Trojan Horse Exploits Sony DRM Copy Protection Vulnerability

Experts at SophosLabs, Sophos’s global network of virus and spam analysis centres, have detected a new Trojan horse that exploits the controversial Sony DRM (Digital Rights Management) copy protection included on some of the music giant’s CDs.

The Stinx-E Trojan horse appears to have been deliberately spammed out as an email attachment, using filenames such as Article+Photos.exe and posing as a message from a British business magazine.

Typical emails look as follows:

“Subject: Photo Approval Deadline

Message body:
Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here.”

If a user runs the attached program, the Trojan horse copies itself to a file called $sys$drv.exe. Sony’s copy-protection code cloaks any file whose name begins with $sys$, so on a computer that has played one of the protected CDs the Trojan’s file is hidden from Windows Explorer, the command prompt and most security tools.
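One practical way to check a machine for the cloaking behaviour described above is a canary test: create a file whose name begins with $sys$, then see whether the directory listing still shows it. The script below is an added example written for this page; it is not code from the article or from Sophos’s removal tool. The probe filename, the choice of the temp directory as the place to probe, and the assumption that a cloaked file can still be opened by its exact name (only directory listings are filtered) are mine.

```python
import os
import tempfile

# Assumed probe name: it only needs the "$sys$" prefix that the cloaking rule keys on.
CANARY_NAME = "$sys$cloak-probe.tmp"
# Assumed default location to probe; any writable directory works.
DEFAULT_PROBE_DIR = tempfile.gettempdir()


def canary_present(directory: str) -> bool:
    """True if a leftover canary is visible in the listing (used to confirm cleanup)."""
    return CANARY_NAME in os.listdir(directory)


def cloaking_active(directory: str) -> bool:
    """Write a $sys$-prefixed canary and report whether the listing hides it.

    On a clean system the file we just created shows up in os.listdir().
    Under the cloaking behaviour the article describes, the create succeeds
    (assumption: open-by-name is not filtered) but the entry is dropped from
    the directory listing. The canary is removed afterwards in either case.
    """
    path = os.path.join(directory, CANARY_NAME)
    with open(path, "wb") as f:
        f.write(b"canary")
    try:
        created = os.path.isfile(path)          # the file really exists
        listed = CANARY_NAME in os.listdir(directory)
        return created and not listed           # exists but hidden => cloaked
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def probe_system(directories=None) -> dict:
    """Run the canary test in each directory; returns {directory: cloaked?}."""
    if directories is None:
        directories = [DEFAULT_PROBE_DIR]
    return {d: cloaking_active(d) for d in directories}


if __name__ == "__main__":
    for directory, cloaked in probe_system().items():
        state = "CLOAKING DETECTED" if cloaked else "no cloaking"
        print(f"{directory}: {state}")
```

Run it on a suspect Windows machine as an ordinary user; a result of "CLOAKING DETECTED" means something on the system is filtering $sys$ names out of directory listings, which is exactly the hiding place the Trojan relies on.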

“Despite its good intentions in stopping music piracy, Sony’s DRM copy protection has opened up a vulnerability which hackers and virus writers are now exploiting,” said Graham Cluley, senior technology consultant for Sophos. “We wouldn’t be surprised if more malware authors try and take advantage of this security hole, and consumers and businesses alike should protect themselves at the earliest opportunity.”

Sophos plans to issue a tool later today which will detect the existence of Sony’s DRM copy-protection on Windows computers, disable it, and prevent it from re-installing.

“Sophos is acting on customers’ concerns that the software on Sony’s CDs is introducing a vulnerability which hackers and virus writers are able to exploit,” explained Cluley. “We will give customers the ability to determine if their computers suffer from the vulnerability and remove it if necessary.”

Sophos advises companies to adopt an email gateway policy which can protect against new email threats – even before anti-virus updates are available. It also recommends that businesses ensure their computers are kept automatically
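The gateway policy Sophos recommends works because it needs no signature for Stinx-E: an executable attachment on an unsolicited "photo approval" message is blocked on its type alone. The script below is an added example written for this page, not code from Sophos or from any gateway product. It builds a message modelled on the spam quoted above (the sender and recipient addresses and the attachment bytes are constructed) and applies two assumed policy rules: block a list of executable extensions, and block any attachment whose content starts with the Windows executable "MZ" header even if it has been renamed to look like an image.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: extensions blocked outright. Adjust to local needs.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Every Windows PE executable begins with the DOS stub signature "MZ".
PE_MAGIC = b"MZ"


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Construct a message in the style of the spam quoted in the article (constructed data)."""
    msg = EmailMessage()
    msg["Subject"] = "Photo Approval Deadline"
    msg["From"] = "editor@example.invalid"   # constructed sender
    msg["To"] = "recipient@example.invalid"  # constructed recipient
    msg.set_content(
        "Your photograph was forwarded to us as part of an article we are publishing. "
        "We have attached the photo with the article here."
    )
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


def attachment_reasons(raw_message: bytes) -> list:
    """Return a list of policy violations found in the message's attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        # Rule 1: the declared filename ends in an executable extension.
        # splitext keeps the last extension, so "photo.jpg.exe" is still caught.
        ext = os.path.splitext(name.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"{name!r}: blocked extension {ext}")
        # Rule 2: the content is a Windows executable whatever the name says.
        if payload.startswith(PE_MAGIC):
            reasons.append(f"{name!r}: content is a Windows executable (MZ header)")
    return reasons


def gateway_decision(raw_message: bytes) -> tuple:
    """('quarantine', reasons) if any rule fires, otherwise ('deliver', [])."""
    reasons = attachment_reasons(raw_message)
    return ("quarantine", reasons) if reasons else ("deliver", [])


if __name__ == "__main__":
    # Constructed sample: the lure filename from the article with a fake PE payload.
    sample = build_sample_message("Article+Photos.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 60)
    decision, why = gateway_decision(sample)
    print(decision)
    for line in why:
        print("  -", line)
```

The second rule is the one worth keeping when attackers adapt: renaming the Trojan to Article+Photos.jpg defeats an extension list but not a check on the file's first two bytes.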
