Slashdot Mirror

← Back to Stories (view on slashdot.org)

Another Sony Rootkit?

Posted by ScuttleMonkey on from the slow-learners dept.

An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."

4 of 317 comments (clear)

  1. kiosk by SolusSD · · Score: 5, Insightful

    It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", ie) us, have less and less control over our own PCs. Think about it- DRM, (truly) hidden folders, subscriptino software, product activation, ..vista?

  2. Re:Hidden files by Applekid · · Score: 5, Insightful

    Hiding from the API is pretty important, actually. That's done by pulling the rug under the pointers to the functions that retreives lists of files/directories. If that's not a Windows rootkit, what is?

    And much like their last rootkit, this one can easily be used to cloak files on your system and is pretty much a fantastic place to put your virus. Way to really push the limits, guys.

    --
    More Twoson than Cupertino
  3. Re:Consider by B'Trey · · Score: 5, Insightful

    No. The distinction is WHO's doing the hiding. If a user on the computer intentionally hides files or directories from other possible users on the computers, it's not malware. It may or may not be ethical, depending on who's doing the hiding and why. Presumably, it's the owner of the computer and they have a right to hid info from prying eyes. If not, the issue is with the user's actions and not with the software. If, however, a program creates files or directories and hides them (by means other than simply using the H attribute, at least) from the owner/user of the computer, it's malware. It's understandable for a content owner to wish to protect their content, but that doesn't justify them altering the behavior of a computer without the owner's express understanding and permission for what they're doing.

    --

    "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

  4. Re:Rootkits aside... by deftcoder · · Score: 5, Insightful

    A malicious driver is being installed that patches the Win32 API ( FindFirstFile() and FindNextFile() ) not to report the presence of a directory when enumerating through your C:\Windows folder.

    How is this *NOT* a rootkit? This is the very definition of one!

    --
    Peace sells, but who's buying?