[Ir-l] Viruses use Sony anti-piracy CDs

Paul Mobbs mobbsey at gn.apc.org
Sat Nov 12 02:49:06 GMT 2005


http://news.bbc.co.uk/1/hi/technology/4427606.stm

Viruses use Sony anti-piracy CDs

BBC News Online, Friday 11th November 2005


Virus writers are exploiting Sony's controversial anti-piracy software to hide 
their malicious creations.

In late October Sony was found to be using stealth techniques to hide software 
that stopped some of its CDs being illegally copied.

Now three virus variants have been found that use the Sony software to evade 
detection by anti-virus programs.

Sony has apologised, saying it is working with computer security firms to 
address the problems.


Viral trio

The stealthy methods that Sony BMG used to protect its anti-piracy system were 
uncovered by Windows programming expert Mark Russinovich on 31 October. 

He discovered that the Sony XCP copy protection system is a so-called 
"root-kit" that hides itself deep inside the Windows operating system.

XCP uses these techniques to install a proprietary media player that allows PC 
users to play music on the 20 CDs Sony BMG is protecting with this system. 
The CDs affected are only being sold in the US.

Soon after Mr Russinovich exposed how XCP worked, security experts speculated 
that it would be easy to hijack the anti-piracy system to hide viruses.

Now anti-virus companies have discovered three malicious programs that use 
XCP's stealthy capabilities if they find it installed on a compromised PC.

"The development we feared most from Sony's inclusion of rootkit technology to 
conceal its DRM software was its use to conceal malicious code," said David 
Emm from security firm Kaspersky Labs.

"Unfortunately, it seems our fears were well-grounded."


Backdoor virus

Security firm Sophos said it had found a virus attached to a spam message 
posing as an e-mail from a British business magazine. The subject line of the 
message is: "Photo Approval Deadline".

Those opening and running the program attached to the mail will have their 
computer infected with the Stinx-E trojan. The virus is also known as 
Breplibot and Ryknos. 

This virus opens a backdoor into infected machines and tries to download more 
malicious code from the net to further compromise an infected machine.

A bug in the code of the first variant of this virus prevented it working 
properly but now other versions of the malicious program are appearing that 
fix this problem.

So far the number of people caught out by the virus is thought to be very 
low.

"This leaves Sony in a real tangle," said Graham Cluley from security firm 
Sophos.

"It was already getting bad press about its copy-protection software, and this 
new hack exploit will make it even worse."

Mr Cluley said he expected other virus writers to start exploiting the Sony 
XCP code.

In response to the concerns, Sony has released a statement "deeply regretting 
any disruption that this may have caused." It added that it would work with 
anti-virus firms to ensure its anti-piracy system stayed safe.

As the news about the viruses was breaking, more legal challenges to Sony's 
use of the anti-piracy program were being launched.

At last count six class-action lawsuits have been started against the company.

As the Boycott Sony blog pointed out, the appearance of these viruses could 
make it much easier for lawyers to argue that the XCP software can cause real 
harm to a user's computer. 


-- 

"We are not for names, nor men, nor titles of Government,
nor are we for this party nor against the other but we are
for justice and mercy and truth and peace and true freedom,
that these may be exalted in our nation, and that goodness,
righteousness, meekness, temperance, peace and unity with
God, and with one another, that these things may abound."
(Edward Burroughs, 1659 - from 'Quaker Faith and Practice')

Paul's new book, "Energy Beyond Oil", is out now!
For details see http://www.fraw.org.uk/ebo/book.html

Paul Mobbs, Mobbs' Environmental Investigations
3 Grosvenor Road, Banbury OX16 5HN, England
tel./fax (+44/0)1295 261864
email - mobbsey at gn.apc.org
website - http://www.fraw.org.uk/mobbsey/index.html