Thread: Sony DRM

  1. #1 - Junior Member (Join Date: Nov 2005, Posts: 25)

    Agent O reinforces the need for SB to include the Sony rootkit in its detections. By now it is clear that the antispyware/antivirus community regards the Sony DRM as a serious vulnerability; in fact from CA's PestPatrol today, quote: "These CDs install the pest XCP.Sony.Rootkit, which is a trojan that opens security vulnerabilities through rootkit functionality." http://www3.ca.com/securityadvisor/p...aspx?cid=76345

    While PestPatrol detects the presence of the rootkit, it is not clear to me that they will remove it. I had read that they would be able to do so with their November 11 defs, but this is to be confirmed and may have referred to the cloaking aspect only.

    McAfee is now "detecting and removing" the cloaking (as of Nov 9, 2005 defs) http://vil.nai.com/vil/content/v_136855.htm
    but note their caveat about potential crashes in doing so, quote: "System crashes may also occur during repair using McAfee products due to issues in the First4Internet code itself." I believe that McAfee leaves the DRM software in place, with the associated risks that have been identified and mentioned previously.

    Symantec has started to detect the presence of the rootkit, but it does not remove it. They simply suggest that the user obtain the so-called SonyBMG patch, which uncloaks the files but leaves the DRM in place (replaces some files).
    Last edited by el cpu; 2005-11-11 at 07:23.

  2. #2 - Junior Member (Join Date: Oct 2005, Location: Northwest Florida, U.S.A., Posts: 4)

    Virus found that exploits Sony BMG's software

    Besides being a rootkit and using other objectionable methods, the Sony BMG software is now being used to hide the Stinx-E trojan! See the related news article.

  3. #3 - Junior Member (Join Date: Nov 2005, Posts: 25)

    Just read the following on Computer Associates' site (http://www3.ca.com/securityadvisor/p...x?id=453096362):

    XCP.Sony.Rootkit installs a DRM executable as a Windows service, but misleadingly names this service "Plug and Play Device Manager", employing a technique commonly used by malware authors to fool everyday users into believing this is a part of Windows. Approximately every 1.5 seconds this service queries the primary executables associated with all processes running on the machine, resulting in nearly continuous read attempts on the hard drive. This has been shown to shorten the drive's lifespan.

    Any word from Team Spybot regarding inclusion in SB detections? How about removal? While most antispy/antivirus programs are now set to detect the Sony DRM, no program may yet be able to remove it. Does anyone know?
    Last edited by el cpu; 2005-11-11 at 07:24.
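An added example (not from the thread, and not CA's, Sony's or Spybot's code) that turns the service-naming trick quoted above into a check a defender can run over a service inventory: it flags services whose display name mimics a built-in Windows component while the service name or binary does not match that component. All service records, the impersonator's name and its path are constructed; the built-in table assumes XP-era names.

```python
# Flag Windows services whose display name impersonates a built-in component
# while the service name or binary does not match. Added example; records constructed.
import re
from dataclasses import dataclass

# Baseline of genuine built-ins (assumption: XP-era names): display -> service name.
KNOWN_BUILTINS = {"plug and play": "PlugPlay"}
SYSTEM_DIRS = (r"c:\windows\system32", r"%systemroot%\system32")
LOOKALIKE_WORDS = ("plug and play", "windows", "microsoft")

@dataclass
class Service:
    name: str        # service key name (SERVICE_NAME in `sc query`)
    display: str     # display name shown in services.msc
    image_path: str  # binary path, possibly quoted and with arguments

def _normalize_display(display):
    return re.sub(r"[^a-z0-9 ]", "", display.lower()).strip()

def _binary(image_path):
    """Extract the executable path from a possibly quoted command line."""
    m = re.match(r'"([^"]+)"|(\S+)', image_path.strip())
    return (m.group(1) or m.group(2)).lower() if m else ""

def suspicious_services(services):
    """Return (service name, reason) pairs for likely impersonators."""
    findings = []
    for svc in services:
        disp = _normalize_display(svc.display)
        builtin = next((b for b in KNOWN_BUILTINS if disp.startswith(b)), None)
        if builtin and svc.name.lower() != KNOWN_BUILTINS[builtin].lower():
            findings.append((svc.name, f"display name mimics built-in '{builtin}' "
                                       f"but service is not {KNOWN_BUILTINS[builtin]}"))
        elif (any(w in disp for w in LOOKALIKE_WORDS)
              and not _binary(svc.image_path).startswith(SYSTEM_DIRS)):
            findings.append((svc.name, "Windows-sounding name, binary outside system32"))
    return findings

# Constructed inventory: two genuine services, one XCP-style impersonator,
# and one Windows-sounding service running from a non-system path.
SAMPLE_SERVICES = [
    Service("PlugPlay", "Plug and Play", r"%SystemRoot%\system32\services.exe"),
    Service("Spooler", "Print Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    Service("DRMServer_constructed", "Plug and Play Device Manager",
            r"C:\WINDOWS\system32\drm_constructed\svc.exe"),
    Service("WinHelperX", "Windows Helper Service",
            r'"C:\Program Files\Constructed\helper.exe" -run'),
]
```

Feed it the output of a service enumeration (name, display name, image path) and the two rules catch both a name-mismatch impersonator and a Windows-sounding service running from outside system32.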

  4. #4 - Junior Member (Join Date: Oct 2005, Location: Northwest Florida, U.S.A., Posts: 4)

    After all the bad press, "SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology." See the Sony BMG Statement for their official acknowledgement of the trojan/virus and a link to the patch/uninstall request.

  5. #5 - AplusWebMaster, Adviser Team (Join Date: Oct 2005, Location: USA, Posts: 6,881)

    FYI...

    Troj/RKProc-Fam and Troj/Stinx disinfection instructions
    - http://www.sophos.com/support/disinfection/rkprf.html
    "Resolve is the name for a set of small, downloadable Sophos utilities designed to remove and undo the changes made by certain viruses, Trojans and worms. They terminate any virus processes and reset any registry keys that the virus changed. Existing infections can be cleaned up quickly and easily, both on individual workstations and over networks with large numbers of computers. This version of the tool detects and disables the Sony DRM cloaking copy protection technology (which Sophos refers to as Troj/RKProc-Fam). It also detects and disables other Trojans, including Troj/Stinx variants, which are stealthed by Troj/RKProc-Fam.

    Windows 95/98/Me and Windows NT/2000/XP/2003
    The Trojans can be removed from Windows 95/98/Me and Windows NT/2000/XP/2003 computers automatically with the following Resolve tools.

    Windows disinfector
    RKPRFGUI is a disinfector for standalone Windows computers
    open RKPRFGUI, run it, then click GO.
    If you are disinfecting several computers; download it, save it to floppy disk, write-protect the floppy disk and run it from there.

    Command line disinfector
    RKPRFSFX.EXE is a self-extracting archive containing RKPRFCLI, a Resolve command line disinfector
    for use by system administrators on Windows networks. Read the notes enclosed in the self-extractor for details on running this program..."

    The machine has no brain.
    ......... Use your own.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...

  6. #6 - Visiting Staff (Join Date: Oct 2005, Location: California, Posts: 19)

    Sunbelt doesn't plan to include this rootkit in its removal capability.
    From here:
    We do not intend to have this removal capability in CounterSpy, simply because it is incredibly hard to remove this rootkit without disabling the CD-ROM player. Suggestion: Either use Sony’s uninstaller or check out Sophos’.
    We'll see what Spybot does.

    By the way, that StinxE trojan looks like it's more of a proof-of-concept thing than anything really meant to do harm. First, it's targeted at British web users, where there is limited distribution of the DRM CDs. Second, the trojan is buggy.
    From here:
    The first Trojan to exploit this flaw, Stinx.E, doesn't properly decrypt the registry keys needed to allow the Trojan to load when Windows is restarted. The Stinx.E Trojan also fails to load if the Sony DRM cloaking technology is active, despite its deliberate attempts to exploit it. Additionally, the IP addresses used to connect to the IRC server are invalid. In effect, the Sony Stinx Trojan is impotent.
    My computer security blog

    I am a member of the Alliance of Security Analysis Professionals
