New Backdoor Program uses Sony Rootkit

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam, announces that a new backdoor program has been detected. It is the first known malicious program to use the Sony rootkit to hide its presence on an infected system.

The media has already written extensively about how Sony BMG applied rootkit technology to hide and protect the DRM components used to prevent its audio CDs from being copied. One highly unfortunate consequence of Sony’s decision to ship a rootkit was that malicious programs could abuse the same cloaking mechanism. Kaspersky Lab virus analysts can confirm that this has now happened.

Today a backdoor program that uses the Sony rootkit to conceal itself was detected. Kaspersky Lab classifies it as Backdoor.Win32.Breplibot.b. The backdoor was mass-mailed using spamming techniques, attached to a message that relies on classic social engineering to entice the recipient into launching the attachment, which is presented as a photograph. Once the user launches the attached file, the backdoor installs itself on the victim machine.

Breplibot.b is a 10240-byte file packed with UPX. When launched, the backdoor copies itself to the Windows system directory as $SYS$DRV.EXE. The Sony rootkit hides any file whose name begins with $sys$, so choosing this name lets the backdoor borrow the rootkit’s cloaking to hide its file, and thus its activity, from the user and from standard system tools. Of course, the cloaking works only if the DRM software shipped on some Sony audio CDs has been installed and is active on the victim machine; without it the backdoor still runs, it is simply visible.
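The cloaking described above can be probed directly. The following script is an added example and is not Kaspersky code or part of the original report; it assumes, as the report states, that the rootkit hides names starting with $sys$ by filtering directory enumeration while still allowing the file to be opened by its exact path (otherwise the hidden program could not be executed). It creates a harmless $sys$-prefixed probe file, opens it by path, and checks whether a directory listing still reports it; the enumeration function is injectable so the behaviour of a cloaking driver can be simulated on a clean machine. The file and function names are the example’s own.

```python
"""Probe for $sys$-prefix file cloaking (added example, not Kaspersky code)."""
import os
import tempfile
from typing import Callable, Dict, List

# Name prefix the Sony rootkit cloaks, per the report (matched case-insensitively,
# since Windows file names are case-insensitive and the backdoor uses $SYS$DRV.EXE).
CLOAK_PREFIX = "$sys$"


def probe_cloaking(directory: str,
                   list_fn: Callable[[str], List[str]] = os.listdir,
                   stem: str = "cloak_probe.tmp") -> Dict[str, object]:
    """Create <directory>/$sys$<stem> and compare exact-path lookup with enumeration.

    Assumption (stated in the lead-in): a cloaking driver filters directory
    listings but not opens by exact path.  If the file is reachable by path
    yet missing from the listing, something is hiding $sys$ names.
    list_fn is injectable so a filtering driver can be simulated; for a real
    check leave it as os.listdir.  The probe file is always removed.
    """
    name = CLOAK_PREFIX + stem
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("cloaking probe\n")
    try:
        reachable = os.path.isfile(path)        # exact-path lookup
        listed = name in list_fn(directory)     # directory enumeration
        return {
            "name": name,
            "reachable": reachable,
            "listed": listed,
            "cloaked": reachable and not listed,
        }
    finally:
        try:
            os.remove(path)
        except FileNotFoundError:
            pass


def find_cloaked_prefix_names(names: List[str]) -> List[str]:
    """From a listing taken where the driver is not active (for example the
    disk mounted under another OS), return the names the rootkit would hide."""
    return sorted(n for n in names if n.lower().startswith(CLOAK_PREFIX))


def simulated_cloaking_listdir(directory: str) -> List[str]:
    """Stand-in for a cloaking driver: drops $sys$ names from the enumeration.
    Used only to show what a positive probe result looks like on a clean box."""
    return [n for n in os.listdir(directory)
            if not n.lower().startswith(CLOAK_PREFIX)]


def demo() -> Dict[str, Dict[str, object]]:
    """Run the probe in a scratch directory, once against the real os.listdir
    and once against the simulated cloaking driver."""
    with tempfile.TemporaryDirectory() as scratch:
        return {
            "real": probe_cloaking(scratch),
            "simulated": probe_cloaking(scratch, list_fn=simulated_cloaking_listdir),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        verdict = "CLOAKED" if result["cloaked"] else "visible"
        print(f"{label:9s} {result['name']}: reachable={result['reachable']} "
              f"listed={result['listed']} -> {verdict}")
    # Constructed sample listing, as it might be read from an offline mount.
    print(find_cloaked_prefix_names(["$SYS$DRV.EXE", "explorer.exe", "notepad.exe"]))
```

On a machine without the DRM software the real probe reports the file as both reachable and listed, so nothing is cloaked; the simulated run shows the signature of an active cloaking driver, reachable but absent from the listing. Because the probe only compares two views of the same directory, it does not depend on knowing which driver is doing the hiding.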

As usual, Kaspersky Lab warns users to be careful, and not to open email from unknown senders, or open attachments to suspicious messages.

Kaspersky Anti-Virus databases have been updated to detect Backdoor.Win32.Breplibot.b. Further information about the backdoor is available in Analyst’s Diary (http://www.viruslist.com/en/weblog), the Kaspersky Virus Lab weblog.
