First Trojan Using Sony DRM Spotted

The Register ^ | 11/10/05 | John Leyden

[steve-b]

Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs.

Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory....

[steve-b]

If you own Sony, sell before the lawsuits start....

[BipolarBob]

Thanks a lot Sony. You SonyBeaches.

[KeyWest]

They are already in trouble and have been for some time.

[MizSterious]

I can only hope that this is a cautionary tale for other companies who hope to "protect" their products in the same way.

[FReepaholic]

More info on the rootkit HERE

[Redcloak]

Don't blame Sony. Blame Microsoft. There's no good reason for allowing an audio disk to automatically install software; especially software that screws with the OS.

[MizSterious]

I blame them both.

[Paradox]

There it is I think, its the thing covering his nose.

[NotJustAnotherPrettyFace]

Ping for later self-reference.

[Question_Assumptions]

How about blaming Microsoft for allowing software to be installed that can hide files from the OS?

[steve-b]

Here's how Sony's department president defends this fiasco:

In an interview with NPR reporter Neda Ulaby, the President of Sony BMG's Global Digital Business, Thomas Hesse, defends Sony's installation of a rootkit by declaring, "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

So help me God, I am not making this up.

This bozo makes Mary Mapes' defense of the Dan Ra^ther bogus memos look like a masterpiece of logic and reason.

[TitanicMan2003]

He thinks that people not knowing what a rootkit is excuses these actions? So, by his logic, would it be ok for me to develop some new kind of virus or such* since most people won't know what it is? Lord Almighty, what a moron.

MGY

*Hypothetical only. I'm not developing any malicious programs.

[Born Conservative]

Ping

[zeugma]

Ping for later self-reference.

I'm sorry, but I must insist that all self-referencing posts conform to my trademarked tagline.

[ShadowAce]

[NotJustAnotherPrettyFace]

LOL!

[TechJunkYard]

One Trojan horse discovered by security companies Thursday is a variant of a pre-existing software distributed by spam e-mail, among other techniques.

One version of the e-mail claims to be from a business publication and says it is using a photograph of the recipient for a soon-to-be published article, according to security company BitDefender. Clicking on the alleged photograph installs the malicious software, which then connects automatically to the Internet Relay Chat chat network, opening up a channel to control the infected computer.

In a new version of the program, the software hides itself using Sony's rootkit tool and then tries to connect to a server on the chat network. The first version of the Trojan was unable to function after hiding itself, security company F-Secure said. However, several other variants have been found that are able to successfully take over control of a computer after hiding under the Sony software.

All virus companies are rating the danger as fairly low so far, since the Trojans seem to be spreading slowly.

Sony/BMG should be in DEEP doo-doo over this.

Aren't you glad you run Linux? Don't you wish everybody did?

[TechJunkYard]

Hmmm... apparently Sony/BMG discs can also install Mac kernel extensions. You guys aware of this?

I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

[RogueIsland]

Don't blame Sony. Blame Microsoft. There's no good reason for allowing an audio disk to automatically install software; especially software that screws with the OS.

Don't blame Sony? I guess you're the type that blames gun manufacturers for criminal use of firearms too. And BTW, AFAIK it doesn't "automatically install". The EULA/installer comes up automatically under autorun, but I don't believe it installs until you agree to the EULA. In other words, you are basically deliberately installing software on your machine, whether you know it or not (and Sony goes out of its way to make sure you don't), so it's a classic Trojan.

[Redcloak]

The EULA doesn't mention the hidden software. But more to the point, there's no good reason for allowing an audio disk to install software that alters the OS. It's stupid of MSFT to allow such behavior.