Network Computing is part of the Informa Tech Division of Informa PLC


Who's Got Your Back?

Not Sony, that's for sure.
Mark Russinovich over at Sysinternals discovered Sony BMG's rootkit recently and blogged the process (great reading for anyone who likes nitty-gritty device driver details and hex code dumps).

The fuss was over Sony's unauthorized installation of a rootkit that cloaked files from the system and inserted a driver into the CD device driver stack that, if removed, would break your PC's ability to play any CDs. The software was installed from Sony BMG "copy protected CDs," and no mention of it was made in the EULA.
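The post's point about the CD device driver stack is the one a defender should take away: a filter driver that is registered on the CD-ROM device class but whose binary has been deleted leaves the class unable to start, which is exactly the "can't play CDs any more" failure described above. The following PowerShell check is an added example, not code from the Network Computing post, from Sony, or from Sysinternals. It reads the real `UpperFilters`/`LowerFilters` values of the CD-ROM device class (GUID `{4D36E965-E325-11CE-BFC1-08002BE10318}`) and reports each registered filter service, whether its service key exists, and whether its driver file is present on disk. The function name `Get-CdromFilterDrivers` is this example's own.

```powershell
# Added example: inventory the filter drivers registered on the CD/DVD-ROM
# device class and flag dangling registrations (service or file missing).
# Run as an administrator; read-only, it changes nothing.
$cdromClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'

function Get-CdromFilterDrivers {
    $props = Get-ItemProperty -Path $cdromClass -ErrorAction Stop

    foreach ($kind in 'UpperFilters', 'LowerFilters') {
        foreach ($svc in @($props.$kind)) {
            if ([string]::IsNullOrWhiteSpace($svc)) { continue }

            # Each filter name is a service under the Services key whose ImagePath
            # points at the .sys file actually loaded into the driver stack.
            $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            $svcProps = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue

            $image = $null
            if ($svcProps -and $svcProps.ImagePath) {
                # Normalise the common ImagePath forms: "\SystemRoot\...", "\??\C:\..."
                # and paths relative to the Windows directory ("system32\drivers\x.sys").
                $image = $svcProps.ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
                $image = $image -replace '^\\\?\?\\', ''
                if (-not [System.IO.Path]::IsPathRooted($image)) {
                    $image = Join-Path $env:SystemRoot $image
                }
            }

            [pscustomobject]@{
                Filter     = $kind
                Service    = $svc
                ServiceKey = [bool]$svcProps
                ImagePath  = $image
                FileExists = if ($image) { Test-Path -LiteralPath $image } else { $false }
            }
        }
    }
}

# A row with ServiceKey or FileExists = False is a registration whose driver
# is gone: the device class will fail to start until the entry is removed.
# Any filter name you do not recognise is worth looking up before touching it.
Get-CdromFilterDrivers | Format-Table -AutoSize
```

The lesson behind the check is the same one the post makes about Sony's removal instructions: a filter driver has to be unregistered from the class before (or instead of) its file being deleted, so a cleanup that only removes the binary is worse than leaving it alone. Comparing this inventory against a known-good build of the same Windows version is the quickest way to spot an entry that does not belong.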

Since then, Sony has altered its EULA to cover the software and has grudgingly offered instructions on how to safely remove its rootkit without killing your PC's ability to play CDs. Antivirus providers pointed out that such a rootkit could provide a mechanism for virus writers to hijack PCs, and today we learn that this is exactly what has happened, with the discovery of a trojan that uses the Sony DRM rootkit to drop an IRC trojan on users' machines.

A new trojan that hides under the cover provided by the Sony DRM component was detected by BitDefender Labs at 12.15 PM GMT today and is in the wild. This is the first observed instance of malware using the Sony DRM rootkit that Mark Russinovich detected and analysed.

***UPDATED (14.02 pm GMT)***

Analysts at the BitDefender Labs have completed a technical description of the threat and published a signature update. A removal tool for the trojan and a detection tool for the Sony DRM component are in preparation at the BitDefender Labs and will be made available to the general public in the coming hours.

The full analysis of the trojan is available here.
