Alerts
Sony Uninstaller Exploits
Date: 11.16.2005
Threat Type: Malicious Website
Websense® Security Labs™ has received reports of websites that are using the Sony DRM uninstaller as a means to perform malicious actions on end user machines.
Security researchers discovered that the recently released Sony DRM uninstaller included a COM object that it dropped on the machine in order to uninstall the highly publicized rootkit that gets installed as part of some Sony Music DRM software. The COM objects are not removed after installation and leave the machine open to malicious websites using them as an attack vector.
Websense Security Labs added detection mechanisms to its data classification and internet mining techniques soon after discovery of the possible vulnerability was reported. Although we have not seen many sites to date, the potential for sites using this to exploit end users is high.
The included site example infects users when they visit the website. Any user who has downloaded and run the Sony uninstaller program is susceptible to this attack. In the example below, users' machines are restarted upon accessing the site. However, more nefarious actions are possible.
The site is hosted in the United States.
Website Screenshot:






