Trojans target Sony DRM and Windows

There's double trouble in cyberspace for those affected by Sony's rootkit-laced digital rights management (DRM) system and the Graphics Rendering Engine flaw in Windows. Security researchers are tracking two Trojan horse programs that try to exploit the vulnerabilities.

The first is called Stinx-E and it takes aim at the DRM program Sony BMG Music Entertainment Inc. is using to prevent CD copying.

Security experts and users have lashed out against the company over its use of the program because it includes rootkit technology, tools or programs malicious hackers typically use to mask software or network intrusions.

UK-based antivirus firm Sophos said the Trojan was spammed out to e-mail addresses posing as a message from a British business magazine. A typical e-mail looks like this:

Subject: Photo Approval Deadline

Message body: Hello,Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here. If the attached program is run, the Trojan horse copies itself to a file called $sys$drv.exe. Any file with $sys$ in its name is automatically cloaked by Sony's copy-protection code, making it invisible on computers which have used CDs carrying Sony's copy protection.

"Despite its good intentions in stopping music piracy, Sony's DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting," Sophos Senior Technology Consultant Graham Cluley said in a statement. "We wouldn't be surprised if more malware authors try and take advantage of this security hole, and consumers and businesses alike would be sensible to protect themselves at the earliest opportunity."

Finnish antivirus firm F-Secure Corp. said it's investigating a bot that hides on machines that have Sony DRM software installed. Breplibot-B is a backdoor with bot capabilities that connects to several IRC servers and waits for commands from the backdoor's author, the firm said. The backdoor tries to use the Sony DRM software to hide its process, file and registry keys.

Fortunately, F-Secure said in its daily lab blog, Breplibot-B appears to have a design flaw. "If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all," F-Secure said. "Moreover, the bot cannot survive a reboot because of a programming error. In any case, this is a very good example of why software should not use rootkit hiding techniques."

Cluley confirmed in an e-mail Thursday that Breplibot-B and Stinx-E are the same piece of malcode.

Cupertino, Calif.-based antivirus provider Symantec has identified the malware as Backdoor.Ryknos.

Meanwhile, Tokyo-based antivirus firm Trend Micro has detected Emfsploit-A, a Trojan that could possibly target a critical security hole in Windows. Microsoft issued a patch for the flaw Tuesday. Specifically, the patch fixes three glitches in how the Graphics Rendering Engine processes Windows Metafile (WMF) and Enhanced Metafile (EMF) images. Attackers could exploit one of the EMF flaws to cause a denial of service and exploit the others to "take complete control of an affected system" and "install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft said.

Trend Micro said that upon execution, the Trojan causes the Explorer.exe function on affected machines to crash. "Thus, users are no longer able to view the graphical interface of Windows," the firm said on its Web site. The firm is conducting further tests to try to determine more clearly if the malcode was indeed designed to attack the latest Windows flaw.