Trojan Using Sony DRM Rootkit Spotted 597

Analise writes "The Register reports on the first trojan using Sony's DRM rootkit. A newly discovered variant of the Breplibot trojan makes use of the way Sony's rootkit masks files whose filenames begin with '$sys$'. This means that any files renamed this way by the trojan are effectively invisible to the average user. The malware is distributed via an email supposedly from a reputable business magazine requesting that the businessperson verify his/her attached 'picture' to be used for an upcoming issue. Once the payload is executed, the trojan then installs an IRC backdoor on affected Windows systems."
  • Rant Time... (Score:2, Interesting)

    by Anonymous Coward on Thursday November 10, 2005 @01:17PM (#13998911)
    Sony, you are despicable loathing scum who will no longer get another penny from me. For deliberately putting computers I maintain at risk to save a penny on your end, I find you guilty as charged. Microsoft should be suing you for such as well. In fact everyone just gang up on Sony and charge with those attorneys. Burn in hell bastards...
  • Boycott Sony (Score:5, Interesting)

    by Winckle ( 870180 ) <mark&winckle,co,uk> on Thursday November 10, 2005 @01:18PM (#13998924) Homepage
    I recommend voting with our wallets, and not purchasing Sony/BMG products. Also see here [boycottsony.us]

    Also here [first4internet.com] is the company that created the DRM technology.
  • by matt me ( 850665 ) on Thursday November 10, 2005 @01:19PM (#13998938)
    "The response of anti-virus firms, some of which have only promised to flag up rather than block system changes made by Sony-BMG's rootkit, remains unclear. "
    Ooh, fun to be had here. Sony are going to love this publicity.

    Ha ha. I have little respect for these companies, who I see to be the same as those who four hundred years ago sold "herbs" to protect you from the plague. These people still profit from people's lack of knowledge.
  • by HMC CS Major ( 540987 ) on Thursday November 10, 2005 @01:19PM (#13998940) Homepage
    Since there was some confusion about how you can tell if this rootkit is installed, remember that it hides files beginning with '$sys$' -

    1) If you're not using windows, you're fine.
    2) Create a file on your desktop ('test.txt' should be fine). Rename the file to '$sys$test.txt'.

    If the file is gone, you're vulnerable.
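The manual test above (rename a file to '$sys$test.txt' and see whether it vanishes) can be automated, and generalised into the cross-view check rootkit detectors use. This is an added example, not code from the article or from any commenter. It assumes, as the classic cross-view comparison does, that a filter driver which hooks directory enumeration hides the name from a listing but still lets the file be opened by its full path; a disagreement between the two views flags an active cloak. On a clean system the two views agree and nothing is reported. A second helper walks a tree for '$sys$'-prefixed names, which is only useful when the cloaking driver is not loaded (for instance when the disk is examined from another OS).

```python
"""Added example: cross-view probe for the '$sys$' cloak.

Not the page's or Sony's code. Assumption: a cloaked file is hidden from
directory enumeration (os.listdir) but still answers to a direct open by
full path. On a clean system both views agree.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix the article says the driver hides


def _enumerated_names(directory):
    """Names as the (hookable) directory-enumeration API reports them."""
    return set(os.listdir(directory))


def _direct_open_ok(path):
    """Open by full path, bypassing enumeration; True if the file is there."""
    try:
        with open(path, "rb"):
            return True
    except FileNotFoundError:
        return False


def probe_cloak(directory, basename="probe.txt"):
    """Create '$sys$<basename>' in directory and compare the two views.

    Returns {'enumerated', 'direct_open', 'cloaked'}; 'cloaked' is True only
    when the file opens by name yet is missing from the listing.
    The probe file is always removed afterwards.
    """
    name = CLOAK_PREFIX + basename
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"cloak probe\n")
    try:
        enumerated = name in _enumerated_names(directory)
        direct = _direct_open_ok(path)
    finally:
        os.remove(path)
    return {
        "enumerated": enumerated,
        "direct_open": direct,
        "cloaked": direct and not enumerated,
    }


def find_prefixed(directory, prefix=CLOAK_PREFIX):
    """All names under directory carrying the cloak prefix (sorted paths).

    Only meaningful while the cloaking driver is NOT active; with it loaded,
    enumeration would not return these names at all.
    """
    hits = []
    for root, dirs, files in os.walk(directory):
        for n in dirs + files:
            if n.startswith(prefix):
                hits.append(os.path.join(root, n))
    return sorted(hits)


def demo():
    """Run both checks in a scratch directory with a constructed sample file."""
    with tempfile.TemporaryDirectory() as d:
        result = probe_cloak(d)
        # constructed sample: a file the trojan might have renamed to hide it
        open(os.path.join(d, "$sys$drv.exe"), "wb").close()
        hits = [os.path.basename(p) for p in find_prefixed(d)]
    return result, hits


if __name__ == "__main__":
    res, found = demo()
    print("cross-view probe:", res)
    print("prefixed names:", found)
```

If `probe_cloak` ever reports `cloaked: True`, treat it like the commenter's "the file is gone" result: the enumeration hook is live on that machine.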
  • by Tibor the Hun ( 143056 ) on Thursday November 10, 2005 @01:21PM (#13998967)
    Can anyone explain if this rootkit prompts for a password when installing (during the autorun, I presume)

    As an OS X user, I'd find it slightly odd that my music CD is prompting me for an administrative password.

    But to stay on topic, I'm sure this is but one of the many exploits that will be based on this rootkit.
    Does anyone have a comprehensive list of CDs that install it, and is it true that Sony has been using it since April?
  • by hattig ( 47930 ) on Thursday November 10, 2005 @01:26PM (#13999019) Journal
    I don't know if they are selling these DRM encrusted music discs in the UK, but if they are, each and every one of them will be breaching the 1990 Computer Misuse Act, and in a way that the act does cover - namely it alters the system without your approval or knowledge. What is doubly sad is that the software was written by a British company. Still, makes it easier to sue them.

    Secondly, does this rootkit install even if you are logged in as a normal Windows user, not Administrator? That suggests a security hole in Windows. However I suspect the issue is Windows making users Administrator by default, which is a really dumb system, security wise.
  • by danrik ( 568865 ) on Thursday November 10, 2005 @01:27PM (#13999032)
    No, because 99.975% of Windows users run as super users.

    On OS X, accounts marked as Administrators are really regular users who happen to have sudo powers, so you have to type in your password.

  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Thursday November 10, 2005 @01:31PM (#13999086) Homepage Journal
    The natural right to private property that you take an active role in maintaining and upgrading has been recognized for hundreds of years. Locke, George, and dozens of others have successfully debated it.

    Google [google.com] for some great links.
  • sony vs. microsoft (Score:3, Interesting)

    by doyoulikegoatseeee ( 930088 ) on Thursday November 10, 2005 @01:32PM (#13999095)
    so does this at all put sony in hot water with microsoft legally? perhaps this rootkit, trojan email or not, violates the windows eula.
  • by G4from128k ( 686170 ) on Thursday November 10, 2005 @01:34PM (#13999118)
    I've often wondered if non-users of product X can sue the maker of product X if said product causes a major disruption of the internet.


    If someone creates a worm that exploits a negligent design flaw in Sony's DRM or Microsoft Windows, then couldn't the affected sue Sony or Microsoft? This would include non-users of these products whose internet usage was disrupted. And as someone who does NOT use DRMed Sony CDs or Microsoft Windows, I have NOT agreed to these companies' EULAs with all their legalese of limited liability. Thus non-users may have more rights to sue than users of these products.

    IANAL. Any thoughts?

  • Infected with DRM (Score:5, Interesting)

    by saskboy ( 600063 ) on Thursday November 10, 2005 @01:35PM (#13999131) Homepage Journal
    Here's the Slashdot crowd's chance to get the phrase invented by a Slashdotter out in the public eye. It's important that the public learn that DRM is a bad thing, and this is simply one way to tell them plainly how it is bad. DRM breaks their computer, or makes their life more difficult.

    "Infected with DRM"
            Sony's rootkit has also been linked to Windows crashes, which isn't surprising to me. Most spyware causes instability in Windows because it is poorly written and designed to break parts of Windows to protect itself from removal. Sony writes, "This component is not malicious and does not compromise security. However to alleviate any concerns that users may have about the program posing potential security vulnerabilities, this update has been released to enable users to remove this component from their computers."
    The incongruence of their words, is not startling to me, as they are playing a PR game to hide the fact that they messed up people's computers, and made them vulnerable to an attack that hasn't gained popularity yet, but now surely will. Virus writers will be able to easily hide their virus files using programs like Sony's cloaking DRM. Sony is lying that their cloaking DRM does not compromise security of an infected computer.
    http://www.informationweek.com/story/showArticle.jhtml?articleID=173601122 [informationweek.com]
  • by Surt ( 22457 ) on Thursday November 10, 2005 @01:37PM (#13999161) Homepage Journal
    Who grants the natural right to property?

    For example, I own the world. So I can go anywhere I please, including into 'your' home which is really mine.

    You might suggest that the state decides who owns what, and the state says you own your home. But if so, then they also have the power to decide what the limits on that ownership are, including the powers of copyright.

    If you rely on the force of the state to create property rights, then you pretty much have to go along with the whole legal system in determining who has what assorted rights. The state has decided that copyright and property rights are both to exist, and that it will offer to use its force in defending those rights in certain ways. You can live with the legal system, or you can work with others to change it, or you can resist it (though your odds of doing that effectively seem quite low).

  • Comment removed (Score:3, Interesting)

    by account_deleted ( 4530225 ) on Thursday November 10, 2005 @01:38PM (#13999164)
    Comment removed based on user account deletion
  • by Tibor the Hun ( 143056 ) on Thursday November 10, 2005 @01:40PM (#13999202)
    OK, I've found a partial list, but according to the article SONY/BMG are not releasing a complete list:

    Trey Anastasio, Shine (Columbia)
    Celine Dion, On ne Change Pas (Epic)
    Neil Diamond, 12 Songs (Columbia)
    Our Lady Peace, Healthy in Paranoid Times (Columbia)
    Chris Botti, To Love Again (Columbia)
    Van Zant, Get Right with the Man (Columbia)
    Switchfoot, Nothing is Sound (Columbia)
    The Coral, The Invisible Invasion (Columbia)
    Acceptance, Phantoms (Columbia)
    Susie Suh, Susie Suh (Epic)
    Amerie, Touch (Columbia)
    Life of Agony, Broken Valley (Epic)
    Horace Silver Quintet, Silver's Blue (Epic Legacy)
    Gerry Mulligan, Jeru (Columbia Legacy)
    Dexter Gordon, Manhattan Symphonie (Columbia Legacy)
    The Bad Plus, Suspicious Activity (Columbia)
    The Dead 60s, The Dead 60s (Epic)
    Dion, The Essential Dion (Columbia Legacy)
    Natasha Bedingfield, Unwritten (Epic)
  • by froi ( 929455 ) on Thursday November 10, 2005 @01:46PM (#13999250)
    Regardless of the existence of government, the natural rights of an individual cannot be given away (you can't sell yourself into slavery, you can't tell a higher power that it's ok to kill you). One such right is the right to private property, closed to others' prying eyes or presence.

    Property rights are hardly on a par with freedom and the right to live. Even the very notion of "property" is problematic.

    One great force behind this right is that past acts bear no allowances for future acts. If I let you into my house yesterday, you have no right to be here today. I may contractually allow you to come and go as you please, but I have to willfully sign the contract with witnesses noting the act.

    Here you even contradict yourself, seemingly unnoticed. The fact that you can contractually give up this "right" demonstrates that it's fundamentally different from the right to live or to be free.

    Sony's DRM uses government force (through copyright provisions) to settle its legality. They say that by using their property, you have to permanently give up your natural right to private property (free speech Statists wrongfully call it Right to Privacy). Sony is wrong.

    This is nonsense. Sony is wrong here because they install illegal things on your computer without telling you, breaking several laws in the process, not because they are violating some fundamental natural right.

    By violating numerous natural rights, Sony has opened itself to a demand for restitution. I wholeheartedly believe that corporate protections are wrong, as is copyright. My solution? Go after Sony through the shareholders directly (they own the business and allowed the breach of a basic human right). Demand restitution for the trojan if you receive it.

    This is the kind of high-brow crap that gives Slashdot advocates a bad rep. If you go up to Sony shareholders and tell them they are violating human rights, not only will they laugh you in the face, but so will the media. Let's at least try to keep things in perspective here, shall we? Sony are installing stuff on your computer without your consent, not forcing children into prostitution.

    I think Sony made a mess here as well, but posts like yours piss me off even more. You people need to go outside or read the freaking newspaper once in a while. DRM protection gone awry is bad, but it isn't the end of the world either.
  • by dbc ( 135354 ) on Thursday November 10, 2005 @01:49PM (#13999290)
    Yes, but what OSes other than Microsoft products allow surf-by and auto-mount driver installs that diddle low-level file system APIs? Why is no one angry at Microsoft about this Sony fiasco?

    I'm thinking that outside of users that habitually surf and/or listen to music as root, that Linux and OS X users should be just a wee bit safer than the casual Windows user.

    Sure, Linux can be rooted. Now, your homework assignment is to go burn me a disk with music on it that will root my Linux box merely by being inserted, and won't let me listen to the music until my box has been rooted. I like classical.
  • by Lemmy Caution ( 8378 ) on Thursday November 10, 2005 @01:54PM (#13999334) Homepage
    Eh, that's a little "I was only following orders" for my blood.

    If I'm working for a homicidal maniac and I build a gun for him, I'm not innocent when he goes on a rampage.

    Werner Heisenberg claims that he sabotaged the Nazi atomic bomb effort. If that's true, this would have been a very different world if he had just decided to be a "good engineer." (Yes, Godwin, blah blah. I don't think it applies.)
  • by NSObject ( 250170 ) on Thursday November 10, 2005 @01:56PM (#13999361)
    It looks like there's an OS X version as well, but from a different source. Here's a reader comment from macintouch.com...

    Darren Dittrich followed up on the discovery that Sony was playing a dirty trick on its customers, secretly installing a malware-style "root kit" on their computers via audio CDs:

    I recently purchased Imogen Heap's new CD (Speak for Yourself), an RCA Victor release, but with distribution credited to Sony/BMG. Reading recent reports of a Sony rootkit, I decided to poke around. In addition to the standard volume for AIFF files, there's a smaller extra partition for "enhanced" content. I was surprised to find a "Start.app" Mac application in addition to the expected Windows-related files. Running this app brings up a long legal agreement, clicking Continue prompts you for your username/password (uh-oh!), and then promptly exits. Digging around a bit, I find that Start.app actually installs 2 files: PhoenixNub1.kext and PhoenixNub12.kext.

    Personally, I'm not a big fan of anyone installing kernel extensions on my Mac. In Sony's defense, upon closer reading of the EULA, they essentially tell you that they will be installing software. Also, this is apparently not the same technology used in the recent Windows rootkits (made by XCP [xcp-aurora.com]), but rather a DRM codebase developed by SunnComm, who promotes their Mac-aware DRM technology [sunncomm.com] on their site.
  • Re:Infected with DRM (Score:2, Interesting)

    by Tsiangkun ( 746511 ) on Thursday November 10, 2005 @01:57PM (#13999368) Homepage
    Don't buy music Infected with DRM [sonymusic.com].
  • by Anonymous Coward on Thursday November 10, 2005 @01:57PM (#13999378)
    The sales manager at the company I work for recently received a variant of this worm, and after finding that the attachment "didn't do anything" forwarded it on to me to find out why. I extracted the attachment and analysed it in IDA and discovered that it connected to one of two IRC servers and joined a specific channel.

    So posing as the trojan I logged onto the IRC channel. I idled there for a while watching the channel op send commands to the connected bots, and decided to have a go myself. The channel was +m but I could PRIVMSG the bots, and a bit more work in IDA revealed the command set - which contained an unload command. So I scripted my irc client to send a msg to every non-op in the channel with the command .. suddenly they all quit and the room was empty except for me and the op.

    "OH SHIT" he typed. He was more shocked than anything, and then more curious than angry. We ended up having a rather long and interesting conversation about our respective jobs. He told me about his bot network, what he uses them for (in the UK it's for harvesting email addresses, apparently), the ££ he gets for it - it's a full time job for him - and who writes most of the bot software (his partner.) He was no stereotypical teenage script kiddie either, more a computer professional turned to the 'dark side' of IT .. I felt quite akin to him in many ways.

    All in all, it was fascinating. (Btw, our firewall blocked the trojan from connecting to IRC and it was fairly easy to remove from the sales manager's laptop)
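The comment above describes watching an IRC-controlled bot: it joins a channel, the channel is set +m so only ops can speak, and a PRIVMSG sent straight to a bot's nick still reaches it. The following is an added example (not code from the article or from the commenter) that parses RFC 1459-style IRC lines and classifies, from a bot's point of view, which ones are channel traffic and which are direct messages that bypass a moderated channel. The log lines, the nicks, the channel name and the '.unload' command string are all constructed for the example; the page does not give the real bot's command set.

```python
"""Added example: parse IRC lines and classify them from a bot's viewpoint.

Not the page's code. Sample traffic, nicks, channel and the '.unload'
command are constructed for illustration (assumptions, not observed data).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]          # 'nick!user@host' or server name, if any
    command: str                   # e.g. PRIVMSG, JOIN, MODE, PING
    params: List[str] = field(default_factory=list)  # trailing param last

    @property
    def nick(self) -> Optional[str]:
        return self.prefix.split("!", 1)[0] if self.prefix else None


def parse_irc_line(line: str) -> IrcMessage:
    """Split ':prefix COMMAND p1 p2 :trailing text' into its parts."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:                      # first ' :' starts the trailing param
        line, _, trailing = line.partition(" :")
    parts = line.split()
    command, params = parts[0].upper(), parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, command, params)


def classify_for_bot(msg: IrcMessage, bot_nick: str, channel: str) -> str:
    """Label a message as the bot would see it.

    A PRIVMSG whose target is the bot's own nick is delivered regardless of
    channel modes such as +m; only channel-targeted traffic is gated by them.
    Commands are assumed to start with '.' (constructed convention).
    """
    if msg.command == "PRIVMSG" and len(msg.params) >= 2:
        target, text = msg.params[0], msg.params[-1]
        is_cmd = text.startswith(".")
        if target.lower() == bot_nick.lower():
            return "direct_command" if is_cmd else "direct_text"
        if target.lower() == channel.lower():
            return "channel_command" if is_cmd else "channel_text"
    if msg.command == "JOIN":
        return "join"
    if msg.command == "MODE":
        return "mode"
    return "other"


# Constructed sample traffic as the bot 'bot1' would receive it.
SAMPLE_LOG = [
    ":bot1!bot@10.0.0.5 JOIN :#c2",
    ":opnick!op@example.invalid MODE #c2 +m",
    ":opnick!op@example.invalid PRIVMSG #c2 :.scan 10.0.0.0/24",
    ":opnick!op@example.invalid PRIVMSG bot1 :.unload",
    ":somebody!s@host.invalid PRIVMSG #c2 :hi",
    "PING :irc.example.invalid",
]


def summarize(lines, bot_nick: str, channel: str) -> dict:
    """Count message classes over a list of raw IRC lines."""
    counts = {}
    for raw in lines:
        label = classify_for_bot(parse_irc_line(raw), bot_nick, channel)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOG:
        m = parse_irc_line(raw)
        print(f"{classify_for_bot(m, 'bot1', '#c2'):16} {m.nick!s:10} {m.params}")
    print(summarize(SAMPLE_LOG, "bot1", "#c2"))
```

The interesting row is the `direct_command` one: a moderated channel stops members from speaking in the channel, but nothing stops a private message to each bot, which is exactly the path the commenter used to reach every non-op.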
  • Major event (Score:2, Interesting)

    by openfrog ( 897716 ) on Thursday November 10, 2005 @02:04PM (#13999460)
    This could end up being a turning point. The organisations pushing for DRM will easily and swiftly realise what this leads to:

    All their heavy public relations work to portray the reluctant consumers as merely "pirates" is on for a trying test.
  • by jimbro2k ( 800351 ) on Thursday November 10, 2005 @02:06PM (#13999497)
    IF antivirus vendors do start removing the sony rootkit, won't that qualify as circumvention of a copyright device and put them in clear violation of the DMCA? This just keeps getting better and better.
  • by CowboyBob500 ( 580695 ) on Thursday November 10, 2005 @02:10PM (#13999545) Homepage
    Exactly, and I happen to think that the scientists are at least partly responsible.

    I was recently called up by a pimp (consultancy agent) and he asked if there was any company I wouldn't want to work for. I said anyone connected directly with the defence industry and he told me that I'd be surprised how many people also said that.

    As far as I'm concerned, if I write software for a guided missile for example, and that missile happens to kill innocent civilians (even if by mistake) then I feel like there'd be at least some blood on my hands too - which I don't want.

    Bob
  • by sizzzzlerz ( 714878 ) on Thursday November 10, 2005 @02:23PM (#13999713)
    Several years ago, Intuit infested your computer with their own DRM software when you installed their TurboTax software. Of course, the packaging said nothing about it, but once it was discovered, the shit hit the fan. They first denied doing anything wrong, then when forced to admit the presence of this software, they insisted it did no harm to the owner's computer. Once again, their logic was that all buyers of the software were thieves and this was protecting their IP. Finally, when sales of the product dropped sufficiently, they provided a mechanism to remove said DRM software; however, TurboTax would no longer run.

    The following year, all traces of this were removed in the next version and, afaik, it has never returned. I, for one, however, haven't bought their product since and don't plan to ever buy from them again.

    I guess Sony just wasn't paying attention.

  • by PhoenixPath ( 895891 ) on Thursday November 10, 2005 @02:28PM (#13999776)
    McAfee is the first. Detects, removes, *and* prevents re-installation.

    See below:

    http://www.betanews.com/article/Antivirus_Firms_Take_On_Sony_DRM/1131641594 [betanews.com]
  • by Lemmy Caution ( 8378 ) on Thursday November 10, 2005 @02:32PM (#13999825) Homepage
    Many traditional criminals are also motivated by financial anxiety. People in organized crime also have families to support. Does that exonerate them?
  • by MightyMartian ( 840721 ) on Thursday November 10, 2005 @02:52PM (#14000049) Journal
    No, they likely have a mortgage to pay and kids to feed and educate. No matter how you try to conflate this with organized crime or Nazis or whatever it is precisely your bit of hyperbole is attempting to do, engineers are paid to do a job, and part of that job is doing what management tells them. If management's orders put lives at risk, then yes, I could see putting it on the line, but for some stupid security measure, why bother? You tell your superiors that this is a rootkit and there could be security and public relations repercussions, and you've done your job.
  • by Lemmy Caution ( 8378 ) on Thursday November 10, 2005 @04:02PM (#14000950) Homepage
    See, the main problem I see with this defense comes from my experience in the industry: engineers are usually too eager to please, too enthusiastic about giving their bosses a solution. I've seen so many developers enjoy an almost conspiratorial glee in showing off just how clever and even devious they can be in delivering to management. I don't think it really takes a lot of hiding-the-truth from the engineers. They only have to frame it as a problem, and the engineers trip over each other to show how smart they are with a solution.

    The ethical questions themselves never get raised. Partially, it may be because ethics are seen as outside rationality.
  • by PetriBORG ( 518266 ) on Thursday November 10, 2005 @04:38PM (#14001369) Homepage
    Excellent points. I still feel that knowledge of intent is more important. If you were a programmer writing code for the NSA or other Three Letter Agency, how could you be ever sure that the program you are making to spy on Some Guy isn't used incorrectly? I don't believe you can. You can only make the best choice to your knowledge.

    But in this case, I would bet that this 'product' was made by said 3rd parties with this in mind - to sell it to Sony or whoever - and that they went to Sony, not that Sony found them. So here the 3rd party programmers share responsibility with The Man at Sony, but the vast bulk of responsibility goes with those at the helm who make the choices.

    This is the problem I have with large corps (american or otherwise) that choose to do these things. If you are management, and making those choices, then you must bear 80-90% of the responsibility. Even if your subordinates did help you do such a thing, you are the most to blame. The man who runs the drug cartel is more to blame for the drug problem than the drug dealer or drug user (ha, that's probably just as close to Godwin as I need to be, heh).

  • Re:Fun with $sys$ (Score:4, Interesting)

    by meringuoid ( 568297 ) on Thursday November 10, 2005 @05:03PM (#14001628)
    Could it be?! Is "$sys$" the new "^H^H^H"?

    Probably. Since the Sony Rootkit is the big story at the moment, this thread will get read by a lot of people. That post went to +5, and it's got Slashdot memeicity all over it.

    I wouldn't use it as a straight drop-in replacement for ^H^H^H, though; that merely implies 'I nearly wrote this - whoops!' $sys$ conveys malevolence. So, for instance, if someone were to write

    We must invade Iraq to look for oil^H^H^HWMD

    would suggest that oil is at least part of the purpose of the invasion, and that it's just not diplomatic to mention it. A careless typo that reveals too much of what you're thinking. On the other hand

    We must invade Iraq to look for $sys$oil WMD

    would suggest that oil is the real purpose of the invasion, and that this is being deliberately hidden by a lot of bullshit about WMD. A subtext deliberately trojaned in and kept dark.

    Use the $sys$ prefix in place of ^H^H^H to lend a nastier, more malevolent tone to what it is you're editing out.

  • by radtea ( 464814 ) on Thursday November 10, 2005 @05:21PM (#14001826)
    Here is a useful definition of "natural right" that might help people understand the natural rights perspective:

          natural right(n): A political condition required for the life of a morally autonomous being.

    A natural right, in this view, is to political or social life what the requirement for food, water or air is to physical life. I cannot say, "I relinquish my need for food" in any meaningful sense, because it is my nature to need food to live.

    Likewise, for a being whose mode of life involves making and acting on its own value judgements, certain political conditions are required. The need for these political conditions cannot be relinquished.

    "Tyranny" is a political condition, as is "republic", "police state", etc. Not all of these political conditions allow morally autonomous beings to live as such.

    Note that I do not believe that natural rights theory is sufficient to construct a theory of society. Nor do I believe that protection of natural rights is a sufficient basis for a just society. Humans are more than rights-bearing creatures, and our social needs are far more complex than the needs described by natural rights. A natural-rights-only society is the bread-and-water diet of social theory: sufficient to sustain some kind of existence, but not sufficient for genuine health and happiness.
