Dusting for fingerprints
Written by Rock, former SS:2845 dev and StarSiege guru.
I had gone as far as I could go with my typical bag of detective tricks. I needed new tools, different tools, BIGGER GUNS! I took the next few days to study and research anything and everything about detecting and eradicating trojans. If I screwed this up, my machine was going to be out for the count.
I stumbled on an alternate process viewer (like Task Manager) that not only displayed the processes, but also assessed the likelihood of each one being malware. The tool is shareware, and it's called "Security Task Manager."
I ran the tool, and right up there at the very top of the threat list, ranked as 100% likelihood of malware, was 6topdsvc.exe! But wait! How come Task Manager didn't show it? So I pulled up Task Manager and sure enough, it was NOT THERE! Mental note... Don't Trust Task Manager. I also tried a very popular and similar tool called "Process Explorer." It didn't show 6topdsvc.exe either. Drat! I really liked Process Explorer, but not if it can't show ALL the friggen processes!
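Both Task Manager and Process Explorer sit on the same process-enumeration API, so a rootkit that filters that one view hides from both at once. The standard counter is a cross-view diff: enumerate processes by two independent routes and look at what one route sees and the other does not. The script below is an added example written for this page; it is not code from the original article nor from Security Task Manager, Process Explorer or any other tool named here. Its "listed" view is the ordinary enumeration (EnumProcesses on Windows, a readdir of /proc on Linux, the Linux path being a generalization beyond the Windows box in the story) and its "probed" view brute-forces every PID by trying to open it. The 1<<20 ceiling on Windows PIDs is an assumption chosen to bound the scan, not a documented limit.

```python
"""Cross-view check for processes hidden from the standard process list.

Added example, not code from the original article or from any tool it names.
"listed" = the enumeration Task Manager-style tools rely on.
"probed"  = brute-force existence check of every PID via the kernel.
PIDs that answer the probe but never appear in the listing are candidates
for a process that something is hiding.
"""
import os
import sys
import ctypes

IS_WINDOWS = sys.platform == "win32"


def listed_pids():
    """High-level view: EnumProcesses on Windows, readdir of /proc on Linux."""
    if IS_WINDOWS:
        psapi = ctypes.WinDLL("psapi", use_last_error=True)
        buf = (ctypes.c_ulong * 8192)()
        returned = ctypes.c_ulong(0)
        if not psapi.EnumProcesses(buf, ctypes.sizeof(buf), ctypes.byref(returned)):
            raise OSError(ctypes.get_last_error(), "EnumProcesses failed")
        return {buf[i] for i in range(returned.value // ctypes.sizeof(ctypes.c_ulong))}
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pid(pid):
    """Low-level view: does the kernel know this PID, whatever the listing says?"""
    if IS_WINDOWS:
        PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
        ERROR_ACCESS_DENIED = 5
        k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        k32.OpenProcess.restype = ctypes.c_void_p
        k32.OpenProcess.argtypes = (ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong)
        handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(ctypes.c_void_p(handle))
            return True
        # Access denied still proves the PID exists (protected/system process);
        # an unused PID fails with ERROR_INVALID_PARAMETER instead.
        return ctypes.get_last_error() == ERROR_ACCESS_DENIED
    try:
        os.kill(pid, 0)            # signal 0: existence check, nothing delivered
        return True
    except PermissionError:        # exists, but belongs to another user
        return True
    except ProcessLookupError:
        return False


def is_thread_id(pid):
    """Linux edge case: kill(tid, 0) succeeds for a thread ID, yet only thread
    group leaders are listed in /proc.  The Tgid field tells them apart."""
    if IS_WINDOWS:
        return False               # OpenProcess rejects thread IDs outright
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass                       # no status entry at all: cannot explain it away
    return False


def find_hidden(max_pid=None):
    """PIDs the probe finds that neither listing snapshot shows."""
    if max_pid is None:
        if IS_WINDOWS:
            max_pid = 1 << 20      # assumed ceiling for the scan, not an OS limit
        else:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
    step = 4 if IS_WINDOWS else 1  # Windows PIDs are always multiples of 4
    before = listed_pids()
    probed = {pid for pid in range(step, max_pid + 1, step) if probe_pid(pid)}
    after = listed_pids()          # second snapshot absorbs normal process churn
    return {pid for pid in probed - (before | after) if not is_thread_id(pid)}


def thread_false_positive():
    """Show the Linux edge case on a worker thread of this very process:
    returns (probe answers?, listed?, explained as a thread?)."""
    import threading
    ready, release, tid = threading.Event(), threading.Event(), []

    def worker():
        tid.append(threading.get_native_id())
        ready.set()
        release.wait()

    t = threading.Thread(target=worker)
    t.start()
    ready.wait()
    result = (probe_pid(tid[0]), tid[0] in listed_pids(), is_thread_id(tid[0]))
    release.set()
    t.join()
    return result


if __name__ == "__main__":
    hidden = find_hidden()
    print("candidates hidden from the process list:", sorted(hidden) or "none")
```

Run it as the user whose view you want to audit; anything it prints deserves a second look with a tool that reads kernel structures directly rather than asking the same API again. Two caveats: a rootkit hooked below both routes (in the kernel's own PID lookup) fools this check as well as the listing, and a /proc mounted with hidepid, or on Windows an exited process whose object is still held open by a handle, can surface candidates that are not rootkits at all.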
Now, here's the rub. If not for a stupid little bug in Security Task Manager (STM), I would've never been able to make the next leap. With STM, you can refresh the view with F5 whenever you want. But sometimes, it starts displaying phantom processes. I am certain that the processes weren't really there, but I think the bug caused the tool to read other data out of the processes that WERE there, and display it as more processes. I know this is the case because I couldn't manipulate the phantoms in any way, they did not change in any way, and the only way to get a correct view was to restart the tool.
One of the phantom processes/data that it displayed was Sony SecROM. So I Googled for it and found that SecROM is a CD copy protection and/or encryption technology used by some games. But WAIT! A friend of mine mentioned, just the other day, that Sony was in major hot water for its Digital Rights Management (DRM) technology that they put on their music CDs. Hmmmmm, maybe there's a connection.
A day or two of research revealed this little gem, only days old, about Sony's DRM:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
You see, the problem is not that Sony's DRM puts a trojan on your PC, because it does not, although what it does is just as bad, and you should read that article and heed its warning. No, the problem is not Sony and their DRM.
The problem is that some yahoo has taken the technology and made the SPYWARE FROM HELL with it. This devil is CWS on steroids, and it looked like I had it in a bad way. Thanks to Sony's Digital Rights Management (DRM) copyright protection scheme, there now exists a new breed of malware!
"...And there before me was a pale horse! Its rider was named Death, and Hades was following close behind him."
That article put me onto another cool tool, called RootkitRevealer.
Read on for part 5: "Pay no attention to that man behind the curtain!"