Trojan Using Sony DRM Rootkit Spotted 597

Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazine requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."
  • by Anonymous Coward on Thursday November 10, 2005 @01:28PM (#13999045)
    Do not use irregardless. [getitwriteonline.com]
  • by JadeNB ( 784349 ) on Thursday November 10, 2005 @01:30PM (#13999062) Homepage
    Can anyone explain if this rootkit prompts for a password when installing (during the autorun, I presume)?
    Under Windows, when you're logged in as the administrator, you don't need any further password to proceed with, say, installing a rootkit. If you're a Home user, you can't give limited privileges, so you have no option, for the vast majority of crappily-written software, but to install it as an administrator (albeit with Spybot S&D and StartupMonitor running in the background to catch the seventeen start-up items it thinks you now need).
  • by Anonymous Coward on Thursday November 10, 2005 @01:35PM (#13999126)
    Go after Sony through the shareholders directly (they own the business and allowed the breach of a basic human right)

    We meet again ;) Which shareholder wrote the DRM rootkit? Which one put it on the CD?

    I agree that corporate protections have no right to exist, however mens rea dictates that only those who can be reasonably expected to know about this have any reason to feel guilty, or be guilty.

    Attacking the shareholders of a corporation does nothing to change how the actual criminals behave, all it does is chill investment. Putting an end to the corporate veil will allow society to quickly weed out those who would prey on others, without having to resort to indirect attacks with collateral damage. It would also reduce the amount of damage that could be done... I suspect that for most people, if their manager instructed them to install a rootkit on every consumer's computer, they would rather polish their resume than look forward to jail time and fines out of their own pockets.

    Besides, if shareholders did become culpable for the actions of every janitor and codemonkey in the corporation, and we assume that the stock market completely collapses due to this, and all companies switch to selling bonds for financing, how then would you proceed with the punishment?

    Now if only this concept could apply to the repeated breaches of our Constitution by our government.
  • by Daedala ( 819156 ) on Thursday November 10, 2005 @01:36PM (#13999140)
    El Reg [theregister.co.uk] says that Sony UK says they are not selling them in the UK.
  • by dsands1 ( 183088 ) on Thursday November 10, 2005 @01:49PM (#13999286)
    Sony President Defends Rootkit
    The President of Sony BMG's Global Digital Business, Thomas Hesse, defends Sony's installation of a rootkit by declaring, "Most people, I think, don't even know what a Rootkit is, so why should they care about it?"

    Source [about.com]
  • by Anonymous Coward on Thursday November 10, 2005 @01:54PM (#13999338)
    Apparently it's not as obvious to some other people as it is to me that the parent is clearly not saying Sony is not at fault because they purchased the rootkit from someone else. The parent is pointing out that Sony's ENGINEERS are most likely not at fault and that it was probably some idiot in a suit.
  • by _xeno_ ( 155264 ) on Thursday November 10, 2005 @01:59PM (#13999407) Homepage Journal

    Short answer: No, it just assumes you're running as an administrator, which is generally true.

    Much longer answer:

    Windows XP comes from two roots: Windows as a DOS shell, and Windows NT. Both of these operating systems encouraged running as Administrator, for a variety of reasons.

    Windows as a DOS shell is easy to explain, it was a single-user system, and therefore really had no security system in place at all. This single-user style persisted through to Windows ME, and is essentially "emulated" in Windows XP Home by having the users, by default, run as Administrators. (You can change them to regular users after creating new accounts, though.) By default, Windows XP Home doesn't require passwords on accounts - you just click on the user account you want to use, and you're logged in. So even making "less privileged" users isn't all that helpful. (I believe, by default, Windows XP Home DOES disable the built-in Administrator account, though.)

    Anyway, Windows NT is another story. Technically, an "Administrator" account is just a normal user account that just happens to belong to the Administrators group. Because Windows NT's security model is much more complicated than the Unix security model (and I'd argue much more robust), essentially the Administrators group is a group with all permissions set to "allow." (There is a super-user under Windows NT. It's called "SYSTEM" and it's essentially identical to root under Unix.)

    But anyway, Windows NT's security model is very complicated. Combined with no ability to "sudo" in Windows NT 4, most people who used NT just made themselves Administrators so that they didn't have to poke around the myriad of settings and ACLs to give them permissions to do whatever they needed to do.

    Windows 2000 added "Run As" which allows you to essentially "su" and switch to another account when starting a program. This meant that it would in theory be possible to administer a system from a non-privileged account, much like Mac OS X does.

    But the damage was already done. Most of the Windows software had been written for Windows 9x or assumed that you'd be an administrator under Windows NT. So attempting to run as a non-privileged account required constantly using the Run As feature to run the programs you needed to use as an administrator. (For a while, Winamp wouldn't run under a non-privileged account.) Of course, this meant that since most programs were running as administrator ANYWAY, you really weren't gaining much security.

    Now, with Windows XP Pro, this is starting to change. Microsoft now requires user programs to run on non-privileged accounts. It's much clearer where user-specific information goes. But the damage has been done. Windows XP Home defaults to an administrator account for all new accounts. Most people are used to not having to enter a password to change their system settings and don't understand the concept of a non-privileged account.

    So almost everyone using Windows is running as an administrator, and therefore there's no need to require a password to install a rootkit. They already have the permissions they require.

  • Re:Rant Time... (Score:4, Informative)

    by NormalVisual ( 565491 ) on Thursday November 10, 2005 @02:18PM (#13999648)
    California is *not* filing a class-action suit. A private lawyer is filing a suit on behalf of a number of California residents, but the state is not involved with it. Apparently both the submitter of the earlier Sony story and approving "editor" failed to actually read the article that was submitted.

  • by pegr ( 46683 ) on Thursday November 10, 2005 @02:19PM (#13999671) Homepage Journal
    Since there was some confusion about how you can tell if this rootkit is installed, remember that it hides files beginning with '$sys$' -

    1) If you're not using windows, you're fine.
    2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.

    If the file is gone, you're vulnerable.

    How about a "read-only" way?
    Boot with Knoppix
    At the command prompt:
    $ su                                    # become root
    # mkdir cdrive
    # mount /dev/hdc cdrive -o ro,noexec    # mount the Windows disk read-only
    # find cdrive -name '$sys$*' -print     # quote the pattern so the shell does not expand $sys and $*

    Any hits? You got da SonySyph...
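    The two checks described in this post (the on-box rename test and the offline scan of a mounted volume), written up as an added Python example that is not from the post or from any vendor tool. The sample tree and filenames are constructed; the live probe assumes the rootkit filters directory listings but not lookups by exact name, which is what the hiding behaviour in the story amounts to.

```python
import os
import tempfile

# Filename prefix that the Sony DRM rootkit hides from directory listings on
# an infected Windows machine; the trojan simply names its files this way.
CLOAK_PREFIX = "$sys$"

def probe_cloaking(directory):
    """Cross-view test for a running machine: create a $sys$-prefixed file and
    compare the directory listing with a direct lookup by exact name.
    'visible' = listed (clean); 'cloaked' = found by name but absent from the
    listing (the rootkit's signature); 'missing' = not found either way."""
    name = CLOAK_PREFIX + "probe.txt"
    path = os.path.join(directory, name)
    try:
        with open(path, "w") as fh:
            fh.write("cloaking probe\n")
        listed = name in os.listdir(directory)  # goes through the hooked listing
        by_name = os.path.isfile(path)          # direct lookup is not filtered
    finally:
        try:
            os.remove(path)
        except OSError:
            pass
    if listed:
        return "visible"
    return "cloaked" if by_name else "missing"

def scan_tree(root):
    """Offline check: walk a tree (e.g. the Windows volume mounted read-only from
    a live CD, where no rootkit runs) and list names carrying the cloak prefix."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.startswith(CLOAK_PREFIX):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def demo():
    """Run both checks against a constructed sample tree (stands in for a
    mounted Windows volume); returns {'probe': ..., 'hits': [...]}."""
    root = tempfile.mkdtemp()
    sysdir = os.path.join(root, "WINDOWS", "system32")
    os.makedirs(sysdir)
    for name in ("$sys$sample.sys", "normal.dll", "$sys$sample.dll"):
        open(os.path.join(sysdir, name), "w").close()
    return {"probe": probe_cloaking(root), "hits": scan_tree(root)}

if __name__ == "__main__":
    print(demo())
```

    On a clean machine the probe reports "visible"; a "cloaked" result on the live system, or any hit from the offline scan, is the condition the post is checking for.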
  • by Orrin Bloquy ( 898571 ) on Thursday November 10, 2005 @03:36PM (#14000574) Journal
    Apple isn't fond of kernel extensions any more, either, because they have a tendency to only work with the version of OS X they were written for.
  • Re:Rant Time... (Score:4, Informative)

    by mwood ( 25379 ) on Thursday November 10, 2005 @04:34PM (#14001340)
    "So how do you put a corporation in jail?"

    Revoke their import/export licenses.

    Stop the trading of their securities.

    Lots of other ways. You need all kinds of permissions to do big business. Those permissions can be withdrawn.
  • by inverselimit ( 900794 ) on Thursday November 10, 2005 @04:43PM (#14001427)
    CA antivirus is now removing the DRM. I think this is a violation of the DMCA, right? 5 years in prison and a big fine? Let the fireworks begin. story [zdnet.com.au]
