Sony CD's install spyware?
#14
http://www.pcpro.co.uk/news/79728/virus-ta...ootkit-drm.html

Quote: Thursday 10th November 2005

Virus targets SonyBMG rootkit DRM 2:01PM
Security researchers' worst fears have been realised as the first instance of a virus taking advantage of the rootkit DRM technology in some SonyBMG copy-protected CDs has been discovered.
Sophos says that the Trojan known as Stinx-E uses the Sony DRM rootkit to make itself invisible through the file $sys$drv.exe. However, this does not mean that in not having the Sony DRM installed you are immune to infection.

The rootkit makes all files beginning with '$sys$' invisible, and Sophos' senior antivirus consultant Graham Cluley described it as 'particularly troublesome'. He told us that antivirus software will detect the file when it is first run if it has already been updated to look out for it. But out of date antivirus software won't detect the virus at that point, and once the virus is installed, won't be able to see it at all.

Despite the fact that the Sony DRM in question is available on US CDs, it is possible to get them in the UK from the likes of Amazon. Curiously, the Trojan appears to be targeting the UK specifically. Cluley said that Sophos' research centres across the globe were aware of the new Trojan but had yet to encounter it.

'There's a peculiarly British angle to this one in that it pretends to come from an organisation called Total Business Monthly and refers to the website totalbusiness.co.uk,' he said.

He said that while the Trojan appears to be out there in numbers, Sophos has yet to receive any reports of infection. 'We've had reports from a few large companies that have received the virus, but fortunately it seems they had the good sense to quarantine it.'

The Trojan arrives in an email with attached files with names such as Article+Photos.exe, subjects such as 'Photo Approval Required' and the following message:

Quote: 'Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************'

If the recipient opens the attachment, the Trojan will attempt to copy the file $sys$drv.exe onto the hard drive where the Sony rootkit, if present, will render it invisible. The Trojan opens a backdoor onto the computer allowing remote control over the machine through IRC channels. The backdoor allows an attacker to delete, execute, and download files on the target machine. It also attempts to bypass the Windows Firewall.

The DRM technology the Trojan takes advantage of is included in a number of SonyBMG CDs and was first discovered by IT researchers when it turned up on a computer that was scanned for rootkits - a form of malware that talks directly to operating systems at a low level and is invisible through Windows, and thus to other programs.

Further research showed that any file beginning with '$sys$' would also be cloaked by the Sony rootkit used to hide its DRM technology.

The company that developed the technology for Sony has since updated its software and removed the rootkit element, but that update may take some time to make it to CDs on sale. It has also released patches to antivirus companies, but again this depends on end users updating their software.

Security firms immediately warned of the likelihood that virus writers would take advantage of this simple method of rendering their malicious creations invisible. Sony has been noticeable in its silence on the issue, although a spokesperson for the UK said that there were absolutely no plans to use the technology for CDs sold here.

Cluley said that any allegations of irresponsible disclosure for revealing the information are misguided. 'Don't blame the guys who blew the whistle on Sony's activities,' he said.

Sophos will later today make a tool available from its website that will detect the presence of the Sony rootkit and, if desired, remove it and prevent reinstallation.

Cluley said that this Trojan is likely to be just the first of new viruses adapted to take advantage of the '$sys$' cloaking capabilities made possible through the DRM protection in some Sony CDs.

Matt Whipp
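The article's core detection problem is that, once the rootkit is active, antivirus software "won't be able to see it at all": the high-level directory-listing API simply omits every name beginning with '$sys$'. The standard defensive answer is a cross-view check, comparing what the API reports against an independent low-level view of the same directory and flagging anything that appears only in the low-level view. The following is an added illustration of that technique, not code from the article, from Sophos, or from the tool the article mentions. The two listings are constructed samples, and `rootkit_filtered_view` is a deliberately simplified model of the cloaking behaviour the article describes, not the real driver's logic.

```python
"""Cross-view rootkit detection, demonstrated on constructed data.

A cloaking rootkit intercepts the high-level directory-listing API and drops
entries it wants hidden (per the article: every name starting with '$sys$').
Detection compares that filtered view with an independent low-level view
(for example raw on-disk metadata) and reports what only the low-level view
shows. Both listings below are constructed samples, not real system output.
"""
from __future__ import annotations

CLOAK_PREFIX = "$sys$"   # the prefix the article says the rootkit hides

# Constructed low-level view: what a raw enumeration of the directory returns.
RAW_LISTING = [
    "notepad.exe",
    "$sys$drv.exe",        # the Trojan's file name as given in the article
    "$sys$DRMServer.exe",  # constructed name: shows any '$sys$' name is cloaked
    "report.doc",
]


def rootkit_filtered_view(raw_listing: list[str]) -> list[str]:
    """Model of the cloaking filter; an assumption for this demo only.

    Mirrors the behaviour the article describes (hide anything whose name
    begins with '$sys$'). A real rootkit hooks the enumeration call itself;
    here we only simulate its effect so the detector has something to compare.
    """
    return [n for n in raw_listing if not n.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(low_level: list[str], high_level: list[str]) -> list[str]:
    """Return entries present in the low-level view but absent from the API view.

    Any discrepancy is a hidden object. The check makes no assumption about
    *how* entries are hidden, so it also catches cloaking that uses a
    different prefix or no prefix at all. Comparison is case-insensitive
    because Windows file names are.
    """
    visible = {n.lower() for n in high_level}
    return sorted(n for n in low_level if n.lower() not in visible)


def matches_sony_cloak(hidden: list[str]) -> list[str]:
    """Narrow a list of hidden names to those the Sony rootkit's rule would cloak."""
    return [n for n in hidden if n.lower().startswith(CLOAK_PREFIX)]


if __name__ == "__main__":
    api_view = rootkit_filtered_view(RAW_LISTING)
    hidden = cross_view_diff(RAW_LISTING, api_view)
    sony_style = set(matches_sony_cloak(hidden))
    for name in hidden:
        reason = "'$sys$' prefix cloak" if name in sony_style else "hidden by other means"
        print(f"HIDDEN: {name} ({reason})")
```

The useful property is in `cross_view_diff`: it never needs to know the cloaking rule in advance, which is why this class of check caught the Sony driver before anyone knew the '$sys$' convention. `matches_sony_cloak` is only a second-stage classifier that attributes a discrepancy to this particular rootkit once the rule is known.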