Slashdot Mirror


Another Sony Rootkit?

An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
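The detail that matters in the F-Secure description is that the driver filters directory enumeration but not open-by-name: "if you know the name of the directory" you can still cd into it. That asymmetry is exactly what a cross-view check exploits. Below is an added example (not code from F-Secure, Sony or the MicroVault driver) that lists a directory through the normal API, then probes a set of candidate names directly and reports any that exist but were not enumerated. Because the page does not give the real directory name, the names and the cloaking filter here are constructed placeholders; the `enumerate_dir` hook exists only so the cloaking can be simulated offline, and on a live system you leave it at `os.listdir`.

```python
"""Cross-view check for directory entries cloaked from enumeration.

Added example; not code from F-Secure, Sony or the MicroVault driver.
A filter driver that strips names from enumeration results cannot stop
a direct open-by-name of the same entry, so comparing the two views
exposes the cloaked entry. `enumerate_dir` is a hook so a cloaking
filter can be simulated offline; on a live system leave it at os.listdir.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def find_cloaked(directory: str,
                 candidates: Iterable[str],
                 enumerate_dir: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """Return candidate names that exist by direct lookup but are missing
    from the enumerated listing of `directory`."""
    listed = set(enumerate_dir(directory))
    cloaked: List[str] = []
    for name in candidates:
        try:
            # Direct open-by-name; lstat so a dangling symlink still counts.
            os.lstat(os.path.join(directory, name))
        except OSError:
            continue  # genuinely absent, nothing to report
        if name not in listed:
            cloaked.append(name)
    return cloaked


def cloaking_listdir(hidden: Iterable[str]) -> Callable[[str], List[str]]:
    """Build a listdir that drops the given names, mimicking a driver that
    strips entries from enumeration results (a simulation, not the real driver)."""
    hidden_set = set(hidden)

    def listdir(path: str) -> List[str]:
        return [n for n in os.listdir(path) if n not in hidden_set]

    return listdir


def _scratch_layout(root: str) -> None:
    # Constructed layout: one ordinary subdirectory, one we will cloak.
    for name in ("normal", "cloaked"):
        os.mkdir(os.path.join(root, name))


def demo_cloaked() -> List[str]:
    """View the scratch directory through the cloaking filter."""
    with tempfile.TemporaryDirectory() as root:
        _scratch_layout(root)
        view = cloaking_listdir(["cloaked"])
        return find_cloaked(root, ["normal", "cloaked", "absent"], view)


def demo_clean() -> List[str]:
    """Same layout through the unfiltered os.listdir: no discrepancy."""
    with tempfile.TemporaryDirectory() as root:
        _scratch_layout(root)
        return find_cloaked(root, ["normal", "cloaked", "absent"])


if __name__ == "__main__":
    print("with cloaking filter:", demo_cloaked())   # ['cloaked']
    print("without filter:     ", demo_clean())      # []
```

On a real machine the candidate list comes from somewhere other than the suspect API: a wordlist, strings pulled from the driver binary, or a second view of the volume (raw NTFS parsing, or the same disk booted from clean media). The check only catches cloaking that filters enumeration while leaving open-by-name alone, which is what F-Secure describes here; a driver that also intercepts path lookups would need the offline view.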

16 of 317 comments

  1. Sony by jshriverWVU · · Score: 4, Interesting

    What happened to Sony? Growing up they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start? It's sad.

    1. Re:Sony by Prof.Phreak · · Score: 5, Interesting

      It started when they became an entertainment corp, rather than a technology corp.

      --

      "If anything can go wrong, it will." - Murphy

    2. Re:Sony by FatAlb3rt · · Score: 2, Interesting

      Seems like they've been pushing their own proprietary stuff for the past 20 yrs - most recently Blu-ray, but then there was that MiniDisc that went nowhere. Not sure... did they have a role in VHS/Beta? I used to be a fanboy, but it seems they get more negative press anymore.

    3. Re:Sony by king-manic · · Score: 3, Interesting

      Seems like they've been pushing their own proprietary stuff for the past 20 yrs - most recently Blu-ray, but then there was that MiniDisc that went nowhere. Not sure... did they have a role in VHS/Beta? I used to be a fanboy, but it seems they get more negative press anymore.

      MD disks were actually very successful across Asia. They didn't find a market in North America. In the same span they have also created the 3.5 inch floppy, the CD, and had a bit of input on the DVD. It'd be more accurate to describe their format strategies as being hit and miss since they have been part of some huge dogs (Beta, UMD) and some very successful formats (CDs, 3.5 inch floppies).

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    4. Re:Sony by morgan_greywolf · · Score: 2, Interesting

      No, it doesn't. I remember the VHS vs. Beta wars. Sony pulled out all the marketing stops, while VHS had virtually nothing. If there's one thing Sony has always been very good at, it's marketing.

      All it proves is that since you could get porn on VHS and you couldn't on Beta, people like porn, so they stuck with VHS.

    5. Re:Sony by king-manic · · Score: 3, Interesting

      Like someone else pointed out, CD was a Sony/Philips collaboration and if you look at the spec and who contributed what it's nearly 50/50.

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    6. Re:Sony by mattpalmer1086 · · Score: 5, Interesting

      God, memory stick. I have a Sony phone, which is quite nice. I was recently in Tokyo, and I wanted some extra memory for my phone, so I went to Akihabara - geek central. All the sales assistants in about 20 shops I visited just looked at my phone, shrugged their shoulders and said "Sony!". My Japanese is pretty poor, but I got the message. So I went to the big Sony building at Ginza. No deal. They said they only sold memory sticks in the European market - they were using something else in Japan.

      Since I was there, I pulled out a Sony camera I was trying to get a USB cable for. Again, no deal. This camera was North American Sony, and they didn't have those kinds of Sony cables in Japan.

      Sigh. This insistence on ignoring standards and doing everything themselves - not even consistently across the world - bugs me like hell. I doubt I'll buy any more Sony consumer electronics until they get it. Hope they do - they know how to make nicely designed bits of technology.

    7. Re:Sony by saigon_from_europe · · Score: 3, Interesting

      I had their laptop. After some time, its transformer stopped working. I live in Serbia, and it is a bit tricky to get decent technical support/service here, but Sony has a huge store in downtown Belgrade.

      I went there, but no luck. They do not sell laptops in Serbia (mine was brought from the UK), so they gave me the telephone number of one repair shop, but they were not sure if they could help me. The repair shop sent me to another repair shop, and so on... After three hops, they explained to me what the issue was. Sony has very rigid standards for their repair shops. To be their certified repairman, you have to guarantee that you'll solve all problems in 24 hours. They were not able to find anyone capable of that in Serbia, so they don't have any repair shop in Serbia.

      That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.

      --
      No sig today.
  2. Format before use by VincenzoRomano · · Score: 3, Interesting

    Maybe formatting USB memories before usage would be a good move.
    And using an OS that won't run anything from the newly attached memory by default would also help.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  3. Wow... by shoptroll · · Score: 4, Interesting

    Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

    This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

    --
    Insert Sig Here
  4. A Nasty Trick by Sigismundo · · Score: 5, Interesting
    It reminds me of the time that some friends and I discovered that a labmate had left himself logged in as root on a virtual console at his Linux workstation. Here's what we did:
    1. Created a directory with the name " " (single space)
    2. Added that directory to his path
    3. Wrote a Perl script that would spit out a random quote from zippy 1/3 of the time, and then execute the program pointed to by argv[0]
    4. Populated the special hidden directory with symlinks to the perl script, each given the name of a common command like ls, ps, and so on.

    So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.
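The prank above works for the same reason the MicroVault directory does: a name that is hard to see when the listing is printed. A PATH entry of " " shows up as nothing in `echo $PATH`, and whatever it contains shadows every later entry. The following is an added example, not part of Sigismundo's post, that audits a PATH string for the properties such a trap needs (empty or whitespace-only entries, components with leading or trailing whitespace, relative entries, missing or group/world-writable directories) and shows which entry actually wins for a command. The layout it builds is constructed in a temporary directory; it assumes a Unix filesystem, since Windows strips trailing spaces from names.

```python
"""Audit PATH for the " " directory trick described in the comment above.

Added example, not code from the comment. Flags PATH entries that let a
planted directory shadow real commands, and resolves a command the way the
shell does so the shadowing is visible. Sample layout is constructed in a
temporary directory; assumes a Unix filesystem.
"""
import os
import stat
import tempfile
from typing import List, Tuple

Finding = Tuple[str, str]  # (PATH entry, reason it is suspicious)


def audit_path_entries(path_value: str, check_fs: bool = True) -> List[Finding]:
    """Return (entry, reason) pairs for suspicious entries in a PATH string."""
    findings: List[Finding] = []
    for entry in path_value.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry: resolves to the current directory"))
        elif entry.strip() == "":
            findings.append((entry, "whitespace-only entry: invisible in 'echo $PATH'"))
        elif any(c != c.strip() for c in entry.split(os.sep) if c):
            findings.append((entry, "component with leading/trailing whitespace"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry: lookup depends on the cwd"))
        elif check_fs:
            findings.extend(_check_dir(entry))
    return findings


def _check_dir(entry: str) -> List[Finding]:
    """Filesystem checks for an absolute PATH entry."""
    try:
        st = os.stat(entry)
    except OSError:
        return [(entry, "missing: whoever can create it can plant commands")]
    if not stat.S_ISDIR(st.st_mode):
        return [(entry, "not a directory")]
    writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if writable and not st.st_mode & stat.S_ISVTX:
        return [(entry, "group/world-writable directory")]
    return []


def which_first(command: str, path_value: str) -> str:
    """First executable match for `command` along PATH, in shell order; '' if none."""
    for entry in path_value.split(os.pathsep):
        candidate = os.path.join(entry or ".", command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return ""


def demo() -> Tuple[bool, List[Finding]]:
    """Build a ' ' trap directory ahead of a 'bin' directory, both holding an
    'ls', and report whether the trap wins plus what the audit flags."""
    with tempfile.TemporaryDirectory() as root:
        trap = os.path.join(root, " ")      # the single-space directory from the prank
        real = os.path.join(root, "bin")    # stands in for the legitimate bin
        for d in (trap, real):
            os.mkdir(d)
            exe = os.path.join(d, "ls")
            with open(exe, "w") as fh:
                fh.write("#!/bin/sh\necho shadowed\n")  # constructed stand-in binary
            os.chmod(exe, 0o755)
        path_value = os.pathsep.join([trap, real])
        trap_wins = which_first("ls", path_value) == os.path.join(trap, "ls")
        return trap_wins, audit_path_entries(path_value)


if __name__ == "__main__":
    wins, findings = demo()
    print("trap directory shadows ls:", wins)
    for entry, reason in findings:
        print(repr(entry), "->", reason)
    print(audit_path_entries(" :.:/usr/bin:", check_fs=False))
```

Run it against a live shell with `audit_path_entries(os.environ["PATH"])`; the `check_fs=False` form is for auditing a PATH string captured from another host or from a user's shell rc file, where the directories are not present locally.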

  5. Desensitized by Dachannien · · Score: 4, Interesting

    The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".

  6. Last straw for me... by SlashdotCrackPot · · Score: 3, Interesting

    I just had to go admit to my damn boss that, thanks to my "handy" pen-drive, I (a diligent (also been referred to as 'anal') security-minded individual) have put rootkits on at LEAST 25-30 of our clients' servers, not to mention our office equipment. That was it for me, now I just have to find a replacement product for the several ux380 we were looking at for toys for the boys.

    I imagine though, that an outburst of uncontrollable laughter from my boss while telling him about this is a sign of job security.

    Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or does the fact that I can view it from the command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....

  7. Re:How to hide files by Bou · · Score: 2, Interesting
    Or, you could always use NTFS's built-in rootkit 'feature': Alternate Data Streams.

    Virtually undetectable for the casual user:
    They don't show up in explorer and other file managers and task manager even shows the name of the host file.

  8. Re:A virus could put its files in the hidden folde by nschubach · · Score: 4, Interesting

    A virus wouldn't put itself in this hidden folder instead?

    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5

    Or this one?
    %USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F

    Maybe in this Windows built-in rootkit folder?

    c:\$Extend

    ..or maybe one of these hidden files?
    c:\$AttrDef

    c:\$BadClus

    c:\$Bitmap

    c:\$Boot

    c:\$LogFile

    c:\$Secure

    c:\$Volume

    All of which the handy SysInternals hides as "Standard NTFS Metadata Files" by default.

    The existence of these files/folders is hidden from most users and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  9. Can't affect me ... by Lou57 · · Score: 1, Interesting

    This cannot affect me because I've refused to buy any Sony product since the last fiasco. Additionally, I will NOT deploy any Sony products for my customers, and I always explain to them why I don't trust Sony. This will add to my stack of evidence against Sony and will validate my concerns in the eyes of those customers.

    Will you buy Sony products?

    --
    Lou