Slashdot Mirror
Another Sony Rootkit?
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
What happened to Sony? Growing up they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start. It's sad.
Is root kit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just a annoyingly hidden directory. Can we tag this as FUD?
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Maybe formatting USB memories before usage would be a good move.
And using OS that won't run anything from the newly attached memry as a default would also help.
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music cd fiasco, now this, no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious, if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...
It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", ie) us, have less and less control over our own PCs. Think about it- DRM, (truly) hidden folders, subscriptino software, product activation, ..vista?
Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."
This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.
Insert Sig Here
So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.
The issue here is the biometric stuff.
This is an inherent problem in biometrics: you have to trust every scanner that takes a reading not to be trapdoored.
The entire authentication process has to be performed verifiably in the scanner hardware and firmware, and the scanner itself had to be trusted - either it's your scanner or it belongs to someone you have to trust anyway.
But no reversible form of the biometric information can be transferred to potentially untrusted storage.
The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".
First, the article has so many grammatical errors, that it's laughable.
F-Secure is from Finland. You try writing Finnish some time.
My "Windows API" as this article calls Explorer, is already set to view hidden folders.
Turn in your geek card at the door when you leave.
This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.
If J.K.R wrote Windows: Puteulanus fenestra mortalis!
A malicious driver is being installed that patches the Win32 API ( FindFirstFile() and FindNextFile() ) not to report the presence of a directory when enumerating through your C:\Windows folder.
How is this *NOT* a rootkit? This is the very definition of one!
Peace sells, but who's buying?
Hi.
They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.
This is quite different than simply toggling a flag for a given directory.
Peace sells, but who's buying?
So, it sounds like a rootkit as described by wikipedia.
:D
Not for long! *rushes to edit wikipedia*
"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system, except when it's with Sony products"
There! Now by definition, sony's isn't a rootkit anymore!
(Legal Disclaimer: This was actually a joke, I didn't vandalize wikipedia or the like. <-- you can't never be too sure these days)
I just had to go admit to my damn boss that I (a diligent (also been referred to as 'anal') security minded individual) that thanks to my "handy" pen-drive that at LEAST 25-30 of our client's servers, not to mention our office equipment now have root-kits on them. That was it for me, now I just have to find a replacement product for the several ux380 we were looking at for toys for the boys.
I imagine though, that an outburst of uncontrollable laughter from my boss while telling him about this is a sign of job security.
Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or the fact that I can view it from command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....
Then lawyers for some large corporation will argue that it's actually some previously rare form of feathered marsupial?
The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.
Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.
Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.
A virus wouldn't put itself in this hidden folder instead?
..or maybe one of these hidden files?
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5
Or this one?
%USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F
Maybe one this windows built in rootkit folder?
c:\$Extend
c:\$AttrDef
c:\$BadClus
c:\$Bitmap
c:\$Boot
c:\$LogFile
c:\$Secure
c:\$Volume
All which the handy SysInternals hides as "Standard NTFS Metadata Files" by default.
The existence of these files/folders are hidden to most users and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.