Trojan Using Sony DRM Rootkit Spotted

Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazing requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."

Boycott Sony

[Winckle]

I reccomend voting with our wallets, and not purchasing Sony/BMG products. Also see here

Also here is the company that created the DRM technology.

Really easy test to see if you're vulnerable

[HMC+CS+Major]

Since there was some confusion about how you can tell if this rootkit is installed, remember that it hides files beginning with '$sys$' -

1) If you're not using windows, you're fine.
2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.

If the file is gone, you're vulnerable.

Back again to Windows Security

[Tibor+the+Hun]

Can anyone explain if this rootkit prompts for a password when installing (during the autorun, I presume)

As an OS X user, I'd find it slightly odd that my music CD is prompting me for an administrative password.

But to stay on topic, I'm sure this is but one of the many exploits that will be based on this rootkit.
Does anyone have a comprehensive list of CDs that install it, and is it true that Sony has been using it since April?

Re:Back again to Windows Security

[danrik]

No, because 99.975% of Windows users run as super users.

On OS X, accounts marked as Administrators are really regular users who happen to have sudo powers, so you have to type in your password.

Re:Back again to Windows Security

[NSObject]

It looks like there's an OS X version as well, but from a different source. Here's a reader comment from macintouch.com...

Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.

Sony's actions recently mean they've lost my money

[hattig]

I don't know if they are selling these DRM encrusted music discs in the UK, but if they are, each and every one of them will be breaching the 1990 Computer Misuse Act, and in a way that the act does cover - namely it alters the system without your approval or knowledge. What is doubly sad is that the software was written by a British company. Still, makes it easier to sue them.

Secondly, does this rootkit install even if you are logged in as a normal Windows user, not Administrator? That suggests a security hole in Windows. However I suspect the issue is Windows making users Administrator by default, which is a really dumb system, security wise.

sony vs. microsoft

[doyoulikegoatseeee]

so does this at all put sony in hotwater with microsoft legally? perhaps this rootkit, trojan email or not, violates the windows eula.

Lawsuits if this thing DDoSes the net

[G4from128k]

I've often wondered if non-users of product X can sue the maker of product X if said product causes a major disruption of the internet.

If someone creates a worm that exploits a negligent design flaw in Sony's DRM or Microsoft Windows, then couldn't the affected sue Sony or Microsoft? This would include non-users of these products whose internet usage was disrupted. And as someone who does NOT use DRMed Sony CDs or Microsoft Windows, I have NOT agreed to these company's EULAs with all their legalese of limited liability. Thus non-users may have more rights to sue than users of these products.

IANAL. Any thoughts?

Infected with DRM

[saskboy]

Here's the Slashdot crowd's chance to get the phrase invented by a Slashdotter out in the public eye. It's important that the public learn that DRM is a bad thing, and this is simply one way to tell them plainly how it is bad. DRM breaks their computer, or makes their life more difficult.

"Infected with DRM"
        Sony's rootkit has also been linked to Windows crashes, which isn't surprising to me. Most spyware causes instability in Windows because it is poorly written and designed to break parts of Windows to protect itself from removal. Sony writes, "This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."
The incongruence of their words, is not startling to me, as they are playing a PR game to hide the fact that they messed up people's computers, and made them vulnerable to an attack that hasn't gained popularity yet, but now surely will. Virus writers will be able to easily hide their virus files using programs like Sony's cloaking DRM. Sony is lying that their cloaking DRM does not compromise security of an infected computer.
http://www.informationweek.com/story/showArticle.j html?articleID=173601122

Re:Jobseekers rejoice!

[Fx.Dr]

Does this now mean that Sony is open to criminal negligence lawsuits as well?

Re:On what platforms does Sony DRM rootkit work?

[dbc]

Yes, but, what OS's other than Microsoft products allow surf-by and auto-mount driver installs that diddle low level file system api's? Why is no one angry at Microsft about this Sony fiasco?

I'm thinking that outside of users that habitually surf and/or listen to music as root, that Linux and OS X users should be just a wee bit safer than the casual Windows user.

Sure, Linux can be rooted. Now, your homework assignment is to go burn me a disk with music on it that will root my Linux box merely by being inserted, and won't let me listen to the music until my box has been rooted. I like classical.

Re:Jobseekers rejoice!

[Lemmy+Caution]

Eh, that's a little "I was only following orders" for my blood.

If I'm working for a homicidal maniac and I build a gun for him, I'm not innocent when he goes on a rampage.

Werner Heisenberg claims that he sabotaged the Nazi atomic bomb effort. If that's true, this would have been a very different world if he had just decided to be a "good engineer." (Yes, Godwin, blah blah. I don't think it applies.)

A variant of that trojan ...

The sales manager at the company I work for recently received a variant of this worm, and after finding that the attachment "didn't do anything" forwarded it on to me to find out why. I extracted the attachment and analysed it in IDA and discovered that it connected to one of two IRC servers and joined a specific channel.

So posing as the trojan I logged onto the IRC channel. I idled there for a while watching the channel op send commands to the connected bots, and decided to have a go myself. The channel was +m but I could PRIVMSG the bots, and a bit more work in IDA revealed the command set - which contained an unload command. So I scripted my irc client to send a msg to every non-op in the channel with the command .. suddenly they all quit and the room was empty except for me and the op.

"OH SHIT" he typed. He was more shocked than anything, and then more curious than angry. We ended up having a rather long and interesting conversation about our respective jobs. He told about his bot network, what he uses them for (in the UK it's for harvesting email addresses, apparently), the ££ he gets for it - it's a full time job for him - and who writes most of the bot software (his partner.) He was no stereotypical teenage script kiddie either, more a computer professional turned to the 'dark side' of IT .. I felt quite akin to him in many ways.

All in all, it was fascinating. (Btw, our firewall blocked the trojan from connecting to IRC and it was fairly easily to remove from the sales manager's laptop)

antivirus vendors violate DMCA?

[jimbro2k]

IF antivirus vendors do start removing the sony rootkit, won't that qualify as circumvention of a copyright device and put them in clear violation of the DMCA? This just keeps getting better and better.

Re:antivirus vendors violate DMCA?

[PhoenixPath]

McAfee is the first. Detects, removes, *and* prevents re-installation.

See below:

http://www.betanews.com/article/Antivirus_Firms_Ta ke_On_Sony_DRM/1131641594

Remember Intuit's TurboTax debacle?

[sizzzzlerz]

Several years ago, Intuit infested your computer with their own DRM software when you installed their TurboTax software. Of course, the packaging said nothing about it but once it was discovered, the shit hit the fan. They first denied doing anything wrong, then when forced to admit that presence of this software, they insisted it did no harm to the owner's computer. Once again, their logic was that all buyers of the software were thieves and this was protecting their I.P.. Finally, when sales of the product dropped sufficiently, they provided a mechanism to remove said-DRM software, however, TurboTax would no longer run.

The following year, all traces of this were removed in the next version and, afaik, it has never returned. I, for one, however, haven't bought their product since and don't plan to ever buy from them again.

I guess Sony just wasn't paying attention.

Re:Fun with $sys$

[meringuoid]

Could it be?! Is "$sys$" the new "^H^H^H"?

Probably. Since the Sony Rootkit is the big story at the moment, this thread will get read by a lot of people. That post went to +5, and it's got Slashdot memeicity all over it.

I wouldn't use it as a straight drop-in replacement for ^H^H^H, though; that merely implies 'I nearly wrote this - whoops!' $sys$ conveys malevolence. So, for instance, if someone were to write

We must invade Iraq to look for oil^H^H^HWMD

would suggest that oil is at least part of the purpose of the invasion, and that it's just not diplomatic to mention it. A careless typo that reveals too much of what you're thinking. On the other hand

We must invade Iraq to look for $sys$oil WMD

would suggest that oil is the real purpose of the invasion, and that this is being deliberately hidden by a lot of bullshit about WMD. A subtext deliberately trojaned in and kept dark.

Use the $sys$ prefix in place of ^H^H^H to lend a nastier, more malevolent tone to what it is you're editing out.