Sony CDs continue to cause controversy as an unrelated
threat emerges, and black hats are ramping up for the holidays with a new
instant messaging worm designed to trick more security-conscious users.


It turns out that the rootkit disaster perpetrated by Sony
in an effort to prevent users from actually playing the music on the CDs they
purchased wasn’t the only threat posed by CDs from Sony. Just when you thought
it was safe to play holiday carols over the office network, a new malware threat has surfaced on even
more Sony CDs.

The latest threat—caused this time by SunnComm Technologies’ anti-copying
software—is unrelated to the Sony BMG digital rights management malware,
hidden by the company on millions of CDs released in early 2005 and reported
by Mark Russinovich in November. But after someone wrote and distributed a
worm to take advantage of the First 4 Internet malware discovered in nearly
5 million Sony BMG CDs, the Electronic Frontier Foundation decided to
investigate other Sony CDs.

This is a serious threat—it can allow an attacker to gain
complete control of a PC that merely played the CD. The new threat apparently
only applies to CDs sold in the United States and Canada; Sony has posted a
list of titles infected by the SunnComm MediaMax software threat.

While Sony has also posted a patch, I’d be a
bit cautious about applying the fix right away. The first patch Sony released
turned out to have a bug of its own, according to a Princeton computer
science professor’s blog. According to the blog post, an interesting aspect
of this malware is that it installs “even if you decline the MediaMax
license agreement.”

Sony has purportedly fixed the patch,
but at this point, my advice would be to just say no to playing any Sony CDs in
your computer—stick to playing them in your vehicle’s sound system!

In other news, that old adage, “A fool and his money
are soon parted,” has always applied to people who click links in e-mails
and instant messages from strangers, but even these users are slowly catching
on to the threats. Never ones to rest on their laurels, black hats have been
quick to adapt.

A new IM worm actually sports some built-in responses. Those responses can
lull even somewhat cautious individuals into following a tempting link, thereby
downloading a tool that disables security software and plants a backdoor on the

Now, I have nothing against IM. (OK, actually I do—I think
it’s stupid to permit IM in most business situations.) However, it can be
useful if you’re smart about how you manage it.

For example, I have, on occasion, used IM when working with
some of my TechRepublic editors, but I’ve never published my address elsewhere,
and I’ve never had more than two addresses in my approved contact list.
Remember: The major threat from IM isn’t the software but how people use it.

Finally, just as Hurricane Katrina spawned a flood of
malware-loaded e-mails and instant messages, the season for malicious greeting
cards is now upon us. Warn your users about this impending threat, but be
prepared for a flood of infections just in case.

Final word

I’ve never understood why most companies refuse to place the
proper blame when an employee brings down the corporate network because he or
she just had to see a video of a naked teenage actress and clicked a highly
suspicious link. When will organizations learn that their network is vital and
that the only way to stop people from crashing it—not to mention incurring
costs of billions of dollars each year from cleaning up malware—is to publish
and enforce severe penalties for such dumb moves?

No sensible management would tolerate employees leaving
alarms turned off or doors unlocked over the weekend. However, these same
companies fail to appropriately discipline employees who actively invite
malware into the network. Is it any wonder we continue to see networks brought
to their knees by stupid employee tricks?

The latest Sony debacle shows once again that you can’t be
too paranoid. A month ago, I personally would have never given a second thought
to playing a new brand-name music CD in an office computer—now I wouldn’t even
duplicate one for personal backup.

And isn’t that interesting? Could it be that Sony planned this
whole thing just to stop people from making backups of their favorite CDs by
scaring them out of even putting CDs in their PCs?

Even those users who only made backups and ignored DRM
threats will now be extremely cautious about putting any Sony CD in their PC. Could
there be something even more sinister to this story than mere incompetence?


John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.