The uproar about the Digital Rights Management (DRM) technology in use on some CDs distributed by Sony BMG is set to heat up again following confirmation that a trojan has now appeared that takes advantage of the DRM's file-hiding capabilities. Sophos picked it up in an email posing as a message from a British magazine. The body of the email reads:
"Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here."
On opening the attachment, a file named $sys$drv.exe is copied to the victim's Windows system directory, and if the XCP copy protection is installed on the system the rootkit hides it. "This means that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.
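The cloaking Macalintal describes is what cross-view rootkit scanners detect: they compare the directory listing returned by the (hooked) Windows API with a lower-level read of the same directory, and any name present only in the raw view has been hidden. The following added example (not code from the article or from any of the vendors it quotes) simulates that comparison: the "API view" drops every name beginning with the XCP prefix $sys$, exactly as the rootkit's filter does, while the "raw view" reads the directory unfiltered. The temporary directory and its two files are constructed stand-ins for the Windows system directory; on a real infected host the raw view would need a kernel-level or raw-volume read rather than os.listdir.

```python
import os
import tempfile
from pathlib import Path

# Name prefix that the XCP driver cloaks from ordinary directory listings.
HIDDEN_PREFIX = "$sys$"


def cloaked_listing(directory):
    """Simulated view from a hooked listing API under XCP: every entry whose
    name starts with $sys$ is silently dropped, so the dropper never shows."""
    return sorted(n for n in os.listdir(directory) if not n.startswith(HIDDEN_PREFIX))


def raw_listing(directory):
    """Simulated unhooked (low-level) read of the same directory."""
    return sorted(os.listdir(directory))


def cross_view_diff(directory):
    """Cross-view detection as used by RootkitRevealer-style scanners:
    names present in the raw view but absent from the API view are cloaked."""
    return sorted(set(raw_listing(directory)) - set(cloaked_listing(directory)))


def build_sample_system_dir():
    """Constructed stand-in for %SystemRoot%\\system32 (an assumption for this
    example): one benign file and one file carrying the $sys$ prefix. The
    contents are harmless placeholder bytes, not the real dropper."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "notepad.exe").write_bytes(b"benign placeholder")
    (tmp / "$sys$drv.exe").write_bytes(b"constructed placeholder")
    return tmp


if __name__ == "__main__":
    sample = build_sample_system_dir()
    print("API view :", cloaked_listing(sample))
    print("raw view :", raw_listing(sample))
    print("cloaked  :", cross_view_diff(sample))
```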
Finnish anti-virus company F-Secure Corp. said that the trojan is a "bot program" designed to force the victim's machine to connect to an IRC server. The attacker then has complete control over the system, with the ability to create, edit and delete files and directories, install new software, and so on. Commonly, these bots are used in huge numbers to carry out attacks. They are also commonly used to serve pirated material on IRC "warez" channels.