Trojan Found Piggybacking Sony DRM Rootkit
- By Scott Bekker
- November 10, 2005
Anti-virus firms have discovered the first known trojan horse program to hide inside the Sony digital rights management (DRM) software that critics say is downloaded without consent to users' PCs.
The trojan horse is being referred to as Backdoor.IRC.Snyd.A (BitDefender), Backdoor.Win32.Breplibot.b (Kaspersky), Troj/Stinx-E (Sophos) and W32/Brepibot (McAfee).
The Sony DRM issue came to light Oct. 31 when Windows kernel expert Mark Russinovich, co-founder of Winternals Software, blogged about his discovery that a Sony audio CD had installed, without prompting, DRM software that behaves like a rootkit on his system.
One of the immediate concerns raised after Russinovich's discovery was that malware authors would find ways to piggyback on Sony's DRM rootkit. Backdoor.IRC.Snyd.A appears to be the first trojan of that type, according to a spokesperson for BitDefender.
"It is virtually impossible for a normal user to detect presence of any files hidden by Sony DRM Software," BitDefender writes in its advisory about the trojan horse, which was discovered Wednesday and which BitDefender classifies as a low spreading, medium damage threat.
This particular IRC backdoor is spread through a conventional .exe attachment to a spam message. When executed, the program installs itself and connects to one of five hardcoded IRC servers. "The backdoor uses the Sony DRM copy protection system in order to hide its presence in the system," BitDefender's advisory notes.
The backdoor contains the string "SonyEnabled".
Rootkits are cloaking technologies that hide files, Registry keys and other system objects from diagnostic and security software, says Russinovich, who discovered the original Sony DRM software while testing a tool called RootkitRevealer.
While attempting to remove the Sony DRM software, Russinovich encountered problems locating and removing it, including having his CD drive disabled.
"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," Russinovich wrote.
"While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far," he said.
Sony released a patch within days of Russinovich's post, but the patch itself immediately drew criticism for technical flaws, EULA discrepancies and privacy issues.
Russinovich's discovery has dealt a serious blow to large media companies' DRM plans. Already unpopular with technical users, the plans rely on widespread trust in the competence and trustworthiness of the software and media companies that require users to accept DRM software with CDs, DVDs and downloads. Microsoft is a major DRM backer.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.