First Trojan Using Sony DRM Detected

November 2005


A new trojan which uses the cover provided by the Sony DRM component to hide has been detected by BitDefender Labs at 12.15 PM GMT today and is in the wild. This is the first ever observed instance of malware using the Sony DRM rootkit detected and analysed by Mark Russinovich.

The trojan apparently installs an IRC backdoor on the affected system and may have other functions.

"We have been aware for some time that malware can be written which may exploit the Sony DRM component's hiding capabilities for its own good. Therefore, BitDefender software has been upgraded to include heuristic detection for all software trying to use this technique. We can confirm that the trojan is in the wild and spreading at this time. This is a worrying confirmation of our concerns." declared Viorel Canja, Head of BitDefender Labs.

BitDefender users are protected against this new threat, since it is detected proactively and blocked. A signature update is also underway, to aid administrators in identifying the new threat.

A full technical analysis of the malware, and an update to this article are forthcoming and will be published on the BitDefender corporate website in the following hours.


***UPDATED (14.02 pm GMT)***

Analysts at the BitDefender Labs have completed a technical description of the threat and published a signature update. A removal tool for the trojan and a detection tool for the Sony DRM component are in preparation at the BitDefender Labs and will be made available to the general public in the following hours.



RELATED INFO:
Technical analysis of the Backdoor.IRC.Snyd.a trojan by BitDefender Labs.

How to protect your computer from attacks exploiting the XCP DRM Software

Analysis of the Sony DRM by Mark Russinovitch
Share This ON: