This page contains all of the posts and discussion on MemeStreams referencing the following web page: Kaminsky Analysis of Sony Rootkit traffic.

Kaminsky Analysis of Sony Rootkit traffic
by Elonka at 1:17 pm EST, Nov 15, 2005

Sony.

Sony has a rootkit.

The rootkit phones home.

Phoning home requires a DNS query.

DNS queries are cached.

Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.

It just so happens I have such a list, from the audits I've been running from http://deluvian.doxpara.com .

So what did I find?

Much, much more than I expected.

It now appears that at least 568,200 nameservers have witnessed DNS queries related to the rootkit. How many hosts does this correspond to? Only Sony (and First4Internet) knows...unsurprisingly, they are not particularly communicative. But at that scale, it doesn't take much to make this a multi-million host, worm-scale Incident. The process of discovering this has led to some significant advances in the art of cache snooping. Here are some of the factors I've dealt with . . .

Interesting data, courtesy of Dan Kaminsky.
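The technique the quoted post walks through (phone-home hostname, cached DNS answer, cache externally testable) is a DNS cache snoop: send a resolver a query with the RD (recursion desired) bit cleared, so it may only answer from what it already holds, and read the answer section. An added example, not code from Kaminsky's post or from his deluvian.doxpara.com audit tooling: the hostname phone-home.example.net, the assumed zone TTL of 3600 seconds and the three reply byte strings are constructed stand-ins, since the page does not name the real hostname or TTL.

```python
import random
import socket
import struct


def build_query(name, qtype=1, rd=False):
    """Build a DNS query packet. rd=False clears the RD bit, so a well-behaved
    resolver answers only from its cache instead of fetching the record."""
    txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000            # bit 8 of the flags word is RD
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)   # class IN


def _read_name(msg, off):
    """Decode a (possibly compressed) name starting at msg[off]; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Parse header, question and answer sections of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x80), "answers": answers}


def snoop_verdict(reply, zone_ttl=None):
    """Classify a non-recursive reply: ('cached', seconds_since_cached) when the
    answer section is populated, ('not-cached', None) for an empty NOERROR/NXDOMAIN,
    ('refused', None) when the server declines non-recursive queries.
    The age estimate assumes zone_ttl is the authoritative TTL (an assumption)."""
    r = parse_response(reply)
    if r["rcode"] == 5:
        return ("refused", None)
    if r["rcode"] != 0 or not r["answers"]:
        return ("not-cached", None)
    ttl = min(a[2] for a in r["answers"])        # cached TTLs count down from the zone TTL
    age = None if zone_ttl is None else max(zone_ttl - ttl, 0)
    return ("cached", age)


def probe(server, name, timeout=2.0):
    """Send one RD=0 query to `server` over UDP and return the raw reply (network I/O)."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if struct.unpack(">H", reply[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return reply


# Constructed sample replies (hostname and TTL are assumptions, not the real rootkit's).
QUESTION = b"\x0aphone-home\x07example\x03net\x00\x00\x01\x00\x01"
CACHED_REPLY = (b"\x12\x34\x80\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUESTION
                + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0b\xb8\x00\x04\x0a\x00\x00\x01")
                # answer: name pointer to offset 12, A, IN, TTL 3000, rdata 10.0.0.1
EMPTY_REPLY = b"\x12\x34\x80\x80\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION   # NOERROR, no answers
REFUSED_REPLY = b"\x12\x34\x80\x05\x00\x01\x00\x00\x00\x00\x00\x00" + QUESTION  # rcode 5 REFUSED

if __name__ == "__main__":
    for label, reply in (("cached", CACHED_REPLY), ("empty", EMPTY_REPLY), ("refused", REFUSED_REPLY)):
        print(label, snoop_verdict(reply, zone_ttl=3600))
```

Two caveats a practitioner would want before scaling this across a server list the way the post describes: a resolver that ignores RD=0 and recurses anyway returns a fresh record with TTL equal to the zone TTL (the age estimate comes out as 0), and that probe itself populates its cache, so every later snoop of that server reports a false "cached"; and a REFUSED reply says nothing about the cache, so such servers are unknowns, not negatives, when counting "nameservers that have witnessed" the query.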


Kaminsky Analysis of Sony Rootkit traffic
by Decius at 5:06 pm EST, Nov 15, 2005

Sony.

Sony has a rootkit.

The rootkit phones home.

Phoning home requires a DNS query.

DNS queries are cached.

Caches are externally testable (great paper, Luis!), provided you have a list of all the name servers out there.

Nice pictures of worldwide distribution of the rootkit.

