Slashdot Mirror


Another Sony Rootkit?

An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
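
The behaviour F-Secure describes (the directory vanishes from enumeration, but can still be entered by exact name) is what a cross-view check is built to catch. The following is an added example, not code from F-Secure, Sony, or anyone in this thread: it compares the names returned by directory enumeration (os.listdir, which on Windows uses FindFirstFile/FindNextFile) with a direct probe by name (os.path.exists), and reports any candidate name that is present by name yet absent from the listing. It assumes the name-based probe is not filtered, as the story states for Command Prompt, and the candidate names are a constructed placeholder list, not anything from the advisory. An ordinary "hidden" attribute does not trigger this check, since attribute-hidden entries are still returned by enumeration; only API-level cloaking produces the discrepancy.

```python
"""Cross-view check for directory entries cloaked from Windows enumeration.

Added example (not from the F-Secure post). A cloaking driver filters the
results of directory enumeration, but a direct open-by-name may still
succeed; comparing the two views exposes the hidden entry.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def find_cloaked_entries(
    directory: str,
    candidate_names: Iterable[str],
    list_dir: Callable[[str], List[str]] = os.listdir,
    probe: Callable[[str], bool] = os.path.exists,
) -> List[str]:
    """Return candidate names that probe as present but are missing from the listing.

    candidate_names: names a defender wants to verify (constructed placeholder
    in this example; in practice they would come from a published advisory).
    list_dir / probe are injectable so the logic can be exercised offline.
    """
    # Windows file names are case-insensitive, so normalise before comparing.
    enumerated = {name.lower() for name in list_dir(directory)}
    cloaked = []
    for name in candidate_names:
        if name.lower() in enumerated:
            continue  # visible through the enumeration API, nothing to report
        if probe(os.path.join(directory, name)):
            cloaked.append(name)  # reachable by name, absent from the listing
    return cloaked


# --- constructed simulation of a cloaking driver (not real system data) ---
def simulated_list_dir(_directory: str) -> List[str]:
    """Enumeration view: the cloaked directory has been filtered out."""
    return ["system32", "temp"]


def simulated_probe(path: str) -> bool:
    """Name-based view: the cloaked directory still answers to its exact name."""
    return os.path.basename(path).lower() in {"system32", "temp", "cloaked_dir"}


def simulated_scan() -> List[str]:
    """Run the check against the simulated views; expect ['cloaked_dir']."""
    return find_cloaked_entries(
        r"C:\Windows",  # placeholder path; the simulation never touches it
        ["system32", "cloaked_dir", "nothing_here"],
        list_dir=simulated_list_dir,
        probe=simulated_probe,
    )


def self_check() -> List[str]:
    """Run the check against a real temporary directory with no cloaking.

    Both views agree, so the result is empty; this gives the example a path
    that exercises the real os.listdir / os.path.exists pair.
    """
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "visible_dir"))
        return find_cloaked_entries(tmp, ["visible_dir", "absent_dir"])


if __name__ == "__main__":
    print("simulated cloaking driver:", simulated_scan())
    print("clean temporary directory:", self_check())
```

On a real machine the candidate list would be the directory names published in the advisory, and a non-empty result is the signal to investigate; a scanner that only walks the enumeration API, which is how the hidden directory escapes some antivirus products, never sees the discrepancy.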

91 of 317 comments

  1. Sony by jshriverWVU · · Score: 4, Interesting

    What happened to Sony? Growing up they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start? It's sad.

    1. Re:Sony by Prof.Phreak · · Score: 5, Interesting

      It started when they became an entertainment corp, rather than a technology corp.

      --

      "If anything can go wrong, it will." - Murphy

    2. Re:Sony by FatAlb3rt · · Score: 2, Interesting

      Seems like they've been pushing their own proprietary stuff for the past 20 yrs - most recently Blu-ray, but then there was that MiniDisc that went nowhere. Not sure...did they have a role in VHS/Beta? I used to be a fanboy, but it seems they get more negative press anymore.

    3. Re:Sony by plover · · Score: 4, Insightful

      It happened when they added a movie studio and a recording label to the corporation. The media side of the house demanded copy protection from the technical side of the house, without understanding the technical limitations.

      --
      John
    4. Re:Sony by king-manic · · Score: 3, Interesting

      Seems like they've been pushing their own proprietary stuff for the past 20 yrs - most recently Blu-ray, but then there was that MiniDisc that went nowhere. Not sure...did they have a role in VHS/Beta? I used to be a fanboy, but it seems they get more negative press anymore.

      MD discs were actually very successful across Asia. They didn't find a market in North America. In the same span they have also created the 3.5 inch floppy, the CD, and had a bit of input on the DVD. It'd be more accurate to describe their format strategies as being hit and miss since they have been part of some huge dogs (Beta, UMD) and some very successful formats (CDs, 3.5 inch floppies).

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    5. Re:Sony by morgan_greywolf · · Score: 2, Informative

      Not sure...did they have a role in VHS/Beta?

      Yes. Beta was a proprietary Sony product, while VHS was what was being produced by almost everyone else.

    6. Re:Sony by Otter · · Score: 4, Insightful

      When did politics and this kinda crap really start?

      Hype here notwithstanding, this is not a "rootkit". It seems to be a bizarre form of write-protection.

    7. Re:Sony by Andy+Dodd · · Score: 4, Informative

      CD was Philips, not Sony.

      As to DVD - Not sure about the original DVD format, but Sony effectively created the recordable DVD format war with the + series of formats.

      And yes, Sony had a role in VHS vs. Beta - Beta was Sony's format.

      --
      retrorocket.o not found, launch anyway?
    8. Re:Sony by omeomi · · Score: 4, Informative

      Philips and Sony collaborated on the CD specification.

    9. Re:Sony by omeomi · · Score: 2, Funny

      Don't forget about Memory Stick, the solution to a problem that nobody has...a lack of choices among removable flash storage media.

    10. Re:Sony by SenseiLeNoir · · Score: 2, Insightful

      Yes, they were very successful with the 3.5 inch floppy, also Trinitron screens, and the CD, which was co-developed with Philips. They were also very successful at putting DV/FireWire video in the hands of ordinary customers.

      yeah they made some lemons too, but like any tech company, that actually tries to invent stuff.

      --
      Have a nice day!
    11. Re:Sony by hackstraw · · Score: 3, Funny

      It started when they became an entertainment corp, rather than a technology corp.

      So, are rootkits entertainment or technology?

    12. Re:Sony by ajs · · Score: 3, Insightful

      I posted this on the firehose version of this article. Thought I should do so here too:

      Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit, just using one of the many tools of the trade of rootkits. The concern is that the hidden directory is hidden from all of the Windows API, including virus scanners, and thus could be used by malicious software to hide infected files.

      I'm not sure that it's reasonable to accuse Sony of distributing a rootkit when they've simply distributed software which uses a technique that could accidentally help malicious software.

      It's also probably a bad thing to keep swinging the rootkit-bat around like this. The next time some large corporation really tries to root all of their customers' machines, no one will believe the story.

    13. Re:Sony by Anonymous Coward · · Score: 5, Funny

      I'm finding this all quite entertaining, I must say. So I think that's your answer.

    14. Re:Sony by AKAImBatman · · Score: 4, Informative

      Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. There are better ways of doing such a thing, but a rootkit has the advantage of keeping the files hidden from common methods of hidden-file detection. Something like a virus or trojan would tend to use a kit like this to make sure that it couldn't be found by antivirus software. Such kits also tend to mask the presence of their processes, just to make sure that they REALLY can't be detected.

    15. Re:Sony by harrkev · · Score: 5, Informative

      Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit


      Please note the definition of "rootkit," ripped from the beginning of the rootkit Wikipedia article:

      A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


      If it looks like a duck, quacks like a duck, yada yada yada.
      --
      "-1 Troll" is the apparently the same as "-1 I disagree with you."
    16. Re:Sony by Harmonious+Botch · · Score: 4, Insightful

      If it is a rootkit or not seems to me an academic question. I prefer to be asking: is my computer more vulnerable?

    17. Re:Sony by morgan_greywolf · · Score: 2, Interesting

      No, it doesn't. I remember the VHS vs. Beta wars. Sony pulled out all the marketing stops, while VHS had virtually nothing. If there's one thing Sony has always been very good at, it's marketing.

      All it proves is that since you could get porn on VHS and you couldn't on Beta, people like porn, so they stuck with VHS.

    18. Re:Sony by king-manic · · Score: 3, Interesting

      Like someone else pointed out, CD was a Sony/Philips collaboration and if you look at the spec and who contributed what it's nearly 50/50.

      --
      "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    19. Re:Sony by Anonymous Coward · · Score: 2, Funny

      Which shows that better marketing beats better technology...

      The proliferation of Windows and the proliferation of x86 processors is the ultimate proof of that statement.

    20. Re:Sony by AKAImBatman · · Score: 2, Informative

      is my computer more vulnerable?

      Generally, yes. A virus could check for the existence of one of these rootkits, and abuse its hidden locations to hide itself. Which means that a virus can hide from even rootkit detectors in the shadow of "legitimate" software.
    21. Re:Sony by tsa · · Score: 2, Informative

      Yes it does. Remember Video 2000? It was by far the best video system out there. It could show stationary pictures that were really stationary, fast-forward and -backward without the annoying lines in the picture, and you could swap the cassette like an audio cassette and record on the other side. The story goes that it failed because Philips refused to put porn on the cassettes, which is of course very bad marketing :)

      --

      -- Cheers!

    22. Re:Sony by jandrese · · Score: 4, Informative

      But the Memory Stick had all sorts of advantages, like a useless DRM system and twice the price per bit of all of the competing flash solutions. It also capped out on capacity a lot quicker than its contemporaries. Who wouldn't want one?

      --

      I read the internet for the articles.
    23. Re:Sony by OldeTimeGeek · · Score: 2, Informative

      I bought my first VCR in 1977, so I was there. Sony marketed Beta to people that were willing to pay a premium for quality (just like they did with their TVs). JVC licensed VHS to every other manufacturer and let them do the marketing. And new development. It would have been a good trick for Sony when they still owned the professional market and could have lived with a smaller portion of the whole pie. Sony would live with the high end and concede the rest of the market to VHS. Unfortunately for them, the "rest of the market" became huge.

      I think that nobody really considered how much people would trade tapes between themselves. You can live with incompatibility when you keep stuff to yourself, but if you want to watch a TV show that someone else taped and you have a different system, well, you're SOL.

      Of course you could get porn on Beta. Long before you could get prerecorded Hollywood movies (at least the ones that *weren't* made from midnight showings before a video camera), you could get porn. A friend of mine bought an early model Sony in 1976 and he seems to have found porn tapes easily enough.

    24. Re:Sony by mattpalmer1086 · · Score: 5, Interesting

      God, memory stick. I have a Sony phone, which is quite nice. I was recently in Tokyo, and I wanted some extra memory for my phone, so I went to Akihabara - geek central. All the sales assistants in about 20 shops I visited just looked at my phone, shrugged their shoulders and said "Sony!". My Japanese is pretty poor, but I got the message. So I went to the big Sony building at Ginza. No deal. They said they only sold memory sticks in the European market - they were using something else in Japan.

      Since I was there, I pulled out a Sony camera I was trying to get a USB cable for. Again, no deal. This camera was North American Sony, and they didn't have those kinds of Sony cables in Japan.

      Sigh. This insistence on ignoring standards and doing everything themselves - not even consistently across the world - bugs me like hell. I doubt I'll buy any more Sony consumer electronics until they get it. Hope they do - they know how to make nicely designed bits of technology.

    25. Re:Sony by dougmc · · Score: 2, Informative

      Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user.

      That's not what a rootkit [definition] does. It might be one part of what many rootkits do, but it's not the purpose of a rootkit.


      The purpose of a rootkit is to let you get back in easily later, or once you're in, to let you get `root' easily. The Bioshock SecuROM thing *is* a rootkit -- the service it installs is there to let the SecuROM stuff run as a privileged account, and that's what rootkits do (it's also what things like `su' do.) But merely hiding a directory doesn't make it a rootkit. (It's probably still malware, but a different kind of malware.)

      Rootkits often do attempt to hide themselves, but merely hiding yourself doesn't make you a rootkit.

    26. Re:Sony by AKAImBatman · · Score: 3, Informative

      According to TFA (which could be wrong, I suppose) this isn't a malformed directory. It's one that's being explicitly hidden from listings by a rootkit. The files are still there, but they're completely invisible to any and all tools. If you uninstall the rootkit, suddenly they'd pop back into visibility.

    27. Re:Sony by spikedvodka · · Score: 2, Insightful

      At this point, where it "looks like a duck, quacks like a duck, and smells like a duck"

      I'm almost tempted to buy one, just so that I can submit the software to ClamAV, Symantec, McAfee, et al.

      It looks like a virus, quacks like a virus, and smells like a virus, let's treat it like a virus

      --
      I will not give in to the terrorists. I will not become fearful.
    28. Re:Sony by Anonymous Coward · · Score: 2, Informative

      Basically none of what you wrote above has anything to do with reality.

      - a Sony Ericsson employee

    29. Re:Sony by AKAImBatman · · Score: 3, Insightful

      Your definition is the original definition, but it's not how it's currently used. By your definition, the BMG CDs were not rootkits either. These days "rootkit" is used on Windows systems to refer to software which modifies the kernel space for nefarious purposes.

    30. Re:Sony by ajs · · Score: 4, Informative

      Please note the definition of "rootkit," ripped from the beginning of the rootkit Wikipedia article:

      A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


      If it looks like a duck, quacks like a duck, yada yada yada. This is a naive definition (I'll edit it later, with appropriate sources). Many programs attempt to conceal files which are not rootkits. Rootkits are the core of a type of software that seeks to hide its own existence. This Sony software does no such thing. You can see the software. You can remove the software. You can view every one of the software's files. Even F-Secure said that they believed the software was designed only with the security of the thumbnail drive data in mind, not with any subversion of the host (like the real Sony rootkit that got them in so much trouble). It only seeks to protect sensitive biometric data (which should not be visible to all programs) from the normal Windows API. Again, I'm not defending how they did this. It's poor design, as it has huge security implications. However, it's not a rootkit, but a poorly designed driver.

      We need to be more careful to cry wolf when there's, you know... a wolf. Otherwise, when some company decides to deploy a real rootkit again, no one is going to listen to us.
    31. Re:Sony by Anonymous Coward · · Score: 2, Informative

      Sony Ericsson is owned 50% by Sony, 50% by Ericsson. All phones, all over the world, are sold under the Sony Ericsson brand. The technical input comes from both parents.

      This would take, what, one minute to find out using that thing called the Internet?

    32. Re:Sony by ZorroXXX · · Score: 2, Informative

      The company Sony Ericsson is a separate company where Ericsson and Sony own 50% each (joint venture), started six years ago. Notice that Ericsson still kind of produces mobile phones, but in the form of reference designs (with the basic functionality) which are then sold to Sony Ericsson, who take this as a basis for making the finished phone (adding applications, menus, mechanics, etc). We also sell this to other companies, although Sony Ericsson is our largest customer.

      --
      When you are sure of something, you probably are wrong (search for "Unskilled and Unaware of It").
    33. Re:Sony by Alioth · · Score: 2, Funny

      Where have all the rootkits gone?
            Long time passing
      Where have all the rootkits gone?
            Long, long ago
      Sony picked them, every one.
            When will they ever learn?
            When will they ever learn.

    34. Re:Sony by lordofthechia · · Score: 2, Informative

      A remnant of that collaboration can be seen in the form of the acronym for the digital hookups on CD-ROMs - SPDIF (Sony Philips Digital Interface).

      --
      Georgia Tech, the leader in Chia(tm) technology.
    35. Re:Sony by saigon_from_europe · · Score: 3, Interesting

      I had their laptop. After some time, its transformer stopped working. I live in Serbia, and it is a bit tricky to get decent technical support/service here, but Sony has a huge store in downtown Belgrade.

      I went there, but no luck. They do not sell laptops in Serbia (mine was brought from the UK), so they gave me the telephone number of one repair shop, but they were not sure if they could help me. The repair shop sent me to another repair shop, and so on... After three hops, they explained to me what the issue was. Sony has very rigid standards for their repair shops. To be their certified repair shop, you have to guarantee that you'll solve all problems in 24 hours. They were not able to find anyone capable of that in Serbia, so they don't have any repair shop in Serbia.

      That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.

      --
      No sig today.
    36. Re:Sony by Harik · · Score: 2, Insightful

      Actually, "rootkit" told me all I ever needed to know about their "security". It's nothing but a USB image acquisition device and PC-side software to handle the matching and authorization. In other words - completely useless from a security standpoint. Think DRM - plug in the USB stick, it copies the decryption software, image matcher AND THE SECRET KEY to your hard drive, then uses a rootkit to "obscure" it.

      The trick here is it's cheap as shit. Doing it properly on the keychain costs money - you'll need a decent processor to handle image acquisition and processing. Why bother with that when there's a 2+ GHz CPU right next door on the bus? Worse, because they sell this crap as "security devices", they undercut everyone who spends the money to do it right. And of course they lie about how it really works, throwing buzzwords like "biometrically encrypted data storage" out.

      tl;dr: snake oil.

    37. Re:Sony by DigiShaman · · Score: 3, Insightful

      That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.

      Which in turn provides first class metrics applauded by upper management.

      --
      Life is not for the lazy.
  2. Consider by nlitement · · Score: 4, Insightful

    It is therefore technically possible for malware to use the hidden directory as a hiding place.

    Isn't software behaving like that already considered malware?
    1. Re:Consider by wizardforce · · Score: 4, Insightful

      Isn't software behaving like that already considered malware?

      Yes and no. It depends on what and how you use it. If you use the property of hiding directories as a simple way of keeping data from less experienced people [e.g. Slashdotters hiding the porn from their parents] then it isn't malware; in this case Sony's software doesn't seem to be hiding a directory for any good purpose, so yes it is malware.
      --
      Sigs are too short to say anything truly profound so read the above post instead.
    2. Re:Consider by B'Trey · · Score: 5, Insightful

      No. The distinction is WHO's doing the hiding. If a user on the computer intentionally hides files or directories from other possible users on the computer, it's not malware. It may or may not be ethical, depending on who's doing the hiding and why. Presumably, it's the owner of the computer and they have a right to hide info from prying eyes. If not, the issue is with the user's actions and not with the software. If, however, a program creates files or directories and hides them (by means other than simply using the H attribute, at least) from the owner/user of the computer, it's malware. It's understandable for a content owner to wish to protect their content, but that doesn't justify them altering the behavior of a computer without the owner's express understanding and permission for what they're doing.

      --

      "The legitimate powers of government extend only to such acts as are injurious to others." Thomas Jefferson.

    3. Re:Consider by Tom9729 · · Score: 2, Insightful

      Agreed. When I do an ls of my home directory, I don't really want to see 50+ config files/directories.

      I think the fact that Sony isn't hiding this directory with conventional means proves they're up to something shady...

  3. Hidden files by king-manic · · Score: 4, Insightful

    Is rootkit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?

    --
    "There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
    1. Re:Hidden files by j00r0m4nc3r · · Score: 4, Insightful

      It doesn't matter what their intent is, they are using rootkit techniques to hide shit on your computer. This allows other parties to piggyback on that tech and install other nastier UNDETECTABLE malware. It would be like if your house cleaning lady leaves your front door wide open when she leaves. Someone could stroll in, fuck your shit up, and leave undetected. Definitely something to seriously worry about.

    2. Re:Hidden files by Applekid · · Score: 5, Insightful

      Hiding from the API is pretty important, actually. That's done by pulling the rug out from under the pointers to the functions that retrieve lists of files/directories. If that's not a Windows rootkit, what is?

      And much like their last rootkit, this one can easily be used to cloak files on your system and is pretty much a fantastic place to put your virus. Way to really push the limits, guys.

      --
      More Twoson than Cupertino
    3. Re:Hidden files by MontyApollo · · Score: 4, Informative

      First sentence from wikipedia article:

      "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"

      So, it sounds like a rootkit as described by wikipedia.

    4. Re:Hidden files by projectmalamute · · Score: 3, Insightful

      Those are not hidden from the operating system, try ls -a (twat)

    5. Re:Hidden files by chad.koehler · · Score: 2, Informative

      While the '.' prefix will "hide" a file from plain view of a user, it is hardly hidden from the operating system.

    6. Re:Hidden files by aztracker1 · · Score: 4, Informative

      If it doesn't show up in Nautilus via Ctrl+H it is... if it doesn't show up in Windows with "show hidden files and folders" checked it is.... Simply setting an *intended* file system attribute isn't the same as hiding from the operating system.

      --
      Michael J. Ryan - tracker1.info
  4. Format before use by VincenzoRomano · · Score: 3, Interesting

    Maybe formatting USB memories before usage would be a good move.
    And using an OS that won't run anything from the newly attached memory as a default would also help.

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:Format before use by djdbass · · Score: 2, Insightful

      Yeah just stick it in your pc and format it before you stick it in your....

      Wait...

    2. Re:Format before use by penix1 · · Score: 2, Informative

      On a side note: has anyone seriously investigated how secure these biometric memory sticks are?


      Well, if it is anything like the ones for security doors that are being pushed as "unbeatable" on Homeland Security then yes. The MythBusters did a whole thing on it and beat it not once, not twice, but ALL the tries they did.

      http://www.youtube.com/watch?v=LA4Xx5Noxyo
      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
    3. Re:Format before use by Bob+of+Dole · · Score: 2, Funny

      "If these USB memory cards are just like doors, then this mythbusters episode is relevant!"

      Come on man, I know mythbusters is cool and all, but whaaaaaaaaaaaaat

  5. Why? by thatskinnyguy · · Score: 2, Insightful

    How many lawsuits is it going to take before Sony gets it into their head that rootkit=bad? I, for one, am going to fight against our new malware overlords.

    --
    The game.
  6. tsk tsk tsk... by JazzyMusicMan · · Score: 4, Insightful

    They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music cd fiasco, now this, no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious, if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...

  7. kiosk by SolusSD · · Score: 5, Insightful

    It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it- DRM, (truly) hidden folders, subscription software, product activation, ..Vista?

    1. Re:kiosk by jshriverWVU · · Score: 2, Insightful

      That's why some people are moving to Linux and OS X. No matter what your beliefs on open vs closed source code, Linux is more "free" as in "freedom" than Windows; you don't hear people complaining about putting in a CD/DVD/USB key and having their system owned by some rootkit or DRM system that was installed w/o intervention. The freedom to own and do what I want with my hardware makes Linux a necessity. I agree with you. Running Windows anymore is like running a kiosk. You pay for the hardware, and the software companies dictate what you do with that hardware. With Linux, I dictate what I do with my hardware. It's that simple.

    2. Re:kiosk by swb · · Score: 2, Insightful

      You're not kidding.

      I keep trying to convince my customers they'll pay me less money in the long run to do clean setups on new machines versus the time spent both uninstalling conflicting software they won't/can't use (i.e., Symantec AV, PDF Complete, etc) and the problems they inevitably run into down the road when the factory installed crapware craps the machine out, requiring a clean load anyway.

      I've pretty much quit gaming due to all the copy protection crap that gets installed with most modern games (and interferes with legitimate software).

      Another followup to your post mentions migrating to OS X/Linux, where I guess you're less victim to this kind of nonsense, but you're still locked in (to Jobs/Apple) or dealing with a lot less functionality (Linux zealots aside).

  8. Wow... by shoptroll · · Score: 4, Interesting

    Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

    This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

    --
    Insert Sig Here
    1. Re:Wow... by makomk · · Score: 2, Informative

      That depends on your definition of "rootkit". It's using a driver to conceal the existence of a directory from standard Windows APIs and programs, which is very definitely a rootkit technique.

    2. Re:Wow... by Idaho · · Score: 3, Insightful

      Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass.

      The intent is irrelevant w.r.t. the fact whether or not it uses rootkit-like behavior to implement it.

      It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication.

      This is why file access permissions/restrictions were invented in the 1970's.

      This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

      That is a completely different technique at about 10 different levels. Of course the driver of some USB device may choose to reserve parts of the storage on said USB device for internal usage such that it cannot be (easily) accessed by normal means (i.e. the API offered by said driver). However, "cloaking" parts of the driver itself using rootkit-like mechanisms has, well, about nothing in common with such techniques.
      --
      Every expression is true, for a given value of 'true'
    3. Re:Wow... by The+MAZZTer · · Score: 2, Insightful

      This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.

      That's different. Windows can't "see" more than one partition on a USB flash drive... which is why the Disk Management MMC snap-in won't let you create more. If you make more than one partition Windows only mounts the first one it sees.

      Of course this assumes you're talking about actual partitions. More likely you're confusing a virtual drive for a real partition; I'm thinking TrueCrypt, which is promoted by many as a way to keep files safe and encrypted on your thumb drive. You enter a password and an encrypted file on the first and only partition on the drive is mounted as a virtual partition on its own drive letter. Nothing is ever hidden from Windows; Windows never knows that the simple file is supposed to be a partition, nor what the encryption key is that is needed to decrypt it. TrueCrypt supplies the first function, while the user's password or keyfile supplies the second. The only things hidden are the things the user explicitly wanted hidden by making the TrueCrypt Volume and putting files in there.

  9. Re:Is there a way to permanantly disable this? by BronsCon · · Score: 2, Funny

    Is there anything that would break if one was to find a way to nullify this functionality in OS calls?

    No. But, the universe would begin to unravel as Windows became more secure.

    Yes. That flushing sound you hear is my karma going down the toilet.
    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  10. A Nasty Trick by Sigismundo · · Score: 5, Interesting
    It reminds me of the time that some friends and I discovered that a labmate had left himself logged in as root on a virtual console at his Linux workstation. Here's what we did:
    1. Created a directory with the name " " (single space)
    2. Added that directory to his path
    3. Wrote a Perl script that would spit out a random quote from zippy 1/3 of the time, and then execute the program pointed to by argv[0]
    4. Populated the special hidden directory with symlinks to the Perl script, each given the name of a common command like ls, ps, and so on.

    So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.

    1. Re:A Nasty Trick by MrBulwark · · Score: 2, Insightful

      See, if you had a real OS like Windows, this kind of security problem wouldn't...oh...nevermind.

    2. Re:A Nasty Trick by sholden · · Score: 2, Funny

      Whenever people left themselves logged in (not as root, since no one used root...) we'd always add

      echo sleep 1 >>$HOME/.bash_profile

      to their .bash_profile

  11. SUCKERS! What did you expect? by Anonymous Coward · · Score: 2, Insightful

    Fool me once, shame on you. Fool me twice, shame on me.

    How fucking stupid can you people be? Stop buying Sony!

    -mcgrew

  12. You can't solve this on a single system. by argent · · Score: 3, Insightful

    The issue here is the biometric stuff.

    This is an inherent problem in biometrics: you have to trust every scanner that takes a reading not to be trapdoored.

    The entire authentication process has to be performed verifiably in the scanner hardware and firmware, and the scanner itself had to be trusted - either it's your scanner or it belongs to someone you have to trust anyway.

    But no reversible form of the biometric information can be transferred to potentially untrusted storage.

  13. what a bunch of weasels by swschrad · · Score: 2, Insightful

    down around the courthouse, they have some terms for mutts who don't learn and keep on doing the same crimes.

    the classy term is "recidivist."

    of the others, we can probably safely post "weasel," "snake," "bastard," "crook," and "lowlife."

    HDTV is around the bend, and I'm remodelling the basement soon to accommodate its new wiring requirements. Sony, the snake-in-a-box company, is not going to be a part of this undertaking.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?
  14. Desensitized by Dachannien · · Score: 4, Interesting

    The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".

  15. Re:This article is retarded by LarsG · · Score: 5, Informative

    First, the article has so many grammatical errors, that it's laughable.

    F-Secure is from Finland. You try writing Finnish some time.

    My "Windows API" as this article calls Explorer, is already set to view hidden folders.

    Turn in your geek card at the door when you leave.

    This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
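
    A cheap check in the spirit of the cross-view approach LarsG describes, added here as an example and not code from the thread or from any rootkit hunter: directory enumeration goes through FindFirstFile/FindNextFile, while Test-Path resolves a name directly, so a directory that opens by name yet never appears in the listing is exactly the symptom F-Secure reports. It assumes Windows PowerShell 3.0 or later, and the candidate names are placeholders because the thread does not give the real directory name; unlike a raw NTFS parser it can only probe names you already supply.

```powershell
# Added example, not from the thread: flag directories that are reachable by
# name but missing from enumeration under a parent directory.
# Assumes Windows PowerShell 3.0+; $Candidates holds placeholder names.
function Test-CloakedDirectory {
    param(
        [Parameter(Mandatory)][string]$Parent,
        [Parameter(Mandatory)][string[]]$Candidates
    )
    # View 1: what enumeration (FindFirstFile/FindNextFile) admits to.
    # -Force includes entries with the ordinary Hidden/System attributes,
    # so a plain "hidden folder" will NOT be flagged by this check.
    $enumerated = @(Get-ChildItem -LiteralPath $Parent -Directory -Force `
                        -ErrorAction SilentlyContinue | ForEach-Object { $_.Name })

    foreach ($name in $Candidates) {
        $full = Join-Path -Path $Parent -ChildPath $name
        # View 2: direct access by full name, which does not use enumeration.
        $reachable = Test-Path -LiteralPath $full -PathType Container
        $listed    = $enumerated -contains $name   # -contains is case-insensitive
        [pscustomobject]@{
            Path       = $full
            Reachable  = $reachable
            Listed     = $listed
            # Reachable but unlisted is the cloaking signature; the reverse
            # (listed but not reachable) is usually a race with a rename/delete.
            Suspicious = ($reachable -and -not $listed)
        }
    }
}

# Placeholder candidate names: substitute names you have reason to probe.
Test-CloakedDirectory -Parent $env:SystemRoot `
    -Candidates @('PLACEHOLDER_DIR_NAME_1', 'PLACEHOLDER_DIR_NAME_2') |
    Format-Table -AutoSize
```

    A result with Reachable true and Listed false deserves the same follow-up as a hit from Blacklight or RootkitRevealer; a false on both simply means the name was not present.
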
  16. Re:Rootkits aside... by deftcoder · · Score: 5, Insightful

    A malicious driver is being installed that patches the Win32 API (FindFirstFile() and FindNextFile()) not to report the presence of a directory when enumerating through your C:\Windows folder.

    How is this *NOT* a rootkit? This is the very definition of one!

    --
    Peace sells, but who's buying?
  17. Re:This article is retarded by deftcoder · · Score: 5, Informative

    Hi.

    They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.

    This is quite different than simply toggling a flag for a given directory.

    --
    Peace sells, but who's buying?
  18. Wikipedia? by Spy der Mann · · Score: 5, Funny

    So, it sounds like a rootkit as described by wikipedia.

    Not for long! *rushes to edit wikipedia*

    "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system, except when it's with Sony products"

    There! Now by definition, sony's isn't a rootkit anymore! :D

    (Legal Disclaimer: This was actually a joke, I didn't vandalize wikipedia or the like. <-- you can never be too sure these days)

    1. Re:Wikipedia? by Spy der Mann · · Score: 2, Funny

      Just remember your IP is recorded :P

  19. Oversimplification by Phil John · · Score: 2, Informative

    It wasn't just the availability of adult titles. What really scuppered BETA was the short length of the tapes compared to what was available with VHS.

    --
    I am NaN
  20. Last straw for me... by SlashdotCrackPot · · Score: 3, Interesting

    I just had to go admit to my damn boss that I (a diligent, security-minded individual, also referred to as 'anal') had, thanks to my "handy" pen-drive, put root-kits on at LEAST 25-30 of our clients' servers, not to mention our office equipment. That was it for me; now I just have to find a replacement product for the several ux380 we were looking at as toys for the boys.

    I imagine, though, that an outburst of uncontrollable laughter from my boss while I was telling him about this is a sign of job security.

    Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or does the fact that I can view it from the command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....

  21. Re:Wow..., double Wow. by MontyApollo · · Score: 2, Insightful

    It all depends on your definition. What was described in the article satisfies many people's definition of a rootkit, no matter how the authors chose to word it.

    Everybody saying it is not a rootkit needs to define rootkit.

    The example you used in your earlier post about partitions on memory sticks is completely different than what is happening here (the Windows API is being modified to hide a directory on the C: drive).

  22. If it looks like a duck... by IBBoard · · Score: 4, Funny

    If it looks like a duck, quacks like a duck,...

    Then lawyers for some large corporation will argue that it's actually some previously rare form of feathered marsupial?
  23. You're missing the point. by KingSkippus · · Score: 4, Informative

    It only seeks to protect sensitive biometric data (which should not be visible to all programs) from the normal Windows API.

    The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.

    Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.

    Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.

    1. Re:You're missing the point. by ajs · · Score: 2, Informative

      It only seeks to protect sensitive biometric data (which should not be visible to all programs) from the normal Windows API.

      The intentions behind the software are irrelevant. The only thing that matters is what it does.

      Correct.

      What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.

      Mostly true. I'm not sure I agree with "should not and need not," but I'll grant that they did it the wrong way. No question.

      The bottom line is that this is not a rootkit. It's simply not. The term rootkit refers to a class of software that hides its existence from the OS, and this software does not do that. There's also the matter of the goal (you mentioned intent, but I think goals are more quantifiable and measurable). Rootkits have as their goal the subversion of system security. It doesn't matter if they're DRM-enforcement modules from Sony CDs or virus delivery vectors. They exist to prevent the system from being aware of their installation and to prevent their deinstallation. This software does not have any such goal. Its goal is to prevent casual API calls from accessing sensitive biometric data. Period.

      I'm all for slapping Sony around over distributing software that has a security problem (e.g. it can provide safe harbor for malicious code), but let's not throw around the word "rootkit" unless we really mean a piece of software that tries to mask its existence on the system. Otherwise, we'll just have to come up with a new word for that.
    2. Re:You're missing the point. by ajs · · Score: 2, Informative

      Rootkits have as their goal the subversion of system security

      And that's exactly what this software is supposedly doing.

      No. There's a difference between making a boneheaded security gaffe and subverting security. If you can't see the difference between the two, then I suppose this conversation is moot, and we'll have to declare every piece of Linux software a rootkit if it's ever had a security issue that wasn't just a bug, but a deliberate design choice that turned out to have security implications.

      That said, I'm actually not sure that this is as much of a problem as F-Secure has claimed.

      What the software is doing is creating a hidden directory that the standard Windows API can't access except by explicit path name (e.g. it doesn't show up in the directory contents). So, here's the question: what does this gain a malicious program? Sure, such a directory is handy, but your friendly neighborhood worm or spyware could just create such a directory itself. It doesn't help the software in question get past local virus scanners in the first place, only hide from them subsequently... so what's the issue, here? What has Sony done that actually improves the situation for any malware?

      I'm not saying it's a good policy to have such directories, but I'm also not sure that this is a serious security problem, especially since, obviously, F-Secure's software was able to detect it.
  24. But it doesn't work for security, either! by dpilot · · Score: 2, Insightful

    For a moment get past the Rootkit or Registry thing.

    It just plain isn't good security. If they're really counting on Registry entries to "protect" the "secure" data, there must be a thousand ways to get around that in Windows, let alone just plugging it into a Linux machine. Real security is HARD to do, and promoting something like this as "secure" when it really isn't is a disservice. I read one review a while back that indicated that *none* of these "secure USB" flash plugins were really secure.

    Incidentally, I have a USB flash plugin. The data I really care about is AES-encrypted in a container file that I can loopback mount and use the kernel crypto stuff to access.

    --
    The living have better things to do than to continue hating the dead.
  25. A propos... by Mr_Icon · · Score: 2, Funny

    A humorous story about what would happen if porn had "root kits." (SFW)

    --
    If you open yourself to the foo, You and foo become one.
  26. Karma Abuse Poetry by MightyMartian · · Score: 2, Funny

    Let's see if I can get even more karma by posting this old poem I wrote on Sony last year:

    Well the Devil had a brand new plan,
    "I don't want any ordinary DRM!"
    So he called his boys at Sony Corp,
    "I'll make this fast and I'll make it short."

    "There's a Limey company, as evil as hell,
    They've got a rootkit they're waiting to sell.
    So grab some cash, make it quick,
    There's a half million networks we just gotta fix."

    Now Sony knew the Devil well,
    Why these guys were already half way to Hell.
    So off they went to England fair,
    And bought themselves a rootkit there.

    To protect themselves and their evil scheme,
    They wrote a EULA that would make you scream.
    "No problem," they said, "we can do as we please,
    We're all scummy bastards, so what's some more sleaze?"

    But not all were asleep when they played Van Zant,
    And the racket grew so loud Sony just had to recant.
    "We'll take back all those discs, we really were wrong,
    Oh, and you Mac users, your turn's coming before long."

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  27. Re:How to hide files by Bou · · Score: 2, Interesting
    Or, you could always use NTFS's built-in root kit 'feature': Alternate Data Streams.

    Virtually undetectable for the casual user:
    They don't show up in explorer and other file managers and task manager even shows the name of the host file.
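
    "Virtually undetectable" holds only for tools that never ask; the following is an added example, not code from the thread, that enumerates alternate data streams so an administrator can see what is attached to the files under a directory tree. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the root path is a placeholder.

```powershell
# Added example, not from the thread: list alternate data streams under a tree.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream) on an NTFS volume.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream on the file, including the
            # main unnamed data stream, which the provider reports as ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Zone.Identifier is the benign stream browsers write on downloads ("mark of
# the web"); everything else is worth a look, especially large or executable data.
Find-AlternateDataStreams -Root 'C:\Users\Public' |   # placeholder root
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

    The content of a suspicious stream can then be read with Get-Content -LiteralPath the-file -Stream the-stream-name, and removed with Remove-Item -Stream.
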

  28. Re:Rootkits aside... by deftcoder · · Score: 2, Informative

    Rootkit doesn't necessarily imply 'backdoor'. A rootkit CAN open a backdoor, but it's possible to rootkit a system for other reasons.

    Example: Daemon Tools, a popular virtual drive program, uses rootkit-esque behavior to hide its drivers from the various game copy protections it aims to defeat. It's a rootkit for a legitimate purpose. This is not.

    It's a malicious driver attempting to hide things from the user without their consent. QED.

    --
    Peace sells, but who's buying?
  29. Re:Rootkits aside... by Skiron · · Score: 2, Insightful

    OK, I see what you are saying, but the point is NOTHING gets changed on the system - it uses MS code handles to employ the 'rootkit' - there is no subterfuge involved on the system at all!

    I think MS built in all this from trying to keep the innards so secret squirrel it is now coming back to bite them. Mark Russinovich, remember, was the one who sussed the secret squirrel stuff on the first Sony attempt at this - he (and Company) was very soon bought by MS to SHUT UP about it.

  30. Re:A virus could put its files in the hidden folde by nschubach · · Score: 4, Interesting

    A virus wouldn't put itself in this hidden folder instead?

    %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5

    Or this one?
    %USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F

    Maybe in this Windows built-in rootkit folder?

    c:\$Extend

    ..or maybe one of these hidden files?
    c:\$AttrDef
    c:\$BadClus
    c:\$Bitmap
    c:\$Boot
    c:\$LogFile
    c:\$Secure
    c:\$Volume

    All of which the handy SysInternals tool hides as "Standard NTFS Metadata Files" by default.

    The existence of these files/folders is hidden from most users, and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  31. About Sony and rootkits by Boycott BMG · · Score: 2, Insightful

    I feel like I finally have to create a user account to correct a misconception I see a lot on the internet. It wasn't Sony that put a rootkit on the music CDs, it was Sony-BMG, which is a separate company that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the top executives at Sony-BMG all come from the BMG side, like that guy Thomas Hesse who made those stupid remarks that consumers shouldn't care about rootkits. If anything, all the anger toward Sony should be directed at the entity involved, which is Sony-BMG. Just boycott their music.

  32. Re:Sony/Philips by FauxReal · · Score: 2, Informative

    They also created the Sony/Philips Digital Interface for audio known as S/PDIF. It's been around for a while but is only now picking up momentum in the consumer market. It's been in use for professional audio for a long time. Though, my Archos Jukebox Recorder has an S/PDIF interface. (It was the first USB 2.0 HDD-based mp3 player on the market.)