Slashdot Mirror
Another Sony Rootkit?
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
First sentence from wikipedia article:
"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"
So, it sounds like a rootkit as described by wikipedia.
CD was Philips, not Sony.
As to DVD - Not sure about the original DVD format, but Sony effectively created the recordable DVD format war with the + series of formats.
And yes, Sony had a role in VHS vs. Beta - Beta was Sony's format.
retrorocket.o not found, launch anyway?
Philips and Sony collaborated on the CD specification.
ZuluPad, the wiki notepad on crack
If it doesn't show up in nautilus via ctrl+h it is... if it doesn't show up in windows with "show hidden files and folders" checked it is.... simply setting an *intended* file system attribute isn't the same as hiding from the operating system.
Michael J. Ryan - tracker1.info
Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. There are better ways of doing such a thing, but a rootkit has the advantage of keeping the files hidden from common methods of hidden-file detection. Something like a virus or trojan would tend to use a kit like this to make sure that it couldn't be found by antivirus software. Such kits also tend to mask the presence of their processes, just to make sure that they REALLY can't be detected.
Javascript + Nintendo DSi = DSiCade
Please note the defenition of "rootkit," ripped from the beginning of the rootkit wikipedia article:
If it looks like a duck, quacks like a duck, yada yada yada.
"-1 Troll" is the apparently the same as "-1 I disagree with you."
First, the article has so many grammatical errors, that it's laughable.
F-Secure is from Finland. You try writing Finnish some time.
My "Windows API" as this article calls Explorer, is already set to view hidden folders.
Turn in your geek card at the door when you leave.
This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Hi.
They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.
This is quite different than simply toggling a flag for a given directory.
Peace sells, but who's buying?
But the Memory Stick had all sorts of advantages, like a useless DRM system and twice the price per bit of all of the competing flash solutions. It also capped out on capacity a lot quicker than its contemporaries. Who wouldn't want one?
I read the internet for the articles.
According to TFA (which could be wrong, I suppose) this isn't a malformed directory. It's one that's being explicitly hidden from listings by a rootkit. The files are still there, but they're completely invisible to any and all tools. If you uninstall the rootkit, suddenly they'd pop back into visibility.
Javascript + Nintendo DSi = DSiCade
If it looks like a duck, quacks like a duck, yada yada yada. This is a naive definition (I'll edit it later, with appropriate sources). Many programs attempt to conceal files which are not rootkits. Rootkits are the core of a type of software that seeks to hide its own existence. This Sony software does no such thing. You can see the software. You can remove the software. You can view every one of the software's files. Even F-Secure said that they believed the software was designed only with the security of the thumbnail drive data in mind, not with any subversion of the host (like the real Sony rootkit that got them in so much trouble). It only seeks to protect sensitive biometric data which should not be visible to all programs) from the normal Windows API. Again, I'm not defending how they did this. It's poor design, as it has huge security implications. However, it's not a rootkit, but a poorly designed driver.
We need to be more careful to cry wolf when there's, you know... a wolf. Otherwise, when some company decides to deploy a real rootkit again, no one is going to listen to us.
The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.
Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.
Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.