Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trojan Using Sony DRM Rootkit Spotted

Posted by Zonk on from the gift-from-sony-to-you dept.

Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazing requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."

22 of 597 comments (clear)

  1. Jobseekers rejoice! by Ooblek · · Score: 5, Funny

    It's just a rumor, but Sony should have some Engineering and Executive positions open in 3....2....1...

    1. Re:Jobseekers rejoice! by Daniel_Staal · · Score: 5, Insightful

      Remember: Sony didn't write the rootkit. They bought it from someone else.

      Now, the question is, what department thought it was a good idea? Sales and Marketing? Legal? Somebody had to think it was worth the money...

      --
      'Sensible' is a curse word.
    2. Re:Jobseekers rejoice! by 3dr · · Score: 5, Funny

      No, you don't wait to get fired.

      If a task is against your principles, ask for a different task. If none exist, ask for a transfer. If impossible, then quit.

      Principles are greater than profits.

      Or you can be spineless and sell out.

  2. Boycott Sony by Winckle · · Score: 5, Interesting

    I reccomend voting with our wallets, and not purchasing Sony/BMG products. Also see here

    Also here is the company that created the DRM technology.

  3. Nice Job Sony by xlr8ed · · Score: 5, Funny

    You might want to add a couple of more zeros to the settlement check you are thinking about

  4. A Natural Rights perspective by dada21 · · Score: 5, Insightful

    Irregardless of the existence of government, the natural rights of an individual cannot be given away (you can't sell yourself into slavery, you can't tell a higher power that it's ok to kill you). One such right is the right to private property, closed to others' prying eyes or presence.

    One great force behind this right is that past acts bear no allowances for future acts. If I let you into my house yesterday, you have no right to be here today. I may contractually allow you to come and go as you please, but I have to willfully sign the contract with witnesses noting the act.

    Sony's DRM uses government force (through copyright provisions) to settle its legality. They say that by using their property, you have to permanently give up your natural right to private property (free speech Statists wrongfully call it Right to Privacy). Sony is wrong.

    By violating numerous natural rights, Sony has opened itself to a demand for restitution. I wholeheartedly believe that corporate protections are wrong, as is copyright. My solution? Go after Sony through the shareholders directly (they own the business and allowed the breach of a basic human right). Demand restitution for the trojan if you receive it.

    Imagine if you buy a Saab and Saab has an agreement stating "If you turn the car on, you allow two Saab employees to ride in your trunk and search your house for proof you might install a non-Saab oil filter." You've signed nothing. The two Saab employees open your house door, take up residence and leave the door wide open. Two typical pro-copyright arguments: You're not allowed to install non-Saab oil filters or how else would Saab make money? Why would they design cars?

    This is the problem with copyright. Instead of individuals protecting proprietary information of value (books, music, etc) and producing it in the best way over anyone else (live shows, subscriptions to new music, etc), they say "copy us and government will use force against you."

    It's all wrong. Don't publicly say anything valuable to you. Don't think you can come in my home because you did once before. Don't think you can rape me because a note in your pocket says you're allowed to, and I let you in without checking your pockets.

    1. Re:A Natural Rights perspective by iambarry · · Score: 5, Funny

      If I let you into my house yesterday, you have no right to be here today
      While you may be correct WRT US property laws, it seems to me that vampire rules call for a vampire to have free reign over your house in perpetuity if they are ever invited in. Perhaps Sony is operating using Vapire law rather than US law?

      BTW - irregardless

  5. Really easy test to see if you're vulnerable by HMC+CS+Major · · Score: 5, Interesting

    Since there was some confusion about how you can tell if this rootkit is installed, remember that it hides files beginning with '$sys$' -

    1) If you're not using windows, you're fine.
    2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.

    If the file is gone, you're vulnerable.

    --
    Video for Online Dating Profiles
  6. That's not all by JumperCable · · Score: 5, Funny

    I hear the trojan witter is also using an unusual distribution method. Ricky Martin CDs.

  7. Back again to Windows Security by Tibor+the+Hun · · Score: 5, Interesting

    Can anyone explain if this rootkit prompts for a password when installing (during the autorun, I presume)

    As an OS X user, I'd find it slightly odd that my music CD is prompting me for an administrative password.

    But to stay on topic, I'm sure this is but one of the many exploits that will be based on this rootkit.
    Does anyone have a comprehensive list of CDs that install it, and is it true that Sony has been using it since April?

    --
    If you don't know what AltaVista is (was), get off my lawn.
    1. Re:Back again to Windows Security by NSObject · · Score: 5, Interesting
      It looks like there's an OS X version as well, but from a different source. Here's a reader comment from macintouch.com...

      Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

      I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

      Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology on their site.
  8. Re:Rant Time... by freedom_india · · Score: 5, Funny
    With California filing a class-action suit, i think more states and consumers should file suits NOT just for damaging their computers, but delibrate unauthorized entry into another person's property which is a crime.

    Seriously i wish some Sony officials got what Worldcomm's Ebbers got: 25 years for entering into another property without permission, vandalism, etc. The less privileged have got far worse sentences for lesser crimes all along

    And more so, Sony should replace EVERY affected computer with a brand new Vaio.

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  9. Ahhh, Sony by PhilHibbs · · Score: 5, Funny

    It wouldn't be right if the day went by without a Sony Rootkit story on Slashdot. Seriously, I can't get enough of this story, it's what Slashdot was invented for.

  10. Re:Rant Time... by xlr8ed · · Score: 5, Funny
    Sony should replace EVERY affected computer with a brand new Vaio



    That would be a crime in itself...
  11. SONY, redefining DRM by Anonymous Coward · · Score: 5, Funny

    Disappearing Rootkit Malware

  12. Fun with $sys$ by Anonymous Coward · · Score: 5, Funny

    Sony just loves everyone $sys$anally. They are the greatest company ever when it comes to technology $sys$that $sys$sucks. Everyone is gonna love $sys$to $sys$hate Sony, and they will $sys$not buy any Sony product that they see. It's because Sony loves $sys$to $sys$fuck $sys$with their customers.

  13. Re:From the article, virus firms response by Lisandro · · Score: 5, Insightful

    I know i should be shocked and offended by retarded attemps at DRM lock-in by Sony... but i can't.

        I'm loving this. I just can't wait to see what happens when antivirus/spyware vendors decide to consider the Sony rootkit as an attack vector and remove it accordingly... will it show up as "Sony.CDcopyprotection.malware"? "F4I.XCP.Aurora"? How about the information about it? Will we see legal battles between antivirus vendors and Sony? Class action lawsuits from consumers? I'm already preparing some popcorn for the event!

  14. Re:Suprise suprise by froi · · Score: 5, Funny

    I'm still waiting for a worm that uses the Sony rootkit to hide itself, spreads to many computers, and then DDoS sony.com. They'd have a hard time knowing what press release to put out if that ever happened.

  15. A variant of that trojan ... by Anonymous Coward · · Score: 5, Interesting

    The sales manager at the company I work for recently received a variant of this worm, and after finding that the attachment "didn't do anything" forwarded it on to me to find out why. I extracted the attachment and analysed it in IDA and discovered that it connected to one of two IRC servers and joined a specific channel.

    So posing as the trojan I logged onto the IRC channel. I idled there for a while watching the channel op send commands to the connected bots, and decided to have a go myself. The channel was +m but I could PRIVMSG the bots, and a bit more work in IDA revealed the command set - which contained an unload command. So I scripted my irc client to send a msg to every non-op in the channel with the command .. suddenly they all quit and the room was empty except for me and the op.

    "OH SHIT" he typed. He was more shocked than anything, and then more curious than angry. We ended up having a rather long and interesting conversation about our respective jobs. He told about his bot network, what he uses them for (in the UK it's for harvesting email addresses, apparently), the ££ he gets for it - it's a full time job for him - and who writes most of the bot software (his partner.) He was no stereotypical teenage script kiddie either, more a computer professional turned to the 'dark side' of IT .. I felt quite akin to him in many ways.

    All in all, it was fascinating. (Btw, our firewall blocked the trojan from connecting to IRC and it was fairly easily to remove from the sales manager's laptop)

  16. antivirus vendors violate DMCA? by jimbro2k · · Score: 5, Interesting

    IF antivirus vendors do start removing the sony rootkit, won't that qualify as circumvention of a copyright device and put them in clear violation of the DMCA? This just keeps getting better and better.

    --
    There is not nearly enough love in the world, but there is far too much trust.
  17. Remember Intuit's TurboTax debacle? by sizzzzlerz · · Score: 5, Interesting
    Several years ago, Intuit infested your computer with their own DRM software when you installed their TurboTax software. Of course, the packaging said nothing about it but once it was discovered, the shit hit the fan. They first denied doing anything wrong, then when forced to admit that presence of this software, they insisted it did no harm to the owner's computer. Once again, their logic was that all buyers of the software were thieves and this was protecting their I.P.. Finally, when sales of the product dropped sufficiently, they provided a mechanism to remove said-DRM software, however, TurboTax would no longer run.

    The following year, all traces of this were removed in the next version and, afaik, it has never returned. I, for one, however, haven't bought their product since and don't plan to ever buy from them again.

    I guess Sony just wasn't paying attention.

  18. Sony Rootkit News Absent From CNN by Esion+Modnar · · Score: 5, Insightful

    So far, I haven't seen any mention on the mainstream news about this. Maybe because it's too technical, but I think it's because CNN is a company of Time-Warner, and Time-Warner and Sony are fellow MPAA (and/or RIAA?) members. They (CNN) are great about covering the fluff. Count on them to down-play the stuff that hurts their business sleaze.

    --

    They say the first thing to go is your penis. Well, it's either that or your brain. I forget which...