Slashdot Mirror


Trojan Using Sony DRM Rootkit Spotted

Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazine requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."

34 of 597 comments

  1. Jobseekers rejoice! by Ooblek · · Score: 5, Funny

    It's just a rumor, but Sony should have some Engineering and Executive positions open in 3....2....1...

    1. Re:Jobseekers rejoice! by portwojc · · Score: 4, Insightful

It's not the engineers' fault. It's the ones that decided to put it out.

    2. Re:Jobseekers rejoice! by Daniel_Staal · · Score: 5, Insightful

      Remember: Sony didn't write the rootkit. They bought it from someone else.

      Now, the question is, what department thought it was a good idea? Sales and Marketing? Legal? Somebody had to think it was worth the money...

      --
      'Sensible' is a curse word.
    3. Re:Jobseekers rejoice! by Guppy06 · · Score: 4, Funny

      " Remember: Sony didn't write the rootkit. They bought it from someone else."

      Remember: your Friendly Neighborhood Crack Dealer didn't grow the coca. They bought it from someone else.

    4. Re:Jobseekers rejoice! by 3dr · · Score: 5, Funny

      No, you don't wait to get fired.

      If a task is against your principles, ask for a different task. If none exist, ask for a transfer. If impossible, then quit.

      Principles are greater than profits.

      Or you can be spineless and sell out.

    5. Re:Jobseekers rejoice! by Lemmy+Caution · · Score: 4, Interesting

      Eh, that's a little "I was only following orders" for my blood.

      If I'm working for a homicidal maniac and I build a gun for him, I'm not innocent when he goes on a rampage.

      Werner Heisenberg claims that he sabotaged the Nazi atomic bomb effort. If that's true, this would have been a very different world if he had just decided to be a "good engineer." (Yes, Godwin, blah blah. I don't think it applies.)

    6. Re:Jobseekers rejoice! by MightyMartian · · Score: 4, Insightful

Oh gimme a break. The media companies are delirious with the power granted them by their whores in Congress. The engineers, I'm sure, were given no real choice in the matter. Remember, it is RIAA, the MPAA and all those sleaze bag politicians who'd sell their own mothers for a little political cash who have produced this abomination. If you want to solve the problem, tell all the people in your district that your congressman is a hooker sucking off the teats of media giants, and tell them to make this kind of behavior an election issue.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  2. Boycott Sony by Winckle · · Score: 5, Interesting

I recommend voting with our wallets, and not purchasing Sony/BMG products. Also see here

    Also here is the company that created the DRM technology.

  3. Nice Job Sony by xlr8ed · · Score: 5, Funny

    You might want to add a couple of more zeros to the settlement check you are thinking about

  4. A Natural Rights perspective by dada21 · · Score: 5, Insightful

    Irregardless of the existence of government, the natural rights of an individual cannot be given away (you can't sell yourself into slavery, you can't tell a higher power that it's ok to kill you). One such right is the right to private property, closed to others' prying eyes or presence.

    One great force behind this right is that past acts bear no allowances for future acts. If I let you into my house yesterday, you have no right to be here today. I may contractually allow you to come and go as you please, but I have to willfully sign the contract with witnesses noting the act.

    Sony's DRM uses government force (through copyright provisions) to settle its legality. They say that by using their property, you have to permanently give up your natural right to private property (free speech Statists wrongfully call it Right to Privacy). Sony is wrong.

    By violating numerous natural rights, Sony has opened itself to a demand for restitution. I wholeheartedly believe that corporate protections are wrong, as is copyright. My solution? Go after Sony through the shareholders directly (they own the business and allowed the breach of a basic human right). Demand restitution for the trojan if you receive it.

    Imagine if you buy a Saab and Saab has an agreement stating "If you turn the car on, you allow two Saab employees to ride in your trunk and search your house for proof you might install a non-Saab oil filter." You've signed nothing. The two Saab employees open your house door, take up residence and leave the door wide open. Two typical pro-copyright arguments: You're not allowed to install non-Saab oil filters or how else would Saab make money? Why would they design cars?

    This is the problem with copyright. Instead of individuals protecting proprietary information of value (books, music, etc) and producing it in the best way over anyone else (live shows, subscriptions to new music, etc), they say "copy us and government will use force against you."

    It's all wrong. Don't publicly say anything valuable to you. Don't think you can come in my home because you did once before. Don't think you can rape me because a note in your pocket says you're allowed to, and I let you in without checking your pockets.

    1. Re:A Natural Rights perspective by jotok · · Score: 4, Insightful

      I am with you on almost everything except this:

      One such right is the right to private property, closed to others' prying eyes or presence.

      To me, this doesn't seem as "self-evident" as the other rights (Life, Liberty, freedom to pursue happiness, etc.) in the D of C. But it does seem to make sense as a possible necessary qualification to achieve the other three: I could live, be free, and try to be happy without owning anything, but it might be exceedingly difficult.

      Just sayin'.

      (Also, "irregardless" is not a word)

    2. Re:A Natural Rights perspective by iambarry · · Score: 5, Funny

If I let you into my house yesterday, you have no right to be here today

      While you may be correct WRT US property laws, it seems to me that vampire rules call for a vampire to have free rein over your house in perpetuity if they are ever invited in. Perhaps Sony is operating using Vampire law rather than US law?

      BTW - irregardless

  5. Oh noes! by taskforce · · Score: 4, Funny

    Early reports indicate the IRC backdoor is used by the propagator of the virus to bombard you with random chat messages from #windowshelp. So far the most common phrases appearing are "how do i reformat" and "how do i download the internet?"

    --
    My 3D Texturing Skinning work (under construction)
  6. Really easy test to see if you're vulnerable by HMC+CS+Major · · Score: 5, Interesting

    Since there was some confusion about how you can tell if this rootkit is installed, remember that it hides files beginning with '$sys$' -

    1) If you're not using windows, you're fine.
    2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.

    If the file is gone, you're vulnerable.
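
The test above, automated, as an added example (my code, not the poster's). It goes a little beyond the post: after creating a '$sys$'-prefixed marker it both lists the directory and opens the marker by its full name, so a listing that misses a file the open still finds points at enumeration filtering rather than at a failed create. The marker name and the temp-directory default are assumptions made for the example. On a machine without the XCP driver, and on any non-Windows machine, it reports cloaked == False.

```python
# Added example, not code from the original post. Automates the "$sys$" cloaking
# check: create a marker whose name starts with the prefix the XCP driver hides,
# then see whether directory enumeration still returns it.
import os
import secrets
import tempfile

CLOAK_PREFIX = '$sys$'   # prefix the post says the rootkit masks


def cloak_probe(directory: str = None) -> dict:
    """Create a '$sys$'-prefixed marker file in `directory` (default: the temp
    dir) and report whether enumeration shows it and whether it can still be
    opened by name. The marker is removed before returning."""
    directory = directory or tempfile.gettempdir()
    # Random suffix so a stale marker from an earlier run cannot skew the result.
    name = CLOAK_PREFIX + 'probe-' + secrets.token_hex(4) + '.txt'
    path = os.path.join(directory, name)
    result = {'name': name, 'listed': False, 'openable': False, 'cloaked': None}

    with open(path, 'w') as fh:
        fh.write('cloak probe\n')
    try:
        # Probe 1: does a directory listing (the call Explorer's view relies on)
        # return the marker's name?
        result['listed'] = name in os.listdir(directory)
        # Probe 2: can the marker still be opened by its exact name?
        try:
            with open(path) as fh:
                result['openable'] = fh.read().startswith('cloak probe')
        except OSError:
            result['openable'] = False
        # A file we just wrote, still openable by name, but absent from the
        # listing is the cloaking signature. A plain failed create would show
        # up as openable == False instead.
        result['cloaked'] = result['openable'] and not result['listed']
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    return result


if __name__ == '__main__':
    r = cloak_probe()
    print('marker:', r['name'])
    print('listed by enumeration:', r['listed'])
    print('openable by name:', r['openable'])
    print('VULNERABLE' if r['cloaked'] else 'not cloaked')
```

If cloaked comes back True, remove the marker by its full name (the script already tries); a cloaked file you cannot see in Explorer is still reachable by path.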

  7. That's not all by JumperCable · · Score: 5, Funny

I hear the trojan writer is also using an unusual distribution method. Ricky Martin CDs.

  8. Back again to Windows Security by Tibor+the+Hun · · Score: 5, Interesting

    Can anyone explain if this rootkit prompts for a password when installing (during the autorun, I presume)

    As an OS X user, I'd find it slightly odd that my music CD is prompting me for an administrative password.

    But to stay on topic, I'm sure this is but one of the many exploits that will be based on this rootkit.
    Does anyone have a comprehensive list of CDs that install it, and is it true that Sony has been using it since April?

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Back again to Windows Security by jcostantino · · Score: 4, Funny

      The delicious irony in that is that titles like, "Healthy in Paranoid Times," "Get Right With the Man," "Nothing is Sound," "The Invisible Invasion," "Phantoms," "Life in Agony," and "Suspicious Activity" all install the rootkit and compromise your computer.

      --
      Reviews with a twist! http://www.sardonicbastard.com
2. Re:Back again to Windows Security by NSObject · · Score: 5, Interesting

      It looks like there's an OS X version as well, but from a different source. Here's a reader comment from macintouch.com...

      Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

      I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

      Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.
    3. Re:Back again to Windows Security by _xeno_ · · Score: 4, Informative

      Short answer: No, it just assumes you're running as an administrator, which is generally true.

      Much longer answer:

      Windows XP comes from two roots: Windows as a DOS shell, and Windows NT. Both of these operating systems encouraged running as Administrator, for a variety of reasons.

      Windows as a DOS shell is easy to explain, it was a single-user system, and therefore really had no security system in place at all. This single-user style persisted through to Windows ME, and is essentially "emulated" in Windows XP Home by having the users, by default, run as Administrators. (You can change them to regular users after creating new accounts, though.) By default, Windows XP Home doesn't require passwords on accounts - you just click on the user account you want to use, and you're logged in. So even making "less privileged" users isn't all that helpful. (I believe, by default, Windows XP Home DOES disable the built-in Administrator account, though.)

      Anyway, Windows NT is another story. Technically, an "Administrator" account is just a normal user account that just happens to belong to the Administrators group. Because Windows NT's security model is much more complicated than the Unix security model (and I'd argue much more robust), essentially the Administrators group is a group with all permissions set to "allow." (There is a super-user under Windows NT. It's called "SYSTEM" and it's essentially identical to root under Unix.)

But anyway, Windows NT's security model is very complicated. Combined with no ability to "sudo" in Windows NT 4, most people who used NT just made themselves Administrators so that they didn't have to poke around the myriad of settings and ACLs to give them permissions to do whatever they needed to do.

      Windows 2000 added "Run As" which allows you to essentially "su" and switch to another account when starting a program. This meant that it would in theory be possible to administer a system from a non-privileged account, much like Mac OS X does.

      But the damage was already done. Most of the Windows software had been written for Windows 9x or assumed that you'd be an administrator under Windows NT. So attempting to run as a non-privileged account required constantly using the Run As feature to run the programs you needed to use as an administrator. (For a while, Winamp wouldn't run under a non-privileged account.) Of course, this meant that since most programs were running as administrator ANYWAY, you really weren't gaining much security.

      Now, with Windows XP Pro, this is starting to change. Microsoft now requires user programs to run on non-privileged accounts. It's much clearer where user-specific information goes. But the damage has been done. Windows XP Home defaults to an administrator account for all new accounts. Most people are used to not having to enter a password to change their system settings and don't understand the concept of a non-privileged account.

      So almost everyone using Windows is running as an administrator, and therefore there's no need to require a password to install a rootkit. They already have the permissions they require.

      --
      You are in a maze of twisty little relative jumps, all alike.
9. Re:Rant Time... by freedom_india · · Score: 5, Funny

    With California filing a class-action suit, I think more states and consumers should file suits NOT just for damaging their computers, but deliberate unauthorized entry into another person's property, which is a crime.

    Seriously, I wish some Sony officials got what WorldCom's Ebbers got: 25 years for entering into another property without permission, vandalism, etc. The less privileged have got far worse sentences for lesser crimes all along.

    And more so, Sony should replace EVERY affected computer with a brand new Vaio.

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  10. Ahhh, Sony by PhilHibbs · · Score: 5, Funny

    It wouldn't be right if the day went by without a Sony Rootkit story on Slashdot. Seriously, I can't get enough of this story, it's what Slashdot was invented for.

11. Re:Rant Time... by xlr8ed · · Score: 5, Funny

    Sony should replace EVERY affected computer with a brand new Vaio

    That would be a crime in itself...
  12. SONY, redefining DRM by Anonymous Coward · · Score: 5, Funny

    Disappearing Rootkit Malware

  13. Re:Rant Time... by mmzplanet · · Score: 4, Funny

"And more so, Sony should replace EVERY affected computer with a brand new Vaio." Upon the announcement of this, Sony sees record sales of its DRM'd CDs.

  14. Fun with $sys$ by Anonymous Coward · · Score: 5, Funny

    Sony just loves everyone $sys$anally. They are the greatest company ever when it comes to technology $sys$that $sys$sucks. Everyone is gonna love $sys$to $sys$hate Sony, and they will $sys$not buy any Sony product that they see. It's because Sony loves $sys$to $sys$fuck $sys$with their customers.

  15. Infected with DRM by saskboy · · Score: 4, Interesting

    Here's the Slashdot crowd's chance to get the phrase invented by a Slashdotter out in the public eye. It's important that the public learn that DRM is a bad thing, and this is simply one way to tell them plainly how it is bad. DRM breaks their computer, or makes their life more difficult.

    "Infected with DRM"
    Sony's rootkit has also been linked to Windows crashes, which isn't surprising to me. Most spyware causes instability in Windows because it is poorly written and designed to break parts of Windows to protect itself from removal. Sony writes, "This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."

    The incongruence of their words is not startling to me, as they are playing a PR game to hide the fact that they messed up people's computers, and made them vulnerable to an attack that hasn't gained popularity yet, but now surely will. Virus writers will be able to easily hide their virus files using programs like Sony's cloaking DRM. Sony is lying that their cloaking DRM does not compromise security of an infected computer.

    http://www.informationweek.com/story/showArticle.jhtml?articleID=173601122

    --
    Saskboy's blog is good. 9 out of 10 dentists agree.
  16. Re:From the article, virus firms response by Lisandro · · Score: 5, Insightful

I know I should be shocked and offended by retarded attempts at DRM lock-in by Sony... but I can't.

        I'm loving this. I just can't wait to see what happens when antivirus/spyware vendors decide to consider the Sony rootkit as an attack vector and remove it accordingly... will it show up as "Sony.CDcopyprotection.malware"? "F4I.XCP.Aurora"? How about the information about it? Will we see legal battles between antivirus vendors and Sony? Class action lawsuits from consumers? I'm already preparing some popcorn for the event!

  17. Being ignorant == fair game? by dsands1 · · Score: 4, Informative

    Sony President Defends Rootkit
    The President of Sony BMG's Global Digital Business, Thomas Hesse, defends Sony's installation of a rootkit by declaring, "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

    Source

    --
    "What is the answer?" (Silence) "In that case, what is the question?" --Gertrude Stein
  18. Re:Suprise suprise by froi · · Score: 5, Funny

    I'm still waiting for a worm that uses the Sony rootkit to hide itself, spreads to many computers, and then DDoS sony.com. They'd have a hard time knowing what press release to put out if that ever happened.

  19. A variant of that trojan ... by Anonymous Coward · · Score: 5, Interesting

    The sales manager at the company I work for recently received a variant of this worm, and after finding that the attachment "didn't do anything" forwarded it on to me to find out why. I extracted the attachment and analysed it in IDA and discovered that it connected to one of two IRC servers and joined a specific channel.

    So posing as the trojan I logged onto the IRC channel. I idled there for a while watching the channel op send commands to the connected bots, and decided to have a go myself. The channel was +m but I could PRIVMSG the bots, and a bit more work in IDA revealed the command set - which contained an unload command. So I scripted my irc client to send a msg to every non-op in the channel with the command .. suddenly they all quit and the room was empty except for me and the op.

    "OH SHIT" he typed. He was more shocked than anything, and then more curious than angry. We ended up having a rather long and interesting conversation about our respective jobs. He told about his bot network, what he uses them for (in the UK it's for harvesting email addresses, apparently), the ££ he gets for it - it's a full time job for him - and who writes most of the bot software (his partner.) He was no stereotypical teenage script kiddie either, more a computer professional turned to the 'dark side' of IT .. I felt quite akin to him in many ways.

All in all, it was fascinating. (Btw, our firewall blocked the trojan from connecting to IRC and it was fairly easy to remove from the sales manager's laptop)
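
What the poster describes, as an added example (my code, neither the poster's script nor anything from the Breplibot family): a minimal IRC line parser, a bot that dispatches dot-commands from PRIVMSGs, and the mass "unload" that emptied the channel. The point it shows is the missing check: the bot never asks who sent the command, so anyone who can PRIVMSG it can shut it down. The hardened variant keeps a set of controller nicks and ignores everyone else. Command names (.unload, .ping), nicks, the channel and the server are assumptions made for the example.

```python
# Added illustration, not code from the post or from the trojan. Models the flaw
# the poster exploited: a bot that executes any '.command' PRIVMSG regardless of
# sender. Command names, nicks and hostmasks below are assumptions.
import re
from dataclasses import dataclass, field

# RFC 1459 line: [':' prefix SPACE] command [SPACE params]
IRC_LINE = re.compile(r'^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$')


@dataclass
class Message:
    prefix: str       # 'nick!user@host' of the sender, '' if absent
    command: str      # e.g. 'PRIVMSG', 'PING'
    params: list      # middle params plus the trailing ':...' param, if any


def parse_line(line: str) -> Message:
    """Split one raw IRC line into prefix, command and parameter list."""
    m = IRC_LINE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('malformed IRC line: %r' % line)
    raw = m.group('params') or ''
    if raw.startswith(':'):                 # only a trailing param
        params = [raw[1:]]
    else:
        head, sep, trailing = raw.partition(' :')
        params = head.split()
        if sep:
            params.append(trailing)
    return Message(m.group('prefix') or '', m.group('command'), params)


def nick_of(prefix: str) -> str:
    """'op!user@host' -> 'op'."""
    return prefix.split('!', 1)[0]


@dataclass
class Bot:
    nick: str
    # Hardened variant: nicks allowed to issue commands. An empty set means
    # "obey anyone", which is the behaviour the poster found.
    controllers: frozenset = frozenset()
    loaded: bool = True
    log: list = field(default_factory=list)

    def handle(self, line: str) -> list:
        """Process one inbound line; return the lines the bot would send back."""
        msg = parse_line(line)
        if msg.command == 'PING':
            return ['PONG :' + msg.params[-1]]
        if msg.command != 'PRIVMSG' or len(msg.params) < 2:
            return []
        sender = nick_of(msg.prefix)
        text = msg.params[1]
        if not text.startswith('.'):
            return []
        # The check the original bot lacked: is the sender a known controller?
        if self.controllers and sender not in self.controllers:
            self.log.append('ignored %r from %s' % (text, sender))
            return []
        cmd, _, arg = text[1:].partition(' ')
        if cmd == 'unload':
            self.loaded = False
            return ['QUIT :unloaded']
        if cmd == 'ping':
            return ['PRIVMSG %s :pong' % sender]
        return []


def mass_unload(bots: list, sender_prefix: str) -> list:
    """Replay the poster's trick: PRIVMSG '.unload' to each bot (the channel being
    +m does not matter, private messages still reach them) and return the nicks
    that quit."""
    gone = []
    for bot in bots:
        if bot.handle(':%s PRIVMSG %s :.unload' % (sender_prefix, bot.nick)):
            gone.append(bot.nick)
    return gone


if __name__ == '__main__':
    naive = [Bot('bot%02d' % i) for i in range(3)]
    hardened = [Bot('hbot%02d' % i, controllers=frozenset({'op'})) for i in range(3)]
    print('naive bots that quit for intruder:', mass_unload(naive, 'intruder!u@h'))
    print('hardened bots that quit for intruder:', mass_unload(hardened, 'intruder!u@h'))
    print('hardened bots that quit for op:', mass_unload(hardened, 'op!o@h'))
```

The nick check is only the minimum that would have stopped the poster; a nick can be taken over when its owner drops off the server, so a bot that actually wants to hold its herd needs something stronger (a shared secret in the command, or at least a full hostmask match). That is exactly the kind of flaw a defender should look for when reversing a bot's command set, as the poster did in IDA.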

  20. antivirus vendors violate DMCA? by jimbro2k · · Score: 5, Interesting

    IF antivirus vendors do start removing the sony rootkit, won't that qualify as circumvention of a copyright device and put them in clear violation of the DMCA? This just keeps getting better and better.

    --
    There is not nearly enough love in the world, but there is far too much trust.
    1. Re:antivirus vendors violate DMCA? by PhoenixPath · · Score: 4, Interesting

      McAfee is the first. Detects, removes, *and* prevents re-installation.

      See below:

http://www.betanews.com/article/Antivirus_Firms_Take_On_Sony_DRM/1131641594

21. Remember Intuit's TurboTax debacle? by sizzzzlerz · · Score: 5, Interesting

    Several years ago, Intuit infested your computer with their own DRM software when you installed their TurboTax software. Of course, the packaging said nothing about it but once it was discovered, the shit hit the fan. They first denied doing anything wrong, then when forced to admit the presence of this software, they insisted it did no harm to the owner's computer. Once again, their logic was that all buyers of the software were thieves and this was protecting their I.P. Finally, when sales of the product dropped sufficiently, they provided a mechanism to remove said DRM software; however, TurboTax would no longer run.

    The following year, all traces of this were removed in the next version and, afaik, it has never returned. I, for one, however, haven't bought their product since and don't plan to ever buy from them again.

    I guess Sony just wasn't paying attention.

  22. Sony Rootkit News Absent From CNN by Esion+Modnar · · Score: 5, Insightful

    So far, I haven't seen any mention on the mainstream news about this. Maybe because it's too technical, but I think it's because CNN is a company of Time-Warner, and Time-Warner and Sony are fellow MPAA (and/or RIAA?) members. They (CNN) are great about covering the fluff. Count on them to down-play the stuff that hurts their business sleaze.

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...