AfterDawn: Tech news

Trojan takes advantage of Sony BMG DRM

Written by James Delahunty @ 10 Nov 2005 11:29

The uproar about the Digital Rights Management (DRM) technology in use on some CDs distributed by Sony BMG is set to heat up again following confirmation that a trojan has now appeared that takes advantage of the DRM's file-hiding capabilities. It was picked up by Sophos in an email that poses as a message from a British magazine. The body of the email reads:
"Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here."

On opening the attachment, a file with the name $sys$drv.exe is copied to the victim's Windows system directory, if the XCP copy protection has been installed on the system. "This means, that for systems infected by the Sony DRM rootkit technology, the dropped file is entirely invisible to the user. It will not be found in any process and file listing. Only rootkit scanners, such as the free utility RootkitRevealer, can unmask the culprit," warns Ivan Macalintal, a senior threat analyst at security firm Trend Micro.
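The hiding described above can be checked with a cross-view comparison: a file that can be reached by its full path but is missing from the directory listing is being cloaked. The following is an added example, not code from the article or from any vendor tool; it assumes, as a commenter further down this page reports, that direct access by a known path is not filtered, and the function names, the canary file and the System32 location are illustrative choices.

```python
import os
import tempfile

CLOAK_PREFIX = "$sys$"  # prefix of the dropped file named in the article ($sys$drv.exe)


def find_cloaked(directory, candidates, listdir=os.listdir, exists=os.path.exists):
    """Return names reachable by full path yet absent from the directory listing.

    listdir/exists are injectable so the check can be run against a
    simulated (constructed) cloaked view as well as the real filesystem.
    """
    visible = {name.lower() for name in listdir(directory)}
    return [
        name for name in candidates
        if name.lower() not in visible and exists(os.path.join(directory, name))
    ]


def cloaking_active(listdir=os.listdir):
    """Canary test: drop a harmless $sys$-prefixed file, see if the listing hides it."""
    tmp = tempfile.mkdtemp()
    canary = CLOAK_PREFIX + "canary.txt"
    path = os.path.join(tmp, canary)
    with open(path, "w") as fh:
        fh.write("cross-view canary\n")
    try:
        return bool(find_cloaked(tmp, [canary], listdir=listdir))
    finally:
        os.remove(path)  # delete by explicit path; a filtered listing would miss it
        os.rmdir(tmp)


def simulated_cloaked_listdir(directory):
    """Constructed stand-in for an enumeration API that filters $sys$ names."""
    return [n for n in os.listdir(directory)
            if not n.lower().startswith(CLOAK_PREFIX)]


if __name__ == "__main__":
    # Assumed location of the "Windows system directory" mentioned in the article.
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    print("name-based cloaking active:", cloaking_active())
    if os.path.isdir(system_dir):
        print("cloaked files:", find_cloaked(system_dir, ["$sys$drv.exe"]))
```

On a clean machine both checks come back negative; a positive canary result means something is filtering directory enumeration by name and the system should be examined from trusted boot media.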

Finnish anti-virus company F-Secure Corp. said that the trojan is a "bot program" designed to force the victim's machine to connect to an IRC server. The attacker then has complete control over the system, with the ability to create, edit and delete files and directories, install new software, etc. Commonly, these bots are used in huge numbers to carry out attacks. They are also commonly used to serve pirated material on IRC "warez" channels.

The Register
Washington Post


33 user comments

1. 10.11.2005 11:43

HOLY CRAP!!!! But honestly...we all saw this coming, did we not? Well Sony, you SO got some answering to do. Because you tried to prevent people from copying cd's that THEY BOUGHT, you have since jeopardized the security of consumers that buy your products. Great job there, Sony! Do I hear thunder wait...that's not thunder coming...that's their STOCK plummeting! Morons!

This message has been edited since its posting. Latest edit was made on 10 Nov 2005 @ 11:44

2. 10.11.2005 12:18

Not only that but, won't it be nearly impossible to remove it as it is protected via $ony's Dorky Remote Mush? This is IMHO a "Good" Trojan, although it DOES compromise your system it will get lawsuits like this one piled up and eventually $ony will have to get rid of Dorky Remote Mush. Peace, Pop Smith

3. 10.11.2005 12:38

But honestly...we all saw this coming, did we not?

4. 10.11.2005 12:46

Check out the AnyDVD site: In particular this quote:

Important Notice! AnyDVD tackles Sony DRM Rootkit Virus! If AnyDVD is installed and active on your PC, the new so-called "Sony DRM Rootkit Virus" has no access to your system and the affected audio CD appears unprotected regardless! Another good reason to get AnyDVD! Read more information about Sony DRM Rootkit Virus: Sony gone too far implications
Gotta love this software !!!

5. 10.11.2005 12:50

Well, if you KNOW it is there and where and how to find it, it shouldn't be too hard to manually remove, the guy who did all the study into the whole rootkit mentions that if you know the directory path and file name they haven't patched those system calls to change directory and delete things. Problem is knowing exactly what your virus' filenames are, path, registry keys... That is just the danger of the rootkit, if you try to do anything to rectify it you are just stabbing in the dark and you don't know what damage you are doing in trying to fix things.

6. 10.11.2005 13:00

For those interested read:

AnyDVD tackles Sony DRM Rootkit Virus
-------------------------------------
Since March 2005, Sony BMG is using a rootkit-based DRM system on some newer audio CDs. This DRM system is a serious hazard to each Windows based PC. Well known websites like and (URLs below) are confirming this exposure. If AnyDVD is installed and active on a PC, this new so-called "Sony DRM Rootkit Virus" has no access to the operating system and the affected audio CD appears unprotected regardless! "What the heck Sony thought to themselves," SlySoft's CEO Giancarlo Bettini was kidding, "maybe they wanna build their own bot net?". This "anti rootkit protection" is not a new function of AnyDVD, rather it is the nature of AnyDVD to filter all undesired stuff between a CD/DVD drive and the operating system. It is just one example, how well AnyDVD's option to "Remove CD Digital Audio Protection" is working.

AnyDVD v5.5.1.1
New: Added functionality to remove invalid VOBUs from a title set to the option to remove "Protection based on unreadable Sectors". This fixes the error message "Out of memory" from DVDShrink with some DVDs, which suffer from a certain mastering error.
Fix: The option to remove "Protection based on unreadable Sectors" could cause DVDShrink to abort with an "invalid Navigation structure" error with some DVDs, which suffer from a certain mastering error.
Fix: Setup program did not delete obsolete RegCheck.exe file from previous installations
Fix: Undesired high CPU use for several minutes when checking for program update via internet connection

7. 11.11.2005 03:27

When will Sony come to terms that no matter what type of infecting software that they try or do install on pc users machines, that they can be worked around? Sony is trying to be the big brother of PC's. This is not the way to market a product by no means. Just think of what kind of s&!t will try to be placed on the new Sony HD Disks. I know this I will not buy anything else from Sony!

8. 11.11.2005 04:04

Sony also prevents you from copying your own PERSONAL MATERIAL. A few months ago I bought a Sony DVD recorder, specifically to transfer my own personal 8mm camcorder footage onto DVD. I spent days transferring 6 hours onto DVD. Then the problem, I wanted to make copies of this DVD, REMEMBER?, my footage, my camcorder, my contents, my tapes. The computer refused to copy it because of Sony's copy protection which had been automatically placed onto the DVD. When I contacted Sony and told them that I felt this was an infringement of my rights, they said that there were no plans in the foreseeable future to eliminate this copy protection, but suggested I could always make a new DVD from my original tapes. YEA spend days instead of minutes. Then they ended by saying "We hope that this experience has not affected your confidence in Sony products." WHAT DO YOU THINK SONY. STICK EM WHERE THEY FIT. I have since solved this problem with a clever little FREE program off the internet. UP YOURS SONY.

9. 11.11.2005 05:40

You know back in the day when music came out on cassettes Sony/BMG put them out of business selling music on CD's only. After a while you could only get music on CD's. And now go into any music store and try to find a tape, even a blank tape. You can't find them anywhere. Now Bologne has come out with a program so you "can't" (ha ha) copy the stuff you buy. Even though you pay $15 for a CD that really only cost about 2 cents to make. Then the a$$bags have the nerve to sell burners and blanks. So to me it seems like they are trying to *uck up our computers. I have an idea, don't buy anything that they make. Look what happened to gas prices once everybody started buying less. I think the best thing for them to do is go bye bye. Besides Pioneer is much better anyway. And AnyDVD is the shit.

10. 11.11.2005 08:03

Use virus scanning in your e-mail...

11. 11.11.2005 10:17

Just because you can find it doesn't mean you can remove it easily. I had two zero length files dropped on my desktop when downloading a couple of files. They were Trojans that were attributed ASH. Since I enable viewing of hidden and system files it showed up faintly on my Desktop. I couldn't change the attributes or delete them even when booting into PURE DOS or booting using Sysinternals. In DOS I couldn't even see or find the files; Sysinternals would find them but was not able to delete or change their attributes. I didn't try a raw disk editor, I'm sure that would have worked; instead I chose to reformat and install Windows all over.

12. 11.11.2005 11:20

Re: retec (Newbie) 11 November 2005 9:04 Slightly off-topic, but I had the same trouble with audio. Copied privately-recorded reel-to-reel tapes (good old analogue - obviously!) on to mini-disc. Did some rudimentary editing (as you can with Mini-Disc) and digitally copied it on to CD using a stand-alone CD recorder. Fine, until I tried to do a third-generation digital copy from that CD on my stand-alone kit and the SCMS (Serial Copy Management System) kicked in and arrogantly told me I couldn't do it. Damn cheek! "That's what you think", I thought and promptly did it on the PC. At what stage was the SCMS flag inserted, I wonder? And why should it have done so at all, if the original material was analogue?

13. 11.11.2005 11:33

It is possible you have your rights management set which would then do that on your PC. I turn off all protection schemes MS likes to invoke and is set by default.

14. 11.11.2005 12:16

Re: Mr-Movies (Junior Member) 11 November 2005 16:33 I think you mis-read my post. This all happened on stand-alone hi-fi equipment - not on the PC. I actually got my final third generation copy fine by doing it on the PC. No problem. My gripe is that the SCMS cut in on the hi-fi gear when the original material was my own, personal, private analogue recordings. (Of a birthday party as it happens!) Why the hell should the equipment deny me making as many copies as I wish of my own stuff? If I didn't have a PC, I wouldn't have been able to do it.

15. 11.11.2005 12:46

Sorry davolente, You're right, I thought you had the same problem on the PC. So your SA recorder is inserting copy protection so that you can't make multiple copies, WONDERFUL you got to love that. I wonder if my LiteOn does that, I've never tried doing that. Hummm you just have to love Sony. I wonder if you can get a modified firmware to fix your problem, my guess is you can. It might be worth looking for a flash disc for that. Again my mistake on the misread, sorry...

16. 11.11.2005 13:24

Mmmm. How did you guess the Mini-Disc recorder was a Sony, huh? Mind you, I have experimented with just my two stand-alone hi-fi CD recorders (Philips and Pioneer), connecting them to other play-back decks in the house and I still get the SCMS block on a third-generation digital copy, even though, once again, the original source was my old analogue tapes. I fail to see why that should be. I would assume that the SCMS flag would only come from a digital source, such as a commercial CD. The SCMS obviously assumes I'm up to no good, regardless!

17. 11.11.2005 14:08

retec, could you tell me about this program you found on the internet? I have had the same problem. I taped my son's allstar little league game and promised the parents copies on DVD. I made one after hours only not to be able to copy it, I certainly don't want to do it from scratch for 12 other people. Thanks in advance.

18. 11.11.2005 14:09

I believe it is your SA recorders that are putting the DRM on your copy and when you try to back them up again it is stopping you as if you are cheating, no matter if the original source was analog or digital. If it was digital and had rights management then it might block you right away. I assumed you were talking about Sony because this is about Sony products, you didn't say in your post of course.

19. 11.11.2005 14:25

sirenia, Try this it is free and should work well plus it is really simple to use. DVDFab Decrypter is a simple version of DVDFab Express . It copies entire DVD movie to hard disk, and removes all the protections (CSS, RC, RCE, Macrovision, UOPs and Sony ARccOS) while copying. DVDFab Decrypter v2.9.5.2 []

20. 11.11.2005 18:41

If you play a game on your PS3, it'll only work on that PS3? Sorry, but that's so bullshit it's not even funny. That's a rumour that shouldn't be spread.

21. 11.11.2005 19:14

Thanks, I will give it a try, it will be a blessing if it works. I don't want to have to make all these copies the hard way, and that is how I got to watch the game: I bribed one of the other parents to tape it and I would make them all a copy, yikes!!!!!!! Thanks again.

22. 11.11.2005 19:27

anyone know that AnyDVD will prevent the rootkit from download at the first place. god I love anydvd

23. 12.11.2005 05:48

"build it up, now take it apart... Climbed up real high, now fall down real far..." Never thought that NIN song Wish was about Sony, but it is. I'm done with Sony. My next ________ will be anything but Sony! Fill in the blank with anything they make. I hope they get their head handed to them over their deceit, hypocrisy, and greed!

24. 12.11.2005 07:48

that's it. i officially hate Sony. F**k you, Sony, you're getting no more of my money.

25. 12.11.2005 10:54

It's funny, Sony has been bad for years now, but no one was complaining before the DRM attack. My suggestion is to not just buy anything from anyone because once you had good luck with them. Also I have never found that one company does everything great but there are many people that consume in that fashion. If Sony wakes up and changes their ways I'll buy from them again, however it will be some time before they will change enough. All companies seem to cycle in their product value and quality as it seems they get greedy when times are good and try to live off their laurels in which they get crappy.

26. 12.11.2005 11:57

Hey, there were more than a few of us who weren't buying from Sony a long time before this happened. Their attitude towards customers has been shithouse for a very long time. Nobody remembers the whole PSP faulty button problem with the original design. One of the buttons refused to work, and Sony's response was not to rectify the situation, but told people to stick it, that was how the device was designed, and they should adapt. And then there were the dodgy first releases of their DRU line of dual format burners... Then there is the crappy stereo I bought from them when I was like 12 that cost $450 and was pretty much a steaming piece of crap. Then the walkman I got with the dodgy laser 12 months later.....

27. 12.11.2005 13:29

OzMick, Please elaborate, What do you mean by the first DRU burners being dodgy. I have burnt over 700 on my DRU 500 with both formats, both recordable and rewritable. It's the most amazing piece of equipment I've bought. That being said, it's one of my last from Sony. No more. No more. I will look to make sure that Sony will not profit from anything I buy from this day on. Quite a shame, I hope my aunt doesn't lose her job at the Sony plant nearby in Rancho Bernardo, California.

28. 12.11.2005 14:29

OzMick, see what I mean, I agree with you the DRU-500 was dodgy and very expensive. I could get a LiteOn much cheaper and it is better but people still loved getting ripped off by Sony. One of my friends bought that burner and has had plenty of problems with it, meanwhile my LiteOn kept doing what his couldn't. Then he even went out and bought the 700 as if he didn't learn on the last one.

29. 12.11.2005 19:37

I am not impressed with the overall quality of Sony products. To be fair, I will concede that their VAIO line of computers is reasonably decent. Other than that, in my opinion the performance level of Sony products is at the low end of the scale. Even their renowned Playstation has proven to be less than durable. I went through 3 Playstations and am currently on my 2nd PS2. The sound quality of Sony audio components is comparable to great brands such as "K-Pro" and "Valu-King". Sony is to Marantz and Denon as what MD 2020 and Thunderbird are to Dom Perignon. Having said that, Sony would be wise to rethink this arrogantly aggressive strategy of infecting our computers and other electronic devices with their immoral cybervermin. These activities are a disgusting slap in the face to all consumers, and should in fact prove to be illegal, at least in a court not affected by corporate corruption.

30. 12.11.2005 20:18

I have a friend with a VAIO Intel 677MHz notebook and we tried to upgrade his RAM which is 144 pin standard stuff supposedly but when we put the new memory in it wouldn't run. The memory that was in there was double sided cheap memory and this was single sided decent stuff. It ran in my Trogon AMD K6 300 no problem and my old notebook would run his memory. So you tell me is VAIO good?

31. 12.11.2005 22:04

I don't think that I ever used the word "good" in reference to Sony anywhere in my post. To answer your question, I can only go by my own experience but I am currently using a VAIO desktop. It runs XP with a P4 2.4 GHz cpu and 512 Meg of RAM. In the 2.5 years that I've used it I haven't had anything too terrible go wrong with it so I think that would qualify as "reasonably decent". If you take a glance back at my previous post you will find that I did not have anything good to say about Sony, and in fact Mr-Movies, I pretty much said that they are a company run by BLEEPheads, that produces a lot of low-grade crap.

32. 13.11.2005 10:49

What I mean by saying that they were dodgy: Back in the day when I was looking for a burner I made the decision that I was going to be patient and wait for the new dual-format (+/-) burners to come out before committing to one or the other. And then WOW! The Sony line was the first to hit the stores, and I almost got swept up and bought one at the markets straight away. Luckily, there was a bit of a lag between Australia receiving them, so I hit the forums and read up a bit and came across an absolute ton of people complaining about noisy drives or media incompatibilities. And seeing as media was still pretty expensive back then, I figured I could wait a little while. Then the Pioneer drives came out. Haven't had a worry in the world with that one, and they get recommended by me to everyone I know. But then yeah, LiteOn have theirs around now, so they're always a great option too.

33. 13.11.2005 13:15

Haven't checked this thread in a while but, to the one who posted underneath mine- Virus scanning in your e-mail should show the virus, even if it's a rootkit, because it hasn't had a chance to hide itself yet, it's just a single file attachment.
