Sony Rootkit Update: Through The Back Door
John Stith Staff Writer
2005-11-10
Sony appears to have more problems now. Security firms Kaspersky Lab and Sophos discovered the first malicious software to crawl through the backdoor of Sony BMG's rootkit. Many critics warned this problem would occur and Sony BMG's statements blew them off. They may need to reexamine the situation.
According to Moscow-based Kaspersky, a Trojan horse program that makes use of the rootkit technology was detected. Kaspersky labeled it Backdoor.Win32.Breplibot.b; Sophos is calling it Troj/Stinx-E. The program was distributed through spam, attached to messages as a supposed photograph. All it takes is to open the "image" and the damage is done.
"Despite its good intentions in stopping music piracy, Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," said Graham Cluley, senior technology consultant for Sophos. "We wouldn't be surprised if more malware authors try and take advantage of this security hole, and consumers and businesses alike would be sensible to protect themselves at the earliest opportunity."
They said that when the program launches, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. "Using this name makes it possible for the Sony rootkit technology to be used to hide the activity of the malicious program." They were quick to point out that this only happens on machines that have run one of the 20 or so Sony BMG CDs that use this particular form of DRM.
Kaspersky's blog, Viruslist.com, lists the email carrying the offending attachment. The subject is "Requesting Photo Approval." The attachment is called "article_December_3621.exe". The text of the email is as follows:
Hello,
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.
Kind regards,
Jamie Andrews
Editor
www.TotalBusiness.co.uk
**********************************************
The Professional Development Institute
**********************************************
This is the change the program makes to the system registry:
[HKEY_LOCAL_MACHINE]
"WkbpsevaXImgvkwkbpXSmj`kswXGqvvajpRavwmkjXVqj"="$SYS$DRV.EXE"
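As an added illustration that is not part of the article or of Kaspersky's write-up, the following Python detector scans a constructed "reg export" of the Run key for autostart entries whose program name begins with "$sys$", the prefix the Sony cloaking honours and the reason the backdoor calls itself $SYS$DRV.EXE. It flags only file names that start with the prefix, not paths that merely contain it somewhere; the sample registry entries are made up for the example.

```python
import re
from typing import List, Tuple

# The Sony cloaking hides any file or process whose name begins with
# "$sys$" (case-insensitive); the trojan picks $SYS$DRV.EXE to borrow it.
CLOAK_PREFIX = "$sys$"

# Constructed sample of a .reg export of the Run key (made up for this
# example; the article does not show the real entries in this form).
SAMPLE_RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"SysDrv"="C:\\WINDOWS\\system32\\$SYS$DRV.EXE"
"Helper"="\"C:\\WINDOWS\\system32\\$sys$helper.exe\""
"Legit"="C:\\WINDOWS\\system32\\legit$sys$.exe -q"
'''

# One "name"="data" value line of a .reg export.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape_reg(data: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", data)


def executable_of(command: str) -> str:
    """Return the program path from a Run command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(None, 1)[0] if command else ""


def uses_cloak_prefix(path: str) -> bool:
    """True only if the file name itself (not the directory) starts with $sys$."""
    name = re.split(r"[\\/]", path)[-1]
    return name.lower().startswith(CLOAK_PREFIX)


def suspicious_run_entries(reg_export: str) -> List[Tuple[str, str]]:
    """Return (value name, program path) for autostart entries using the prefix."""
    hits = []
    for line in reg_export.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            exe = executable_of(unescape_reg(m.group("data")))
            if uses_cloak_prefix(exe):
                hits.append((m.group("name"), exe))
    return hits
```

Run it against the output of "reg export" for the Run key; on a machine where the cloak is active the file itself may be invisible to Explorer, but the autostart value still names it.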
There are two basic ways to avoid this. First, don't open strange attachments in your email, a good rule of thumb anyway. The other is not to purchase the CDs. One can only assume more of these will be created, and Sony will have even more to answer for in this situation.
About the Author:
John is a staff writer for SecurityProNews covering cyber security.