FYI:

First Trojan using Sony DRM spotted
http://www.theregister.co.uk/2005/11/10/sony_drm_trojan/


________________________________________________
Stephen Bogdanski           Network Support, MSU-CVM           
Michigan State University  [log in to unmask]    
A227 VetMed Center         Phone:          (517) 353-5551       
East Lansing, MI 48824     Fax:              (517) 432-2937           
                                                

>>> Steve Bogdanski <[log in to unmask]> 11/09/05 10:38AM >>>
Another reported issue is with the patch that Sony will give you for this issue (once you jump through numerous hoops with them).  What it effectively does is stop the service that is running which hides files with "$sys$" as the extension.  Instead of having the user reboot to disable the service, the patch issues a "net stop" command.  Because of the way this app/drm/rootkit/whatever hooks into the system, stopping it while Windows is running can lead to a BSOD and system crash.  Here is a good set of articles on the issue:

Sony, Rootkits and Digital Rights Management Gone Too Far
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html 

More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home
http://www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html 

Sony's Rootkit: First 4 Internet Responds
http://www.sysinternals.com/blog/2005/11/sonys-rootkit-first-4-internet.html 


________________________________________________
Stephen Bogdanski           Network Support, MSU-CVM           
Michigan State University  [log in to unmask]    
A227 VetMed Center         Phone:          (517) 353-5551       
East Lansing, MI 48824     Fax:              (517) 432-2937           
                                                

>>> Jeff Domeyer <[log in to unmask]> 11/09/05 10:24AM >>>
I wouldn't go so far as to call it a rootkit (at the moment). It just
has functionality that many rootkits employ. To my knowledge, it
doesn't actually give administrative rights to a user, it only allows
for files/folders to be hidden from the normal mechanisms people use to
view them, plus a nifty call home feature which hasn't been fully probed
yet.

This doesn't mean in the future that someone couldn't find a way to
misuse this functionality, and I'm not saying that this is a "good"
thing, I'm just pointing out that it is incorrectly labeled as a rootkit
(at the moment).

What people should actually be worried about is the possibility of this
program to break currently existing software. It will currently hose a
Windows Vista system, and should throw off alarms from antivirus
software that detects rootkits. Since the software hasn't been fully
tested on machines in the real world, there is not a full understanding
of what it could break.

-Jeff


> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On
> Behalf Of John Resotko
> Sent: Wednesday, November 09, 2005 9:54 AM
> To: [log in to unmask] 
> Subject: [MSUNAG] Fwd: Security Watch: Sony CDs Make Your PC Play the
> Blues
> 
> This was news on a lot of the online tech sites for the last week or so,
> but in case anyone didn't see it, there's a link to one of the articles
> about the Sony DRM software which installs a rootkit on Windows XP machines.
> At least one article I've read indicates that there is an effort to see if
> Sony violated the Computer Fraud and Abuse Act with this software...
> Since most people don't read the fine print of end user license
> agreements, I don't expect it to get very far.  FYI, especially if you
> have users in your environment who frequently bring music CDs from home to
> play on their office PCs and laptops.
> 
> 
> 
> John A. Resotko
> Head of Systems Administration
> Michigan State University College of Law
> 208 Law College Building
> East Lansing, MI  48824-1300
> email: [log in to unmask] 
> Phone: 517-432-6836
> Fax: 517-432-6861
> 
> Current Chairperson of the
> MSU Network Communications Committee