Virus targets SonyBMG rootkit DRM
By Matt Whipp
Posted on 10 Nov 2005 at 14:01
Security researchers' worst fears have been realised as the first instance of a virus taking advantage of the rootkit DRM technology in some SonyBMG copy-protected CDs has been discovered.
Sophos says that the Trojan known as Stinx-E uses the Sony DRM rootkit to make itself invisible through the file $sys$drv.exe. However, this does not mean that in not having the Sony DRM installed you are immune to infection.
The rootkit makes all files beginning with '$sys$' invisible, and Sophos' senior antivirus consultant Graham Cluley described it as 'particularly troublesome'. He told us that antivirus software will detect the file when it is first run if it has already been updated to look out for it. But out of date antivirus software won't detect the virus at that point, and once the virus is installed, won't be able to see it at all.
Despite the fact that the Sony DRM in question is available on US CDs, it is possible to get them in the UK from the likes of Amazon. Curiously, the Trojan appears to be targetting the UK specifically. Cluley said that Sophos' research centres across the globe were aware of the new Trojan but had yet to encounter it.
'There's a peculiarly British angle to this one in that it pretends to come from an organisation called Total Business Monthly and refers to the website totalbusiness.co.uk,' he said.
He said that while the Trojan appears to be out there in numbers, Sophos has yet to receive any reports of infection. 'We've had reports from a few large companies that have received the virus, but fortunately it seems they had the good sense to quarantine it.'
The Trojan arrives in an email with attached files with names such as Article+Photos.exe, subjects such as 'Photo Approval Required' and the following message:
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
The Professional Development Institute
If the recipient opens the attachment, the Trojan will attempt to copy the file $sys$drv.exe onto the hard drive where the Sony rootkit, if present, will render it invisible. The Trojan opens a backdoor onto the computer allowing remote control over the machine through IRC channels. The backdoor allows an attacker to delete, execute, and download files on the target machine. It also attempts to bypass the Windows Firewall.
The DRM technology the Trojan takes advantage of is included in a number of SonyBMG CDs and was first discovered by IT researchers when it turned up on a computer that was scanned for rootkits - a form of malware that talks directly to operating systems at a low-level and is invisible through Windows, and thus to other programs.
Further research showed that any file beginning with '$sys$' would also be cloaked by the Sony rootkit used to hide its DRM technology.
The company that developed the technology for Sony has since updated its software and removed the rootkit element, but that update may take sometime to make it to CDs on sale. It has also released patches to antivirus companies, but again this depends on end users updating their software.
- Google Glass: mugger bait, pub problem and other lessons learned from two dangerous weeks
- Twitter, please don't fiddle with my feed
- How Satya Nadella can get some pay-raise karma
- Windows 10: a step back to go forward
- Michael Dell: Cloud infrastructure is the roads, bridges and highways of the 21st century
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords