Virus targets SonyBMG rootkit DRM

10 Nov 2005

New Trojan programmed to don the magic cloak in Sony's DRM technology and disappear from view

Security researchers' worst fears have been realised as the first instance of a virus taking advantage of the rootkit DRM technology in some SonyBMG copy-protected CDs has been discovered.

Sophos says that the Trojan known as Stinx-E uses the Sony DRM rootkit to make itself invisible through the file $sys$drv.exe. However, this does not mean that in not having the Sony DRM installed you are immune to infection.

The rootkit makes all files beginning with '$sys$' invisible, and Sophos' senior antivirus consultant Graham Cluley described it as 'particularly troublesome'. He told us that antivirus software will detect the file when it is first run if it has already been updated to look out for it. But out of date antivirus software won't detect the virus at that point, and once the virus is installed, won't be able to see it at all.

Despite the fact that the Sony DRM in question is available on US CDs, it is possible to get them in the UK from the likes of Amazon. Curiously, the Trojan appears to be targetting the UK specifically. Cluley said that Sophos' research centres across the globe were aware of the new Trojan but had yet to encounter it.

'There's a peculiarly British angle to this one in that it pretends to come from an organisation called Total Business Monthly and refers to the website totalbusiness.co.uk,' he said.

He said that while the Trojan appears to be out there in numbers, Sophos has yet to receive any reports of infection. 'We've had reports from a few large companies that have received the virus, but fortunately it seems they had the good sense to quarantine it.'

The Trojan arrives in an email with attached files with names such as Article+Photos.exe, subjects such as 'Photo Approval Required' and the following message:

'Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.

Kind regards,

Jamie Andrews

Editor

www.TotalBusiness.co.uk

**********************************************

The Professional Development Institute

**********************************************'

If the recipient opens the attachment, the Trojan will attempt to copy the file $sys$drv.exe onto the hard drive where the Sony rootkit, if present, will render it invisible. The Trojan opens a backdoor onto the computer allowing remote control over the machine through IRC channels. The backdoor allows an attacker to delete, execute, and download files on the target machine. It also attempts to bypass the Windows Firewall.

The DRM technology the Trojan takes advantage of is included in a number of SonyBMG CDs and was first discovered by IT researchers when it turned up on a computer that was scanned for rootkits - a form of malware that talks directly to operating systems at a low-level and is invisible through Windows, and thus to other programs.

Further research showed that any file beginning with '$sys$' would also be cloaked by the Sony rootkit used to hide its DRM technology.

The company that developed the technology for Sony has since updated its software and removed the rootkit element, but that update may take sometime to make it to CDs on sale. It has also released patches to antivirus companies, but again this depends on end users updating their software.

Read more

News