New images from the Sony Rootkit Research front:
Red signifies evidence of First4Internet accesses; Green signifies accesses to Sony’s enhanced CD site (included with the rootkit, but also elsewhere). Most links are yellow, though: Over 3/4ths of networks found resolving Sony during the sampling period also resolved First4Internet. The geographic evidence lines up pretty nicely as well (Sony | F4I).
What does this signify? Interesting question. Originally, it appeared that the rootkit itself issued queries against First4Internet. It may, it may not, we’re not entirely sure yet. Yet First4Internet exhibits remarkably high popularity, weeks into the controversy, for a site not automatically connected to. I suppose it cannot be too surprising to see high correlation between names exhibiting potential for infection and names implying desire for disinfection/uninstall, but I’d like to know more. Ultimately, as I have said from the start — I simply do not have enough information to determine/imply/”guesstimate” how many hosts have been compromised.
Only Sony does.