I've stayed out of the whole Sony DRM affair because I felt Windows guru Mark Russinovich has forgotten more about Windows internals than I will ever know. I try to avoid commenting on issues out of my league, and Windows rootkits are generally not something I know how to analyze at the host level.
However, today I learned of a Wired story that incorporates new Dan Kaminski research. Dan has provided a conservative estimate of the number of systems on which the Sony DRM software is installed, based on Luis Grangeia's cache snooping methodology.
Essentially Dan used his Deluvian Scanning Platform -- DoxPara Infrastructure Validation Project (DIVP) to ask name servers if they had cached results for the hosts associated with Sony's DRM. For example, in the following I query a name server to see if it knows how to resolve www.bejtlich.net. The key is to tell the name server not to perform recursion; if the name server can't answer my request on its own, it has to report the authoritative name servers for .net:
orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29658
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;www.bejtlich.net. IN A
;; AUTHORITY SECTION:
net. 44802 IN NS k.gtld-servers.net.
net. 44802 IN NS l.gtld-servers.net.
net. 44802 IN NS m.gtld-servers.net.
net. 44802 IN NS a.gtld-servers.net.
net. 44802 IN NS c.gtld-servers.net.
net. 44802 IN NS d.gtld-servers.net.
net. 44802 IN NS e.gtld-servers.net.
net. 44802 IN NS f.gtld-servers.net.
net. 44802 IN NS g.gtld-servers.net.
net. 44802 IN NS h.gtld-servers.net.
net. 44802 IN NS i.gtld-servers.net.
net. 44802 IN NS j.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 155541 IN A 192.5.6.30
a.gtld-servers.net. 159964 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 156332 IN A 192.33.14.30
b.gtld-servers.net. 159476 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 156283 IN A 192.26.92.30
d.gtld-servers.net. 156283 IN A 192.31.80.30
e.gtld-servers.net. 156283 IN A 192.12.94.30
f.gtld-servers.net. 156283 IN A 192.35.51.30
g.gtld-servers.net. 156283 IN A 192.42.93.30
h.gtld-servers.net. 156283 IN A 192.54.112.30
i.gtld-servers.net. 156299 IN A 192.43.172.30
j.gtld-servers.net. 156299 IN A 192.48.79.30
k.gtld-servers.net. 156299 IN A 192.52.178.30
l.gtld-servers.net. 156299 IN A 192.41.162.30
;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:12:49 2005
;; MSG SIZE rcvd: 503
As you can see, kis.visi.com did not know how to resolve www.bejtlich.net, so it gave the .net generic top level domain server list.
Next I ask kis.visi.com to resolve www.bejtlich.net, but I just use the host command and I allow kis.visi.com to ask a name server that knows how to resolve www.bejtlich.net:
orr:/home/richard$ host www.bejtlich.net kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
www.bejtlich.net has address 66.93.110.10
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
I get a response -- www.bejtlich.net is 66.93.110.10. Now when I use dig again and specify no recursion, kis.visi.com responds with the IP -- it has been cached.
orr:/home/richard$ dig @kis.visi.com www.bejtlich.net A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.bejtlich.net A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42310
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.bejtlich.net. IN A
;; ANSWER SECTION:
www.bejtlich.net. 7194 IN A 66.93.110.10
;; AUTHORITY SECTION:
bejtlich.net. 7194 IN NS ns18.zoneedit.com.
bejtlich.net. 7194 IN NS ns8.zoneedit.com.
;; ADDITIONAL SECTION:
ns8.zoneedit.com. 704 IN A 206.55.124.4
ns18.zoneedit.com. 384 IN A 72.9.106.68
;; Query time: 49 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:13:20 2005
;; MSG SIZE rcvd: 131
Dan used this technique to ask as many name servers as possible to resolve connected.sonymusic.com, updates.xcp-aurora.com and license.suncom2.com. When I asked the kis.visi.com name server about connected.sonymusic.com, I got these results:
orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10447
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;connected.sonymusic.com. IN A
;; AUTHORITY SECTION:
sonymusic.com. 1255 IN NS udns2.ultradns.net.
sonymusic.com. 1255 IN NS udns1.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 155728 IN A 204.69.234.1
udns2.ultradns.net. 155944 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 16:29:38 2005
;; MSG SIZE rcvd: 125
This means some system has asked kis.visi.com to resolve an unspecified sonymusic.com host before I did. There is no result for connected.sonymusic.com, however. Compare that result with the following for www.sonymusic.com:
orr:/home/richard$ dig @kis.visi.com www.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com www.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37716
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.sonymusic.com. IN A
;; ANSWER SECTION:
www.sonymusic.com. 211 IN A 64.14.39.200
;; AUTHORITY SECTION:
sonymusic.com. 211 IN NS udns2.ultradns.net.
sonymusic.com. 211 IN NS udns1.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 147104 IN A 204.69.234.1
udns2.ultradns.net. 147320 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:53:23 2005
;; MSG SIZE rcvd: 135
Notice the answer?
Next I try querying for connected.sonymusic.com, and we check the dig results again:
orr:/home/richard$ host connected.sonymusic.com kis.visi.com
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
connected.sonymusic.com has address 64.14.39.158
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
Using domain server:
Name: kis.visi.com
Address: 209.98.98.98#53
Aliases:
orr:/home/richard$ dig @kis.visi.com connected.sonymusic.com A +norecurse
; <<>> DiG 9.3.1 <<>> @kis.visi.com connected.sonymusic.com A +norecurse
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 284
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;connected.sonymusic.com. IN A
;; ANSWER SECTION:
connected.sonymusic.com. 3592 IN A 64.14.39.158
;; AUTHORITY SECTION:
sonymusic.com. 87 IN NS udns1.ultradns.net.
sonymusic.com. 87 IN NS udns2.ultradns.net.
;; ADDITIONAL SECTION:
udns1.ultradns.net. 146980 IN A 204.69.234.1
udns2.ultradns.net. 147196 IN A 204.74.101.1
;; Query time: 53 msec
;; SERVER: 209.98.98.98#53(209.98.98.98)
;; WHEN: Tue Nov 15 18:55:26 2005
;; MSG SIZE rcvd: 141
The other two domains returned the gtld name servers. That means no one else asked kis.visi.com about those domains or hostnames recently.
Nice work Dan -- cool stuff.
0 komentar:
Posting Komentar