Another Sony Rootkit?
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
Please note the definition of "rootkit," ripped from the beginning of the rootkit Wikipedia article:
If it looks like a duck, quacks like a duck, yada yada yada.
"-1 Troll" is apparently the same as "-1 I disagree with you."
First, the article has so many grammatical errors that it's laughable.
F-Secure is from Finland. You try writing Finnish some time.
My "Windows API", as this article calls Explorer, is already set to view hidden folders.
Turn in your geek card at the door when you leave.
This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
Hi.
They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.
This is quite different than simply toggling a flag for a given directory.
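To make the distinction drawn in the two comments above concrete (an ordinary hidden attribute versus a patched FindFirstFile()/FindNextFile() that never returns the entry, and the raw-disk-versus-API comparison that detectors use to catch the latter), here is an added Python model. It is not code from this thread, the Sony driver, Blacklight or Rootkit Revealer; the directory listing and the name cloaked_dir are constructed placeholders.

```python
"""Cross-view detection of an API-cloaked directory (constructed model)."""
from typing import Iterator, NamedTuple

FILE_ATTRIBUTE_HIDDEN = 0x2  # real Win32 attribute bit


class Entry(NamedTuple):
    name: str
    attrs: int


# Constructed "raw" view: what a private NTFS parser would read from disk.
RAW_VIEW = [
    Entry("system32", 0),
    Entry("win.ini", 0),
    Entry("desktop.ini", FILE_ATTRIBUTE_HIDDEN),  # ordinary hidden flag
    Entry("cloaked_dir", 0),                      # placeholder cloaked directory
]

# Names the modelled driver strips from enumeration results (placeholder).
CLOAKED_NAMES = {"cloaked_dir"}


def enumerate_unhooked(entries) -> Iterator[Entry]:
    """Honest FindFirstFile/FindNextFile-style enumeration: hidden-attribute
    entries come back like any other; the caller decides whether to show them."""
    yield from entries


def enumerate_hooked(entries) -> Iterator[Entry]:
    """Models the patched FindFirstFile/FindNextFile: same interface, but an
    entry in CLOAKED_NAMES is never returned, whatever its attributes and
    whatever 'show hidden files' setting the caller has chosen."""
    cloaked = {n.lower() for n in CLOAKED_NAMES}
    for e in entries:
        if e.name.lower() not in cloaked:
            yield e


def cross_view_diff(raw_view, api_view) -> dict:
    """Compare on-disk names with API-reported names. An entry that is merely
    hidden by attribute appears in both views and is therefore not flagged."""
    raw = {e.name.lower() for e in raw_view}
    api = {e.name.lower() for e in api_view}
    return {"cloaked": sorted(raw - api), "phantom": sorted(api - raw)}


def scan(hooked: bool) -> dict:
    enum = enumerate_hooked if hooked else enumerate_unhooked
    return cross_view_diff(RAW_VIEW, enum(RAW_VIEW))


if __name__ == "__main__":
    print("clean system:", scan(hooked=False))
    print("cloaking driver loaded:", scan(hooked=True))
```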
Peace sells, but who's buying?