First Trojan using Sony DRM spotted - gHacks Tech News

First Trojan using Sony DRM spotted

The first Trojan that uses Sony's rootkit DRM software to hide itself has been discovered by anti-virus companies. The Register (register.co.uk) reports:

"Sony-BMG's rootkit DRM technology masks files whose filenames start with '$sys$'. A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file '$sys$drv.exe' in the Windows system directory."

Because the dropped file is hidden from normal directory listings, this new Trojan can only be detected by specialised tools such as the freeware RootkitRevealer. The Trojan appears to be spread by fake emails asking recipients to check and approve a photograph.

Update: There has been a lot of talk about Sony's rootkit. What we know is that the company used the technology on about 20 different music CDs that it shipped to retail channels. This reduces the likelihood of misuse considerably: a user would not only have to play one of those music CDs on their PC, but also get the Trojan onto their system somehow.

Here is the email that was used to distribute the trojan.

Hello,

Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly.

Can you check over the format and get back to us with your approval or any changes?

If the picture is not to your liking then please send a preferred one.

We have attached the photo with the article here.

Kind regards,

Jamie Andrews

Editor

www.TotalBusiness.co.uk

**********************************************

The Professional Development Institute

And the attachment: Article+Photos.exe

Running the attachment installs a malicious IRC backdoor, which normal security software cannot detect if the Sony rootkit is running on the system.

The Trojan then creates a startup key for itself in the Windows Registry and connects to several IRC servers to wait for commands from the remote attacker, who can then download, delete or run files on the infected machine without the user ever knowing about it.

The Trojan furthermore terminates the processes of known security software to avoid detection and removal.
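The detection problem described above (a name-prefix filter that hides "$sys$" files from ordinary listings, so that a tool like RootkitRevealer is needed) is illustrated here with an added example that is not from the article or from Sysinternals: a cross-view check compares a directory listing obtained through the normal file API with one obtained by another route (on a live system, a raw walk of the volume; here a constructed listing) and reports every entry the API view omits, flagging those that match the cloaking prefix. The two listings, the name "$sys$sample.tmp" and the case-insensitive match are constructed assumptions for the example.

```python
from __future__ import annotations

# Added example: cross-view detection of files hidden by a name-prefix
# cloaking filter, modelled on the "$sys$" behaviour described in the article.
# The listings below are constructed sample data, not output from a real host.

CLOAK_PREFIX = "$sys$"   # prefix the Sony DRM driver masks (from the article)


def is_cloaked_name(name: str) -> bool:
    """True if a filename matches the prefix the filter driver hides.

    Windows filenames are case-insensitive, so the comparison is made in
    lower case (an assumption of this example, not a documented rootkit rule).
    """
    return name.lower().startswith(CLOAK_PREFIX)


def cross_view_diff(api_view: set[str], raw_view: set[str]) -> dict[str, list[str]]:
    """Compare what the file API reports with what a raw on-disk walk finds.

    api_view: names returned by a normal directory listing (filtered view)
    raw_view: names recovered without going through the filter
    Returns the discrepancies: entries the API does not show, the subset of
    those matching the known cloaking prefix, and entries only the API shows
    (usually a stale snapshot rather than a rootkit, but still worth a look).
    """
    hidden = sorted(raw_view - api_view)
    return {
        "hidden": hidden,
        "prefix_matches": [n for n in hidden if is_cloaked_name(n)],
        "only_in_api": sorted(api_view - raw_view),
    }


# Constructed listings of a system directory under the cloaking filter.
API_VIEW = {"kernel32.dll", "user32.dll"}
RAW_VIEW = API_VIEW | {"$sys$drv.exe", "$sys$sample.tmp"}  # second name constructed


def demo() -> dict[str, list[str]]:
    """Run the cross-view check on the constructed listings."""
    return cross_view_diff(API_VIEW, RAW_VIEW)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {names}")
```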
