Brian Krebs on Computer Security
Virus Writers Exploit Sony Anti-Piracy Software

This was bound to happen.

Anti-virus maker Sophos is reporting that it has spotted an e-mail going around that tries to exploit the controversial file-hiding abilities of anti-piracy software embedded on some of Sony BMG's music CDs.

According to Sophos, the e-mail, posing as a message from a British business magazine, begins:

"Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here."

If the recipient has Sony's anti-piracy installed on his or her machine and happens to click on the file attached to the e-mail, the computer is infected with a Trojan horse that copies a file to the victim's machine -- "$sys$drv.exe."

As Security Fix has noted in past posts, the Sony software successfully hides any file with the "$sys$" convention in it.

Sophos, which is based in Denmark, said it would issue a tool later today to detect the existence of Sony's DRM copy-protection on Windows computers, disable it, and prevent it from re-installing.

Sony could be in big trouble soon. The emergence of this virus should provide ample fodder to the class action suit that was recently filed in California against Sony.

UPDATE, 12:36 p.m. EST: Finnish anti-virus company F-Secure Corp. says the nasty bug in question is a bot program designed to force the infected computer to connect to an Internet relay chat server where the attacker who created it can update the infected PC with additional software, delete files, or command the machine to attack other computers online. According to F-Secure, the bot program does not work due to a programming flaw. However, given the enormous amount of public attention paid to the Sony anti-piracy software, working variants are likely to emerge within a short time.

By Brian Krebs | November 10, 2005; 11:57 AM ET | Category: Latest Warnings
Previous: Sony's Attitude Has a History | Main Index
TrackBack

TrackBack URL for this entry:
http://www.typepad.com/t/trackback/3620870

Listed below are links to weblogs that reference Virus Writers Exploit Sony Anti-Piracy Software:
Comments

Please email us to report offensive comments.

"Sophos, which is based in Denmark, said it would issue a tool later today to detect the existence of Sony's DRM copy-protection on Windows computers, disable it, and prevent it from re-installing."

Good for Sophos.

You know, Kaspersky, F-Secure, and Sophos come out of this really well; Symantec and Microsoft come out of it really badly.

There is clear evidence - including crytic comments at microsoft.com itself - that indicate that Microsoft has known about the rootkit for quite some time. However, Microsoft has said very little and recent inquirers have been told that the Malicious Software Removal Tool will *not* flag the Sony rootkit.

Here are people messing around with the Windows kernel and hiding what they're doing and Microsoft knows and JUST DOES NOT CARE. It would sooner suck up to Sony than protect its own customers.

Likewise, First 4 Internet has said that Symantec, the makers of Norton "antivirus" helped them develop the rootkit. Symantec has not denied this.

Symantec has now bowed to pressure and says that some of its products will detect the rootkit but not remove it. And it actually declares on its site that the Sony spyware is "a legitimate application". Legitimate! What a joke Symantec! What you say; let's see what the courts say, huh?

I'll never buy another Norton anti-virus product. You simply can't rely on Symantec to protect you. They should re-name the Norton AV product to "Norton anti-some-viruses-and-pro-some-others".