NEWS FROM THE LAB - November 2005


Tuesday, November 29, 2005

Tinfoil Hat Required? Posted by Era @ 11:23 GMT

Radio shielded lab -- no tinfoil hat required

When you have already used "the dog ate my homework" and "my baby sister pulled the plug just when I was about to save", try the latest excuse from Fermilab: "an alien virus from space hacked into my computer".

In summary, a researcher at Fermilab warns that the risk that aliens would hack SETI is "non-zero".

While we are eager to support bleeding-edge research, sometimes you just have to wonder ...

Seriously, though: If, for argument's sake, we assume that intelligent life on another planet only 25 light-years away registered our first television broadcasts 25 years ago (with a 25-year lag, mind you), and immediately decided that the progenitors of I Love Lucy must be annihilated, what are the chances that, in 1980, they were able to predict (again, mind you, based on information only up to 1955) that in 2005, we would be using 32-bit Intel processors on von Neumann architectures, let alone the details of, say, the current version of the Win32 API? And if they were able to predict (or guess) that the SETI client were vulnerable to a particular stack-smashing attack before any hacker here on Earth, would they be able to pull that off within the first few packets we received from them, before we would declare SETI a success based on the appearance of coherent signals from their planet?

We leave our tinfoil hats outside the lab, thank you very much. (Good thing it's shielded, though!)


Monday, November 28, 2005

Preinstalled trojans Posted by Mikko @ 17:18 GMT

hdp-u drive

Here's an interesting one. Peripherals manufacturer I-O Data has shipped a series of nice-looking portable hard drives in the 40GB to 120GB range - carrying the Backdoor.Win32.Tompai trojan on them.

This simple trojan isn't particularly new - we added detection for it in September 2004. However, somehow it managed to find its way onto the master image that was preinstalled on every new hard drive. The manufacturer is now replacing them under warranty.

Previously, we've seen similar cases with preinfected laptops, floppy disks, USB memory sticks and even preinfected MP3 players.



Thursday, November 24, 2005

Remember Mafiaboy? Posted by Mikko @ 17:51 GMT

Remember Mafiaboy? The Canadian teenage hacker who launched the first mainstream DDoS attacks in 1999, against targets like Yahoo and eBay? The guy who - after CNN ran a story on the attacks - took down CNN.COM? Who had his attacks categorized in the "top 10 hacks of all time" (!)?

Well, turns out he's nowadays a columnist for a newspaper in Montreal. In fact, he's covering some of his old attacks in his articles.




If bagles start eating, eat a bagel. Posted by Jusu @ 15:00 GMT

This is becoming somewhat of a tradition already: for a Bagle storm the only cure is a storm of bagels.

Bagels on a table

Just collect the team and enjoy.

People eating bagels


Gold, now Posted by Mikko @ 09:11 GMT

Well, it's not all just Bagle that we're seeing lately.

Here's an interesting way to distribute a new trojan.

Somebody has been sending out significant amounts of fake emails, claiming to be from "GOLDNOW SHOP Billing Team". No such company exists. Also credit card merchant CCBill is mentioned, but they are not related to this case in any way.

The mail warns that your ring order of $277.50 has been denied and instructs you to get details from the attachment. The attachment (surprise, surprise) contains an executable called GSBILL.EXE.

When scanning the file you'll find out that:

 gsbill.exe Infection: Trojan-Proxy.Win32.Agent.hx

This trojan doesn't replicate by itself, so this email has simply been spammed out by the attackers, hoping that people are fooled by the fake bill and launch the trojan while searching for more info.







Bagles just keep coming Posted by Jarkko @ 08:09 GMT

Starting from yesterday evening, we have received samples of six new Bagle downloaders, mass-mailer components for three of them and some other malware related to Bagle botnet. Latest update version 2005-11-24_04 detects all of them.

Wednesday, November 23, 2005

...and more Bagles Posted by Katrin @ 16:38 GMT

We are now publishing the 5th update for today to detect a mass-mailer that sends out one of the downloaders and also a second level downloader of the Bagle mass-mailer. We are calling them W32/Bagle.EQ and W32/Bagle.ER@mm.

P.S. While writing this weblog entry another new Bagle arrived. This one goes as W32/Bagle.ES.


And another Bagle.. Posted by Jarkko @ 15:14 GMT

Just some minutes after we added detection for W32/Bagle.EO, we got another Bagle downloader. This one is almost identical; the only thing that changes is a slightly different set of download URLs. It is detected as W32/Bagle.EP in update version 2005-11-23_04.

New Bagle has been spammed Posted by Katrin @ 14:33 GMT

In the last 30 minutes we received submissions of a new Bagle downloader. It seems it has been spammed. We just released an urgent update to detect it as W32/Bagle.EO. The FSAV update is version number 2005-11-23_03.

Tuesday, November 22, 2005

Sober.Y becoming huge Posted by Mikko @ 22:14 GMT

fbi warning on sober

We just took Sober.Y to a Radar Level 1 alert. Level 1 is the highest alert we have. And this is the first Level 1 alert we've done in months.

Several millions of infected emails have been seen by internet operators over the last hours.

One of the reasons why this email worm seems to be so successful in spreading is that some of the messages it sends are fake warnings from the FBI, the CIA or the German Bundeskriminalamt (BKA). The FBI has even put out a public warning on the case.

The first Sober was found in October 2003, over two years ago. We believe all 25 variants of this virus have been written by the same individual, operating from somewhere in Germany. Unlike most of the other widespread viruses nowadays, Sober doesn't seem to have a clear financial motive behind it.

Some Sober variants have displayed neo-nazi messages, but the latest version of the virus does not do this. However, all Sober variants send German messages to German email addresses and English messages to other addresses.

The numbers we're now seeing with Sober.Y are just huge. This is the largest email worm outbreak of the year - so far!


Most people don't even know what a t-shirt is Posted by Mikko @ 11:17 GMT

After this DRM rootkit mess we decided to print a batch of t-shirts for the lab staff...see below:

Now, we have a handful of these left. So if you're interested, drop us a mail at We'll pick a few winners at random and will DHL a free t-shirt to them on Friday.


Jigsaw Piece - 713 Posted by Gergo @ 09:35 GMT


Internet Explorer 0-day Posted by Mika @ 07:30 GMT

A group called "Computer Terrorism" has released a Proof-of-Concept exploit for an unpatched Microsoft Internet Explorer vulnerability. The exploit allows remote code execution on most Windows systems including XP sp2. This vulnerability can e.g. be exploited if a user visits a web site controlled by the attacker.

The flaw is related to the JavaScript functionality in IE. So, one solution to this problem is to disable Active Scripting in IE. Another solution would be to use some other web browser. Also, as always, running as a restricted user greatly limits the damage these kinds of attacks can cause.

Apparently Microsoft was informed about this bug in May. Earlier it was seen as a denial-of-service vulnerability. MS has not released a patch yet but a Security Advisory on the issue is available.


Monday, November 21, 2005

Another week, another Sober Posted by Katrin @ 21:43 GMT

A new Sober variant became widespread today. This variant is similar to Sober.K and some of the latest variants that were found in the middle of November 2005. The new Sober.Y variant is detected with the update published on November 16th - FSAV update version 2005-11-16_03.

Sober has been spammed in various different mails, including fake FBI warnings like the one below:


Friday, November 18, 2005

Money laundering Posted by Mikko @ 10:56 GMT

Somebody has been sending fake "" job applications last night. These link to two sites: and, which are fake look-alikes, offering an open job position.


The job description talks about moving money from foreign accounts to your account and you transferring it to elsewhere for a 3% cut. So the bad boys are hiring money launderers, possibly to wash money gained via phishing or via credit card fraud.

To reduce the transfer cost we are looking for Financial Managers all over the world. When we get an order from another country, the Financial Manager in this country gets the payment and sends it to us through Western Union. Commission rate of Financial Managers is 3%. This way we reduce expenses for international bank transfer twice.

The domains and were registered two days ago and are hosted at which is in South Korea. For the actual job application the site points to

The site seems to be a slightly modified copy of the website of a real company called The copy site runs at which is in Russia.

velocityglobal, fake & real

Abuse messages on the domains have been sent, and Velocity Global has been notified.


Wednesday, November 16, 2005

Sony, DRM, Rootkits, Bugs and You Posted by Antti @ 10:40 GMT

Van Zant CD with XCP
The Sony DRM case seems to be getting more and more twisted. Our readers might be wondering what the actual risks are at this point and what they should be doing about them. Here's a short recap.

If you have the Sony DRM with the rootkit (aries.sys) still active, you should consider getting the update to remove the rootkit. Do this by using the standalone executable available here. There are already several malware variants that try to hide with the help of the Sony DRM cloaking.

After this you're left with the rest of the Sony DRM software, which might be vulnerable to local privilege escalation attacks reported by ISS X-Force. To remove the DRM software entirely, you will have to wait for Sony to fix their uninstaller and carefully consider using the new version once it's released.

If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure.
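As an added example (not code from the post, from Sony or from First 4 Internet), here is what the kill-bit advice above looks like as a concrete registry change. Internet Explorer honours a per-CLSID "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility, and the 0x400 bit in that value is the kill bit; that is Microsoft's documented mechanism rather than something stated on this page. The CLSID is the one given above. The .reg export helper, the CLSID normalisation and the Windows-only function that writes the value through winreg are all this example's own assumptions.

```python
import re
import sys

# Bit in "Compatibility Flags" that tells Internet Explorer never to load a control (the kill bit).
KILLBIT_FLAG = 0x400
# Registry key (under HKEY_LOCAL_MACHINE) where IE looks up per-CLSID compatibility flags.
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# CLSID of the withdrawn XCP ActiveX uninstaller, as given in the post above.
XCP_UNINSTALLER_CLSID = "{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}"

_CLSID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def normalize_clsid(clsid):
    """Validate a CLSID and return it in the canonical braced, upper-case form."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + "-".join(g.upper() for g in m.groups()) + "}"


def is_killed(flags):
    """True if the kill bit is set in a Compatibility Flags value."""
    return bool(flags & KILLBIT_FLAG)


def with_killbit(flags):
    """Return the flags with the kill bit set; any other bits already present are preserved."""
    return flags | KILLBIT_FLAG


def killbit_reg_export(clsid, existing_flags=0):
    """Build a .reg file that sets the kill bit for one CLSID without clobbering other flag bits."""
    key = normalize_clsid(clsid)
    value = with_killbit(existing_flags)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{key}]\r\n"
        f'"Compatibility Flags"=dword:{value:08x}\r\n'
    )


def current_flags(clsid):
    """Read the current Compatibility Flags for a CLSID (Windows only; 0 if the key is absent)."""
    if sys.platform != "win32":
        raise OSError("registry access is only available on Windows")
    import winreg
    key = normalize_clsid(clsid)
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{ACTIVEX_COMPAT_KEY}\\{key}") as k:
            value, _ = winreg.QueryValueEx(k, "Compatibility Flags")
            return int(value)
    except FileNotFoundError:
        return 0


def apply_killbit(clsid):
    """Set the kill bit in the live registry (Windows, needs an elevated prompt). Returns the new flags."""
    if sys.platform != "win32":
        raise OSError("registry access is only available on Windows")
    import winreg
    key = normalize_clsid(clsid)
    new_flags = with_killbit(current_flags(key))
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, f"{ACTIVEX_COMPAT_KEY}\\{key}") as k:
        winreg.SetValueEx(k, "Compatibility Flags", 0, winreg.REG_DWORD, new_flags)
    return new_flags


if __name__ == "__main__":
    # Print a .reg file that can be imported on the affected machine.
    print(killbit_reg_export(XCP_UNINSTALLER_CLSID))
```

Reading the existing value before OR-ing in 0x400 matters: the same DWORD carries other compatibility bits, and overwriting it with a bare 0x400 would silently drop them. Setting the kill bit does not remove the component from disk; it only stops IE from instantiating it, which is why the post says to remove the control as well.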


Tuesday, November 15, 2005

Yet another new Sober Posted by Katrin @ 18:11 GMT

We upgraded the recent four Sober variants found during the last 24 hours to Radar level 2.

Meanwhile another new Sober arrived. We are publishing detection right now to detect it as Sober.X
Edited to add: The attack continues. We just got multiple customer submissions of another variant with variable MD5. Detection is being added as Sober.Z.



CAPTCHA spam / phish incident Posted by Era @ 11:33 GMT

We have received reports from a lot of different places that they have received apparent phishing messages, including a couple of Finnish banking sites which have also published phishing alerts.

It appears, though, that these phishing messages are always targeted to the domain of the recipient. In other words, if your address is, you would receive a message which looks like it's from, with a subject of " ID:", urging you to click on a link in order to verify your account details (if you can make this out from the message ... the samples we have received are so obfuscated as to be nearly unintelligible).

So if you work at a bank, the message would appear to be from your bank, but recipients in other organizations would see a message similarly pretending to be from their own organization. But it's understandable, and prudent of the banks, that they issue alerts.

Example CAPTCHA image

As with most phishing messages, these contain a masqueraded link which looks legitimate, but in fact takes you to another site. If you click on the link in one of these phishing messages, you are redirected to a site which opens up the "real" target site in the main window, but in front of this, it throws up a popup with a CAPTCHA — a distorted image which contains text which you are asked to type into a box. A lot of webmail sites use these to prevent automated systems from registering a large number of free accounts; they hope that deciphering the text in the distorted images will be relatively easy for a human, but hard for a computer.

In this case, it seems that the phisher is merely trying to get unwitting victims to help him crack the CAPTCHAs, apparently in order to be able to register "throwaway" accounts with a particular Russian webmail provider, probably to be used for spamming. Or rather, was trying, because the sites which hosted the popup pages appear to be gone now.


They got it right Posted by Mikko @ 07:02 GMT

Three Sober variants have been found over the last four hours. One of them (detected by us as Email-Worm.Win32.Sober.v) matches the description predicted yesterday by the Bavarian police (see below).

Hmm. Spooky.


Monday, November 14, 2005

New Sober to be released tomorrow? Posted by Mikko @ 22:37 GMT

In a surprise move, the Bavarian Police are warning of a worm outbreak that will happen - tomorrow.

Bayerisches Landeskriminalamt has today put out a press release. In the release they warn of a possible new Sober variant that would be launched tomorrow (Tuesday 15th of November).

The new variant should be spreading in emails like this:

 Subject: Registration Confirmation
 Body: Thanks for your registration. Your data are saved in the zipped Word.doc file!

The German police are basing their information on a year-long investigation into the Sober case (the author of the virus is German). They also say they can not provide more details at this time ("Nähere Einzelheiten können zum jetzigen Zeitpunkt noch nicht mitgeteilt werden.")

Thanks to Micha for the tip.


More than 100 known mobile malware variants Posted by Jarno @ 13:24 GMT

Last week we passed the mental barrier of 100 known variants of mobile malware. From a technical point of view it doesn't really matter whether there are a bit fewer or a bit more than 100 known variants, but 100 is a figure that makes quite a few people stop and think. So this might be a good time for a short summary of what we have seen so far.


When looking at the graph that shows the total number of known variants in relation with time, one can see that most of the variants have been discovered during 2005 and that the rate of discovery has been rather constant.

The current total count of mobile malware is 103 known variants, the latest one being Skulls.U. Exactly 98 of the known variants are for Symbian Series 60 devices, of which 75 were stopped by generic detection in F-Secure Mobile Anti-Virus, which means that the Anti-Virus was already able to stop the malware before we got the first sample.

The largest malware family is Cabir, with 27 variants, followed by Skulls that has 21 variants.

All in all, the situation in mobile malware bears strong resemblance to the early days of PC malware.
All of the currently known malware cases are created by hobbyists and amateurs, no signs of profit motivated malware or other organized crime has been seen yet.

Most of the currently known cases are technically rather primitive, but the latest cases have shown increasing level of sophistication.

Also, most of the currently known cases are variants of some existing malware family, not something that would require a new family name. This means that there is a small group of malware authors who create something new and a large group who take existing samples and modify them to create new variants.

So far most of the known cases have not caused large scale outbreaks, but Cabir and Commwarrior have spread globally and have caused significant local outbreaks. To our knowledge there have already been tens of thousands of mobile phone infections worldwide.

As of now there are four ways of getting infected with a mobile phone virus:
 1) Via Bluetooth
 2) Via MMS
 3) Via web download (either from the phone or via a PC)
 4) Via memory cards

The only case where malware can infect the device without user acceptance is via memory cards, for example with Commwarrior.C. But as people don't swap cards very often, this infection vector is rather limited.

In conclusion, the situation in mobile malware is not yet too serious, but has been getting steadily worse.

The best protection against mobile malware is user education and Anti-Virus software in the end user devices. Also the telecom operators who have taken an active stance in preventing and limiting local outbreaks have helped to keep the situation calm.


Sunday, November 13, 2005

Once more on the Sony rootkit case Posted by Mikko @ 20:46 GMT

It would seem the Sony rootkit case is mostly over, at least for now. Several people probably learned valuable lessons over the last two weeks.

Click to listen - snippet from

There's a nice wrap-up at The Inquirer. We especially liked this quote:

  But enough ranting. Let me end this with a couple of up notes. If you want
  to find a trustworthy security vendor, I would recommend looking for ones
  that stood up on the Sony malware DRM infection issue and said 'this is bad'
  early and loudly. F-Secure comes to mind, but there are others. The ones that
  said 'grumble, mumble, maybe, sorta' a week later are not what you want to
  have protecting your machines.


Friday, November 11, 2005

Breplibot Stinx Posted by Mika @ 12:12 GMT

There are variants of Breplibot (aka Stinx aka Ryknos) trying to hide under the cloak provided by the Sony DRM software. However, none of the variants we have so far analyzed are successful in installing on a machine that has an unpatched Sony DRM running.

To elaborate, here are the different scenarios when Breplibot.B, Breplibot.C, or Breplibot.D is run on a host (using Administrative rights):

1) A clean system: The bot is activated and compromises the system. However, the bot ($sys$XXX.exe) is visible as a file and as a process, and thus is easily detected by any up-to-date anti-virus software.

2) Sony DRM is hiding on the system: The bot will completely fail to install.

3) Sony DRM has been installed, but the anti-cloaking patch has been applied: Same result as in 1)

4) Bot is already active on the system when the user installs Sony DRM and its hiding component (rootkit): The bot keeps on running and it is cloaked by the Sony DRM.

Above: F-Secure BlackLight beta detecting files hidden by the rootkit in scenario 4. "$sys$drv.exe" is the hidden bot process. Note that F-Secure IS2006 suite already has an integrated BlackLight engine that detects files and processes hidden by rootkits.

So, at the moment the malware is not really successful in exploiting the presence of the Sony DRM. Obviously this situation might change very soon.

The Sony DRM case has gained a lot of attention. However, keep in mind that there are numerous different rootkits out there. Rootkit hiding techniques are becoming more and more popular among malware authors. Lately we have especially seen a large increase in BlackLight feedback reports of Apropos rootkit spyware. Also, numerous bot variants are still dropping rootkits onto systems to hide themselves.


Thursday, November 10, 2005

One more Bot trying to hide under Sony DRM Posted by Katrin @ 21:29 GMT

Soon after the first Bot using Sony rootkit technology was found, another one appeared - Breplibot.C.

This new variant fixes some bugs found in the previous Breplibot.B variant. It uses the file name '$sys$xp.exe' instead of '$sys$drv.exe' when copying itself to the Windows System folder.


Bot trying to hide under Sony DRM Posted by Mika @ 14:02 GMT

We wouldn't like to say "we told you so" but unfortunately this is one of those times you just have to do it.

We have just analyzed the first malware (Breplibot.b) that is trying to hide on machines that have Sony DRM software installed.

Luckily, the bot has a design flaw. If the Sony DRM rootkit is active (hiding) in the system during infection, the bot will not run at all. Moreover, the bot cannot survive a reboot because of a programming error. In any case, this is a very good example of why software should not use rootkit hiding techniques.


Wednesday, November 9, 2005

Microsoft Security Bulletin MS05-053 Posted by Antti @ 07:26 GMT

Microsoft has released a security update that fixes three vulnerabilities. All of them are related to how the Windows Metafile (WMF) and Enhanced Metafile (EMF) image formats are rendered. An attacker can exploit these vulnerabilities to remotely run arbitrary code and take over the affected computer. This can be done by using a malicious web page that the user visits, embedding a malicious image into an Office document or simply sending an HTML e-mail message with a specifically crafted image attached, to name a few alternatives. So, there seem to be a lot of avenues for attack.

Although we haven't yet seen any indication that the vulnerabilities are being exploited in the wild, it's a really good idea to patch your systems - now.



Tuesday, November 8, 2005

Symbian Anti-Virus Bundled with Symbian trojan Posted by Jarno @ 12:19 GMT

Today we received a rather interesting Symbian malware sample.

SymbOS/Doomboot.G is a new variant of the Doomboot family. This malware also contains a pirated version of the ExoVirusStop antivirus application.

We have seen Symbian trojans that pretend to be an antivirus application from some company or another. But I believe that Doomboot.G is the first case that actually contains a fully working pirate copy.

In addition to the antivirus application, the Doomboot.G contains corrupted system binaries from Doomboot.A and empty files that have the same file name and path that the virus SymbOS/Lasco.A uses.

The goal of the virus author has probably been that the user installs ExoVirusStop and later updates the Anti-Virus to a version that detects Lasco.A. Then the user scans his phone and gets a report about Lasco.A, and with that report a request to reboot his phone.

If the phone is booted while the Doomboot files are still in the system, the phone cannot start up again. The phone can be reformatted with a special key code, which of course will erase all data.

We have contacted exoSyphen Studios, which makes the ExoVirusStop product, and their latest version is also able to remove the Doomboot files.

Like any other Symbian trojan, Doomboot.G and its close variant SymbOS/Doomboot.H are a danger only to people using pirated software.

Both Doomboot.G and Doomboot.H are already detected by F-Secure Mobile Anti-Virus using generic detection.


Saturday, November 5, 2005

Linux backdoor Posted by Mikko @ 16:46 GMT

It's been fairly quiet on the Linux malware front, but something interesting is going on now.

Two days ago we added detection of This one targets a vulnerability in the XML-RPC for PHP 1.x system, which is common in many Wiki systems for example.

So far we haven't received too many reports but we'll keep our eyes open.


Friday, November 4, 2005

A chilling thought about CDs that have rootkit DRM Posted by Jarno @ 08:13 GMT

A member of our IT security team pointed out a quite chilling thought about what might happen if record companies continue adding rootkit based copy protection to their CDs.

In order to hide from the system a rootkit must interface with the OS at a very low level, and in those areas there's no room for error.

It is hard enough to program something at that level without having to worry about other programs trying to do something with the same parts of the OS.

Thus if there were two DRM rootkits on the same system trying to hook the same APIs, the results would be highly unpredictable. Or actually, a system crash is quite a predictable result in such a situation.

So imagine a situation where Joe Customer buys a CD from label A and another CD from label B. Label A uses third party DRM from company X and Label B uses one from company Y.

Then our user first plays one of the CDs on his PC, and everything works fine. But after he starts playing the second CD, his computer crashes and won't boot again. This is something I would not like to associate with buying legal CDs.
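The scenario above, as an added simulation written for this post (not code from the page or from any DRM vendor): two "drivers" hook the same entry point in a stand-in dispatch table, each saving whatever pointer it found there and putting it back on unload. Which vendor loaded first and which unloads first decides whether the table ends up pointing back at the real function, at a live hook, or at code belonging to a driver that is no longer loaded. The driver names, the file-name prefixes each one hides, the sample directory and the RuntimeError standing in for a kernel crash are all constructed assumptions.

```python
def real_query_directory(entries):
    """The OS's own directory enumeration, before anyone hooks it."""
    return list(entries)


class SystemTable:
    """Stand-in for a kernel dispatch table: one function pointer both vendors want to hook."""

    def __init__(self):
        self.query_directory = real_query_directory


class DrmDriver:
    """One vendor's cloaking driver: saves the pointer it finds, installs its own, filters its files."""

    def __init__(self, name, prefix):
        self.name = name
        self.prefix = prefix
        self.saved = None
        self.unloaded = False

    def load(self, table):
        # What we save may already be the OTHER vendor's hook, not the real function.
        self.saved = table.query_directory

        def hooked(entries):
            if self.unloaded:
                # In a real kernel this is a jump into freed driver memory: a bugcheck.
                raise RuntimeError(f"{self.name}: call into unloaded driver code")
            return [e for e in self.saved(entries) if not e.startswith(self.prefix)]

        table.query_directory = hooked

    def unload(self, table):
        # Restores whatever was there when we loaded, whether or not it is still valid.
        table.query_directory = self.saved
        self.unloaded = True


SAMPLE_DIR = ["song.wma", "$x$drm.sys", "$y$drm.sys"]  # constructed directory contents


def scenario(unload_order):
    """Load driver X then Y, unload them in the given order, then enumerate a directory."""
    table = SystemTable()
    drivers = {"X": DrmDriver("X", "$x$"), "Y": DrmDriver("Y", "$y$")}
    drivers["X"].load(table)
    drivers["Y"].load(table)
    for name in unload_order:
        drivers[name].unload(table)
    try:
        return {"crash": False, "listing": table.query_directory(SAMPLE_DIR)}
    except RuntimeError as err:
        return {"crash": True, "listing": None, "error": str(err)}


if __name__ == "__main__":
    print("both loaded:      ", scenario([]))
    print("unload Y then X:  ", scenario(["Y", "X"]))
    print("unload X then Y:  ", scenario(["X", "Y"]))
```

With both hooks live each vendor's files vanish from the listing, and unloading in reverse load order unwinds cleanly. Unloading X first leaves Y holding a saved pointer into X, so Y's own unload reinstalls X's hook after X is gone: the next directory enumeration calls into unloaded code. Neither vendor did anything wrong by its own logic; the failure comes purely from two products sharing a hook point they each assumed they owned.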

I think that record companies should stop playing with rootkits and other blackhat techniques before they cause major grief to their customers.

Also, while on the topic of real world effects of DRM, check out the user ratings of the Van Zant CD that was pinpointed as a CD with DRM in it.

At the moment of writing this blog entry, it has 97 review entries and 1.5 stars. I actually feel sorry for Van Zant, as they certainly don't have anything to do with the DRM on their CD.


Thursday, November 3, 2005

Sony releases update for DRM software Posted by Antti @ 09:47 GMT

We wrote on Tuesday about the DRM software from Sony that used rootkit technologies. The company behind the technology, First 4 Internet, has now released an update for the software. After visiting the web site, downloading and installing the update, it now seems that the DRM software no longer attempts to hide anything on the computer. The rootkit driver (aries.sys) is removed from the system during the update.

BlackLight beta and updated XCP

The update from Sony is available here

We sincerely hope that the updated version will make it to the CDs in stores as soon as possible. Many people that buy copy-protected music will not be aware of the programs that get installed on their computers, let alone worry about updating them.

Automatic uninstallation of the software is still not possible without additional tools, and removing it manually is difficult. If you want to remove the software from your computer, we still recommend that you contact Sony BMG using their web form and ask for permission to uninstall it.


Wednesday, November 2, 2005

Please stop flaming us Posted by Mikko @ 13:28 GMT

We've been getting lots of hate mail today. People are accusing us of stealing the (quite excellent) research work done by Mark Russinovich at Sysinternals relating to the "Sony rootkit" incident.

This is not the case at all.

We published our technical description and blogged about the case yesterday, several hours after Mark had broken the news on his site. So to some it looked like we were just recycling his work without credit.

In reality we started working on this case on the 30th of September, when a user of our F-Secure BlackLight rootkit detector started discovering these files on his system and contacted us. He provided us with BlackLight logs like the one below:

  (Blacklight log dated 30th of September 2005)

( receipt dated 3rd of October 2005)

The customer suspected a specific audio CD to be the source of these files. To investigate further, we bought two CDs from on October 3rd and did a technical analysis of them around that time.

We didn't go public with the info right away as we were worried about the implications (especially with the info on how virus writers can use this to hide files which have names starting with "$sys$"). So we were in the middle of discussions with Sony BMG and First 4 Internet when Mark broke the news on Monday.

After this we decided to make our research on the topic public.

So that's the story. I'm a bit disappointed in the people who jumped to conclusions, and a bit sorry for our rootkit research team who did the hard work of analysing the whole thing only to end up being accused of plagiarism.




Yet Another eBay Phish Posted by Era @ 12:45 GMT

A new kind of eBay phishing attempt is going around. It's only going to fool people who have something for sale on eBay, because it's disguised as a question from another eBay member about shipping costs for "your item".

It even includes the boilerplate from a genuine eBay message which says "Your registered name is included to show this message originated from eBay", although it does not in fact contain your registered eBay screen name, for obvious reasons. The phishers only have your email address, not your eBay screen name. (Of course, they might be the same, or at least similar. One more reason to invent a truly unique screen name for all the on-line services you subscribe to.)

Screen shot of an eBay phish message

Because the message contains a number of fingerprints which are typical for forged messages, both spam and phish, it's already detected by our existing phishing rules.

This brings up another point, though. The majority of these fingerprints are based on header analysis. But when we get a spam or phishing sample, we frequently only get the body of the message (and sometimes only something like a copy-paste of what the user actually sees, or even just a screen shot).

In fact, a number of "modern" email clients make it very very hard indeed to forward a message with the full original headers intact. If you are connected to an Exchange server, it's not even possible. (Fortunately, we hear Microsoft is finally working on this.)

An example of what it takes in Outlook to send a proper sample is at, but see your own ISP's abuse pages; they probably have something quite similar ... and similarly complex.

If you want to send us a proper spam or phishing sample, it would actually be a fairly good idea to install a third-party plug-in to help extract the full headers. We are aware of such plug-ins for Outlook and Eudora.

Ironically, those of us who still live in the "stone age" don't have such problems. In classical email clients such as Mutt and Gnus (and, ${dmr} bless you, Pine, if you configure it correctly) this is not a problem at all.
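An added example (not the lab's own code or rules) of what gets lost when a phishing sample is forwarded without its headers. It parses a constructed raw message with Python's email module, pulls out the transport headers that fingerprint rules rely on, takes apart the originating Received: line to show the claimed HELO name next to the connecting IP, and then produces the kind of body-only forward a typical client sends, which carries none of that. The message, addresses, IPs, Message-ID and header values are all made up for the demonstration.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Constructed sample (not a real capture): an eBay-themed phish as it arrives from the MTA,
# full header block still attached. Hosts and addresses are documentation/example values.
RAW_SAMPLE = b"""\
Return-Path: <member@ebay.com>
Received: from mx.example.org (mx.example.org [192.0.2.10]) by mail.example.net with ESMTP id A1B2C3; Wed, 2 Nov 2005 12:30:01 +0000
Received: from unknown (HELO ebay.com) (198.51.100.77) by mx.example.org with SMTP; Wed, 2 Nov 2005 12:29:55 +0000
Message-ID: <000001c5df9a$constructed@ebay.com>
From: "eBay Member" <member@ebay.com>
To: seller@example.net
Subject: Question about your item
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Date: Wed, 2 Nov 2005 12:29:50 +0000
Content-Type: text/plain; charset="us-ascii"

Hello, what are the shipping costs for your item? Please reply at http://ebay.com.example.invalid/
"""

# Header fields spam/phish rules typically key on; a body-only forward discards every one of them.
FINGERPRINT_HEADERS = ("Return-Path", "Received", "Message-ID", "X-Mailer", "Date")

_HELO_RE = re.compile(r"\bHELO\s+([\w.-]+)", re.I)
_IPV4_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def parse_raw(raw):
    """Parse an RFC 5322 message from raw bytes, headers included."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_chain(msg):
    """Received: lines in the order the message travelled (originating hop first).
    Each MTA prepends its own line, so header order is newest-first; we reverse it."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def has_full_headers(raw):
    """A sample is analysable only if the transport headers survived the forward."""
    msg = parse_raw(raw)
    return bool(msg.get_all("Received")) and msg.get("Message-ID") is not None


def origin_hop(raw):
    """Split the originating Received: line into what the sender claimed (HELO) and the IP seen."""
    chain = received_chain(parse_raw(raw))
    if not chain:
        return {}
    first = chain[0]
    helo = _HELO_RE.search(first)
    ip = _IPV4_RE.search(first)
    return {
        "claimed_helo": helo.group(1) if helo else None,
        "connecting_ip": ip.group(1) if ip else None,
        "raw": first,
    }


def header_fingerprints(raw):
    """Collect the header material a submitted sample needs to carry for rule writing."""
    msg = parse_raw(raw)
    return {name: [str(h) for h in msg.get_all(name, [])] for name in FINGERPRINT_HEADERS}


def simulate_body_only_forward(raw):
    """What a plain 'Forward' produces: the user's own envelope plus the body, original headers gone."""
    original = parse_raw(raw)
    fwd = EmailMessage()
    fwd["From"] = "seller@example.net"
    fwd["To"] = "samples@example.invalid"
    fwd["Subject"] = "FW: " + str(original["Subject"])
    fwd.set_content("Original message:\n\n" + original.get_content())
    return fwd.as_bytes()


if __name__ == "__main__":
    print("full sample usable:", has_full_headers(RAW_SAMPLE))
    print("origin hop:", origin_hop(RAW_SAMPLE))
    forwarded = simulate_body_only_forward(RAW_SAMPLE)
    print("body-only forward usable:", has_full_headers(forwarded))
```

The originating hop is where the interesting material lives: the connecting host announced itself as ebay.com while its reverse lookup came back as "unknown" and it handed over a Message-ID it had no business generating. All of that is in the Received: and Message-ID lines and nowhere in the body, which is why a sample that arrives as a screenshot or a pasted body gives the rule writers nothing to work with.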


Three new Bagle-related downloaders spammed lately Posted by Alexey @ 10:29 GMT

During the past 18 hours we have found 3 different Bagle-related droppers/downloaders. They were spammed to a large number of people as e-mail attachments named LOADER.EXE, TEXT.EXE and T_535475.EXE. All these droppers contained a differently packed downloader DLL that was programmed to download and run a file from a website (the list of websites is located in the downloader's body).

We have added detection for these droppers and downloaders as Bagle.EE, Bagle.EF and Bagle.EG.


Tuesday, November 1, 2005

The "Sony rootkit" case Posted by Mikko @ 11:25 GMT

There have been some recent developments in digital rights management systems (DRM) that have security implications. Some DRM systems have started to use rootkit technology. Rootkits are normally associated with malware, but in this case a rootkit is used to enforce the copy control policies of audio CDs!

Some CDs from Amazon

A rootkit is technology that hides software from the user and from security software. This kind of technology is normally used by malware authors who want their presence to remain undetected in the system as long as possible. DRM software is not malicious, but it has other reasons for hiding from the user: DRM software restricts the user's ability to make copies of a record, and for that reason uses technology that prevents removal and modification of the software.

EULA

Sony BMG is currently using a rootkit-based DRM system on some CD records sold in the USA. As far as we know, this system has been in use since March 2005. We've made some test purchases of Sony BMG records from and can confirm that they contained this technology.

When you insert such a CD into a Windows-based PC, the record will display a license agreement and then it will seem to install song player software - while it really installs a rootkit on the system. Once the rootkit is there, there's no direct way to uninstall it. The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed.

F-Secure has implemented an anti-rootkit scanner in F-Secure Internet Security 2006. The F-Secure BlackLight scanner is able to detect both this Sony DRM rootkit system and any malware that hides using it.

We've just published a technical description on this rootkit, with details on how to distinguish hidden items belonging to the DRM system from potentially harmful malware.

Blacklight in action

So: if you've recently used CD releases from Sony BMG that state that they are content protected on your Windows computer, the "Scan for Rootkits" function in our product will detect this program on your system. The same happens with our free BlackLight beta that you can download from our web site.

If you find this rootkit on your system, we recommend you don't remove it with our products. As this DRM system is implemented as a filter driver for the CD drive, just blindly removing it might result in an inaccessible CD drive letter. Instead, we recommend you contact Sony BMG directly via this web form and ask for directions on how to remove the software from your system. We've test driven this and they will provide you with tools to do this. However, they will install additional ActiveX components on your system while they are doing this, so be advised.
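As an added example (not the lab's code and not how BlackLight is implemented), the cross-view idea behind detecting this kind of cloaking, and the "distinguish DRM from malware" step the technical description above refers to: compare the directory listing seen through the hooked API with the raw on-disk listing, and anything missing from the former is being hidden; then sort the hidden names into known DRM components, known malware, and items that need a closer look. The $sys$ prefix and the file names (aries.sys, $sys$drv.exe, $sys$xp.exe) come from the posts on this page; the simulated hook, the directory contents and the assumption that the driver may show up with the prefix in front of its name are this example's own.

```python
CLOAK_PREFIX = "$sys$"  # the XCP driver hides names beginning with this (see the Nov 2 post)

# Assumptions for the classifier, taken from the posts above: aries.sys is the DRM cloaking
# driver (matched with or without the prefix), and $sys$drv.exe / $sys$xp.exe are the file
# names used by Breplibot.B and Breplibot.C.
KNOWN_DRM = {"aries.sys"}
KNOWN_MALWARE = {"$sys$drv.exe", "$sys$xp.exe"}

# Constructed directory contents for the demonstration, not a real capture.
RAW_LISTING = ["notepad.exe", "$sys$aries.sys", "$sys$drv.exe", "$sys$unknown.dll", "kernel32.dll"]


def cloaked_view(raw_listing):
    """Simulated hooked API listing: the cloak filters out every name starting with $sys$."""
    return [n for n in raw_listing if not n.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(api_listing, raw_listing):
    """Names present in the raw (on-disk) view but absent from the API view are being hidden.
    The raw view stands in for reading the file system structures directly, bypassing hooks."""
    visible = set(api_listing)
    return sorted(n for n in raw_listing if n not in visible)


def classify_hidden(name):
    """Sort one hidden name into DRM, known malware, or unknown (investigate before removing)."""
    base = name.lower()
    if base in KNOWN_MALWARE:
        return "known malware"
    stripped = base[len(CLOAK_PREFIX):] if base.startswith(CLOAK_PREFIX) else base
    if stripped in KNOWN_DRM:
        return "sony drm component"
    return "unknown hidden item"


def scan(raw_listing):
    """Full pass: diff the two views, then label every hidden entry."""
    hidden = cross_view_diff(cloaked_view(raw_listing), raw_listing)
    return {n: classify_hidden(n) for n in hidden}


if __name__ == "__main__":
    for name, verdict in scan(RAW_LISTING).items():
        print(f"{name:20s} {verdict}")
```

The split matters for the advice in the post: the DRM entry is a CD filter driver and should go through the vendor's removal path rather than being deleted, the known bot names are straightforward malware detections, and an unknown hidden name is exactly the case the "$sys$" cloak was feared to enable, so it gets flagged rather than silently grouped with the DRM.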