Trojan horses targeting Sony DRM rootkit found
Two Trojan horses with very similar characteristics that exploit Sony's DRM software to avoid detection were found on Thursday.
The Stinx-E Trojan horse, found by antivirus vendor Sophos, has been sent out in spam and uses filenames such as Article+Photos.exe and poses as a message from a British business magazine.
Sophos says Stinx-E takes advantage of DRM software included on some Sony CDs. The discovery of this software last week has caused a storm of protest, as it uses a rootkit-like product to hide itself.
Antivirus firms had already warned that Sony's DRM software could be exploited by a malicious hacker to hide a piece of malware on a user's PC.
"This Trojan horse allows hackers to gain access to a PC, and control it. The Trojan can cloak itself if you've been running a Sony CD with DRM. The copy-protection software hides the malware," said Graham Cluley, senior technology consultant at Sophos.
When Stinx-E runs it copies itself to a file called $sys$drv.exe . Any file with $sys$ in its name is automatically cloaked by Sony's copy-restriction code, making it invisible on computers which have used CDs carrying Sony's copy protection, according to Sophos.
"When your antivirus software looks for malware, the Sony DRM software jumps in and says 'No, nothing here.' Antivirus, Windows Explorer — nothing can see the Trojan, because the Sony software is cloaking it," Cluley explained.
Antivirus software can stop the exploit at the gateway to a system, but if the exploit does get onto a system it is then very difficult to detect, according to Sophos.
The second Trojan was found by Finnish antivirus company F-Secure, which reported the discovery of Breplibot.b on its blog. The Trojan horse is also attempting to hide on machines that have Sony DRM software installed.
"Luckily, the [Trojan] has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the [Trojan] will not run at all," F-Secure said on its blog on Thursday.
Breplibot.b cannot survive a reboot because of a programming error, F-Secure reported. It is also known as Backdoor.Win32.Breplibot.b.
Although this particular Trojan was flawed, F-Secure still feels that rootkits should not be used for copy-restriction.
"We wouldn't like to say "we told you so" but unfortunately this is one of those times you just have to do it. This is a very good example of why software should not use rootkit techniques," F-Secure said.