Wednesday, 16 November 2005
Maddin, 16 November 2005 at 12:05:23 CET

Using DNS queries to estimate backdoor propagation

A backdoor that tries to phone home usually uses DNS queries to locate the host it should report to. These DNS queries are cached by the DNS server for some time. Dan Kaminsky uses this behaviour to estimate the number of PCs that are infected by Sony’s DRM rootkit (he found more than 500.000 DNS servers that received a query related to the rootkit, leading to a conservative estimate that the number of infected PCs is in the millions).

The image shows the distribution of the located DNS servers in Europe (click here for larger maps: USA, Asia, Europe).

The more I learn about DNS, the more I am intrigued by this often overlooked protocol.

Oh - Sony’s uninstaller leaves the PC even more open to further attacks.
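An added example (not from the original post and not Kaminsky's own tooling) of the cache check this estimate relies on: a query sent with the recursion-desired bit cleared is normally answered from the resolver's cache only, so an answer means a client behind that resolver looked the name up recently. The hostname and both sample responses are constructed placeholders, since the post does not name the rootkit's hostnames.

```python
import socket
import struct

NAME = "phone-home.example"   # placeholder; the post names no hostnames

def build_query(name, txid=0x1234):
    """A-record query with RD=0, so a resolver answers from its cache only."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # a compression pointer ends the name
            return off + 2
        off += n + 1

def cached_ttl(response):
    """Remaining TTL of the first answer, or None if nothing was cached."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000 or flags & 0x000F or an == 0:
        return None               # not a response, error RCODE, or no answer
    off = 12
    for _ in range(qd):           # skip each question: name + type + class
        off = _skip_name(response, off) + 4
    off = _skip_name(response, off)
    _, _, ttl, _ = struct.unpack("!HHIH", response[off:off + 10])
    return ttl

def probe(resolver_ip, name=NAME, timeout=2.0):
    """Ask one resolver (one you operate) whether name is in its cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver_ip, 53))
        return cached_ttl(s.recvfrom(512)[0])

# Constructed sample responses (not captured traffic): QR=1, RA=1
_Q = build_query(NAME)[12:]
HIT = (struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 1, 0, 0) + _Q + b"\xc0\x0c"
       + struct.pack("!HHIH", 1, 1, 2710, 4) + bytes([192, 0, 2, 10]))
MISS = struct.pack("!HHHHHH", 0x1234, 0x8080, 1, 0, 0, 0) + _Q

if __name__ == "__main__":
    print("hit :", cached_ttl(HIT))    # cached entry, remaining TTL in seconds
    print("miss:", cached_ttl(MISS))   # nothing cached
```

Subtracting the remaining TTL from the TTL the authoritative server hands out gives roughly how long ago the name was first looked up through that resolver.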