Slashdot Mirror


Another Sony Rootkit?

An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."

30 of 317 comments

  1. Re:Hidden files by MontyApollo · · Score: 4, Informative

    First sentence from wikipedia article:

    "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"

    So, it sounds like a rootkit as described by wikipedia.

  2. Re:Sony by morgan_greywolf · · Score: 2, Informative

    Not sure...did they have a role in VHS/Beta? Yes. Beta was a proprietary Sony product, while VHS was what was being produced by almost everyone else.

  3. Re:Sony by Andy+Dodd · · Score: 4, Informative

    CD was Philips, not Sony.

    As to DVD - Not sure about the original DVD format, but Sony effectively created the recordable DVD format war with the + series of formats.

    And yes, Sony had a role in VHS vs. Beta - Beta was Sony's format.

    --
    retrorocket.o not found, launch anyway?
  4. Re:Sony by omeomi · · Score: 4, Informative

    Philips and Sony collaborated on the CD specification.

  5. Re:Hidden files by chad.koehler · · Score: 2, Informative

    While the '.' prefix will "hide" a file from plain view of a user, it is hardly hidden from the operating system.

  6. Re:Wow... by makomk · · Score: 2, Informative

    That depends on your definition of "rootkit". It's using a driver to conceal the existence of a directory from standard Windows APIs and programs, which is very definitely a rootkit technique.

  7. Re:Hidden files by aztracker1 · · Score: 4, Informative

    If it doesn't show up in nautilus via ctrl+h it is... if it doesn't show up in windows with "show hidden files and folders" checked it is.... simply setting an *intended* file system attribute isn't the same as hiding from the operating system.

    --
    Michael J. Ryan - tracker1.info
  8. Re:Sony by AKAImBatman · · Score: 4, Informative

    Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. There are better ways of doing such a thing, but a rootkit has the advantage of keeping the files hidden from common methods of hidden-file detection. Something like a virus or trojan would tend to use a kit like this to make sure that it couldn't be found by antivirus software. Such kits also tend to mask the presence of their processes, just to make sure that they REALLY can't be detected.

  9. Re:Sony by harrkev · · Score: 5, Informative

    Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit


    Please note the definition of "rootkit," ripped from the beginning of the rootkit wikipedia article:

    A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


    If it looks like a duck, quacks like a duck, yada yada yada.
    --
    "-1 Troll" is apparently the same as "-1 I disagree with you."
  10. Re:This article is retarded by LarsG · · Score: 5, Informative

    First, the article has so many grammatical errors, that it's laughable.

    F-Secure is from Finland. You try writing Finnish some time.

    My "Windows API" as this article calls Explorer, is already set to view hidden folders.

    Turn in your geek card at the door when you leave.

    This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  11. Re:This article is retarded by deftcoder · · Score: 5, Informative

    Hi.

    They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.

    This is quite different than simply toggling a flag for a given directory.

    --
    Peace sells, but who's buying?
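The two posts above describe the mechanism (a driver filtering what FindFirstFile/FindNextFile report) and the countermeasure (rootkit hunters parsing the on-disk directory structure themselves and diffing it against the API view). The following Python model is an added example and is not code from the thread, from F-Secure, or from Sony's driver; it does not touch the Windows API at all. The directory listing, the cloaked directory name (`HIDDEN_DIR_NAME`, a placeholder because the post does not name the real one) and the `Entry` type are all constructed here to show why a cross-view check flags a cloaked directory but not an ordinary attribute-hidden one, and why knowing the exact name still lets a caller reach the entry.

```python
from dataclasses import dataclass

# Constructed placeholder: the F-Secure report does not give the real directory name.
HIDDEN_DIR_NAME = "hidden_dir_placeholder"


@dataclass(frozen=True)
class Entry:
    """One directory entry as a detector's own on-disk parser would read it."""
    name: str
    is_dir: bool
    hidden_attribute: bool = False  # the ordinary FILE_ATTRIBUTE_HIDDEN flag on disk


# Constructed raw listing of the Windows directory (not real data):
# one normal file, one normal subdirectory, one subdirectory that merely carries
# the hidden attribute, and one subdirectory the driver cloaks from enumeration.
RAW_LISTING = [
    Entry("explorer.exe", False),
    Entry("system32", True),
    Entry("temp", True, hidden_attribute=True),
    Entry(HIDDEN_DIR_NAME, True),
]


def cloaked_enumeration(raw_entries, cloaked_names):
    """Model of a directory enumeration after a driver patches the
    FindFirstFile/FindNextFile path: entries whose name is in cloaked_names are
    dropped before the caller ever sees them. Entries with only the hidden
    attribute are still returned; whether to display those is the caller's choice."""
    cloaked = {n.lower() for n in cloaked_names}
    return [e for e in raw_entries if e.name.lower() not in cloaked]


def open_by_name(raw_entries, name):
    """Model of access by exact path: the cloak filters enumeration only, so a
    caller that already knows the name (e.g. typing it into a command prompt)
    still reaches the entry. Returns None if the name does not exist on disk."""
    for e in raw_entries:
        if e.name.lower() == name.lower():
            return e
    return None


def cross_view_diff(raw_entries, api_entries):
    """Cross-view detection: compare the raw on-disk view with the API view.
    Returns (hidden, phantom): names present on disk but missing from the API
    view, and names the API reports that do not exist on disk."""
    raw = {e.name.lower() for e in raw_entries}
    api = {e.name.lower() for e in api_entries}
    return sorted(raw - api), sorted(api - raw)


def scan(raw_entries, cloaked_names):
    """Run the model end to end and classify what a detector would report."""
    api_view = cloaked_enumeration(raw_entries, cloaked_names)
    hidden, phantom = cross_view_diff(raw_entries, api_view)
    # Attribute-hidden entries are visible to the API, so they are NOT findings;
    # listed separately to show the distinction the thread argues about.
    attribute_only = sorted(e.name for e in api_view if e.hidden_attribute)
    return {"cloaked": hidden, "phantom": phantom, "attribute_hidden_only": attribute_only}


if __name__ == "__main__":
    report = scan(RAW_LISTING, {HIDDEN_DIR_NAME})
    print("cross-view findings:", report)
    print("reachable by exact name:", open_by_name(RAW_LISTING, HIDDEN_DIR_NAME))
```

Running the model reports `hidden_dir_placeholder` as cloaked while `temp` lands only in the attribute-hidden list; with an empty cloak set the diff is empty, which is the baseline a detector expects on a clean system.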
  12. Oversimplification by Phil+John · · Score: 2, Informative

    It wasn't just the availability of adult titles. What really scuppered BETA was the short length of the tapes compared to what was available with VHS.

    --
    I am NaN
  13. Re:Format before use by penix1 · · Score: 2, Informative

    On a side note: has anyone seriously investigated how secure these biometric memory sticks are?


    Well, if it is anything like the ones for security doors that are being pushed as "unbeatable" on Homeland Security then yes. The Myth Busters did a whole thing on it and beat it not once, not twice, but ALL the tries they did.

    http://www.youtube.com/watch?v=LA4Xx5Noxyo
    --
    This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
  14. Re:Sony by AKAImBatman · · Score: 2, Informative

    is my computer more vulnerable?

    Generally, yes. A virus could check for the existence of one of these rootkits, and abuse its hidden locations to hide itself. Which means that a virus can hide from even rootkit detectors in the shadow of "legitimate" software.
  15. Re:Sony by tsa · · Score: 2, Informative

    Yes it does. Remember video 2000? It was by far the best video system out there. It could show stationary pictures that were really stationary, fast-forward and -backward without the annoying lines in the picture, and you could swap the cassette like an audio cassette and record on the other side. The story goes that it failed because Philips refused to put porn on the cassettes, which is of course very bad marketing :)

    --

    -- Cheers!

  16. Re:Sony by jandrese · · Score: 4, Informative

    But the Memory Stick had all sorts of advantages, like a useless DRM system and twice the price per bit of all of the competing flash solutions. It also capped out on capacity a lot quicker than its contemporaries. Who wouldn't want one?

    --

    I read the internet for the articles.
  17. Re:Sony by OldeTimeGeek · · Score: 2, Informative

    I bought my first VCR in 1977, so I was there. Sony marketed Beta to people that were willing to pay a premium for quality (just like they did with their TVs). JVC licensed VHS to every other manufacturer and let them do the marketing. And new development. It would have been a good trick for Sony when they still owned the professional market and could have lived with a smaller portion of the whole pie. Sony would live with the high end and concede the rest of the market to VHS. Unfortunately for them, the "rest of the market" became huge.

    I think that nobody really considered how much people would trade tapes between themselves. You can live with incompatibility when you keep stuff to yourself, but if you want to watch a TV show that someone else taped and you have a different system, well, you're SOL.

    Of course you could get porn on Beta. Long before you could get prerecorded Hollywood movies (at least the ones that *weren't* made from midnight showings before a video camera), you could get porn. A friend of mine bought an early model Sony in 1976 and he seems to have found porn tapes easily enough.

  18. Re:Sony by dougmc · · Score: 2, Informative

    Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. That's not what a rootkit [definition] does. It might be one part of what many rootkits do, but it's not the purpose of a rootkit.


    The purpose of a rootkit is to let you get back in easily later, or once you're in, to let you get `root' easily. The Bioshock SecuROM thing *is* a rootkit -- the service it installs is there to let the SecuROM stuff run as a privileged account, and that's what rootkits do (it's also what things like `su' do.) But merely hiding a directory doesn't make it a rootkit. (It's probably still malware, but a different kind of malware.)

    Rootkits often do attempt to hide themselves, but merely hiding yourself doesn't make you a rootkit.

  19. Re:Sony by AKAImBatman · · Score: 3, Informative

    According to TFA (which could be wrong, I suppose) this isn't a malformed directory. It's one that's being explicitly hidden from listings by a rootkit. The files are still there, but they're completely invisible to any and all tools. If you uninstall the rootkit, suddenly they'd pop back into visibility.

  20. Re:Sony by Anonymous Coward · · Score: 2, Informative

    Basically none of what you wrote above has anything to do with reality.

    - a Sony Ericsson employee

  21. Re:Sony by ajs · · Score: 4, Informative

    Please note the definition of "rootkit," ripped from the beginning of the rootkit wikipedia article:

    A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


    If it looks like a duck, quacks like a duck, yada yada yada. This is a naive definition (I'll edit it later, with appropriate sources). Many programs attempt to conceal files which are not rootkits. Rootkits are the core of a type of software that seeks to hide its own existence. This Sony software does no such thing. You can see the software. You can remove the software. You can view every one of the software's files. Even F-Secure said that they believed the software was designed only with the security of the thumbnail drive data in mind, not with any subversion of the host (like the real Sony rootkit that got them in so much trouble). It only seeks to protect sensitive biometric data which should not be visible to all programs) from the normal Windows API. Again, I'm not defending how they did this. It's poor design, as it has huge security implications. However, it's not a rootkit, but a poorly designed driver.

    We need to be more careful to cry wolf when there's, you know... a wolf. Otherwise, when some company decides to deploy a real rootkit again, no one is going to listen to us.
  22. You're missing the point. by KingSkippus · · Score: 4, Informative

    It only seeks to protect sensitive biometric data which should not be visible to all programs) from the normal Windows API.

    The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.

    Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.

    Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.

    1. Re:You're missing the point. by ajs · · Score: 2, Informative

      It only seeks to protect sensitive biometric data which should not be visible to all programs) from the normal Windows API.


      The intentions behind the software are irrelevant. The only thing that matters is what it does.

      Correct.

      What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.

      Mostly true. I'm not sure I agree with "should not and need not," but I'll grant that they did it the wrong way. No question.

      The bottom line is that this is not a rootkit. It's simply not. The term rootkit refers to a class of software that hides its existence from the OS, and this software does not do that. There's also the matter of the goal (you mentioned intent, but I think goals are more quantifiable and measurable). Rootkits have as their goal the subversion of system security. It doesn't matter if they're DRM-enforcement modules from Sony CDs or virus delivery vectors. They exist to prevent the system from being aware of their installation and preventing their deinstallation. This software does not have any such goal. Its goal is to prevent casual API calls from accessing sensitive biometric data. Period.

      I'm all for slapping Sony around over distributing software that has a security problem (e.g. it can provide safe harbor for malicious code), but let's not throw around the word "rootkit" unless we really mean a piece of software that tries to mask its existence on the system. Otherwise, we'll just have to come up with a new word for that.
    2. Re:You're missing the point. by ajs · · Score: 2, Informative

      Rootkits have as their goal the subversion of system security

      And that's exactly what this software is supposedly doing.

      No. There's a difference between making a boneheaded security gaffe and subverting security. If you can't see the difference between the two, then I suppose this conversation is moot, and we'll have to declare every piece of Linux software a rootkit if it's ever had a security issue that wasn't just a bug, but a deliberate design choice that turned out to have security implications.

      That said, I'm actually not sure that this is as much of a problem as F-Secure has claimed.

      What the software is doing is creating a hidden directory that the standard Windows API can't access except by explicit path name (e.g. it doesn't show up in the directory contents). So, here's the question: what does this gain a malicious program? Sure, such a directory is handy, but your friendly neighborhood worm or spyware could just create such a directory itself. It doesn't help the software in question get past local virus scanners in the first place, only hide from them subsequently... so what's the issue, here? What has Sony done that actually improves the situation for any malware?

      I'm not saying it's a good policy to have such directories, but I'm also not sure that this is a serious security problem especially since, obviously, F-Secure's software was able to detect it.
  23. Re:Sony by Anonymous Coward · · Score: 2, Informative

    Sony Ericsson is owned 50% by Sony, 50% by Ericsson. All phones, all over the world, are sold under the Sony Ericsson brand. The technical input comes from both parents.

    This would take, what, one minute to find out using that thing called the Internet?

  24. Re:Sony by ZorroXXX · · Score: 2, Informative

    The company Sony Ericsson is a separate company where Ericsson and Sony own 50% each (joint venture), started six years ago. Notice that Ericsson still kind of produces mobile phones, but in the form of reference designs (with the basic functionality) which are then sold to Sony Ericsson, who takes this as a basis for making the finished phone (adding applications, menus, mechanics, etc). We also sell this to other companies, although Sony Ericsson is our largest customer.

    --
    When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
  25. Re:Sony by Anonymous Coward · · Score: 1, Informative

    As mentioned by other posters, both Philips and Sony developed the CD. But there's more, they also worked together on the S/PDIF, also known as toslink, digital audio standard. Sony also created the DAT, which you may be more familiar with as the DDS tapes found in my Unix systems.

    They've had their share of screwups, but also some very successful products. The MD was quite successful in Europe as well. I had one until the flash-based mp3 players became really cheap.

    Why the rootkit fiascos I don't know. Probably conflict of interest by being both an entertainment conglomerate and a technology company. Thankfully those rootkits only affect Windows, so I don't really care :)

    Glass

  26. Re:Rootkits aside... by deftcoder · · Score: 2, Informative

    Rootkit doesn't necessarily imply 'backdoor'. A rootkit CAN open a backdoor, but it's possible to rootkit a system for other reasons.

    Example: Daemon Tools, a popular virtual drive program, uses rootkit-esque behavior to hide its drivers from the various game copy protections it aims to defeat. It's a rootkit for a legitimate purpose. This is not.

    It's a malicious driver attempting to hide things from the user without their consent. QED.

    --
    Peace sells, but who's buying?
  27. Re:Sony by lordofthechia · · Score: 2, Informative

    A remnant of that collaboration can be seen in the form of the acronym for the digital hookups on CD-ROMs - SPDIF (Sony Philips Digital Interface).

    --
    Georgia Tech, the leader in Chia(tm) technology.
  28. Re:Sony/Phillips by FauxReal · · Score: 2, Informative

    They also created the Sony/Philips Digital Interface for audio known as S/PDIF. It's been around for a while but is only now picking up momentum in the consumer market. It's been in use for professional audio for a long time. Though, my Archos Jukebox Recorder has an S/PDIF interface. (It was the first USB 2.0 hdd based mp3 player on the market.)