First Sony Rootkit Trojan
Thursday November 10, 2005
The first Trojan exploiting the Sony DRM cloaking technology (aka rootkit) has been discovered. Dubbed Troj/Stinx-E by antivirus vendor Sophos and Trojan.Downloader.Small-882 by ClamAV, and detected heuristically by BitDefender, the Sony Stinx Trojan bypasses the Windows XP firewall, opens an IRC backdoor and downloads further malware.
Troj/Stinx-E aka Trojan.Downloader.Small-882 was seeded in an email. The infected attachment was named:
Article+Photos.exe
If the attachment is opened, the Trojan copies itself to the Windows\System directory as:
$sys$drv.exe
Sony's DRM cloaking driver hides every file, process and registry key whose name begins with $sys$, so a Trojan dropped under that name is automatically concealed from the file system enumeration that many (if not most) antivirus scanners rely on, making it effectively invisible on an affected machine. Even if you have never played a Sony BMG music CD on your computer you can still be infected by this Trojan, but without the cloaking driver its presence won't be masked and it is easily detected by up-to-date antivirus.
Interestingly, however, the Trojan writes invalid registry keys, so it does not get loaded again when Windows is restarted, and, according to research from F-Secure, if the DRM cloaking technology is present the Trojan won't even load initially.
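Two checks a practitioner would want here, as an added example that is not code from the original article, F-Secure or Sophos: a canary file whose name starts with $sys$ (if directory enumeration no longer reports it, an enumeration filter is hiding that prefix), and the cross-view diff used by rootkit detectors (compare a raw listing against what the filtered API returns). The only assumption is the documented behaviour of the cloaking driver, that names beginning with $sys$ are filtered out of enumeration; the directory listing and the canary file name below are constructed sample data, and the simulated filter stands in for the driver.

```python
"""Detecting "$sys$" cloaking with a canary file and a cross-view diff.

Added example, not from the original article. It assumes only the documented
behaviour of the Sony DRM cloaking driver: names beginning with "$sys$" are
dropped from enumeration results. All file names below are constructed.
"""
import os
import tempfile

CLOAK_PREFIX = "$sys$"

# Constructed sample: a raw (unfiltered) listing of a System directory on an
# infected machine; "$sys$drv.exe" is the Trojan's drop name from the article.
SAMPLE_RAW_LISTING = ["kernel32.dll", "$sys$drv.exe", "ntoskrnl.exe", "$sys$example.dat"]


def xcp_style_filter(names, prefix=CLOAK_PREFIX):
    """Simulated cloaked view: drop every name that begins with the prefix.

    This mimics the driver's effect on directory enumeration for the purpose
    of the demonstration; it is not the driver itself."""
    return [n for n in names if not n.lower().startswith(prefix)]


def cross_view_diff(raw_names, api_names):
    """Names present in the raw view but absent from the API view.

    A non-empty result is the classic cross-view signature of a rootkit: the
    raw view (for example a listing taken from a boot CD) contains entries
    the running system's API refuses to report."""
    return sorted(set(raw_names) - set(api_names))


def canary_is_visible(directory=None, name="$sys$canary.txt"):
    """Drop a $sys$-prefixed canary file and check whether directory
    enumeration still reports it.

    Returns True on a clean system. False means something is filtering the
    prefix out of enumeration results. The canary is always removed."""
    own_dir = directory is None
    if own_dir:
        directory = tempfile.mkdtemp(prefix="cloakcheck_")
    path = os.path.join(directory, name)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("canary\n")
    try:
        return name in os.listdir(directory)
    finally:
        os.remove(path)
        if own_dir:
            os.rmdir(directory)


def report(raw_names):
    """Run both checks and return the findings as a dict."""
    hidden = cross_view_diff(raw_names, xcp_style_filter(raw_names))
    return {"hidden_by_prefix": hidden, "canary_visible": canary_is_visible()}


if __name__ == "__main__":
    findings = report(SAMPLE_RAW_LISTING)
    for entry in findings["hidden_by_prefix"]:
        print("raw view has an entry the API view lacks:", entry)
    print("canary visible to enumeration:", findings["canary_visible"])
```

The canary step is the quick field check: run it from a normal user directory on the suspect machine and treat a listing that omits the canary as the finding. The cross-view diff is what detectors such as RootkitRevealer automate; the raw side of the comparison must come from somewhere the cloak cannot touch, such as a listing of the same directory taken offline.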
Sony's decision to use rootkit technology to hide its Digital Rights Management software has led to at least two lawsuits. A class action lawsuit has been filed in California on behalf of its residents and the ALCEI (Italian Electronic Frontier) has also filed suit on behalf of its constituents. It is expected that more lawsuits will follow.
See the article Rootkits Revealed for tips on detecting malware hidden by rootkits.