F-Secure on Sony's Rootkit DRM

We've just published a technical description on this rootkit, with details on how to distinguish hidden items belonging to the DRM system from potentially harmful malware.

So: if you've recently used CD releases from Sony BMG that state that they are content protected on your Windows computer, the “Scan for Rootkits” function in our product will detect this program on your system. Same happens with our free BlackLight beta that you can download from our web site.

If you find this rootkit on your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this. However, they will install additional ActiveX components to your system while they are doing this so be adviced (sic).

Interesting situation for the antivirus crowd. It's easy to declare a virus as bad, but what do you do with this monster? Here is software that uses a rootkit to get the job done, but has a legal purpose. I personally am outraged that Sony would allow such activities and encourage the antivirus crowd to continue to flag this as malware. Read the full blog post from F-Secure. This is from F-Secure's technical description (emphasis mine):

The hiding techniques used by the DRM software can be abused by less technical malware authors to hide their backdoors and other tools. If a malware names its files beginning with the prefix '$sys$', the files will also be hidden by the DRM software. Thus it is very inappropriate for commercial software to use these
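The quoted passage makes two points a defender cares about: a prefix-based hiding rule ('$sys$') is trivially inherited by anything else that adopts the prefix, and the remedy is to compare a filtered view of the file system with an unfiltered one and explain every difference (the cross-view technique rootkit scanners such as the BlackLight beta mentioned above rely on). The following Python is an added example written for this post, not F-Secure's code or the DRM vendor's; it models the hiding rule over a constructed in-memory directory listing, diffs the two views, and separates hidden entries that match an analyst-supplied list of expected DRM component names from unexplained ones. The file names and the "known DRM" set are constructed placeholders, not the real component names.

```python
"""Cross-view detection of a prefix-based hiding rule (added example, not F-Secure's code).

The DRM filter driver described above hides any file whose name begins with
'$sys$'. This script (a) simulates that rule over a constructed listing and
(b) applies cross-view differencing: compare what the filtered (API-level)
view returns against a trusted, unfiltered view and report every entry that
disappears. Everything runs on in-memory sample data; no driver or disk access.
"""
from dataclasses import dataclass

HIDDEN_PREFIX = "$sys$"  # prefix the page says the DRM software hides


@dataclass(frozen=True)
class DirEntry:
    name: str
    size: int


def drm_filter_view(entries):
    """Simulate the hiding rule: drop every entry whose name starts with the prefix."""
    return [e for e in entries if not e.name.startswith(HIDDEN_PREFIX)]


def cross_view_diff(trusted_view, filtered_view):
    """Return entries present in the trusted view but missing from the filtered one."""
    visible = {e.name for e in filtered_view}
    return [e for e in trusted_view if e.name not in visible]


def classify_hidden(hidden_entries, known_drm_names):
    """Split hidden entries into expected DRM components and unexplained items.

    known_drm_names is supplied by the analyst; the set used below is a
    constructed placeholder, not a real inventory of the DRM's files.
    """
    known = [e for e in hidden_entries if e.name in known_drm_names]
    unknown = [e for e in hidden_entries if e.name not in known_drm_names]
    return known, unknown


# Constructed sample listing, as a trusted offline/raw view would see it.
TRUSTED_LISTING = [
    DirEntry("notepad.exe", 69632),
    DirEntry("$sys$drmcomponent.dll", 20480),  # constructed placeholder DRM file
    DirEntry("$sys$unknown.exe", 8192),        # constructed: hidden but unexplained
    DirEntry("readme.txt", 512),
]
KNOWN_DRM = {"$sys$drmcomponent.dll"}  # constructed allow-list for the demo


def run_demo():
    """Return (all hidden names, names explained as DRM, unexplained names)."""
    api_view = drm_filter_view(TRUSTED_LISTING)
    hidden = cross_view_diff(TRUSTED_LISTING, api_view)
    known, unknown = classify_hidden(hidden, KNOWN_DRM)
    return ([e.name for e in hidden],
            [e.name for e in known],
            [e.name for e in unknown])


if __name__ == "__main__":
    hidden, known, unknown = run_demo()
    print("hidden by filter:", hidden)
    print("explained as DRM components:", known)
    print("unexplained hidden items (investigate):", unknown)
```

The point of the classification step is the one F-Secure's description makes: a hidden entry is not automatically the DRM's own file, so anything the filter hides that is not on the expected-component list deserves investigation rather than being dismissed as "just the copy protection".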


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek. http://linkedin.com/in/xavierashe
