Trojan Found Piggybacking Sony DRM Rootkit

Anti-virus firms have discovered the first known trojan horse program to hide inside the Sony digital rights management (DRM) software that critics say is downloaded without consent to users' PCs.

The trojan horse is being referred to as Backdoor.IRC.Snyd.A (BitDefender), Backdoor.Win32.Breplibot.b (Kaspersky), Troj/Stinx-E (Sophos) and W32/Brepibot virus (McAfee).

The Sony DRM issue came to light Oct. 31 when Windows kernel expert Mark Russinovich, co-founder of Winternals Software, blogged about his discovery that a Sony audio CD had installed on his system, without prompting, DRM software that behaves like a rootkit.

One of the immediate concerns raised after Russinovich's discovery was that malware authors would find ways to piggyback on Sony's DRM rootkit. Backdoor.IRC.Snyd.A appears to be the first trojan of that type, according to a spokesperson for BitDefender.

"It is virtually impossible for a normal user to detect presence of any files hidden by Sony DRM Software," BitDefender writes in its advisory about the trojan horse, which was discovered Wednesday and which BitDefender classifies as a low spreading, medium damage threat.

This particular IRC backdoor is spread through a conventional .exe attachment to a spam message. When executed, the program installs itself and connects to one of five hardcoded IRC servers. "The backdoor uses the Sony DRM copy protection system in order to hide its presence in the system," BitDefender's advisory notes.

The backdoor contains the string, "SonyEnabled".

Rootkits are cloaking technologies that hide files, Registry keys and other system objects from diagnostic and security software, says Russinovich, who discovered the original Sony DRM software while testing a tool called Rootkit Revealer.
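The detection technique behind Rootkit Revealer is a cross-view comparison: it enumerates files and Registry keys through the normal Windows API and again by parsing the on-disk file system and hive structures directly, then reports every object the two views disagree on. The following is an added example (not code from the article, from Winternals or from Sony) that simulates that idea in Python. The listings, the `$hidden$` name marker the simulated cloaking filter keys on, and the file names are all constructed for this example; they are not the real driver's behaviour or the real file names.

```python
"""Cross-view rootkit detection, in the style of Rootkit Revealer.

Added example, not from the article or from Winternals. It simulates a
cloaking filter over constructed file and Registry listings and shows how
a cross-view scan surfaces what the filter hides. The "$hidden$" marker and
every path below are constructed for this example.
"""
from dataclasses import dataclass

# Constructed "raw" view: what a scanner sees by parsing the on-disk
# structures directly, bypassing the (possibly filtered) Windows API.
RAW_FILES = [
    r"C:\Windows\System32\drivers\acpi.sys",
    r"C:\Windows\System32\drivers\$hidden$drmfilt.sys",  # constructed cloaked name
    r"C:\Program Files\Common Files\$hidden$drm.dll",    # constructed cloaked name
    r"C:\Users\alice\Documents\notes.txt",
]
RAW_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\acpi",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$hidden$drmfilt",  # constructed
    r"HKLM\SOFTWARE\Example\Normal",
]

CLOAK_MARKER = "$hidden$"  # assumption: the simulated filter hides names containing this


def cloaked_api_view(raw_entries):
    """Simulate the filtered Windows API view: any entry whose final path
    component carries the cloak marker is dropped from the enumeration,
    which is what a cloaking filter driver does to directory and Registry
    listings. Everything else passes through unchanged."""
    visible = []
    for entry in raw_entries:
        leaf = entry.rsplit("\\", 1)[-1]
        if CLOAK_MARKER not in leaf:
            visible.append(entry)
    return visible


@dataclass(frozen=True)
class Discrepancy:
    kind: str   # "file" or "key"
    path: str
    note: str


def cross_view_scan(api_view, raw_view, kind):
    """Report every object present in the raw view but missing from the API
    view (hidden), and anything the API shows that the raw scan lacks (more
    often a stale listing than cloaking, but still worth a look)."""
    api, raw = set(api_view), set(raw_view)
    findings = [Discrepancy(kind, p, "hidden from Windows API")
                for p in sorted(raw - api)]
    findings += [Discrepancy(kind, p, "visible in API but not in raw scan")
                 for p in sorted(api - raw)]
    return findings


def scan_system(raw_files=RAW_FILES, raw_keys=RAW_KEYS):
    """Run the cross-view comparison over both the file system and Registry
    listings and return the combined list of discrepancies."""
    findings = cross_view_scan(cloaked_api_view(raw_files), raw_files, "file")
    findings += cross_view_scan(cloaked_api_view(raw_keys), raw_keys, "key")
    return findings


if __name__ == "__main__":
    for f in scan_system():
        print(f"{f.kind:4} {f.path}  [{f.note}]")
```

The point of the two-sided comparison is that a scanner cannot trust the API it is asking: only a second, independent view exposes what a cloaking filter removes. A real scanner reads the raw structures itself rather than reusing a list, as this simulation does, and as Russinovich's account shows, a hit in the report is a reason to investigate, not to delete the cloaked objects outright.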

In attempting to remove the Sony DRM software, Russinovich encountered problems locating and removing the software, including having his CD drive disabled.

"The entire experience was frustrating and irritating. Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files," Russinovich wrote.

"While I believe in the media industry’s right to use copy protection mechanisms to prevent illegal copying, I don’t think that we’ve found the right balance of fair use and copy protection, yet. This is a clear case of Sony taking DRM too far," he said.

Sony released a patch within days of Russinovich's post, but the patch itself immediately drew criticism for technical flaws, EULA discrepancies and privacy issues.

Russinovich's discovery has dealt a serious blow to large media companies' DRM plans. Already unpopular with technical users, the plans rely on widespread trust in the competence and trustworthiness of the software and media companies that require users to accept DRM software with CDs, DVDs and downloads. Microsoft is a major DRM backer.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
