Another Sony Rootkit?
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
Is rootkit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music cd fiasco, now this, no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious, if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...
It happened when they added a movie studio and a recording label to the corporation. The media side of the house demanded copy protection from the technical side of the house, without understanding the technical limitations.
John
It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it: DRM, (truly) hidden folders, subscription software, product activation, ..Vista?
Hype here notwithstanding, this is not a "rootkit". It seems to be a bizarre form of write-protection.
What I'm listening to now on Pandora...
I posted this on the firehose version of this article. Thought I should do so here too:
Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit, just using one of the many tools of the trade of rootkits. The concern is that the hidden directory is hidden from all of the Windows API, including virus scanners, and thus could be used by malicious software to hide infected files.
I'm not sure that it's reasonable to accuse Sony of distributing a rootkit when they've simply distributed software which uses a technique that could accidentally help malicious software.
It's also probably a bad thing to keep swinging the rootkit-bat around like this. The next time some large corporation really tries to root all of their customers' machines, no one will believe the story.
The issue here is the biometric stuff.
This is an inherent problem in biometrics: you have to trust every scanner that takes a reading not to be trapdoored.
The entire authentication process has to be performed verifiably in the scanner hardware and firmware, and the scanner itself has to be trusted - either it's your scanner or it belongs to someone you have to trust anyway.
But no reversible form of the biometric information can be transferred to potentially untrusted storage.
If it is a rootkit or not seems to me an academic question. I prefer to be asking: is my computer more vulnerable?
A malicious driver is being installed that patches the Win32 API ( FindFirstFile() and FindNextFile() ) not to report the presence of a directory when enumerating through your C:\Windows folder.
How is this *NOT* a rootkit? This is the very definition of one!
Peace sells, but who's buying?
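The comment above describes the mechanism precisely: a driver that filters the results of FindFirstFile()/FindNextFile() so one directory never shows up in an enumeration, while access by name still works. The standard way defenders catch this class of cloaking is a cross-view diff: take the directory listing as the (possibly hooked) enumeration API reports it, take a second view obtained another way, and flag anything present in the second view but missing from the first. The script below is an added illustration, not code from the article, from F-Secure or from Sony. On Windows, Python's os.scandir() is built on FindFirstFile/FindNextFile, so it is the view a hook like this one would alter; the second view here is a direct-by-name probe, which is exactly why the hidden directory "can be entered if you know the name". The directory names, the candidate list and the cloaked_enumeration() stand-in (which simulates the hook by dropping one name from the results) are constructed for the demo; on a real system the candidate names would come from an independent source such as a raw read of the filesystem.

```python
import os
import tempfile
from typing import Callable, Iterable, List, Set

# Constructed names for the demonstration only (not the real directory name).
HIDDEN_NAME = "fingerprint_data"
VISIBLE_NAME = "normal_dir"


def enumerated_names(path: str) -> Set[str]:
    """View 1: the listing as the enumeration API reports it.

    On Windows, os.scandir() calls FindFirstFile/FindNextFile, the very
    functions a cloaking driver hooks, so this view is the one that lies."""
    with os.scandir(path) as it:
        return {entry.name for entry in it}


def probed_names(path: str, candidates: Iterable[str]) -> Set[str]:
    """View 2: direct-by-name probes.

    A hook that only filters enumeration results leaves path-based access
    intact, so a name that exists is still reachable when asked for directly."""
    return {n for n in candidates if os.path.lexists(os.path.join(path, n))}


def cross_view_diff(
    path: str,
    candidates: Iterable[str],
    enumerator: Callable[[str], Set[str]] = enumerated_names,
) -> List[str]:
    """Names reachable by direct probe but absent from enumeration.

    A non-empty result is the classic indicator of directory cloaking."""
    return sorted(probed_names(path, candidates) - enumerator(path))


def cloaked_enumeration(path: str) -> Set[str]:
    """Constructed stand-in for a hooked FindFirstFile/FindNextFile:
    returns the real listing with HIDDEN_NAME silently removed."""
    return enumerated_names(path) - {HIDDEN_NAME}


def demo() -> dict:
    """Build a scratch directory, then run the check against the honest
    enumerator and against the simulated hooked one."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, HIDDEN_NAME))
        os.mkdir(os.path.join(root, VISIBLE_NAME))
        # Candidate list: the names we want to probe for, including one
        # that does not exist so the probe step is exercised both ways.
        candidates = [HIDDEN_NAME, VISIBLE_NAME, "does_not_exist"]
        return {
            "clean": cross_view_diff(root, candidates),
            "cloaked": cross_view_diff(root, candidates, enumerator=cloaked_enumeration),
        }


if __name__ == "__main__":
    # Expected: {'clean': [], 'cloaked': ['fingerprint_data']}
    print(demo())
```

The interesting property is that the detector never needs to know how the hook is implemented; it only needs two views of the same directory that are produced by different code paths. That is also why the article's observation matters for antivirus: a scanner that walks the disk solely through the enumeration API inherits the hook's blind spot, while one that reads the filesystem structures itself does not.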
The intent is irrelevant w.r.t. the fact whether or not it uses rootkit-like behavior to implement it.
It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication.
This is why file access permissions/restrictions were invented in the 1970's.
That is a completely different technique at about 10 different levels. Of course the driver of some USB device may choose to reserve parts of the storage on said USB device for internal usage such that it cannot be (easily) accessed by normal means (i.e. the API offered by said driver). However, "cloaking" parts of the driver itself using rootkit-like mechanisms has, well, about nothing in common with such techniques.
Every expression is true, for a given value of 'true'
Your definition is the original definition, but it's not how it's currently used. By your definition, the BMG CDs were not rootkits either. These days "rootkit" is used on Windows systems to refer to software which modifies the kernel space for nefarious purposes.
Javascript + Nintendo DSi = DSiCade
That's a very interesting policy. Instead of giving second class service to your customers, you give them - none.
Which in turn provides first class metrics applauded by upper management.
Life is not for the lazy.