AV Firms Say New Trojan Uses Sony DRM Rootkit

Security vendors, including Symantec, warn users about malicious Trojan horse programs that can become invisible on Windows systems that have the Sony DRM technology installed.

Anti-virus firms are warning computer users about a new malicious program that attempts to hide on victims computers by taking advantage of maligned DRM (digital rights management) technology from Sony BMG.

Symantec Corp., Sophos PLC and Bit Defender, part of Romanian company SOFTWIN, all issued alerts about Trojan horse programs that can become completely invisible on Windows systems with the Sony DRM technology installed.

The program, which goes by the name "Backdoor.IRC.Snyd.A" and "Backdoor.Ryknos," was discovered on Wednesday and is considered a low threat.

However, the appearance of malicious software that takes advantage of a cloaking feature in technology developed by Sony by UK firm First 4 Internet Ltd. makes good on the dire predictions of security researchers, who speculated that hackers could use the "rootkit" style DRM technology to hide their own malicious programs.

/zimages/1/28571.gifSonys second rootkit DRM patch doesnt hush critics. Click here to read more.

Sony did not respond to requests for comment in time for this article.

Sonys rights management technology—called "sterile burning"—were shipped on CDs by around 20 Sony BMG artists along with a custom media player that must be used to play and make a limited number of copies of the CD on a Windows PC.

Using code written by First 4 Internet, the DRM technology manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, much like malicious programs known as "rootkits."

Sonys efforts to hide the anti-piracy programs erupted into a controversy last week, after Windows expert Mark Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at Sysinternals.com.

Russinovichs analysis of First 4 Internets code showed that the rootkit programs hid any file with a name that began with the characters $sys$, rather than looking for and hiding the specific files used by the media player for copyright enforcement.

At the time, he speculated that others who gained access to Windows systems with the sterile burning technology on it could also hide their programs simply by assigning them names that began with $sys$.

The new Trojan program does just that, copying itself from an e-mail attachment to a file called $sys$drv.exe, according to the BitDefender Web site.

The Trojan program has remote control "bot" features that allow the infected system to be controlled by a remote attacker using IRC (Internet Relay Chat) communications, Symantec Corp. said in a statement.

Sophos researchers have received a number of copies of the program attached to e-mails from what is believed to be a spam campaign, said Graham Cluley, a senior technology consultant at Sophos.

/zimages/1/28571.gifClick here to read more about rootkit sprouting on networks.

The e-mail messages were mainly sent to business e-mail addresses and claimed to be from Total Business Monthly, a UK business periodical.

"It didnt require Einstein to do this," Cluley said. "Theyre just exploiting the vulnerability that Sony introduced with its copy protection."

Faced with mounting criticism of its DRM technology, Sony BMG quickly released a software patch to disable it. The company also posted instructions for obtaining a program that could re-move the DRM technology altogether.

However, it is unclear how many copies of the sterile burning technology have been installed, and users who have installed it would have a hard time finding it on Windows without advanced knowledge of the operating systems and diagnostic tools, Russinovich and others have noted.

Consumers in California filed a class action lawsuit on Nov. 1 to stop Sony from distributing the CDs, and seeking monetary damages for consumers who already purchased CDs with the sterile burning technology on it, according to a published report.

Security companies are taking different approaches in dealing with the DRM feature. Symantec has labeled the First 4 Internet DRM features a "security risk" and points customers to a software update on Sony BMGs Web site to remove the stealth features.

Earlier in the week, Computer Associates International Inc. said that their security programs would label the First 4 Internet programs a "rootkit." Sophos will release an update Thursday that will detect the First 4 Internet program and allow users to disable it and the Sony media player, Cluley said.

"I think people would rather lose out on listening to Celine Dion on their PC than have the security vulnerability," Cluley said.

/zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.