First Trojan using Sony DRM spotted
The first trojan that uses Sony's rootkit software to hide itself has been discovered by anti-virus companies. The Register (theregister.co.uk) reports:
"Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory."
Because its file is cloaked by the rootkit, this new Trojan can only be detected by special software such as the freeware tool Rootkit Revealer. The trojan appears to be spread by fake emails asking people to verify a photograph of themselves.
Update: There has been a lot of talk about Sony's rootkit. What we know is that the company used the technology on about 20 different music CDs that it shipped to retail channels. This reduces the likelihood of misuse considerably, since a user would not only have to play one of those music CDs in their PC, but also get the Trojan onto their system somehow.
Here is the email that was used to distribute the trojan.
Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.
Can you check over the format and get back to us with your approval or any changes?
If the picture is not to your liking then please send a preferred one.
We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
And the attachment: Article+Photos.exe
A malicious IRC backdoor is then installed on the system which cannot be detected by normal security software if the Sony rootkit is running on the system.
The trojan then creates a startup key for itself in the Windows Registry and connects to several IRC servers to wait for commands from the remote hacker. The attacker can then perform operations such as downloading, deleting or running files on infected machines without the user of the system ever knowing about it.
The trojan furthermore terminates processes of known security software to avoid detection and removal.
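To make the cloaking concrete from the defender's side, here is an added example (not code from the original post, The Register, or any anti-virus vendor) that checks a file listing for the "$sys$" prefix the rootkit masks. The listing itself is constructed sample data; "$sys$sample.dat" is an invented name used only to show that the match is on the prefix, not on the one dropper name quoted above.

```python
import os
from typing import Iterable

# Prefix that the Sony-BMG rootkit driver hides from ordinary Windows APIs,
# as described in the post; the Breplibot variant drops "$sys$drv.exe".
CLOAK_PREFIX = "$sys$"


def is_cloaked_name(name: str) -> bool:
    """True if a file or directory name would be hidden by the rootkit's filter.

    The comparison is case-insensitive because NTFS and the Win32 file APIs
    treat names case-insensitively.
    """
    return name.lower().startswith(CLOAK_PREFIX)


def find_cloaked_names(names: Iterable[str]) -> list[str]:
    """Return every name in a listing that carries the cloaking prefix."""
    return [n for n in names if is_cloaked_name(n)]


def scan_tree(root: str) -> list[str]:
    """Walk a directory tree and return full paths of cloaked files and folders.

    Caveat: while the rootkit driver is loaded, os.walk() goes through the
    same filtered directory enumeration and will not see the cloaked entries.
    Run this against the disk from a clean boot environment, or diff its output
    against a raw-volume listing the way Rootkit Revealer does.
    """
    hits: list[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for n in dirnames + filenames:
            if is_cloaked_name(n):
                hits.append(os.path.join(dirpath, n))
    return hits


# Constructed sample listing standing in for a Windows system directory.
# "$sys$drv.exe" is the dropper name quoted in the post; "$sys$sample.dat"
# is an invented name included only to demonstrate the prefix match.
SAMPLE_LISTING = [
    "kernel32.dll",
    "$sys$drv.exe",
    "ntoskrnl.exe",
    "$SYS$sample.dat",
]

if __name__ == "__main__":
    for hit in find_cloaked_names(SAMPLE_LISTING):
        print("suspicious cloaked name:", hit)
```

The useful part is the caveat in scan_tree(): any scanner that relies on the operating system's own directory enumeration inherits the rootkit's filtering, which is exactly why the post says ordinary security software cannot see the Trojan and a cross-view tool such as Rootkit Revealer is needed.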