
Virus Writers Exploit Sony Anti-Piracy Software

This was bound to happen.

Anti-virus maker Sophos is reporting that it has spotted an e-mail going around that tries to exploit the controversial file-hiding abilities of anti-piracy software embedded on some of Sony BMG's music CDs.

According to Sophos, the e-mail, posing as a message from a British business magazine, begins:

"Hello, Your photograph was forwarded to us as part of an article we are publishing for our December edition of Total Business Monthly. Can you check over the format and get back to us with your approval or any changes? If the picture is not to your liking then please send a preferred one. We have attached the photo with the article here."

If the recipient has Sony's anti-piracy software installed and clicks on the file attached to the e-mail, the computer is infected with a Trojan horse that copies a file named "$sys$drv.exe" to the victim's machine.

As Security Fix has noted in past posts, the Sony software hides any file whose name begins with "$sys$", so a program only has to adopt that prefix to become invisible to ordinary directory listings. That is exactly what this Trojan does.
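
As an added example (not code from the original post, from Sony BMG or from First 4 Internet), the following Python simulates that cloaking rule and the cross-view check that anti-rootkit tools use to catch it: list a directory through the hooked API, list it again from an unhooked vantage point (a clean-boot listing or a raw read of the volume), and flag anything that appears only in the second view. The directory contents are constructed, and the case-insensitive prefix match is an assumption modelled on how Windows treats file names, not the driver's actual matching code.

```python
"""Cross-view detection of prefix-based file cloaking (added example).

Not code from the original post, Sony BMG or First 4 Internet.  The DRM
driver hid every object whose name starts with "$sys$" by filtering the
results of hooked Windows system calls; the Trojan in the post names its
payload "$sys$drv.exe" to ride on that filter.  hooked_listing() simulates
the filtered view, cross_view_diff() is the detection step that
RootkitRevealer-style tools perform by comparing the API view with an
unhooked view.  All file names below are constructed sample data.
"""
from __future__ import annotations

CLOAK_PREFIX = "$sys$"

# Constructed directory contents: one "$sys$" file standing in for a DRM
# component, the Trojan's dropped file, and two benign files.
RAW_LISTING = [
    "$sys$DRMServer.exe",   # constructed stand-in for a DRM component
    "$sys$drv.exe",         # the file the post says the Trojan drops
    "notepad.exe",
    "readme.txt",
]


def is_cloaked(name: str, prefix: str = CLOAK_PREFIX) -> bool:
    """True if the cloaking filter would hide this name.

    Windows file names are case-insensitive, so the comparison is too; the
    real driver's exact matching rule is an assumption here.
    """
    return name.lower().startswith(prefix.lower())


def hooked_listing(raw: list[str], prefix: str = CLOAK_PREFIX) -> list[str]:
    """What a process sees through the hooked API: cloaked names vanish."""
    return [n for n in raw if not is_cloaked(n, prefix)]


def cross_view_diff(raw_view: list[str], api_view: list[str]) -> list[str]:
    """Names present in the unhooked view but absent from the API view.

    Any non-empty result means something is filtering the API's answers,
    whether that is the DRM itself or malware hiding behind its prefix.
    """
    return sorted(set(raw_view) - set(api_view))


def hide_by_rename(name: str, prefix: str = CLOAK_PREFIX) -> str:
    """Why the filter is dangerous: any file becomes invisible by renaming."""
    return name if is_cloaked(name, prefix) else prefix + name


if __name__ == "__main__":
    api = hooked_listing(RAW_LISTING)
    print("API view  :", api)
    print("raw view  :", RAW_LISTING)
    print("hidden    :", cross_view_diff(RAW_LISTING, api))
    # Once the driver is disabled (the Sophos tool's job), both views agree.
    print("after fix :", cross_view_diff(RAW_LISTING, RAW_LISTING))
    print("renamed   :", hide_by_rename("payload.exe"))
```

The point of the diff is that it does not need a signature for the Trojan: any name the hooked API refuses to report is suspicious, which is why a name-prefix cloak that third parties can borrow is a worse problem than the DRM files it was meant to protect.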

Sophos, which is based in the United Kingdom, said it would issue a tool later today to detect the existence of Sony's DRM copy-protection on Windows computers, disable it, and prevent it from re-installing.

Sony could be in big trouble soon. The emergence of this virus should provide ample fodder for the class action suit that was recently filed in California against Sony.

UPDATE, 12:36 p.m. EST: Finnish anti-virus company F-Secure Corp. says the nasty bug in question is a bot program designed to force the infected computer to connect to an Internet relay chat server where the attacker who created it can update the infected PC with additional software, delete files, or command the machine to attack other computers online. According to F-Secure, the bot program does not work due to a programming flaw. However, given the enormous amount of public attention paid to the Sony anti-piracy software, working variants are likely to emerge within a short time.

UPDATE, 3:22 p.m. ET: Trend Micro has detected at least one more variant of this bot program, though it looks like the company is still trying to figure out everything it does. No doubt whoever created it is trying to correct the mistakes that caused the last version to fail. Either that, or other virus writers are jumping on the bandwagon. But, hey, it wouldn't be an outbreak without dueling virus names: Symantec says it now detects this bugger, though it calls it "Ryknos."

By Brian Krebs  |  November 10, 2005; 11:57 AM ET
Categories:  Latest Warnings , Piracy  


"Sophos, which is based in Denmark, said it would issue a tool later today to detect the existence of Sony's DRM copy-protection on Windows computers, disable it, and prevent it from re-installing."

Good for Sophos.

You know, Kaspersky, F-Secure, and Sophos come out of this really well; Symantec and Microsoft come out of it really badly.

There is clear evidence - including cryptic comments at itself - that indicates that Microsoft has known about the rootkit for quite some time. However, Microsoft has said very little, and recent inquirers have been told that the Malicious Software Removal Tool will *not* flag the Sony rootkit.

Here are people messing around with the Windows kernel and hiding what they're doing and Microsoft knows and JUST DOES NOT CARE. It would sooner suck up to Sony than protect its own customers.

Likewise, First 4 Internet has said that Symantec, the makers of Norton "antivirus" helped them develop the rootkit. Symantec has not denied this.

Symantec has now bowed to pressure and says that some of its products will detect the rootkit but not remove it. And it actually declares on its site that the Sony spyware is "a legitimate application". Legitimate! What a joke Symantec! What you say; let's see what the courts say, huh?

I'll never buy another Norton anti-virus product. You simply can't rely on Symantec to protect you. They should re-name the Norton AV product to "Norton anti-some-viruses-and-pro-some-others".

Posted by: Brett | November 10, 2005 12:27 PM | Report abuse

Well said.

You know, I used to spend a good percentage of my annual income on tapes and CDs in the past. I'm 32 now and much smarter. I wouldn't give these rats a nickel. I don't know if they have their greedy hands in satellite radio or not (I'm sure they do) but that seems like a better way to go, and you can record whatever you want to listen to later like the old days.

Boycott all these punks

Posted by: @Brett | November 10, 2005 1:02 PM | Report abuse

This whole incident is appalling. Let's hope Sony takes a bashing where it hurts - in its deep, deep pockets. The only way to bring the big boys back into line is to let them know our outrage by boycotting their products.

As for Norton, well, their products are a cynical joke. Overpriced products that often don't remove or even detect problems and tend to stop working properly when the company has a new version of a product on the market, where a re-install or a new purchase is the only viable option for the average user. Coincidence? I doubt it.

It's about time someone reined these big corporations in. Sony's paranoid stance over illegal copying, in this case, only seems to affect people who have legitimately bought one of their copy-protected CDs (well, they aren't even CDs according to Philips, which owns the patent).

I can't think of many companies who punish their valued customers for purchasing a product.

Sony won't get any of my money again. They should issue an apology for this outrageous behaviour and bow their heads in shame.

Posted by: tim WWW | November 10, 2005 1:06 PM | Report abuse

Sony has officially made it safer to steal files over the net than to legally buy it!!

They are just attempting to keep an inflated market price that is not at a free market equilibrium point. I bought my 1st CD in 1995 for $14.00; all other technology-based industries have reduced cost to compete (what was a computer worth then versus now?). They just have too much EMPIRE to feed and need to realize that anyone with a few thousand bucks can start a recording label and produce and market their own (or others') content for much less. All they are protecting is a large marketing / production / distribution network that the internet can and has started to replace. My "Make / Buy" break point cost is when the blank media + my opportunity cost (time and equipment depreciation) make it better to buy than make. At this point I would pay $4.00 to get a CD that I want with the artwork. I would still rip to my hard drive and use it where and how I want.

Bottom line, they are a dying old technology and they know it, but they are using their sheer size and power to continue to breathe. Death is near, look at General Motors!!

Posted by: Johnny Boy | November 10, 2005 1:41 PM | Report abuse

It is astounding that has said that Symantec helped First 4 Internet develop the rootkit. Not only is this a contractual conflict of interest in its agreement with Norton Antivirus users, but it is illegal in some states. People infected must complain to the FBI's Cyber Crime web site about this; it's easy and will help the government agencies understand the importance of Sony's actions. Talk about Symantec and Sony opening the door for cyber criminals and terrorists. Check out to let them know.

Posted by: DaveL | November 10, 2005 1:44 PM | Report abuse

When I first read of this whole incident happening with Sony's rootkit, I sent a mail to my Congresswoman Rosa DeLauro and informed her of this.

I asked her to actually look at what is happening in the world of software and copyrights and that we, the consumers, are being not only treated as if we were criminals but also looked upon as dumb sheep, willing to be led along whatever paths the BIG Corporations want to take us.

Needless to say I haven't received word one back from her offices. Not, mind you, that I'm really expecting anything of substance, since the last letter I wrote regarding similar issues got a reply of "Thank you for your interest in learning how to receive a free copy of your credit report".

Is it any wonder why we have so little confidence in our elected "leaders"?

Posted by: Peter | November 10, 2005 1:52 PM | Report abuse

For those of you who have an interest in such things, here's the low-down on the EULA that comes with Mr. Sony's 'DRM Rooter'

...I lolled!

Posted by: El Tonno | November 10, 2005 1:56 PM | Report abuse

Brett wrote:
Likewise, First 4 Internet has said that Symantec, the makers of Norton "antivirus" helped them develop the rootkit. Symantec has not denied this.

Proof of this statement? I would love to see it...

Posted by: Todd Towles | November 10, 2005 2:11 PM | Report abuse

Sure, Todd. Here is the proof that First 4 said that:

"The creator of the copy-protection software, a British company called First 4 Internet, said the cloaking mechanism was not a risk, and that its team worked closely with big antivirus companies such as Symantec to ensure that was the case."

If Symantec wants to step forward and say, "No, First 4 told a lie there", then I shall chalk it up to yet more lying on First 4's part. But, so far, Symantec has not denied this. The silence is deafening.

Symantec still states that the Sony spyware is a legitimate application. They've slightly changed the wording on this page: currently, it reads:

"This rootkit was designed to hide a legitimate application"

That's somewhat hardened language from earlier in the day BUT it still claims that the spyware is "a legitimate application".

Who knows what it will read in a while? I hope they toughen their stance yet more, and I'll be all for that. But bear in mind that that will only have occurred as a result of their getting the wind up and realizing the public are on to them.

Their security software is bloated, hungry for system resources, unstable, and generally useless anyway. But, after this, I think we all know where they are coming from.

Use Kaspersky, Eset NOD32, F-Secure, or AVG. Don't use Norton products. Symantec cannot be trusted - simple as that.

Posted by: Brett | November 10, 2005 2:34 PM | Report abuse

This smacks of a Mafia protection shakedown scheme just like back in the days of Al Capone. Sell you protection from threats that they are actually creating.

Posted by: Joe Gagliardo | November 10, 2005 3:44 PM | Report abuse

Nice work, Mr. Krebs. I nominate you and the Post as Defendants in the class action, based on your publishing the details on how to use the Sony DRM software to write a virus.

Posted by: JDS | November 10, 2005 4:46 PM | Report abuse

> Nice work, Mr. Krebs. I nominate you and the Post as Defendants in the class action, based on your publishing the details on how to use the Sony DRM software to write a virus

Hmm... my blood pressure is going up. Why dontcha get informed BEFORE sounding off?

*Here*'s the deal, buddy:

Not that anything in there would be "restricted info" except maybe in DMCAland.

Posted by: El Tonno | November 10, 2005 5:03 PM | Report abuse

Good article. Just a side note, Sophos is not based in Denmark - they are headquartered in the UK, but have major offices in Vancouver, Boston, and Sydney, as well as sales offices around the world (see

(Disclaimer: I work in the Sophos Vancouver office)

Posted by: Chris | November 10, 2005 5:25 PM | Report abuse

Chris -- Zoikes! *blush*. Sorry, I have fixed that. Thanks for writing, and for the kind words.

Posted by: Bk | November 10, 2005 5:53 PM | Report abuse

JDS -- Weren't you the guy who threatened to have me "terminated"? (Still not sure what exactly you mean by that) for merely telling people what security experts were already saying to anyone who would listen: that Sony's ill-conceived anti-piracy technology could be used by attackers who had already broken into your system to then hide files on your system?

So let me get this straight: by your way of thinking, if we just didn't talk about security vulnerabilities at all, maybe the bad guys would just go away? The truth is, they don't need my help, and security flaws are exploited most times because companies either fail to find them before the bad guys do, or they sit on them/take their time fixing them in the vain hope that maybe the bad guys aren't as smart as they are.

Posted by: Bk | November 10, 2005 6:00 PM | Report abuse

"Here are people messing around with the Windows kernel and hiding what they're doing and Microsoft knows and JUST DOES NOT CARE. It would sooner suck up to Sony than protect its own customers"

Another reason to switch to Linux...

Posted by: G | November 10, 2005 6:17 PM | Report abuse

Mr. Krebs: You obviously don't understand the difference between writing a column on tech security (which is badly needed) and pandering to the Tech-nut Community by publishing how-to instructions on writing a virus. You did the latter and I definitely advocate that the Post should fire you for it, since you once again gratuitously republished the same instruction manual-type data to further promote the virus spawners.

Posted by: JDS | November 10, 2005 6:30 PM | Report abuse

JDS: Like anyone would wait for the Post to get instructions on how to muck up a little evil code. This is ridiculous. Are you, like, trolling? If not, I can assure you that I would not need M. Krebs' column to tell me how to become a Blackhat (with apologies to M. Krebs, of course). But I certainly would appreciate the Music Industry doing a good part of the job for me. BWAHAHAHA!

Not that I am a Blackhat, perish the thought.

Posted by: El Tonno | November 10, 2005 7:10 PM | Report abuse

I have no problems with a company doing everything it can to protect its copyrights. If you purchased the rights to music, you should be allowed to copy and record it for your own personal use for the rest of your life. If I decide to sell those rights or trade it (figuratively speaking), that should not interfere with anything the company puts in place. I also don't want to deal with any spyware or programs from the music I listen to, in order to support their copyrights, on my computer. All copyright protection should be on the CD and stay there. There's plenty of room on a CD for information that can be embedded with music to protect copyrights legally.

Posted by: Harrier | November 10, 2005 7:33 PM | Report abuse

Aren't all anti-virus developers like Norton side by side creating viruses and then creating a new patch of Norton to have them removed? Isn't that an OLD fact? What's all the HOO HAA about now?

Posted by: Nader | November 10, 2005 10:54 PM | Report abuse

are running an online petition - would be a good idea to add your weight to it

Posted by: Podboy | November 11, 2005 6:01 AM | Report abuse

An ironic twist to this story is emerging on Slashdot: the Sony software that installs itself appears to contain code from another program, the LAME MP3 encoder. The twist is, this code is distributed under an open source license (the LGPL). If Sony used this code, in original or modified form, they were obliged to meet the terms of the LGPL ( They should have distributed their version under the same open source license. They should provide free access to the modified source code. They should include prominent notices in the redistributed code that the code is under the LGPL. So far, no evidence has been uncovered that Sony complied with the license.

So, in a clumsy, useless, damaging attempt to protect their own intellectual property rights, Sony casually violates those of others.

I hope this goes before a court that appreciates the irony.

Posted by: BigNick | November 11, 2005 9:29 AM | Report abuse

Anything that does things behind your back is spyware. Disloyal software, and disloyal software vendors that let their clients get backdoored, deserve similar respect.

Manage this commotion they may, but the real question is what else have they remained silent on?

Posted by: Chris | November 21, 2005 5:24 AM | Report abuse

Story has been corrected to not include "Symantec" in the quote.

Correction: This story originally implied that Symantec approved First 4 Internet's "rootkit" software. It did not.

Posted by: Todd Towles | November 22, 2005 5:58 PM | Report abuse


© 2010 The Washington Post Company