Slashdot Mirror


Another Sony Rootkit?

An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony MicroVault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and the files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt, and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
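The F-Secure write-up quoted above describes the asymmetry that makes this kind of cloaking detectable: the directory is missing from enumeration, yet it can still be opened directly if you already know its name. The following is an added example (not F-Secure's, Sony's, or any Slashdot poster's code) of a cross-view check built on that asymmetry: it compares what an enumeration API reports against what by-name probing reveals and flags entries that exist but were not listed. Everything in it is constructed: the directory layout, the candidate names, and the `make_hooked_listdir` stand-in that simulates an enumeration API with one entry filtered out. No real driver or Windows API hook is involved, so it runs on any OS.

```python
"""Cross-view check for directory entries hidden from enumeration.

Added example, not code from the F-Secure report or from Sony. The idea is
the standard defender technique: take the same listing from two different
vantage points (a possibly tampered enumeration API versus direct by-name
access) and treat anything visible from one but not the other as suspect.

Assumptions (all constructed for this example): the temporary directory
tree, the candidate names, and the `make_hooked_listdir` stand-in for a
tampered enumeration API.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def cross_view_diff(path: str,
                    enumerate_view: Callable[[str], Iterable[str]],
                    candidate_names: Iterable[str]) -> List[str]:
    """Return names that exist on disk under `path` (probed directly with
    os.path.lexists) but that `enumerate_view` did not report.

    `candidate_names` is the set of names to probe. In practice it comes
    from an independent source: a baseline taken from clean media, a raw
    on-disk parse, or a list of names known from prior analysis.
    """
    reported = set(enumerate_view(path))
    hidden = []
    for name in candidate_names:
        # Direct access bypasses the enumeration path, much like entering a
        # cloaked directory from Command Prompt when its name is known.
        if name not in reported and os.path.lexists(os.path.join(path, name)):
            hidden.append(name)
    return sorted(hidden)


def make_hooked_listdir(cloaked: str) -> Callable[[str], List[str]]:
    """Constructed stand-in for a tampered enumeration API: behaves like
    os.listdir except that one entry name is silently dropped."""
    def hooked(path: str) -> List[str]:
        return [n for n in os.listdir(path) if n != cloaked]
    return hooked


def demo() -> List[str]:
    """Build a constructed directory tree, run the check against an honest
    listing and against a simulated tampered one, and return the names the
    tampered view failed to report."""
    candidates = ["system32", "temp", "cloaked_dir", "does_not_exist"]
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "temp", "cloaked_dir"):
            os.mkdir(os.path.join(root, name))
        # A file inside the cloaked directory: still reachable by full path.
        with open(os.path.join(root, "cloaked_dir", "data.bin"), "wb") as fh:
            fh.write(b"\x00" * 16)

        honest = cross_view_diff(root, os.listdir, candidates)
        tampered = cross_view_diff(root, make_hooked_listdir("cloaked_dir"), candidates)
        # An untampered listing agrees with direct probing; the simulated
        # hooked listing does not, and the discrepancy is the finding.
        assert honest == []
        return tampered


if __name__ == "__main__":
    print("reachable by name but missing from enumeration:", demo())
```

The check is only as good as the independent name source: a name the defender never probes is never found, which is why real cross-view tools pair API enumeration with a second, lower-level view of the same volume rather than relying on guessed names.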

35 of 317 comments

  1. Consider by nlitement · Score: 4, Insightful

    It is therefore technically possible for malware to use the hidden directory as a hiding place.
    Isn't software behaving like that already considered malware?
    1. Re:Consider by wizardforce · Score: 4, Insightful

      Isn't software behaving like that already considered malware?
      yes and no. it depends on what and how you use it. if you use the property of hiding directories as a simple way of keeping data from less experienced people [e.g. slashdotters hiding the porn from their parents] then it isn't malware; in this case sony's software doesn't seem to be hiding a directory for any good purpose, so yes it is malware.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    2. Re:Consider by B'Trey · Score: 5, Insightful

      No. The distinction is WHO's doing the hiding. If a user on the computer intentionally hides files or directories from other possible users on the computer, it's not malware. It may or may not be ethical, depending on who's doing the hiding and why. Presumably, it's the owner of the computer and they have a right to hide info from prying eyes. If not, the issue is with the user's actions and not with the software. If, however, a program creates files or directories and hides them (by means other than simply using the H attribute, at least) from the owner/user of the computer, it's malware. It's understandable for a content owner to wish to protect their content, but that doesn't justify them altering the behavior of a computer without the owner's express understanding and permission for what they're doing.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:Consider by Tom9729 · Score: 2, Insightful

      Agreed. When I do an ls of my home directory, I don't really want to see 50+ config files/directories.

      I think the fact that Sony isn't hiding this directory with conventional means proves they're up to something shady...

  2. Hidden files by king-manic · Score: 4, Insightful

    Is rootkit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?

    --
    "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    1. Re:Hidden files by j00r0m4nc3r · Score: 4, Insightful

      It doesn't matter what their intent is, they are using rootkit techniques to hide shit on your computer. This allows other parties to piggyback on that tech and install other nastier UNDETECTABLE malware. It would be like if your house cleaning lady leaves your front door wide open when she leaves. Someone could stroll in, fuck your shit up, and leave undetected. Definitely something to seriously worry about.

    2. Re:Hidden files by Applekid · Score: 5, Insightful

      Hiding from the API is pretty important, actually. That's done by pulling the rug out from under the pointers to the functions that retrieve lists of files/directories. If that's not a Windows rootkit, what is?

      And much like their last rootkit, this one can easily be used to cloak files on your system and is pretty much a fantastic place to put your virus. Way to really push the limits, guys.

      --
      More Twoson than Cupertino
    3. Re:Hidden files by projectmalamute · Score: 3, Insightful

      Those are not hidden from the operating system, try ls -a (twat)

    4. Re:Hidden files by Anonymous Coward · Score: 1, Insightful

      The '.' naming convention is a convenience function, much like "hidden" directories in DOS/Windows; both of those have to be specifically honored by an application to have an effect.

      Do you see the difference yet or does someone have to break this down for you step by step till you understand?

  3. Why? by thatskinnyguy · Score: 2, Insightful

    How many lawsuits is it going to take before Sony gets it into their head that rootkit=bad? I, for one, am going to fight against our new malware overlords.

    --
    The game.
  4. tsk tsk tsk... by JazzyMusicMan · Score: 4, Insightful

    They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music CD fiasco, now this; no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious; if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...

  5. Re:Sony by plover · Score: 4, Insightful

    It happened when they added a movie studio and a recording label to the corporation. The media side of the house demanded copy protection from the technical side of the house, without understanding the technical limitations.

    --
    John
  6. kiosk by SolusSD · Score: 5, Insightful

    It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it: DRM, (truly) hidden folders, subscription software, product activation, ...Vista?

    1. Re:kiosk by jshriverWVU · Score: 2, Insightful

      that's why some people are moving to Linux and OS X. No matter what your beliefs on open vs closed source code, Linux is more "free" as in "freedom" than Windows; you don't hear people complaining about putting in a CD/DVD/USB key and having their system owned by some rootkit or DRM system that was installed w/o intervention. The freedom to own and do what I want with my hardware makes Linux a necessity. I agree with you. Running Windows anymore is like running a kiosk. You pay for the hardware, and the software companies dictate what you do with that hardware. With Linux, I dictate what I do with my hardware. It's that simple.

    2. Re:kiosk by swb · Score: 2, Insightful

      You're not kidding.

      I keep trying to convince my customers they'll pay me less money in the long run to do clean setups on new machines versus the time spent both uninstalling conflicting software they won't/can't use (i.e. Symantec AV, PDF Complete, etc.) and the problems they inevitably run into down the road when the factory-installed crapware craps the machine out, requiring a clean load anyway.

      I've pretty much quit gaming due to all the copy protection crap that gets installed with most modern games (and interferes with legitimate software).

      Another followup to your post mentions migrating to OS X/Linux, where I guess you're less victim to this kind of nonsense, but you're still locked in (to Jobs/Apple) or dealing with a lot less functionality (Linux zealots aside).

  7. Re:Sony by Otter · Score: 4, Insightful

    When did politics and this kinda crap really start?

    Hype here notwithstanding, this is not a "rootkit". It seems to be a bizarre form of write-protection.

  8. SUCKERS! What did you expect? by Anonymous Coward · Score: 2, Insightful

    Fool me once, shame on you. Fool me twice, shame on me.

    How fucking stupid can you people be? Stop buying Sony!

    -mcgrew

  9. Re:Sony by SenseiLeNoir · Score: 2, Insightful

    Yes, they were very successful with the 3.5 inch floppy, also Trinitron screens, and the CD, which was co-developed with Philips. They were also very successful at putting DV/FireWire video in the hands of ordinary customers.

    yeah, they made some lemons too, but so does any tech company that actually tries to invent stuff.

    --
    Have a nice day!
  10. Re:Format before use by djdbass · Score: 2, Insightful

    Yeah just stick it in your pc and format it before you stick it in your....

    Wait...

  11. Re:Sony by ajs · Score: 3, Insightful

    I posted this on the firehose version of this article. Thought I should do so here too:

    Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit, just using one of the many tools of the trade of rootkits. The concern is that the hidden directory is hidden from all of the Windows API, including virus scanners, and thus could be used by malicious software to hide infected files.

    I'm not sure that it's reasonable to accuse Sony of distributing a rootkit when they've simply distributed software which uses a technique that could accidentally help malicious software.

    It's also probably a bad thing to keep swinging the rootkit-bat around like this. The next time some large corporation really tries to root all of their customers' machines, no one will believe the story.

  12. You can't solve this on a single system. by argent · Score: 3, Insightful

    The issue here is the biometric stuff.

    This is an inherent problem in biometrics: you have to trust every scanner that takes a reading not to be trapdoored.

    The entire authentication process has to be performed verifiably in the scanner hardware and firmware, and the scanner itself has to be trusted - either it's your scanner or it belongs to someone you have to trust anyway.

    But no reversible form of the biometric information can be transferred to potentially untrusted storage.

  13. what a bunch of weasels by swschrad · Score: 2, Insightful

    down around the courthouse, they have some terms for mutts who don't learn and keep on doing the same crimes.

    the classy term is "recidivist."

    of the others, we can probably safely post "weasel," "snake," "bastard," "crook," and "lowlife."

    HDTV is around the bend, and I'm remodelling the basement soon to accommodate its new wiring requirements. Sony, the snake-in-a-box company, is not going to be a part of this undertaking.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  14. Re:A Nasty Trick by MrBulwark · Score: 2, Insightful

    See, if you had a real OS like Windows, this kind of security problem wouldn't... oh... never mind.

  15. Re:Sony by Harmonious Botch · Score: 4, Insightful

    Whether it is a rootkit or not seems to me an academic question. I prefer to be asking: is my computer more vulnerable?

  16. Re:Rootkits aside... by deftcoder · Score: 5, Insightful

    A malicious driver is being installed that patches the Win32 API (FindFirstFile() and FindNextFile()) not to report the presence of a directory when enumerating through your C:\Windows folder.

    How is this *NOT* a rootkit? This is the very definition of one!

    --
    Peace sells, but who's buying?
  17. Re:Wow... by Idaho · Score: 3, Insightful

    Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass."

    The intent is irrelevant w.r.t. the fact of whether or not it uses rootkit-like behavior to implement it.

      It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication.

    This is why file access permissions/restrictions were invented in the 1970's.

      This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

    That is a completely different technique at about 10 different levels. Of course the driver of some USB device may choose to reserve parts of the storage on said USB device for internal usage such that it cannot be (easily) accessed by normal means (i.e. the API offered by said driver). However, "cloaking" parts of the driver itself using rootkit-like mechanisms has, well, about nothing in common with such techniques.
    --
    Every expression is true, for a given value of 'true'
  18. Re:Wow..., double Wow. by MontyApollo · Score: 2, Insightful

    It all depends on your definition. What was described in the article satisfies many people's definition of a rootkit, no matter how the authors chose to word it.

    Everybody saying it is not a rootkit needs to define rootkit.

    The example you used in your earlier post about partitions on memory sticks is completely different from what is happening here (the Windows API is being modified to hide a directory on the C: drive).

  19. Re:Wow... by The MAZZTer · Score: 2, Insightful

    This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

    That's different. Windows can't "see" more than one partition on a USB flash drive... which is why the Disk Management MMC snap-in won't let you create more. If you make more than one partition Windows only mounts the first one it sees.

    Of course this assumes you're talking about actual partitions. More likely you're confusing a virtual drive for a real partition; I'm thinking TrueCrypt, which is promoted by many as a way to keep files safe and encrypted on your thumb drive. You enter a password and an encrypted file on the first and only partition on the drive is mounted as a virtual partition on its own drive letter. Nothing is ever hidden from Windows; Windows never knows that the simple file is supposed to be a partition, nor what the encryption key is that is needed to decrypt it. TrueCrypt supplies the first function, while the user's password or keyfile supplies the second. The only things hidden are the things the user explicitly wanted hidden by making the TrueCrypt volume and putting files in there.

  20. Re:Sony by spikedvodka · Score: 2, Insightful

    at this point, where it "looks like a duck, quacks like a duck, and smells like a duck"

    I'm almost tempted to buy one, just so that I can submit the software to ClamAV, Symantec, McAfee, et al.

    It looks like a virus, quacks like a virus, and smells like a virus; let's treat it like a virus.

    --
    I will not give in to the terrorists. I will not become fearful.
  21. Re:Sony by AKAImBatman · Score: 3, Insightful

    Your definition is the original definition, but it's not how it's currently used. By your definition, the BMG CDs were not rootkits either. These days "rootkit" is used on Windows systems to refer to software which modifies the kernel space for nefarious purposes.

  22. But it doesn't work for security, either! by dpilot · Score: 2, Insightful

    For a moment get past the Rootkit or Registry thing.

    It just plain isn't good security. If they're really counting on Registry entries to "protect" the "secure" data, there must be a thousand ways to get around that in Windows, let alone just plugging it into a Linux machine. Real security is HARD to do, and promoting something like this as "secure" when it really isn't is a disservice. I read one review a while back that indicated that *none* of these "secure USB" flash plugins were really secure.

    Incidentally, I have a USB flash plugin. The data I really care about is AES-encrypted in a container file that I can loopback mount and use the kernel crypto stuff to access.

    --
    The living have better things to do than to continue hating the dead.
  23. Re:Rootkits aside... by Skiron · Score: 2, Insightful

    OK, I see what you are saying, but the point is NOTHING gets changed on the system - it uses MS code handles to employ the 'rootkit' - there is no subterfuge involved on the system at all!

    I think MS built in all this from trying to keep the innards so secret squirrel it is now coming back to bite them. Mark Russinovich, remember, was the one who sussed the secret squirrel stuff on the first Sony attempt at this - he (and Company) was very soon bought by MS to SHUT UP about it.

  24. About Sony and rootkits by Boycott BMG · Score: 2, Insightful

    I feel like I finally have to create a user account to correct a misconception I see a lot on the internet. It wasn't Sony that put a rootkit on the music CDs, it was Sony-BMG which is a separate company that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the top executives at Sony-BMG all come from the BMG side, like that guy Thomas Hesse who made those stupid remarks that consumers shouldn't care about rootkits. If anything, all the anger toward Sony should be directed at the entity involved, which is Sony-BMG. Just boycott their music.

  25. Re:Sony by Harik · Score: 2, Insightful

    Actually, "rootkit" told me all I ever needed to know about their "security". It's nothing but a USB image acquisition device and PC-side software to handle the matching and authorization. In other words - completely useless from a security standpoint. Think DRM - plug in the USB stick, it copies the decryption software, image matcher AND THE SECRET KEY to your hard drive, then uses a rootkit to "obscure" it.

    The trick here is it's cheap as shit. Doing it properly on the keychain costs money - you'll need a decent processor to handle image acquisition and processing. Why bother with that when there's a 2+ GHz CPU right next door on the bus? Worse, because they sell this crap as "security devices", they undercut everyone who spends the money to do it right. And of course they lie about how it really works, throwing buzzwords like "biometrically encrypted data storage" out.

    tl;dr: snake oil.

  26. Re:Sony by DigiShaman · Score: 3, Insightful

    That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.

    Which in turn provides first class metrics applauded by upper management.

    --
    Life is not for the lazy.