Another Sony Rootkit?
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
What happened to Sony? Growing up, they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start? It's sad.
Is rootkit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Maybe formatting USB memories before usage would be a good move.
And using an OS that won't run anything from the newly attached memory by default would also help.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
I'd really rather not have this 'capability' when using windows, to allow software to hide files/directories on my system through these registry/filesystem techniques.
Is there anything that would break if one was to find a way to nullify this functionality in OS calls?
Ryan Fenton
How many lawsuits is it going to take before Sony gets it into their head that rootkit=bad? I, for one, am going to fight against our new malware overlords.
The game.
They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music cd fiasco, now this, no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious, if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...
It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it: DRM, (truly) hidden folders, subscription software, product activation, ..Vista?
Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."
This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.
Insert Sig Here
There was a moderate buzz about Bioshock installing a rootkit that turned out to be false.
... which I still do not think should be called 'rootkit' in these instances, as this is what MS code allows for - it is part of the system and designed to be so.
The issue here is the biometric stuff. If your CC number gets stolen, or your password gets hacked, you can simply cancel the old CC/reset your account etc.
Now, what happens when your data 'fingerprint' [retina scan, whatever] gets hacked and compromised? Get new fingers? Get new eyeballs (a la Tom Cruise!)? I think not. The sooner people learn not to buy and trust this crap the better - but thinking about it, perhaps the people that buy this crap deserve a MS-designed rootkit anyway.
You can now hide porn effectively, with little effort and money!
So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.
Fool me once, shame on you. Fool me twice, shame on me.
How fucking stupid can you people be? Stop buying Sony!
-mcgrew
I realize that this is an issue under Windows, but can this cause issues in Linux?
Also, can we see the directory and the contents and determine the reasons behind this?
The real "Libtards" are the Libertarians!
The issue here is the biometric stuff.
This is an inherent problem in biometrics: you have to trust every scanner that takes a reading not to be trapdoored.
The entire authentication process has to be performed verifiably in the scanner hardware and firmware, and the scanner itself had to be trusted - either it's your scanner or it belongs to someone you have to trust anyway.
But no reversible form of the biometric information can be transferred to potentially untrusted storage.
Since when is something x if it is x-like?
Very sim poe
loot kit This
Buy products with your loot from some other company who doesn't loot kit
I wanted a new DVD burner recently. Some good reviews on Sony but then I remembered their infectious love for customers so no Sony drive for me. Just buy someone else's product.
down around the courthouse, they have some terms for mutts who don't learn and keep on doing the same crimes.
the classy term is "recidivist."
of the others, we can probably safely post "weasel," "snake," "bastard," "crook," and "lowlife."
HDTV is around the bend, and I'm remodelling the basement soon to accommodate its new wiring requirements. Sony, the snake-in-a-box company, is not going to be a part of this undertaking.
if this is supposed to be a new economy, how come they still want my old fashioned money?
The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".
First, the article has so many grammatical errors, that it's laughable.
F-Secure is from Finland. You try writing Finnish some time.
My "Windows API" as this article calls Explorer, is already set to view hidden folders.
Turn in your geek card at the door when you leave.
This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
My 11-year-old bought one of these a couple of days ago.
It got so hot when he plugged into the USB port on his linux machine that the plastic casing literally melted. He took hold of it and yelled "Ow! it's hot!" and when I looked at it the whole case was drooping and had his thumbprint in it.
At the time, I was mildly annoyed, but now I'm going to tell him he didn't want that one anyway. We'll be returning it for cash and buy another brand at a different store.
Hi.
They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.
This is quite different than simply toggling a flag for a given directory.
Peace sells, but who's buying?
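The cross-view idea in the two comments above (a directory that patched FindFirstFile()/FindNextFile() no longer report but that can still be entered if you know its name, and rootkit hunters comparing an independent view of the directory against what the Windows FS API returns), as an added Python example that is not from the original thread or from any tool named in it. The raw NTFS parser those tools use is replaced here by a by-name probe, the filtering enumerator is a constructed stand-in for a hooked API rather than the Sony driver, and the NTFS metadata names are the ones listed further down the thread, excluded because the file system omits them from enumeration by design.

```python
import os
import tempfile
from typing import Callable, Iterable, List, Tuple

# NTFS metadata names mentioned in the thread. NTFS keeps these out of
# ordinary directory enumeration by design, so a probe that finds one is not
# evidence of a hooked FindFirstFile/FindNextFile and must not be flagged.
NTFS_METADATA_NAMES = {
    "$Extend", "$AttrDef", "$BadClus", "$Bitmap",
    "$Boot", "$LogFile", "$Secure", "$Volume",
}


def cross_view_check(
    directory: str,
    candidates: Iterable[str],
    enumerate_fn: Callable[[str], Iterable[str]] = os.listdir,
    probe_fn: Callable[[str], bool] = os.path.exists,
) -> List[str]:
    """Return candidate names that a direct by-name probe confirms exist
    but that the enumeration view omits (the cross-view discrepancy)."""
    visible = set(enumerate_fn(directory))
    cloaked = []
    for name in candidates:
        if name in visible or name in NTFS_METADATA_NAMES:
            continue
        # The thread's observation: a cloaked directory can still be
        # reached if its name is known, so probe it directly instead of
        # trusting the enumeration API.
        if probe_fn(os.path.join(directory, name)):
            cloaked.append(name)
    return sorted(cloaked)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a temp directory with one entry that a
    simulated filtering enumerator (stand-in for a hooked API) drops."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "Temp", "cloaked_dir"):
            os.mkdir(os.path.join(root, name))
        candidates = ["system32", "cloaked_dir", "does_not_exist", "$Extend"]

        def filtering_listdir(path: str) -> List[str]:
            # Simulates the hidden entry: returns everything but 'cloaked_dir'.
            return [n for n in os.listdir(path) if n != "cloaked_dir"]

        honest_view = cross_view_check(root, candidates)
        hooked_view = cross_view_check(
            root, candidates, enumerate_fn=filtering_listdir
        )
    return honest_view, hooked_view


if __name__ == "__main__":
    print(demo())  # ([], ['cloaked_dir'])
```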
This is no longer an accident with Sony. No longer a simple lapse in judgment. This is a bad, ugly, habit on their part now, likely caused by the dichotomy of trying to be a content producer and a tech company at the same time.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Consider:
Most computer users are just consumers.
Purchase decisions are digital.
All they know is legit or not legit.
One man or woman may be the technical guru for 50 people or more.
I am such a man, and my answer to the 50 is:
No! You don't want to buy that one.
Get another brand instead.
I think that I am not alone in my feelings and anger.
So, it sounds like a rootkit as described by wikipedia.
:D
Not for long! *rushes to edit wikipedia*
"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system, except when it's with Sony products"
There! Now by definition, sony's isn't a rootkit anymore!
(Legal Disclaimer: This was actually a joke, I didn't vandalize wikipedia or the like. <-- you can't never be too sure these days)
It wasn't just the availability of adult titles. What really scuppered BETA was the short length of the tapes compared to what was available with VHS.
I am NaN
Big difference between hidden due to file system settings (ie don't show 'hidden' files) and the os not being able to see there are files there in the first place.
I just had to go admit to my damn boss that I (a diligent (also been referred to as 'anal') security-minded individual), thanks to my "handy" pen-drive, have put root-kits on at LEAST 25-30 of our clients' servers, not to mention our office equipment. That was it for me, now I just have to find a replacement product for the several ux380 we were looking at for toys for the boys.
I imagine though, that an outburst of uncontrollable laughter from my boss while telling him about this is a sign of job security.
Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or the fact that I can view it from command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....
How about when the machine gets compromised, aka a file in the hidden directory gets infected, or a virus decides to nest in there. Are your virus-scanners going to find the file, or are they being prevented from doing so because this thing UPDATES A CORE FRICKING API ON YOUR MACHINE? Yes, it's a rootkit. It might not be used for malicious purposes quite so much as the Sony CDs were some time ago, but that doesn't mean it's not compromising the overall security of your system. It's an attempt at security-through-obscurity that endangers the overall system.
Besides - to put it in your terms - if somebody gets ahold of your "data fingerprint," what are they going to do? Make fake eyes? Fake fingers?
It all depends on your definition. What was described in the article satisfies many people's definition of a rootkit, no matter how the authors chose to word it.
Everybody saying it is not a rootkit needs to define rootkit.
The example you used in your earlier post about partitions on memory sticks is completely different than what is happening here (the Windows API is being modified to hide a directory on the c: drive).
How about those MemorySticks that have no competition for filling the slots in Sony equipment (including PCs) that requires them?
--
make install -not war
I patently refuse to buy Sony products. Their quality went downhill way before all of this digital shenanigans. The only thing that I have that actually still works for 16 years is a My First Sony "Electric Etch-a-Sketch" that you plug into the TV. All the other Sony junk has died within one-two years of purchasing. At least my IBM laptop didn't have a Sony battery in it.
A virus could put its files in the hidden folder, so yes, you're more vulnerable. SONY is doing the virus writer's job for them.
No sig today...
Say you are a researcher, studying stuff. Like maybe viruses (the biological kind). You come across a new virus in the wild. You describe it as flu-like, until you are able to really study it and say yes, the virus really is a strain of influenza. Your argument is that the words "flu-like" precludes it from being the flu, when in certain situations "flu-like" means it is very likely to be an influenza virus.
Then lawyers for some large corporation will argue that it's actually some previously rare form of feathered marsupial?
-1 Retard
Try ls -a (show hidden files). Much like the Windows "show hidden files" option. This is not the same as hooking into the kernel driver to make sure that the hidden folder is never shown. If the OS can't see it then it is a rootkit, or at least rootkit-like.
What's sad is that it's the same old "security hazard" that we've been hearing about for decades. The hazard is not Sony's software or any of the software's mechanisms. The hazard is that users decide to execute it. Why are people still desensitized to that, in spite of the fact that it's the cause of 99% of people's computer security problems?
If you don't have reason to trust it, then don't run it (unless you've got a damned good sandbox). And Sony already showed that they're not merely 'iffy' on trust -- they're known to be actively hostile. And people still ran it. Wow!
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.
Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.
Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.
For a moment get past the Rootkit or Registry thing.
It just plain isn't good security. If they're really counting on Registry entries to "protect" the "secure" data, there must be a thousand ways to get around that in Windows, let alone just plugging it into a Linux machine. Real security is HARD to do, and promoting something like this as "secure" when it really isn't is a disservice. I read one review a while back that indicated that *none* of these "secure USB" flash plugins were really secure.
Incidentally, I have a USB flash plugin. The data I really care about is AES-encrypted in a container file that I can loopback mount and use the kernel crypto stuff to access.
The living have better things to do than to continue hating the dead.
I guess this just proves again that some companies unfortunately still believe in "Security through obscurity". Sony, quit trying to hide junk all over my drive!
Beware of bugs in the above code; I have only proved it correct, not tried it.
A humorous story about what would happen if porn had "root kits." (SFW)
If you open yourself to the foo, You and foo become one.
I'm assuming this kit loads a driver which somehow intercepts kernel API requests (or whatever, I'm just guessing). What I'm curious about is: could this be done on Linux / Unix / OS X, or is this ability to intercept standard kernel API requests a bad design peculiar to Windows?
I was in a store looking at several different cameras, and had pretty much narrowed it down to a Sony and a Canon. I had a somewhat difficult time deciding between the two, but then I remembered the rootkit fiasco and chose accordingly. So I'm one of those folks that actually voted with their wallet. Somewhat related to your statement, so I thought I'd share it. Maybe there ought to be a list somewhere of people who have actually voted with their wallets, and have a list of receipts and such to prove it.
What's wrong with attrib +h my_secret_file?
There are legitimate ways to hide files from casual inspection. There is no need to fuck with the user's system to do so.
...laura
It's not the article that's retarded... it's you.
Hidden files do not require a driver, nor are they 100% invisible to the Windows API.
Javascript + Nintendo DSi = DSiCade
Let's see if I can get even more karma by posting this old poem I wrote on Sony last year:
Well the Devil had a brand new plan,
"I don't want any ordinary DRM!"
So he called his boys at Sony Corp,
"I'll make this fast and I'll make it short."
"There's a Limey company, as evil as hell,
They've got a rootkit they're waiting to sell.
So grab some cash, make it quick,
There's a half million networks we just gotta fix."
Now Sony knew the Devil well,
Why these guys were already half way to Hell.
So off they went to England fair,
And bought themselves a rootkit there.
To protect themselves and their evil scheme,
They wrote a EULA that would make you scream.
"No problem," they said, "we can do as we please,
We're all scummy bastards, so what's some more sleaze?"
But not all were asleep when they played Van Zant,
And the racket grew so loud Sony just had to recant.
"We'll take back all those discs, we really were wrong,
Oh, and you Mac users, your turn's coming before long."
The world's burning. Moped Jesus spotted on I50. Details at 11.
All the sales assistants in about 20 shops I visited just looked at my phone, shrugged their shoulders and said "Sony!". My Japanese is pretty poor, but I got the message.
So I guess that explains the old "SEGA!" commercials. My Japanese is pretty poor too, but I get the message.
I could have sworn that it was actually 3M
Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user.
Has anybody tried one of these in a Ubuntu or other Linux machine? Do the hidden files show?
The truth shall set you free!
Since anyone can sue anyone else without regard to any merit or wrongdoing, lawsuits indicate nothing. Anyone who has a lot of money will be sued. Repeatedly.
Lawsuits indicate nothing -- nothing except that lack of lawsuits indicates you're too poor for it to be worthwhile for someone to sue you.
---
How many false rootkit stories will it take for Slashdot readers to "get it into their head" that Slashdot-news=uncertainty? Any news story posted on Slashdot may or may not be true. The more hyped, news-worthy or interesting, the less likely it is to be factual.
A virus wouldn't put itself in this hidden folder instead?
..or maybe one of these hidden files?
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5
Or this one?
%USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F
Maybe one of these Windows built-in rootkit folders?
c:\$Extend
c:\$AttrDef
c:\$BadClus
c:\$Bitmap
c:\$Boot
c:\$LogFile
c:\$Secure
c:\$Volume
All of which the handy SysInternals tool hides as "Standard NTFS Metadata Files" by default.
The existence of these files/folders is hidden to most users and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
I feel like I finally have to create a user account to correct a misconception I see a lot on the internet. It wasn't Sony that put a rootkit on the music CDs, it was Sony-BMG which is a separate company that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the top executives at Sony-BMG all come from the BMG side, like that guy Thomas Hesse who made those stupid remarks that consumers shouldn't care about rootkits. If anything, all the anger toward Sony should be directed at the entity involved, which is Sony-BMG. Just boycott their music.
Wow, thanks for the informative post.
Sounds like you could teach us a lot about the law, brain surgery and girls, too.
>>because I already threw 2 of them straight in the trash, no use even giving them to a friend...
/. boasting about throwing away perfectly good hardware.
If you really are a computer professional (and I really hope you are not) then you would have RTFA and would now not be making a fool of yourself by writing to
>>we were looking at for toys for the boys.
Says everything that needs to be said about you, your boss, and your company. I'm looking you up to make sure that you and your organization are NOWHERE NEAR any of our supply lines.
Print this out and give it to your boss.
This cannot affect me because I've refused to buy any Sony product since the last fiasco. Additionally, I will NOT deploy any Sony products for my customers, and I always explain to them why I don't trust Sony. This will add to my stack of evidence against Sony and will validate my concerns in the eyes of those customers.
Will you buy Sony products?
Lou
They also created the Sony/Philips Digital Interface for audio known as S/PDIF. It's been around for a while but is only now picking up momentum in the consumer market. It's been in use for professional audio for a long time. Though, my Archos Jukebox Recorder has a S/PDIF interface. (It was the first USB 2.0 hdd based mp3 player on the market.)
Deltron 3030 - Virus (music video)
S/PDIF is a consumer interface, but is popular on "prosumer" equipment and PCs. Professionals tend to use AES/EBU as it is both balanced and incorporates error correction - neither of which are supported on S/PDIF - and uses standard XLR cables for transmission, rather than non-standard coaxial cinch/rca/phono cables.
"There are also ways to run files from this directory."
What kind of idiot writes that? F-Secure are 101% hype and -1% brains. Always have been, always will be.
Actually, S/PDIF was designed for consumer devices. It's a slightly modified version of the AES/EBU digital interface used in professional equipment. They added SCMS serial copy protection and removed mandatory support for 24-bit audio. The connectors and cables are also different. S/PDIF uses either RCA or TOSLINK connectors, while AES/EBU typically uses XLR connectors. It's also not new at all, I had a Sony Minidisc recorder with optical S/PDIF inputs and outputs over ten years ago.
To clarify here: The issue is that the Sony MicroVault USB drives (NOT MemorySticks) include a fingerprint reader, which combined with a driver and (presumably) encryption software, provides a "secure data vault" on the USB drive.
The malware aspect comes in because the Sony software installs a driver for the fingerprint reader in a special hidden directory, presumably with the intention of making the driver more difficult to tamper with and/or bypass. The idea here is that if an attacker can tamper with the driver they can have the tampered driver send a false "correct read" signal to the vault which would expose the content to attackers. Vista's driver protection basically works the same way by preventing you from editing sections of the registry and editing/deleting certain files. So, in theory anyway, if Sony updates the driver for Vista this behavior shouldn't be necessary (not that it is now) because Sony can make it a "signed" driver that is more difficult to tamper with. The driver might also contain some sort of obfuscated code (I'm not that familiar with this kind of driver hacking).
On the grand scale of software that breaks Windows conventions, this is a rather petty example. There are anti-virus tools and debuggers that tamper with the kernel. There is DRM software that breaks other apps on your system. There are virtual disk drives that can destroy your entire Windows install. Really, one hidden driver ain't so bad.
Here's a question: Does the uninstaller remove this hidden driver cleanly? If so, what's the problem?
You shouldn't be using this Sony software anyway. Do you really want to stick your confidential data into a proprietary database cobbled together in a weekend by a few chumps at Sony? There are far more robust and flexible password vaults out there. Many are free.
Do any of you know if you can use the fingerprint reader without installing Sony's software?
Good luck installing a rootkit on my gentoo box, sony. Or my kubuntu one.
I bought the game Bioshock (which won't even load a splash screen). It installs the same kind of rootkit. I think it is just wonderful the way Sony thinks they can create directories in my system for themselves. After all, why not. It can only be compromised by the would be virus or data harvesting malware. Riiiight.... I don't think I will be buying anything Sony for quite a while.
The answer is simple friends. Stop buying sony, they have shown time and again they can not be trusted.
The answer is simple friends. Stop using windows, they have shown time and again they can not be trusted.
World ends tomorrow?
Make millions without lifting a finger?
Slashdot commits to credibility and abandons sensationalism?
It's not just that they hide the drivers but even if you find them, you can't look into it. Some may say this is for security's sake.
But seriously, this device seems to be designed for securing your data. Would you trust a vendor who takes these measures to hide the inner workings of the device?
It's not that obfuscation, hidden, binary code ever stopped ambitious crackers. On the contrary, I think it just gives a false feeling of security to the vendor.