NEWS FROM THE LAB - Friday, November 11, 2005

Breplibot Stinx Posted by Mika @ 12:12 GMT

There are variants of Breplibot (aka Stinx aka Ryknos) trying to hide under the cloaking provided by the Sony DRM software. However, none of the variants we have analyzed so far install successfully on a machine that has an unpatched Sony DRM running.

To elaborate, here are the different scenarios when Breplibot.B, Breplibot.C, or Breplibot.D is run on a host (using Administrative rights):

1) A clean system: The bot is activated and compromises the system. However, the bot ($sys$XXX.exe) is visible as a file and as a process, and thus is easily detected by any up-to-date anti-virus software.

2) Sony DRM is hiding on the system: The bot will completely fail to install.

3) Sony DRM has been installed, but the anti-cloaking patch has been applied: Same result as in 1).

4) Bot is already active on the system when the user installs Sony DRM and its hiding component (rootkit): The bot keeps on running and it is cloaked by the Sony DRM.

Above: F-Secure BlackLight beta detecting files hidden by the rootkit in scenario 4. "$sys$drv.exe" is the hidden bot process. Note that F-Secure IS2006 suite already has an integrated BlackLight engine that detects files and processes hidden by rootkits.
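To show what a cross-view rootkit check like the one BlackLight runs in scenario 4 actually compares, here is an added toy example; it is not code from the post or from F-Secure. The Sony cloak is simulated as a filter that drops every name beginning with "$sys$" from the API-level listing, the file and process names other than "$sys$drv.exe" are constructed, and the case-insensitive matching is an assumption of the simulation.

```python
# Added example, not F-Secure code: a simulated cross-view check.
# The Sony DRM rootkit hid files and processes whose names start with
# "$sys$"; here that cloak is simulated by filtering the raw listing.
# A hidden entry is one present in the raw (unfiltered) enumeration but
# absent from the API-level view, which is what a cross-view scanner flags.

CLOAK_PREFIX = "$sys$"


def cloaked_view(raw_entries):
    """Simulate what a hooked enumeration API returns while the cloak is active.
    Matching is treated as case-insensitive (an assumption of this simulation)."""
    return [name for name in raw_entries if not name.lower().startswith(CLOAK_PREFIX)]


def cross_view_diff(raw_entries, api_entries):
    """Return raw entries that the API view does not show, in sorted order.
    Windows file names are case-insensitive, so compare lower-cased names
    but report the raw spelling so a user can act on it."""
    visible = {name.lower() for name in api_entries}
    return sorted(name for name in raw_entries if name.lower() not in visible)


def scenario4_report(raw_files, raw_processes, cloak_active=True):
    """Scenario 4 from the post: the bot is already running when the DRM's
    hiding component is installed. With cloak_active=False this models
    scenario 3 (anti-cloaking patch applied): nothing is hidden any more."""
    api_files = cloaked_view(raw_files) if cloak_active else list(raw_files)
    api_procs = cloaked_view(raw_processes) if cloak_active else list(raw_processes)
    return {
        "hidden_files": cross_view_diff(raw_files, api_files),
        "hidden_processes": cross_view_diff(raw_processes, api_procs),
    }


# Constructed sample data: the bot dropped as $sys$drv.exe (the name quoted
# in the post) next to ordinary files; "$sys$sample.dat" is a made-up name.
SAMPLE_FILES = ["notepad.exe", "$sys$drv.exe", "$sys$sample.dat", "kernel32.dll"]
SAMPLE_PROCESSES = ["explorer.exe", "$sys$drv.exe", "svchost.exe"]

if __name__ == "__main__":
    print("cloak active:  ", scenario4_report(SAMPLE_FILES, SAMPLE_PROCESSES, True))
    print("cloak removed: ", scenario4_report(SAMPLE_FILES, SAMPLE_PROCESSES, False))
```

Against a real hooked API, `cloaked_view` would be replaced by the system's own enumeration call and the raw listing by a lower-level walk of the volume or the kernel's process list; the diff logic is unchanged.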

So, at the moment the malware is not really successful in exploiting the presence of the Sony DRM. Obviously this situation might change very soon.

The Sony DRM case has gained a lot of attention. However, keep in mind that there are numerous different rootkits out there. Rootkit hiding techniques are becoming more and more popular among malware authors. Lately we have seen an especially large increase in BlackLight feedback reports of the Apropos rootkit spyware. Also, numerous bot variants are still dropping rootkits onto systems to hide themselves.