Two days ago we blogged about a report that Sony installs a rootkit with the purpose of protecting its digital property from piracy.
A concern was raised at the time that this rootkit could be used by malware to hide itself from the system. That concern has just been confirmed to be a real threat…
According to the analysis made by a Sysinternals researcher, the concern lies in the device driver “aries.sys”, which was confirmed to patch several functions via the system call table; its cloaking code hides any file, directory, Registry key or process whose name begins with “$sys$”, even if it is not part of the Sony software.
A malware author can now simply drop the file aries.sys, load it on the system and prefix the malware’s filename with “$sys$”, and presto: instant rootkit malware.
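The cloaking rule described above is simple enough to check for from the defender's side. The following Python script is an added example, not code from the original post or from the Sysinternals analysis: it flags names in an inventory that match the “$sys$” prefix, and it probes a directory by creating a “$sys$”-prefixed file and checking whether an ordinary directory listing still shows it. The function and variable names are my own, the sample inventory is constructed, and the probe assumes (as the referenced analysis describes for this driver) that the cloaking filters directory enumeration while the file can still be created and deleted by name.

```python
import os
import tempfile

# Prefix the aries.sys cloaking code matches on, as described in the post.
CLOAK_PREFIX = "$sys$"


def is_cloaked_name(name: str) -> bool:
    """True if a file, directory, Registry key or process name would be hidden
    by the "$sys$" cloaking rule."""
    return name.startswith(CLOAK_PREFIX)


def find_cloaked_names(names):
    """Return the names from an inventory that match the cloaking rule.

    The inventory must come from a source the driver does not filter, for
    example a listing taken from a clean boot environment; a listing taken on
    the running system would already have these names removed."""
    return [n for n in names if is_cloaked_name(n)]


def probe_cloaking(directory: str) -> bool:
    """Create a probe file named with the "$sys$" prefix and check whether a
    normal directory listing still shows it.

    Returns True when the file is missing from the listing, i.e. a "$sys$"
    cloaking driver appears to be active. The probe file is always removed.
    Assumption (hypothetical here): create/delete by name still work while
    enumeration is filtered."""
    probe_name = CLOAK_PREFIX + "probe.tmp"  # constructed probe file name
    probe_path = os.path.join(directory, probe_name)
    with open(probe_path, "w") as fh:
        fh.write("cloaking probe\n")
    try:
        hidden = probe_name not in os.listdir(directory)
    finally:
        os.remove(probe_path)
    return hidden


def probe_in_temp_dir() -> bool:
    """Run the probe in a fresh temporary directory and return its verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        return probe_cloaking(tmp)


if __name__ == "__main__":
    # Constructed sample inventory, not real observed data.
    sample = ["svchost.exe", "$sys$drv.exe", "explorer.exe", "$sys$aries"]
    print("names matching the cloaking rule:", find_cloaked_names(sample))
    print("cloaking active on this system:", probe_in_temp_dir())
```

On a machine without the driver the probe file stays visible and `probe_in_temp_dir()` returns False; a True result means something is filtering “$sys$”-prefixed names from directory listings and warrants a closer look at loaded drivers.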
Also, we just received a report that this is now being used by World of Warcraft hackers to hide their cheat programs from Warden (a controversial anti-cheating program from Blizzard Entertainment).