Saturday, November 19, 2005

Sony Rootkit Global Infection Maps

Dan Kaminsky at Doxpara Research is probing the extent of the SONY rootkit problem using cache-snooping techniques and has discovered 568,200 name servers with cached DNS queries related to the rootkit. When the Sony software installed on a computer attempts to contact the mother ship, it has to phone home via a Domain Name Server query. The query resides in the cache of the name server that handled it. Along comes Mr. Kaminsky who tickles the cache, asks it if it has witnessed any queries related to the rootkit, and, Presto!

The really cool thing is the series of global maps Kaminsky has generated by geolocating the server IP data. The maps graphically show the extent of the infection worldwide. The most recent set of maps for the US, Europe, and Japan are here. has a nice overview on the continuing saga.

tags: , , , ,

No comments: