Trojan horses targeting Sony DRM rootkit found

Trojan horses targeting Sony DRM rootkit found

Summary: Two Trojan horses have been discovered that exploit Sony's copy-restriction software, as F-Secure tries not to say 'I told you so'

TOPICS: Security

Two Trojan horses with very similar characteristics that exploit Sony's DRM software to avoid detection were found on Thursday.

The Stinx-E Trojan horse, found by antivirus vendor Sophos, has been sent out in spam and uses filenames such as Article+Photos.exe and poses as a message from a British business magazine.

Sophos says Stinx-E takes advantage of DRM software included on some Sony CDs. The discovery of this software last week has caused a storm of protest, as it uses a rootkit-like product to hide itself.

Antivirus firms had already warned that Sony's DRM software could be exploited by a malicious hacker to hide a piece of malware on a user's PC.

"This Trojan horse allows hackers to gain access to a PC, and control it. The Trojan can cloak itself if you've been running a Sony CD with DRM. The copy-protection software hides the malware," said Graham Cluley, senior technology consultant at Sophos.

When Stinx-E runs it copies itself to a file called $sys$drv.exe . Any file with $sys$ in its name is automatically cloaked by Sony's copy-restriction code, making it invisible on computers which have used CDs carrying Sony's copy protection, according to Sophos.

"When your antivirus software looks for malware, the Sony DRM software jumps in and says 'No, nothing here.' Antivirus, Windows Explorer — nothing can see the Trojan, because the Sony software is cloaking it," Cluley explained.

Antivirus software can stop the exploit at the gateway to a system, but if the exploit does get onto a system it is then very difficult to detect, according to Sophos.

The second Trojan was found by Finnish antivirus company F-Secure, which reported the discovery of Breplibot.b on its blog. The Trojan horse is also attempting to hide on machines that have Sony DRM software installed.

"Luckily, the [Trojan] has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the [Trojan] will not run at all," F-Secure said on its blog on Thursday.

Breplibot.b cannot survive a reboot because of a programming error, F-Secure reported. It is also known as Backdoor.Win32.Breplibot.b.

Although this particular Trojan was flawed, F-Secure still feels that rootkits should not be used for copy-restriction.

"We wouldn't like to say "we told you so" but unfortunately this is one of those times you just have to do it. This is a very good example of why software should not use rootkit techniques," F-Secure said.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Doing a little bit of digging has found that the domain seems to be kicking out loads of these emails.

    I must admit i have a keen eye on the security and email front and this little bugger nearly caught me out.

    i have informed the above domain but only realised it had anything to do with the SONY ROOTKIT once i had read this.

    I must say how irressponsible sony are for allowing computers around the world to be subject to this kind of vulnerability.
  • Has a Sony employee played one of the infected CDs on their work computer? How ironic if Sonys internal network was compromised.