Sony: >500,000 systems compromised? (fwd)

["David J. Farber" <dave () farber net>]

===== Forwarded message from Jonathan Corbet <corbet () killermarmot com> =====

\From: Jonathan Corbet <corbet () killermarmot com>
To: dave () farber net
Subject: Sony: >500,000 systems compromised?
Date: Tue, 15 Nov 2005 17:08:32 -0700

 From http://www.doxpara.com/?q=sony:

> Sony.
>
> Sony has a rootkit.
>
> The rootkit phones home.
>
> Phoning home requires a DNS query.
>
> DNS queries are cached.
>
> Caches are externally testable (great paper, Luis!), provided you have a
> list of all the name servers out there.
>
> It just so happens I have such a list, from the audits I've been running
> from http://deluvian.doxpara.com .
>
> So what did I find?
>
> Much, much more than I expected.
>
> It now appears that at least 568,200 nameservers have witnessed DNS
> queries related to the rootkit.

More on the site, including wild graphics showing the locations of infected
systems.  Food for the class-action lawyers.

jon


===== End forwarded message =====

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/