The polemic anti-piracy system
that Sony has incorporated on several music CDs is being used by malicious
code to carry out attacks. PandaLabs has detected the appearance of Ryknos.A
and Ryknos.B, two new Trojans that exploit this system to avoid being detected
on the computers they infect. TruPrevent Technologies — more
specifically, the Genetic Heuristic Engine — have proactively neutralized
both of these Trojans and, therefore, users have been protected from these
threats. Additionally, TruPrevent Technologies prevent any new threat
from exploiting this anti-copy system to hide on computers.
“Whenever a new security risk is uncovered, it doesn’t take long for
malware writers to start spreading their creations,” says Luis Corrons,
director of PandaLabs. “The short time it has taken for this problem to be
exploited suggests that it is highly probable that many more specimens that
try to use this anti-piracy system through conventional music CDs will appear.
For this reason, it is important to have proactive technologies, like
TruPrevent, which can block threats by studying their behavior and not
because they have previously been identified. This avoids the risk of
infection during the time it takes for security companies to prepare the
vaccine.”
Sony’s anti-piracy system is installed on computers when a protected music
CD is run and hides any file whose name starts with the characters $SYS$.
Under this methodology, it can control the number of copies made of the CD,
without user knowledge. It is precisely this cloaking feature that the Ryknos
Trojans exploit. When a user runs a file containing one of these malicious
codes, it will copy itself to the computer under the following names
$sys$drv.exe (Ryknos.A) or $sys$xp.exe (Ryknos.B). This makes these Trojans
difficult to locate and eliminate.
When installed on computers, these Trojans connect to port 8080 of certain
IP addresses, allowing them to receive and run commands from a remote
attacker. These commands could include downloading and executing files and
deleting certain files.
However, due to a programming error, Ryknos.A cannot execute when the
computer starts up. Ryknos.B, however, is fully functional.
Panda Software has made the updates to detect and eliminate the Ryknos
Trojans available to all its users. To help as many users as possible scan
and disinfect their systems, Panda Software offers its free, online
anti-malware solution, Panda ActiveScan, which now also detects spyware, at
http://www.pandasoftware.com/home/default.asp. Webmasters who would like to
include ActiveScan on their websites can get the HTML code, free from
http://www.pandasoftware.com/partners/webmasters.
