Panda: TruPrevent, Trojans, and Sony's anti-piracy system

- Panda Software's TruPreventTM Technologies
prevent any new threat from exploiting Sony's anti-piracy system -
Virus Alerts, by Panda Software (http://www.pandasoftware.com) ​

Madrid, November 11 2005 - The polemic anti-piracy system that Sony has incorporated on several music CDs is being used by malicious code to carry out attacks. PandaLabs has detected the appearance of Ryknos.A and Ryknos.B, two new Trojans that exploit this system to avoid being detected on the computers they infect. TruPreventTM Technologies -more specifically, the Genetic Heuristic Engine- have proactively neutralized both of these Trojans and therefore, users have been protection from these threats from the moment they emerged. What's more, TruPreventTM Technologies prevent any new threat from exploiting this anti-copy system to hide on computers.

"Whenever a new security risk is uncovered, it doesn't take long for malware writers to start spreading their creations," says Luis Corrons, director of PandaLabs. "The short time it has taken for this problem to be exploited suggests that it is highly probable that many more specimens that try to use this anti-piracy system through conventional music CDs will appear. For this reason, it is important to have proactive technologies, like TruPreventTM, which can block threats by studying their behavior and not because they have previously been identified. This avoids the risk of infection during the time it takes for security companies to prepare the vaccine."

Sony's anti-piracy system is installed on computers when a protected music CD is run and hides any file whose name starts with the characters $SYS$. By doing this, it can control the number of copies made of the CD, without the user realizing. It is precisely this cloaking feature that the Ryknos Trojans exploit. When a user runs a file containing one of these malicious code, it will copy itself to the computer under the following names $sys$drv.exe (Ryknos.A) or $sys$xp.exe (Ryknos.B). This makes these Trojans difficult to locate and eliminate.

When installed on computers, these Trojans connect to port 8080 of certain IP addresses, allowing them to receive and run commands from a remote attacker. These commands could include downloading and executing files and deleting certain files.

However, due to a programming error, Ryknos.A cannot execute when the computer starts up. Ryknos.B on the other hand, is fully functional.

For further information about these and other computer threats, visit Panda Software's Encyclopedia: http://www.pandasoftware.com/virus_info/encyclopedia/