First Trojan using Sony DRM spotted
Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs.
Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.
"This means that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.
The malware arrives attached to an email which pretends to come from a reputable business magazine, asking the recipient to verify his or her "picture" to be used for the December issue. If the malicious payload contained in this email is executed, the Trojan installs an IRC backdoor on the affected Windows system.
Romanian anti-virus firm BitDefender confirms that the malware is in the wild but a full technical analysis of the Trojan is yet to be completed. The response of anti-virus firms, some of which have only promised to flag up rather than block system changes made by Sony-BMG's rootkit, remains unclear. ®
Iain Thomson and Tom Sanders, vnunet.com 10 Nov 2005
Virus writers have already started to exploit Sony's controversial digital rights management software, which uses a rootkit to hide the code and ensure that the CDs are not copied.
A new Trojan, Troj/Stinx-E, has been mass-mailed to UK email addresses. The worm is a variant of what McAfee referred to as the Brepibot virus, which was first discovered in April this year. BitDefender calls the new worm Backdoor IRC Snyd A and F-Secure calls it Breplibot.B.
The new version has been altered to exploit a feature in the XCP digital rights management technology for Windows systems that comes bundled with several audio CDs from the Sony BMG record label. The software automatically installs the first time a user tries to play such an audio CD in the computer's CD-ROM drive.
In addition to the digital rights management technology, the CD also installs a so-called rootkit that hides files from the user and the system, including anti-virus software. Security experts have argued that it is extremely poorly engineered and that worm authors can exploit it by simply placing the characters "$sys$" in front of a file name.
The new variant of the Stinx trojan tries to do exactly that.
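As an added illustration, not code from either article, from Sony, First 4 Internet or any of the vendors quoted, the Python below models the "$sys$" prefix cloak described in this paragraph and in the first article, and the cross-view comparison that utilities such as RootkitRevealer rely on to expose it: list the same directory through the (hooked) API and through an independent path, and anything present only in the independent view is being hidden. The hook model (`hooked_listing`), the exact-prefix match, and every file name other than "$sys$drv.exe" are assumptions made for the example.

```python
"""Model of the XCP "$sys$" cloak and a cross-view check that exposes it.

Added example; not code from the articles or from the DRM vendor.
"""
import os
import tempfile

# XCP hides every file, directory, registry key and process whose name
# begins with this prefix (as the articles describe). Exact, case-sensitive
# prefix matching is an assumption of this model.
CLOAK_PREFIX = "$sys$"


def hooked_listing(names):
    """Model of the rootkit's patched directory enumeration: entries with
    the magic prefix are dropped before the caller ever sees them."""
    return [n for n in names if not n.startswith(CLOAK_PREFIX)]


def cross_view_diff(api_view, raw_view):
    """Cross-view detection in the style of RootkitRevealer: compare what
    the (possibly hooked) API reports with an independent view of the same
    directory. Anything present only in the raw view is being cloaked."""
    return sorted(set(raw_view) - set(api_view))


def cloak_prefixed_names(names):
    """On a view the hook never filtered, the prefix itself is the
    indicator: legitimate software has no reason to use it."""
    return sorted(n for n in names if n.startswith(CLOAK_PREFIX))


def scan_directory(path, api_listing=hooked_listing):
    """Return (hidden_entries, prefixed_entries) for one directory.

    raw view: os.listdir, standing in for a raw on-disk read.
    api view: the same listing passed through the hook model, standing in
    for the enumeration path the rootkit patches on a real system.
    """
    raw_view = os.listdir(path)
    api_view = api_listing(raw_view)
    return cross_view_diff(api_view, raw_view), cloak_prefixed_names(raw_view)


def demo():
    """Build a constructed 'system directory' and scan it."""
    with tempfile.TemporaryDirectory() as sysdir:
        # "$sys$drv.exe" is the dropper name reported in the article; the
        # other names are constructed sample data for this example.
        for name in ["kernel32.dll", "$sys$drv.exe", "$sys$sample.dat", "notepad.exe"]:
            with open(os.path.join(sysdir, name), "w") as fh:
                fh.write("sample\n")
        hidden, prefixed = scan_directory(sysdir)
        # What a plain listing shows while the cloak is active.
        visible = sorted(hooked_listing(os.listdir(sysdir)))
        return {"hidden": hidden, "prefixed": prefixed, "visible": visible}


if __name__ == "__main__":
    print(demo())
```

On a real infected machine the two views have to come from genuinely different layers (the normal Win32 enumeration versus a raw read of the volume, or a listing taken after booting from clean media); a listing taken twice through the same hooked API, as a naive scanner would do, never shows the discrepancy, which is exactly why the dropped file "will not be found in any process and file listing".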
"Sony started off with the right intentions but did not recognise the implications of what it was doing," said Graham Cluley, senior technology consultant at Sophos.
"We've had companies calling up all day asking what to do with this. We feel sorry for the musicians; if you look on Amazon right now reviewers are telling people not to buy the album, not because of the music but because of the copy protection.
Systems that don't have the Sony rootkit installed have little to fear as their existing anti-virus software is likely to spot and smother the threat. Sony has shipped about 2 million audio CDs with the XCP technology. There is no data to determine how many of those have been used on Windows computers, but the limited number of shipped CDs caused McAfee to rate the trojan's threat level as "low".
In theory the rootkit should help the worm dodge detection by virus-scanning software, but the worm's authors have made several design errors that will prevent it from causing any real harm, said anti-virus provider F-Secure.
"If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error," said F-Secure's Mika Pehkonen.
Sony has always maintained that its DRM technology is harmless and, despite widespread criticism from the security community, claims that it doesn't have any security risks associated with it. Vnunet.com was unable to reach the firm. Its media relations department doesn't answer the phone and the number's voicemail box has been disabled.
This worm however proves the record label wrong. "This is a very good example of why software should not use rootkit hiding techniques," said Pehkonen.
Sophos has promised to issue a tool later today which will permanently disable the Sony copy protection software and allow antivirus engines to delete the malware.
Cluley stressed that Sophos will support the technology when Sony comes up with a copy protection system that does not leave such a "massive backdoor" on users' machines.
Other companies have also reacted against the Sony DRM software. Computer Associates has blacklisted the code, which it defines as a Trojan horse, and computer experts have also been highly critical of the software.
The DRM code was developed for Sony by UK firm First 4 Internet.
Silenus said: That's good to hear.
Hope that other countries do the same.
Does that mean you guys tolerate Starforce on your systems but not Sony's XCP?
Actually no, we still hate it, but it's not as bad most of the time and it is easily removable compared to XCP.
Hard core Rikki said: Surely SONY isn't the only company doing this. It only got our attention because we're expecting their PS3.
Shouldn't we somehow keep in mind that SONY is a huge corporation with lots of different branches? I mean, I don't think that Sony Computer Entertainment International/Japan/America/Europe has anything to do with SONY-Music/Sony-BMG/Sony-Whatever. Of course, I share your opinion that Sony developed the PlayStation, but too many people seem to think that the name SONY means that those two entirely different cogs in the system were connected in any way.
If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
LMFAO!!!! If somebody "burgles" my home and steals my DRM-infested Sony CD and NOT my computer, there is something seriously wrong with the burglar, and my first worry would not be needing to delete those files off my hard drive!
Jldnr77 said: LMFAO!!!! If somebody "burgles" my home and steals my DRM-infested Sony CD and NOT my computer, there is something seriously wrong with the burglar, and my first worry would not be needing to delete those files off my hard drive!
Yaaaaa, I am going to post some of the other stupid things that the EULA states.
Electronic Frontier Foundation said:
1. If your house gets burgled, you have to delete all your music from your laptop when you get home. That's because the EULA says that your rights to any copies terminate as soon as you no longer possess the original CD.
2. You can't keep your music on any computers at work. The EULA only gives you the right to put copies on a "personal home computer system owned by you."
3. If you move out of the country, you have to delete all your music. The EULA specifically forbids "export" outside the country where you reside.
4. You must install any and all updates, or else lose the music on your computer. The EULA immediately terminates if you fail to install any update. No more holding out on those hobble-ware downgrades masquerading as updates.
5. Sony-BMG can install and use backdoors in the copy protection software or media player to "enforce their rights" against you, at any time, without notice. And Sony-BMG disclaims any liability if this "self help" crashes your computer, exposes you to security risks, or any other harm.
6. The EULA says Sony-BMG will never be liable to you for more than $5.00. That's right, no matter what happens, you can't even get back what you paid for the CD.
7. If you file for bankruptcy, you have to delete all the music on your computer. Seriously.
8. You have no right to transfer the music on your computer, even along with the original CD.
9. Forget about using the music as a soundtrack for your latest family photo slideshow, or mash-ups, or sampling. The EULA forbids changing, altering, or making derivative works from the music on your computer.
-----------------------------------
F-3582 said: Shouldn't we somehow keep in mind that SONY is a huge corporation with lots of different branches? I mean, I don't think that Sony Computer Entertainment International/Japan/America/Europe has anything to do with SONY-Music/Sony-BMG/Sony-Whatever. Of course, I share your opinion that Sony developed the PlayStation, but too many people seem to think that the name SONY means that those two entirely different cogs in the system were connected in any way.
It's like comparing Budweiser and Budweiser.