Tuesday 15 November 2005

Sony DRM Rootkit



Okay, so Sony is now being accused of shipping digital media malware on their CDs.
It is an evil program that hides itself from the OS. That's why it is really hard to kill! And the scary news is that more than 500 000 people are infected now! This evil thingy also creates holes in your OS (anything else that copies its hiding trick gets hidden too) so that other viruses can easily make your computer their new home (for a long time!)! :( The good news is Sony doesn't make such disks any more, and no more DRM for future PS3 disks!!!!! Also there are free ways to check whether you have the rootkit on your computer or not...



If you want to check whether you are infected or not, here are some instructions (from AlexTheBeast):

1) Right click on your desktop
2) Go to the New option and click to create a new text file
3) Then give the new file a name that starts with $sys$ (for example $sys$something.txt)
4) If you can't see your file after you click anywhere else on your desktop, you have the DRM Rootkit installed
5) If you have the DRM Rootkit on your computer then... sue Sony and become rich etc... (or at least this is what AlexTheBeast says)

What the rootkit does is hide anything whose name starts with $sys$. That's why if you create anything with $sys$ at the start of its name it disappears. The people over at Symantec say this:

"When SecurityRisk.First4DRM is executed, it performs the following actions:

Copies itself as the following file: %System%\$sys$filesystem\aries.sys

Creates the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\$sys$aries

which loads the risk as a device driver when the compromised computer is started.

Hides any processes, files, folders, or registry subkeys that begin with the following string:

$sys$

Checks the name of all processes attempting to access these processes, files, folders, or registry subkeys. If the name of the process begins with the following string, it allows access: $sys$

Otherwise, the risk prevents access to the process, file, folder, or registry subkey."
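Here is the same check as the desktop test above, written as a small script (this is an added example, not code from the original post, from AlexTheBeast or from Symantec). It creates a file and a folder whose names start with the $sys$ prefix from the Symantec description and then asks the OS whether it can still see them; because the script itself just created them, a "not visible" answer means something is filtering filesystem results. The registry helper is assumed behaviour built from the quoted service key name and only does anything on Windows.

```python
"""Probe for the $sys$ cloaking behaviour described in the Symantec text above."""
import os
import sys
import tempfile

# The prefix the Aries driver cloaks, per the Symantec description.
CLOAK_PREFIX = "$sys$"


def _visible(parent, name):
    """Return (listed, stat_ok): does a directory listing report `name`, and does
    a direct path lookup succeed? A rootkit that filters filesystem results
    intercepts exactly these two kinds of call."""
    listed = name in os.listdir(parent)
    stat_ok = os.path.exists(os.path.join(parent, name))
    return listed, stat_ok


def probe_cloaking(base_dir=None, prefix=CLOAK_PREFIX):
    """Create a file and a folder named with `prefix`, then check whether the OS
    still shows them. Returns a dict of findings; 'cloaked' is True when any of
    the objects we just created is reported as absent."""
    created_base = base_dir is None
    if created_base:
        base_dir = tempfile.mkdtemp(prefix="drmprobe-")
    file_name = prefix + "probe.txt"
    dir_name = prefix + "probedir"
    file_path = os.path.join(base_dir, file_name)
    dir_path = os.path.join(base_dir, dir_name)

    with open(file_path, "w") as fh:
        fh.write("cloaking probe\n")
    os.mkdir(dir_path)

    try:
        file_listed, file_stat = _visible(base_dir, file_name)
        dir_listed, dir_stat = _visible(base_dir, dir_name)
    finally:
        # The objects really are on disk even when cloaked; a cloaked object
        # refuses access to a process not named $sys$..., so ignore failures.
        for remover, target in ((os.remove, file_path), (os.rmdir, dir_path)):
            try:
                remover(target)
            except OSError:
                pass
        if created_base:
            try:
                os.rmdir(base_dir)
            except OSError:
                pass

    return {
        "file_listed": file_listed,
        "file_stat_ok": file_stat,
        "dir_listed": dir_listed,
        "dir_stat_ok": dir_stat,
        "cloaked": not (file_listed and file_stat and dir_listed and dir_stat),
    }


def cloaked_service_keys(prefix=CLOAK_PREFIX):
    """Windows only (assumed helper): enumerate HKLM\SYSTEM\CurrentControlSet\Services
    and return subkey names starting with `prefix` (the quoted text names $sys$aries).
    Since the driver hides such keys from ordinary processes, an empty list does
    not prove a clean machine; the file probe is the reliable signal. Returns []
    on non-Windows platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # standard library, Windows only
    hits = []
    services_path = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, services_path) as services:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(services, index)
            except OSError:
                break  # no more subkeys
            if name.lower().startswith(prefix.lower()):
                hits.append(name)
            index += 1
    return hits


if __name__ == "__main__":
    result = probe_cloaking()
    print("cloaking detected" if result["cloaked"] else "probe visible, no cloaking")
    for key in cloaked_service_keys():
        print("service key with cloaked prefix:", key)
```

On a clean machine the script reports "probe visible, no cloaking"; if the probe file or folder vanishes from the listing the machine is filtering $sys$ names, which is the symptom the quoted description and the manual desktop test both describe.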

According to The Register, Sony BMG "suspended" production of audio CDs that use XCP. Sony, being a big company, has given out patches to all major anti-virus companies, but still a virus is a virus is a virus! You can view Sony's statement here...

But you can also get some tools to scan your computer for the rootkit or remove it over here:

free rootkit scanning software
you can also use this update to unhide the rootkit

Got a question, tip or comment? Send them to beyondteck+question@gmail.com and we'll try to answer it in a blog post!
