ahead of it as it tries to replace all copies of controversial copy protection software, according to a computer security expert, who says that he has evidence there are more than 500,000 versions of the program installed worldwide.
Dan Kaminsky, an independent security researcher, discovered evidence that so-called “rootkit” style stealth programs developed by U.K. firm First 4 Internet Ltd. and used by Sony while conducting an audit of the DNS (Domain Name System) infrastructure. Sony BMG has declined past requests to comment on the number of systems that run the software, known as XCP. However, Kaminsky’s figures, if true, suggest that the software, which shipped on CDs by just 20 Sony BMG artists, has already been distributed and installed widely around the world.
More than 200,000 copies of the program are installed on computers in Japan, with around 130,000 running on computers in the United States. The United Kingdom has about 44,000 copies of the program installed, Kaminsky’s research shows.
Netherlands and Spain both have more than 27,000 copies of the program running, followed by Korea, Peru, France, Australia and Switzerland with between 12,000 and 8,000 installations.
Kaminsky, who is known for his novel security research on core Internet components like the TCP/IP communications protocol, identified systems running the copy protection software from First 4 Internet using a technique called “DNS cache sniffing.” Kaminsky searched through the saved (or “cached”) DNS requests submitted to a large number of the world’s publicly accessible DNS servers and looked for requests for domains associated with the XCP software, such as update.xcp-aurora.com and connected.sonymusic.com.
Kaminsky used a database of around three million DNS name servers he had compiled for unrelated research into security vulnerabilities in the DNS system.
The search turned up almost one million references to the XCP and Sony domains. Kaminsky weeded out duplicate or forwarded requests from that number and narrowed the list down to 568,000 requests from unique IP addresses on the Internet.
He used geolocation software to associate the IP address of the machine running the XCP software to particular countries, he said.