#1 |
HH's Nokia shareholder!
Bot trying to hide under Sony DRM
We wouldn't like to say "we told you so" but unfortunately this is one of those times you just have to do it. We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed.

Luckily, the bot has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error.

In any case, this is a very good example of why software should not use rootkit hiding techniques.
Source: F-Secure weblog
Last edited by MIG-31; Nov 10, 2005 at 04:39 PM. Reason: closed the link
#2 |
DriverHeaven Senior Member
Join Date: Dec 2004
Location: Canadian lost in Norway
Posts: 527
Rep Power: 0
Looks like I will be uninstalling my Sonic Stage software post haste
#3 |
Elisha = hottie
Join Date: Jul 2003
Location: USA CA. SF Bay Area
Posts: 1,318
Rep Power: 0
BOT?.. how about a VIRUS instead : http://www.theregister.co.uk/2005/11...ny_drm_trojan/
First Trojan using Sony DRM spotted

"Virus writers have begun taking advantage of Sony-BMG's use of rootkit technology in DRM software bundled with its music CDs. Sony-BMG's rootkit DRM technology masks files whose filenames start with "$sys$". A newly-discovered variant of the Breplibot Trojan takes advantage of this to drop the file "$sys$drv.exe" in the Windows system directory.

"This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.

The malware arrives attached in an email, which pretends to come from a reputable business magazine, asking the businessman to verify his/her "picture" to be used for the December issue. If the malicious payload contained in this email is executed then the Trojan installs an IRC backdoor on affected Windows systems.

Romanian anti-virus firm BitDefender confirms that the malware is in the wild but a full technical analysis of the Trojan is yet to be completed. The response of anti-virus firms, some of which have only promised to flag up rather than block system changes made by Sony-BMG's rootkit, remains unclear."
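The two quoted write-ups (F-Secure in post #1, The Register/Trend Micro in post #3) describe the same mechanism: the Sony DRM driver filters any name beginning with "$sys$" out of normal file and process listings, so a dropper only has to choose such a name to disappear from Explorer and Task Manager, and only a cross-view scanner (one that compares a filtered listing against an unfiltered one) shows the gap. The script below is an added illustration of that principle, not code from the thread, from F-Secure, Trend Micro or Sysinternals. The directory listing is constructed; `cloaked_view` is a stand-in for the driver's filter, and the case-insensitive prefix match and the extra `$SYS$Test.tmp` entry are assumptions made to show that the check should not depend on letter case on a Windows filesystem.

```python
"""Cross-view check for names cloaked by a "$sys$" filename filter.

Added illustration for this thread; the listing and the filter are
constructed stand-ins for what the quoted articles describe.
"""

SYS_PREFIX = "$sys$"

# Constructed sample: what an unfiltered enumeration of the Windows system
# directory might return on a machine carrying the dropper.  "$sys$drv.exe"
# is the file name given in the quoted article; "$SYS$Test.tmp" is invented
# here only to exercise the case-insensitive match.
RAW_SYSTEM32 = [
    "kernel32.dll",
    "ntoskrnl.exe",
    "$sys$drv.exe",
    "$SYS$Test.tmp",
    "notepad.exe",
]


def is_cloaked_name(name):
    """True if the name would be swallowed by a $sys$ prefix filter.

    Windows file names are case-insensitive, so the check lowercases the
    name first (assumption: the real filter behaves the same way).
    """
    return name.lower().startswith(SYS_PREFIX)


def cloaked_view(names):
    """Simulate the rootkit's filtered listing: drop every $sys$ entry.

    This is what a normal directory or process enumeration would return
    while the DRM driver is active.
    """
    return [n for n in names if not is_cloaked_name(n)]


def cross_view_hidden(api_view, raw_view):
    """Entries present in the raw view but missing from the API view.

    A discrepancy here is exactly what a cross-view rootkit scanner
    reports: something exists on disk that the system refuses to list.
    """
    api = set(api_view)
    return sorted(n for n in raw_view if n not in api)


def suspicious_names(names):
    """Names that match the cloaking pattern, whether or not hidden.

    Useful once the driver is removed or on a clean host: any $sys$ file
    in a system directory deserves a look regardless of what hid it.
    """
    return sorted(n for n in names if is_cloaked_name(n))


if __name__ == "__main__":
    api = cloaked_view(RAW_SYSTEM32)
    print("visible through the filtered API:", api)
    print("hidden (raw minus API):", cross_view_hidden(api, RAW_SYSTEM32))
    print("cloakable names in raw view:", suspicious_names(RAW_SYSTEM32))
```

The point of the two separate functions is the one the Trend Micro quote makes: on a host where the filter is active, `suspicious_names` over an API listing finds nothing, because the names never reach user mode; only the comparison in `cross_view_hidden` against an independently obtained raw view exposes them.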
HH's Nokia shareholder!
Well F-Secure has their own way to classify things
EDIT: update on the matter ... From F-Secure weblog Quote:
Last edited by temeteus82; Nov 10, 2005 at 10:31 PM.