Saturday, November 12, 2005

Music CDs Distributed by Sony May Contain Malware

AT-RISK SYSTEMS:
PRIORITY: CRITICAL


UPDATE: Sony Recalls CDs Containing XCP Rootkit [FoxNews.com]

On Thursday, a Trojan that takes advantage of the Sony rootkit started appearing. A variation of the Breplibot Trojan installs the file $sys$drv.exe. The Sony rootkit hides files whose system filename begins with $sys$. Sony says it has distributed information to anti-virus companies that will allow their products to attack malicious programs using Sony's cloaking technology.

A lot has happened in the past week, so let me start by bringing everyone up to speed. Last week, a security expert discovered that copy-protection software on some Sony CDs installed a rootkit on Windows computers. A rootkit is a particularly destructive form of malware capable of cloaking itself and its actions.

Rootkits burrow deep into Windows. They hide by intercepting calls between the operating system and programs and filtering their own file names out of the results, so a directory listing never shows them. Rootkits can also tell Windows to hide other files and programs. So they're difficult to detect. Users who tried to remove the rootkit manually encountered a nasty surprise: it rendered their CD drives inoperable, and they had to reformat and reinstall Windows to fix the problem.
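The two paragraphs above describe the cloaking mechanism (every name beginning with $sys$ is dropped from directory enumeration) and the way anti-virus vendors turned it around (look for $sys$-prefixed names, such as the Breplibot file $sys$drv.exe). The following Python is an added example, not code from this post, from Sony or from First 4 Internet; it models the filtered enumeration and shows the cross-view check a defender uses against it: compare the listing the (hooked) API returns with an independent, uncloaked listing and report whatever is missing. The listing, the file name $sys$example.dat and the assumption that the prefix match is case-insensitive are all constructed for the example.

```python
"""Cross-view detection of prefix-based file cloaking (added example)."""
import os

# The magic prefix the post describes; matching is assumed case-insensitive
# here because Windows file names are.
CLOAK_PREFIX = "$sys$"


def is_cloak_prefixed(name: str) -> bool:
    """True if a file name would be hidden by the prefix-based cloak."""
    return name.lower().startswith(CLOAK_PREFIX)


def cloaked_view(true_listing):
    """Model of the hooked directory enumeration.

    This is a model of the behaviour the post describes, not the rootkit's
    own code: the true listing is returned with every prefixed name removed.
    """
    return [name for name in true_listing if not is_cloak_prefixed(name)]


def cross_view_diff(api_view, raw_view):
    """Names present in the uncloaked (raw) view but absent from the API view.

    Any such entry is evidence that something is filtering enumeration
    results, whatever the prefix happens to be.
    """
    return sorted(set(raw_view) - set(api_view))


def prefix_scan(listing):
    """Signature-style check: flag every $sys$-prefixed name in a listing.

    This only works on a listing that is not itself cloaked, e.g. one taken
    from a clean boot or an offline image of the disk.
    """
    return sorted(name for name in listing if is_cloak_prefixed(name))


def scan_tree(root):
    """Walk a real directory tree and return $sys$-prefixed paths.

    On a machine where the hook is active this walk is itself cloaked, so
    run it against an offline copy of the disk or from a clean boot.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_cloak_prefixed(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed sample listing: $sys$drv.exe is the Breplibot file the post
# names; $sys$example.dat and the other entries are made up for the example.
RAW_LISTING = ["notepad.exe", "$sys$drv.exe", "readme.txt", "$SYS$example.dat"]


if __name__ == "__main__":
    api = cloaked_view(RAW_LISTING)
    print("API view  :", api)
    print("Raw view  :", RAW_LISTING)
    print("Cloaked   :", cross_view_diff(api, RAW_LISTING))
    print("Prefix hit:", prefix_scan(RAW_LISTING))
```

The cross-view difference catches the hiding regardless of which prefix a given rootkit uses, while the prefix scan is the cheap signature that only finds this particular cloak; both depend on getting one listing the hook cannot touch.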

Sony subsequently issued a patch it claims will uninstall the rootkit. Unfortunately, many people have encountered problems with the patch: it has caused data loss and crashed computers. Further, others have complained that it is difficult to get the patch. The company also said it would temporarily stop making discs with the rootkit.

Nonetheless, there is still a very real threat. If the rootkit is installed on a computer, hackers may be able to use it to do anything. They know how to exploit it.

Sony uses two different copy-protection programs on its CDs. Only one installs the rootkit, and it is included on about 20 titles. The Electronic Frontier Foundation has a list of the CDs on its site.

But don't take chances. Until we know more, I wouldn't play Sony-produced CDs on my computer. The risk is just too great. If your computer is infected, you can download a tool to disable the rootkit. It is available from Sony and from First 4 Internet, the company that developed the software.