Malware Exploiting Sony’s Rootkit DRM

Sony BMG’s rootkit DRM technology hides any file whose name starts with “$sys$” (the same cloaking it uses for its own components). Security experts had warned that malware would sooner or later exploit this well-known behaviour.

Their worries just came true.

A newly discovered variant of Breplibot drops the file “$sys$drv.exe” in the Windows system directory. On a system where the Sony rootkit is active, that file is therefore invisible to the user: it will not show up in normal file or process listings, because the rootkit filters every name carrying the prefix, not only its own. The malware needs no hiding code of its own; it simply borrows the prefix. Only a rootkit scanner that compares the API view of the system with a lower-level view, such as the free utility RootkitRevealer, can unmask the culprit.
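An added example (not from the original post, and not Trend Micro’s own tooling): a small Python sweep that applies the two indicators this post gives, the “$sys$” name prefix and the attachment MD5s quoted in the updates at the end, to a directory tree. The sample tree it builds is constructed for the demo and contains placeholder bytes, not malware. The caveat matters: on a live host with the Sony driver loaded, the directory-listing API that `os.walk` relies on is itself filtered, so a sweep like this must run from a clean boot or against an offline copy of the volume, which is exactly why the post points to a cross-view rootkit scanner.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators from the post. The Sony rootkit cloaks any name beginning with
# "$sys$"; Breplibot drops "$sys$drv.exe" to ride on that. The two MD5s are
# the ones quoted in the updates at the end of the post.
CLOAK_PREFIX = "$sys$"
KNOWN_MD5 = {
    "ebe94809b68675feddfe2a2fa889f243": "BKDR_REPLIBOT.C",
    "fdd2846919364301b7483c039a6a1ccd": "Breplibot (second sample, per update)",
}


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries do not hit memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, known_md5=KNOWN_MD5):
    """Walk `root` and return a list of (path, reason) findings.

    Caveat: os.walk goes through the normal directory-listing API. With the
    Sony driver loaded, that API already filters "$sys$" names, so the cloaked
    file never reaches this loop. Run this from a clean boot environment or
    against an offline copy of the volume; on a live infected host a cross-view
    tool such as RootkitRevealer is the right instrument instead.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Name-based indicator: Windows names are case-insensitive, so compare
        # in lower case. Directories get the same treatment as files.
        for name in dirnames + filenames:
            if name.lower().startswith(CLOAK_PREFIX):
                findings.append((os.path.join(dirpath, name), "cloaked-name-prefix"))
        # Hash-based indicator: catches a renamed copy of a known sample.
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if digest in known_md5:
                findings.append((path, "known-md5:" + known_md5[digest]))
    return findings


def build_constructed_tree():
    """Create a throwaway tree that mimics the drop. Constructed data, not malware."""
    root = tempfile.mkdtemp(prefix="replibot_demo_")
    sysdir = Path(root, "system32")
    sysdir.mkdir()
    dropped = sysdir / "$sys$drv.exe"
    dropped.write_bytes(b"MZ placeholder bytes, constructed for the demo")
    benign = Path(root, "readme.txt")
    benign.write_bytes(b"nothing suspicious here")
    return root, str(dropped), str(benign)


def demo():
    """Build the constructed tree and sweep it; returns the findings."""
    root, _, _ = build_constructed_tree()
    return sweep(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(reason, path)
```

The hash list is only as good as the samples you have seen, so the prefix check is the more durable of the two indicators here: any malware that adopts the “$sys$” trick is caught by name, whatever its hash.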

Aside from piggybacking on the Sony rootkit, this new malware targets a specific audience: business people. It arrives as an email attachment; the message pretends to come from a reputable business magazine and asks the recipient to verify his or her “picture” for use in the December issue. The supposed picture is, of course, the attached malware.

Here are sample emails:

This sample is detected as BKDR_REPLIBOT.C.


Update (Zobel, 10 November 2005 19:29:55)

Apparently, the BREPLIBOT family of backdoor trojans has recently been spammed in attempts at targeted attacks. We have reported previously on spammed email messages targeting student bodies and academia. Now the attacks are directed at the business sector.

As usual, as a precautionary measure, scrutinize every email you receive, especially those that have attachments. Do not be carried away by whatever the email body is saying, no matter how good or flattering it may seem. And of course, keep that antivirus software (ahem… ahem, from Trend I assume) always updated.


Update (JJ, 10 November 2005 23:49:08)

We have just received a new copy of this malware. The email details are almost the same, but the attachment has a different MD5 and drops different files. We’ll be posting an equivalent advisory page on this in a while. Here’s a screenshot of the new copy:

BKDR_REPLIBOT.C’s MD5 = ebe94809b68675feddfe2a2fa889f243
New sample’s MD5 = fdd2846919364301b7483c039a6a1ccd