
Another Sony Rootkit?

Posted by ScuttleMonkey on Mon Aug 27, 2007 09:40 AM
from the slow-learners dept.
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony MicroVault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through the Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
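The report's own observation, that the directory is invisible to enumeration but still reachable if you know its name, is exactly the gap a cross-view check exploits. The Python below is an added example, not F-Secure's tool and not anything shipped with the MicroVault software: it lists a parent directory through one enumeration primitive (os.listdir, which on Windows goes through FindFirstFile/FindNextFile), probes a list of candidate names directly with os.lstat, and flags anything reachable by name that the listing omitted. Because no cloaking driver is present here, the hooked listing is simulated by a constructed wrapper around os.listdir that drops a chosen name; the directory names, the candidate list and the payload file are constructed as well.

```python
"""Cross-view check for cloaked directory entries (added example; see lead-in)."""
import os
import shutil
import tempfile


def cross_view_check(parent, candidates, enumerate_dir=os.listdir):
    """Return the candidate names under `parent` that a by-name probe
    (os.lstat) can reach but that `enumerate_dir(parent)` does not list.
    `enumerate_dir` is the possibly-hooked listing primitive; the probe
    is the independent second view."""
    listed = set(enumerate_dir(parent))
    cloaked = []
    for name in candidates:
        try:
            os.lstat(os.path.join(parent, name))
        except FileNotFoundError:
            continue                      # genuinely absent, nothing to report
        if name not in listed:
            cloaked.append(name)          # reachable by name, missing from listing
    return cloaked


def make_cloaked_listdir(hidden):
    """Constructed stand-in for a hooked enumeration API: behaves like
    os.listdir but drops the names in `hidden`, which is the observable
    effect the report describes (no driver is installed here)."""
    hidden = set(hidden)

    def listdir(path):
        return [n for n in os.listdir(path) if n not in hidden]
    return listdir


def demo():
    """Build a scratch tree, cloak one directory in the simulated view,
    and run the check through both the hooked and the plain listing."""
    root = tempfile.mkdtemp(prefix="crossview-")
    try:
        for d in ("system32", "temp", "cloaked_dir"):      # constructed names
            os.mkdir(os.path.join(root, d))
        with open(os.path.join(root, "cloaked_dir", "payload.bin"), "wb") as f:
            f.write(b"\x00" * 16)                            # constructed content
        hooked = make_cloaked_listdir({"cloaked_dir"})
        # Candidate names would normally come from a report or IOC list.
        candidates = ["cloaked_dir", "system32", "does_not_exist"]
        found = cross_view_check(root, candidates, enumerate_dir=hooked)
        clean = cross_view_check(root, candidates)           # unhooked view: no discrepancy
        return found, clean
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())   # (['cloaked_dir'], [])
```

Without a candidate list the same idea is applied by comparing two independent views (the API listing against a raw parse of the volume, or against a listing taken after booting clean media); the by-name probe is just the cheapest second view when the names are already known. Note that the ordinary hidden attribute is not cloaking: entries marked hidden are still returned by the enumeration API (dir /a shows them, and os.listdir returns them), so this check does not flag them.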

Related Stories

[+] Games: BioShock Installs a Rootkit 529 comments
An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"
  • Sony (Score:5, Interesting)

    by jshriverWVU (810740) on Monday August 27, @09:42AM (#20371527)
    What happened to Sony? Growing up they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start? It's sad.
    • Re:Sony (Score:5, Interesting)

      by Prof.Phreak (584152) on Monday August 27, @09:46AM (#20371589)
      (http://www.theparticle.com/)
      It started when they became an entertainment corp, rather than a technology corp.
      • Re:Sony (Score:4, Funny)

        by hackstraw (262471) on Monday August 27, @10:05AM (#20371873)
        (http://www.spamgourmet.com/)
        It started when they became an entertainment corp, rather than a technology corp.

        So, are rootkits entertainment or technology?

        • Re:Sony (Score:5, Funny)

          by Anonymous Coward on Monday August 27, @10:09AM (#20371945)
          I'm finding this all quite entertaining, I must say. So I think that's your answer.
        • Re:Sony by Captain Splendid (Score:2) Monday August 27, @11:08AM
        • Re:Sony by Thingummywut (Score:1) Monday August 27, @04:51PM
    • Re:Sony by FatAlb3rt (Score:3) Monday August 27, @09:46AM
      • Re:Sony (Score:4, Interesting)

        Seems like they've been pushing their own proprietary stuff for the past 20 yrs - most recently Blu-ray, but then there was that MiniDisc that went nowhere. Not sure...did they have a role in VHS/Beta? I used to be a fanboy, but it seems they get more negative press anymore.

        MD disks were actually very successful across Asia. They didn't find a market in North America. In the same span they have also created the 3.5 inch floppy, the CD, and had a bit of input on the DVD. It'd be more accurate to describe their format strategies as being hit and miss since they have been part of some huge dogs (Beta, UMD) and some very successful formats (CDs, 3.5 inch floppies).
        • Re:Sony (Score:5, Informative)

          CD was Philips, not Sony.

          As to DVD - Not sure about the original DVD format, but Sony effectively created the recordable DVD format war with the + series of formats.

          And yes, Sony had a role in VHS vs. Beta - Beta was Sony's format.
        • Re:Sony by omeomi (Score:3) Monday August 27, @10:01AM
          • Re:Sony (Score:5, Informative)

            But the Memory Stick had all sorts of advantages, like a useless DRM system and twice the price per bit of all of the competing flash solutions. It also capped out on capacity a lot quicker than its contemporaries. Who wouldn't want one?
          • Re:Sony (Score:5, Interesting)

            by mattpalmer1086 (707360) on Monday August 27, @11:06AM (#20372737)
            God, memory stick. I have a Sony phone, which is quite nice. I was recently in Tokyo, and I wanted some extra memory for my phone, so I went to Akihabara - geek central. All the sales assistants in about 20 shops I visited just looked at my phone, shrugged their shoulders and said "Sony!". My Japanese is pretty poor, but I got the message. So I went to the big Sony building at Ginza. No deal. They said they only sold memory sticks in the European market - they were using something else in Japan.

            Since I was there, I pulled out a Sony camera I was trying to get a USB cable for. Again, no deal. This camera was North American Sony, and they didn't have those kinds of Sony cables in Japan.

            Sigh. This insistence on ignoring standards and doing everything themselves - not even consistently across the world - bugs me like hell. I doubt I'll buy any more Sony consumer electronics until they get it. Hope they do - they know how to make nicely designed bits of technology.

            • Re:Sony by modecx (Score:1) Monday August 27, @12:09PM
              • Re:Sony by mattpalmer1086 (Score:2) Monday August 27, @01:14PM
            • Re:Sony by brundlefly (Score:2) Monday August 27, @12:41PM
              • Re:Sony (Score:4, Interesting)

                by saigon_from_europe (741782) on Monday August 27, @02:45PM (#20375341)
                I had their laptop. After some time, its transformer stopped working. I live in Serbia, and it is a bit tricky to get decent technical support/service here, but Sony has a huge store in Belgrade downtown.

                I went there, but no luck. They do not sell laptops in Serbia (mine was brought from the UK), so they gave me the telephone number of one repair shop, but they were not sure if they could help me. The repair shop sent me to another repair shop, and so on... After three hops, they explained to me what the issue was. Sony has very rigid standards for their repair shops. To be their certified repairman, you have to guarantee that you'll solve all problems in 24 hours. They were not able to find anyone capable of that in Serbia, so they don't have any repair shop in Serbia.

                That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.
              • Re:Sony (Score:4, Insightful)

                by DigiShaman (671371) on Monday August 27, @08:47PM (#20379259)
                (http://www.fred08.com/)
                That's a very interesting policy. Instead of giving second-class service to your customers, you give them - none.

                Which in turn provides first class metrics applauded by upper management.
            • Re:Sony by Hatta (Score:2) Monday August 27, @03:07PM
            • Re:Sony by McFadden (Score:2) Monday August 27, @08:45PM
              • Re:Sony by mattpalmer1086 (Score:2) Tuesday August 28, @03:30AM
            • Re:Sony by Anonymous Coward (Score:2) Monday August 27, @11:24AM
              • Re:Sony by ZorroXXX (Score:2) Monday August 27, @11:30AM
                • Re:Sony by Anonymous Coward (Score:2) Monday August 27, @12:03PM
                  • Re:Sony by smitty_one_each (Score:2) Monday August 27, @06:22PM
                • Re:Sony by ZorroXXX (Score:3) Monday August 27, @12:20PM
        • Re:Sony by SenseiLeNoir (Score:3) Monday August 27, @10:03AM
          • Re:Sony by mrchaotica (Score:2) Monday August 27, @01:49PM
            • Re:Sony by SenseiLeNoir (Score:2) Monday August 27, @01:56PM
              • Re:Sony by tomofumi (Score:1) Friday August 31, @04:41AM
          • Re:Sony by InvalidError (Score:2) Monday August 27, @03:33PM
            • Re:Sony by chrish (Score:2) Tuesday August 28, @08:51AM
              • Re:Sony by InvalidError (Score:2) Tuesday August 28, @11:08AM
        • Re:Sony by Lord Pillage (Score:1) Monday August 27, @11:47AM
      • Re:Sony by morgan_greywolf (Score:2) Monday August 27, @09:53AM
        • Re:Sony by OldeTimeGeek (Score:2) Monday August 27, @10:21AM
          • Re:Sony by morgan_greywolf (Score:2) Monday August 27, @10:28AM
            • Oversimplification by Phil John (Score:3) Monday August 27, @10:34AM
            • Re:Sony by tsa (Score:3) Monday August 27, @10:47AM
              • Re:Sony by fastest fascist (Score:2) Monday August 27, @12:03PM
              • Re:Sony by CrossChris (Score:1) Monday August 27, @03:35PM
              • Re:Sony by nuzak (Score:2) Monday August 27, @12:15PM
              • Re:Sony by kwark (Score:1) Monday August 27, @05:08PM
            • Re:Sony by OldeTimeGeek (Score:3) Monday August 27, @10:59AM
          • Re:Sony by Anonymous Coward (Score:2) Monday August 27, @10:34AM
            • Re:Sony by jedidiah (Score:2) Monday August 27, @12:39PM
    • Re:Sony (Score:5, Insightful)

      by plover (150551) * on Monday August 27, @09:47AM (#20371613)
      (http://slashdot.org/ | Last Journal: Thursday April 12 2007, @09:41AM)
      It happened when they added a movie studio and a recording label to the corporation. The media side of the house demanded copy protection from the technical side of the house, without understanding the technical limitations.
    • Re:Sony (Score:5, Insightful)

      by Otter (3800) on Monday August 27, @09:54AM (#20371717)
      (Last Journal: Thursday November 08, @06:00PM)
      When did politics and this kinda crap really start?

      Hype here notwithstanding, this is not a "rootkit". It seems to be a bizarre form of write-protection.

      • Re:Sony (Score:5, Informative)

        Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. There are better ways of doing such a thing, but a rootkit has the advantage of keeping the files hidden from common methods of hidden-file detection. Something like a virus or trojan would tend to use a kit like this to make sure that it couldn't be found by antivirus software. Such kits also tend to mask the presence of their processes, just to make sure that they REALLY can't be detected.
        • Re:Sony (Score:5, Insightful)

          If it is a rootkit or not seems to me an academic question. I prefer to be asking: is my computer more vulnerable?
          • Re:Sony by AKAImBatman (Score:3) Monday August 27, @10:40AM
          • A virus could put its files in the hidden folder by Joce640k (Score:2) Monday August 27, @11:16AM
            • by nschubach (922175) on Monday August 27, @02:44PM (#20375331)
              A virus wouldn't put itself in this hidden folder instead?

              %USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5

              Or this one?
              %USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F

              Maybe this Windows built-in rootkit folder?

              c:\$Extend

              ..or maybe one of these hidden files?
              c:\$AttrDef

              c:\$BadClus

              c:\$Bitmap

              c:\$Boot

              c:\$LogFile

              c:\$Secure

              c:\$Volume

              All of which the handy SysInternals hides as "Standard NTFS Metadata Files" by default.

              The existence of these files/folders is hidden to most users and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...
        • Re:Sony by dougmc (Score:3) Monday August 27, @11:06AM
        • Re:Sony by JoshHeitzman (Score:1) Monday August 27, @12:13PM
        • Re:Sony Windows only? by Technician (Score:2) Monday August 27, @01:08PM
    • Re:Sony (Score:4, Insightful)

      by ajs (35943) <ajs@aj s . com> on Monday August 27, @10:07AM (#20371907)
      (http://www.ajs.com/~ajs/)
      I posted this on the firehose version of this article. Thought I should do so here too:

      Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit, just using one of the many tools of the trade of rootkits. The concern is that the hidden directory is hidden from all of the Windows API, including virus scanners, and thus could be used by malicious software to hide infected files.

      I'm not sure that it's reasonable to accuse Sony of distributing a rootkit when they've simply distributed software which uses a technique that could accidentally help malicious software.

      It's also probably a bad thing to keep swinging the rootkit-bat around like this. The next time some large corporation really tries to root all of their customers' machines, no one will believe the story.
      • Re:Sony (Score:5, Informative)

        Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit


        Please note the definition of "rootkit," ripped from the beginning of the rootkit wikipedia article:

        A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


        If it looks like a duck, quacks like a duck, yada yada yada.
        • Re:Sony by spikedvodka (Score:3) Monday August 27, @11:18AM
        • If it looks like a duck... (Score:5, Funny)

          by IBBoard (1128019) on Monday August 27, @11:22AM (#20372965)
          (http://www.ibboard.co.uk/)

          If it looks like a duck, quacks like a duck,...

          Then lawyers for some large corporation will argue that it's actually some previously rare form of feathered marsupial?
        • Re:Sony (Score:5, Informative)

          by ajs (35943) <ajs@aj s . com> on Monday August 27, @11:27AM (#20373065)
          (http://www.ajs.com/~ajs/)

          Please note the definition of "rootkit," ripped from the beginning of the rootkit wikipedia article:

          A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


          If it looks like a duck, quacks like a duck, yada yada yada.
          This is a naive definition (I'll edit it later, with appropriate sources). Many programs attempt to conceal files which are not rootkits. Rootkits are the core of a type of software that seeks to hide its own existence. This Sony software does no such thing. You can see the software. You can remove the software. You can view every one of the software's files. Even F-Secure said that they believed the software was designed only with the security of the thumb drive data in mind, not with any subversion of the host (like the real Sony rootkit that got them in so much trouble). It only seeks to protect sensitive biometric data (which should not be visible to all programs) from the normal Windows API. Again, I'm not defending how they did this. It's poor design, as it has huge security implications. However, it's not a rootkit, but a poorly designed driver.

          We need to be more careful to cry wolf when there's, you know... a wolf. Otherwise, when some company decides to deploy a real rootkit again, no one is going to listen to us.
          • You're missing the point. (Score:5, Informative)

            by KingSkippus (799657) * on Monday August 27, @11:47AM (#20373297)
            (http://skippus.blogspot.com/ | Last Journal: Sunday June 19 2005, @07:25AM)

            It only seeks to protect sensitive biometric data (which should not be visible to all programs) from the normal Windows API.

            The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.

            Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.

            Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus [slashdot.org] said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.

        • Re:Sony by starnix (Score:1) Monday August 27, @03:13PM
    • Re:Sony by Alioth (Score:3) Monday August 27, @12:31PM
    • Re:Sony by davecb (Score:2) Monday August 27, @12:38PM
  • Consider (Score:4, Insightful)

    by nlitement (1098451) on Monday August 27, @09:43AM (#20371545)

    It is therefore technically possible for malware to use the hidden directory as a hiding place.
    Isn't software behaving like that already considered malware?
    • Re:Consider (Score:5, Insightful)

      by wizardforce (1005805) on Monday August 27, @09:52AM (#20371685)
      (Last Journal: Saturday August 25, @03:49PM)

      Isn't software behaving like that already considered malware?
      yes and no. it depends on what and how you use it. if you use the property of hiding directories as a simple way of keeping data from less experienced people [eg. slashdotters hiding the porn from their parents] then it isn't malware; in this case sony's software doesn't seem to be hiding a directory for any good purpose, so yes it is malware.
      • Re:Consider (Score:5, Insightful)

        by B'Trey (111263) on Monday August 27, @09:59AM (#20371793)
        No. The distinction is WHO's doing the hiding. If a user on the computer intentionally hides files or directories from other possible users on the computer, it's not malware. It may or may not be ethical, depending on who's doing the hiding and why. Presumably, it's the owner of the computer and they have a right to hide info from prying eyes. If not, the issue is with the user's actions and not with the software. If, however, a program creates files or directories and hides them (by means other than simply using the H attribute, at least) from the owner/user of the computer, it's malware. It's understandable for a content owner to wish to protect their content, but that doesn't justify them altering the behavior of a computer without the owner's express understanding and permission for what they're doing.
        • Re:Consider by HTH NE1 (Score:2) Monday August 27, @10:44AM
          • Re:Consider by irc.goatse.cx troll (Score:2) Monday August 27, @12:24PM
      • Re:Consider by Tom9729 (Score:2) Monday August 27, @11:09AM
      • Re:Consider by Drgnkght (Score:1) Monday August 27, @02:49PM
  • Hidden files (Score:5, Insightful)

    Is rootkit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?
    • Re:Hidden files by Carewolf (Score:2) Monday August 27, @09:46AM
    • Re:Hidden files (Score:5, Insightful)

      by j00r0m4nc3r (959816) on Monday August 27, @09:48AM (#20371633)
      It doesn't matter what their intent is, they are using rootkit techniques to hide shit on your computer. This allows other parties to piggyback on that tech and install other nastier UNDETECTABLE malware. It would be like if your house cleaning lady leaves your front door wide open when she leaves. Someone could stroll in, fuck your shit up, and leave undetected. Definitely something to seriously worry about.
    • Re:Hidden files (Score:5, Insightful)

      by Applekid (993327) on Monday August 27, @09:50AM (#20371653)
      Hiding from the API is pretty important, actually. That's done by pulling the rug out from under the pointers to the functions that retrieve lists of files/directories. If that's not a Windows rootkit, what is?

      And much like their last rootkit, this one can easily be used to cloak files on your system and is pretty much a fantastic place to put your virus. Way to really push the limits, guys.
    • Re:Hidden files (Score:5, Informative)

      by MontyApollo (849862) on Monday August 27, @09:50AM (#20371669)
      First sentence from wikipedia article:

      "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"

      So, it sounds like a rootkit as described by wikipedia.
    • Re:Hidden files by The_mad_linguist (Score:1) Monday August 27, @10:08AM
  • Format before use (Score:4, Interesting)

    by VincenzoRomano (881055) on Monday August 27, @09:44AM (#20371559)
    Maybe formatting USB memories before usage would be a good move.
    And using an OS that won't run anything from the newly attached memory by default would also help.
  • by RyanFenton (230700) on Monday August 27, @09:45AM (#20371571)
    I'd really rather not have this 'capability' when using windows, to allow software to hide files/directories on my system through these registry/filesystem techniques.

    Is there anything that would break if one was to find a way to nullify this functionality in OS calls?

    Ryan Fenton

  • Why? (Score:2, Insightful)

    by thatskinnyguy (1129515) on Monday August 27, @09:46AM (#20371591)
    How many lawsuits is it going to take before Sony gets it into their head that rootkit=bad? I, for one, am going to fight against our new malware overlords.
    • Re:Why? by JrOldPhart (Score:1) Monday August 27, @09:54AM
    • Re:Why? by theshowmecanuck (Score:2) Monday August 27, @10:00AM
    • Re:Why? by mtmra70 (Score:1) Monday August 27, @10:12AM
      • Re:Why? by Gravatron (Score:1) Monday August 27, @01:00PM
    • zero? by Kohath (Score:2) Monday August 27, @01:24PM
  • tsk tsk tsk... (Score:4, Insightful)

    by JazzyMusicMan (1012801) on Monday August 27, @09:47AM (#20371609)
    They are simply conditioning a public growing weary of dishonest tactics and policies to steer clear of any products they produce. Sony has many divisions and has a presence in many markets, and they are royally screwing all of them up. First the music cd fiasco, now this, no wonder they were prematurely blasted for the SecuROM program that was talked about on here a few days ago. Most people automatically saw it as a rootkit or something they didn't want on their computer because of the record that Sony is establishing for itself. It doesn't matter that maybe it wasn't a rootkit or something malicious, if the public starts thinking that everything you produce is going to create security vulnerabilities and screw up their machine, they'll simply stay away without giving you a second (or third, [or fourth]) chance...
  • kiosk (Score:5, Insightful)

    by SolusSD (680489) on Monday August 27, @09:47AM (#20371615)
    (http://www.solussd.com/)
    It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it- DRM, (truly) hidden folders, subscription software, product activation, ..vista?
    • Re:kiosk by jshriverWVU (Score:3) Monday August 27, @09:58AM
    • Re:kiosk by Idaho (Score:2) Monday August 27, @10:18AM
      • Re:kiosk by dpilot (Score:2) Monday August 27, @11:43AM
        • Re:kiosk by xhrit (Score:1) Monday August 27, @02:29PM
      • Re:kiosk by SolusSD (Score:2) Wednesday August 29, @11:05AM
    • Re:kiosk by swb (Score:3) Monday August 27, @10:19AM
      • Re:kiosk by spikedvodka (Score:2) Monday August 27, @11:26AM
      • Re:kiosk by Explodicle (Score:1) Monday August 27, @11:26AM
        • Re:kiosk by Hatta (Score:2) Monday August 27, @03:04PM
          • Re:kiosk by ball-lightning (Score:1) Monday August 27, @04:37PM
            • Re:kiosk by Hatta (Score:2) Monday August 27, @05:34PM
              • Re:kiosk by Explodicle (Score:1) Thursday August 30, @11:16AM
            • Re:kiosk by ThinkGeek (Score:2) Monday August 27, @10:28PM
    • Re:kiosk by Obsidian Butterfly (Score:1) Monday August 27, @08:35PM
  • Wow... (Score:5, Interesting)

    by shoptroll (544006) on Monday August 27, @09:49AM (#20371639)
    Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

    This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.
    • Re:Wow... by sacrilicious (Score:2) Monday August 27, @10:02AM
    • Re:Wow... by LarsG (Score:2) Monday August 27, @10:04AM
    • Re:Wow... by empiricistrob (Score:1) Monday August 27, @10:04AM
      • Re:Wow... by MontyApollo (Score:2) Monday August 27, @11:00AM
    • Re:Wow..., double Wow. by whoever57 (Score:2) Monday August 27, @10:07AM
    • Re:Wow... by makomk (Score:3) Monday August 27, @10:08AM
      • Re:Wow... by Obsidian Butterfly (Score:1) Monday August 27, @08:59PM
    • Re:Wow... by gad_zuki! (Score:2) Monday August 27, @10:18AM
      • Re:Wow... by shoptroll (Score:2) Monday August 27, @10:47AM
    • Re:Wow... by Library Spoff (Score:2) Monday August 27, @10:20AM
    • Re:Wow... (Score:4, Insightful)

      by Idaho (12907) on Monday August 27, @10:28AM (#20372211)

      Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass.

      The intent is irrelevant w.r.t. the fact whether or not it uses rootkit-like behavior to implement it.


        It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication.


      This is why file access permissions/restrictions were invented in the 1970's.

      This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.


      That is a completely different technique at about 10 different levels. Of course the driver of some USB device may choose to reserve parts of the storage on said USB device for internal usage such that it cannot be (easily) accessed by normal means (i.e. the API offered by said driver). However, "cloaking" parts of the driver itself using rootkit-like mechanisms has, well, about nothing in common with such techniques.
    • Re:Wow... by The MAZZTer (Score:3) Monday August 27, @11:04AM
    • Re:Wow... by kwikrick (Score:1) Monday August 27, @01:44PM
    • Re:Wow... by ivan256 (Score:2) Monday August 27, @05:38PM
  • Rootkits aside... (Score:1)

    by Skiron (735617) on Monday August 27, @09:49AM (#20371649)
    (http://www.linicks.net/)
    ... which I still do not think should be called 'rootkit' in these instances, as this is what MS code allows for - it is part of the system and designed to be so.

    The issue here is the biometric stuff. If your CC number gets stolen, or your password gets hacked, you can simply cancel the old CC/reset your account etc.

    Now, what happens when your data 'fingerprint' [retina scan, whatever] gets hacked and compromised? Get new fingers? Get new eyeballs (à la Tom Cruise!)? I think not. The sooner people learn not to buy and trust this crap the better - but thinking, perhaps the people that buy this crap deserve an MS-designed rootkit anyway.

  • by nlitement (1098451) on Monday August 27, @09:52AM (#20371691)
    You can now hide porn effectively, with little effort and money!
  • A Nasty Trick (Score:5, Interesting)

    by Sigismundo (192183) on Monday August 27, @09:56AM (#20371737)
    It reminds me of the time that some friends and I discovered that a labmate had left himself logged in as root on a virtual console at his Linux workstation. Here's what we did:
    1. Created a directory with the name " " (single space)
    2. Added that directory to his path
    3. Wrote a Perl script that would spit out a random quote from zippy 1/3 of the time, and then execute the program pointed to by argv[0]
    4. Populated the special hidden directory with symlinks to the perl script, each given the name of a common command like ls, ps, and so on.

    So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.
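The trick above is ordinary PATH hijacking: a directory whose name is a single space is easy to overlook in the output of "echo $PATH", and symlinks named after everyday commands make the shell run the wrapper first. The Python below is an added example, not the poster's original Perl script. It rebuilds the setup in a scratch directory (the command names, the wrapper shell script and the victim's PATH are constructed), shows where ls, ps and cat resolve under that PATH, and adds the audit an administrator would run to catch such an entry: empty, whitespace-bearing, relative or group/world-writable PATH directories. The wrapper script is written out so the symlinks have an executable target, but the demo never runs it.

```python
"""PATH hijack rebuild plus a PATH audit (added example; see lead-in)."""
import os
import shutil
import stat
import tempfile

COMMON = ("ls", "ps", "cat")   # constructed: the commands the prank wrapped

# Constructed stand-in for the poster's Perl script: announce itself on
# stderr, then exec the real command found further down PATH (the first
# PATH entry, the hijack directory, is dropped before the lookup).
WRAPPER_SH = (
    "#!/bin/sh\n"
    'echo "Yow! Wrapped: $(basename "$0")" >&2\n'
    'exec env PATH="${PATH#*:}" "$(basename "$0")" "$@"\n'
)


def build_hijack(base):
    """Create base/' ' holding symlinks <cmd> -> base/wrapper.sh for each
    command in COMMON; return the hijack directory path."""
    wrapper = os.path.join(base, "wrapper.sh")
    with open(wrapper, "w") as f:
        f.write(WRAPPER_SH)
    os.chmod(wrapper, 0o755)           # PATH lookup only accepts executables
    hijack = os.path.join(base, " ")   # the single-space directory name
    os.mkdir(hijack)
    for cmd in COMMON:
        os.symlink(wrapper, os.path.join(hijack, cmd))
    return hijack


def resolve(cmd, path):
    """Where the shell would find `cmd` under the given PATH ('' if nowhere)."""
    return shutil.which(cmd, path=path) or ""


def audit_path(path):
    """Return (entry, reason) pairs for PATH entries worth questioning."""
    findings = []
    for entry in path.split(os.pathsep):
        if entry == "":
            findings.append((entry, "empty entry (searches the current directory)"))
        elif any(ch.isspace() for ch in entry):
            findings.append((entry, "entry contains whitespace (e.g. a ' ' directory)"))
        elif not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
        elif os.path.isdir(entry) and os.stat(entry).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((entry, "group/world-writable directory"))
    return findings


def demo():
    """Rebuild the prank in a temp dir; report which commands now resolve
    to the wrapper and what the audit flags. Cleans up afterwards."""
    base = tempfile.mkdtemp(prefix="pathprank-")
    try:
        hijack = build_hijack(base)
        # constructed victim PATH: hijack directory first, system dirs after
        victim_path = os.pathsep.join([hijack, "/usr/bin", "/bin"])
        wrapper = os.path.realpath(os.path.join(base, "wrapper.sh"))
        hijacked = {cmd: os.path.realpath(resolve(cmd, victim_path)) == wrapper
                    for cmd in COMMON}
        reasons = [reason for _, reason in audit_path(victim_path)]
        return hijacked, reasons
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The audit deliberately stops at the first reason per entry; in practice you would run it over the PATH of every login shell and every cron or service account, since those are where a quietly prepended directory does the most damage.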

  • SUCKERS! What did you expect? (Score:2, Insightful)

    by Anonymous Coward on Monday August 27, @09:58AM (#20371781)
    Fool me once, shame on you. Fool me twice, shame on me.

    How fucking stupid can you people be? Stop buying Sony! [mcgrew.info]

    -mcgrew
  • what a bunch of weasels (Score:3, Insightful)

    by swschrad (312009) on Monday August 27, @10:15AM (#20372015)
    (http://slashdot.org/ | Last Journal: Monday April 16 2007, @01:18PM)
    down around the courthouse, they have some terms for mutts who don't learn and keep on doing the same crimes.

    the classy term is "recidivist."

    of the others, we can probably safely post "weasel," "snake," "bastard," "crook," and "lowlife."

    HDTV is around the bend, and I'm remodelling the basement soon to accommodate its new wiring requirements. Sony, the snake-in-a-box company, is not going to be a part of this undertaking.
  • Desensitized (Score:5, Interesting)

    by Dachannien (617929) on Monday August 27, @10:19AM (#20372079)
    (http://www.unity08.com/)
    The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".

  • Not an Accident (Score:2)

    by Nom du Keyboard (633989) on Monday August 27, @10:31AM (#20372249)
    This is no longer an accident with Sony. No longer a simple lapse in judgment. This is a bad, ugly habit on their part now, likely caused by the dichotomy of trying to be a content producer and a tech company at the same time.
  • Last straw for me... (Score:3, Interesting)

    by SlashdotCrackPot (1019530) on Monday August 27, @10:48AM (#20372491)
    I just had to go admit to my damn boss that I (a diligent (also been referred to as 'anal') security-minded individual), thanks to my "handy" pen-drive, now have root-kits on at LEAST 25-30 of our clients' servers, not to mention our office equipment. That was it for me, now I just have to find a replacement product for the several ux380 we were looking at for toys for the boys.

    I imagine though, that an outburst of uncontrollable laughter from my boss while telling him about this is a sign of job security.

    Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or does the fact that I can view it from the command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....
  • How about those MemorySticks that have no competition for filling the slots in Sony equipment (including PCs) that requires them?
  • by dpilot (134227) on Monday August 27, @11:49AM (#20373333)
    (http://slashdot.org/ | Last Journal: Thursday May 12 2005, @09:37AM)
    For a moment get past the Rootkit or Registry thing.

    It just plain isn't good security. If they're really counting on Registry entries to "protect" the "secure" data, there must be a thousand ways to get around that in Windows, let alone just plugging it into a Linux machine. Real security is HARD to do, and promoting something like this as "secure" when it really isn't is a disservice. I read one review a while back that indicated that *none* of these "secure USB" flash plugins were really secure.

    Incidentally, I have a USB flash plugin. The data I really care about is AES-encrypted in a container file that I can loopback mount and use the kernel crypto stuff to access.
  • by Crazy Taco (1083423) on Monday August 27, @11:50AM (#20373351)
    I guess this just proves again that some companies unfortunately still believe in "Security through obscurity". Sony, quit trying to hide junk all over my drive!
  • A propos... (Score:3, Funny)

    by Mr_Icon (124425) on Monday August 27, @11:54AM (#20373395)
    (http://www.mricon.com/)
    A humorous story about what would happen if porn had "root kits." [google.com] (SFW)
  • by Viol8 (599362) on Monday August 27, @11:56AM (#20373409)
    I'm assuming this kit loads a driver which somehow intercepts kernel API requests (or whatever, I'm just guessing). What I'm curious about is could this be done on Linux/Unix/OS X or is this ability to intercept standard kernel API requests a bad design peculiar to Windows?
  • Karma Abuse Poetry (Score:3, Funny)

    by MightyMartian (840721) on Monday August 27, @12:22PM (#20373707)
    (Last Journal: Tuesday March 13 2007, @02:39PM)
    Let's see if I can get even more karma by posting this old poem I wrote on Sony last year:

    Well the Devil had a brand new plan,
    "I don't want any ordinary DRM!"
    So he called his boys at Sony Corp,
    "I'll make this fast and I'll make it short."

    "There's a Limey company, as evil as hell,
    They've got a rootkit they're waiting to sell.
    So grab some cash, make it quick,
    There's a half million networks we just gotta fix."

    Now Sony knew the Devil well,
    Why these guys were already half way to Hell.
    So off they went to England fair,
    And bought themselves a rootkit there.

    To protect themselves and their evil scheme,
    They wrote a EULA that would make you scream.
    "No problem," they said, "we can do as we please,
    We're all scummy bastards, so what's some more sleaze?"

    But not all were asleep when they played Van Zant,
    And the racket grew so loud Sony just had to recant.
    "We'll take back all those discs, we really were wrong,
    Oh, and you Mac users, your turn's coming before long."
  • About Sony and rootkits (Score:2, Insightful)

    by Boycott BMG (1147385) on Monday August 27, @02:49PM (#20375395)
    (Last Journal: Sunday August 26, @07:45PM)

    I feel like I finally have to create a user account to correct a misconception I see a lot on the internet. It wasn't Sony that put a rootkit on the music CDs, it was Sony-BMG which is a separate company that is 50/50 owned by Sony and Bertelsmann (BMG stands for Bertelsmann Music Group). Furthermore, the top executives at Sony-BMG all come from the BMG side, like that guy Thomas Hesse who made those stupid remarks that consumers shouldn't care about rootkits. If anything, all the anger toward Sony should be directed at the entity involved, which is Sony-BMG. Just boycott their music.

  • Can't affect me ... (Score:1, Interesting)

    by Lou57 (78812) on Monday August 27, @04:29PM (#20376565)
    This cannot affect me because I've refused to buy any Sony product since the last fiasco. Additionally, I will NOT deploy any Sony products for my customers, and I always explain to them why I don't trust Sony. This will add to my stack of evidence against Sony and will validate my concerns in the eyes of those customers.

    Will you buy Sony products?
  • by rtechie (244489) on Monday August 27, @07:20PM (#20378533)
    To clarify here: The issue is that the Sony MemoryVault USB drives (NOT MemorySticks) include a fingerprint reader, which combined with a driver and (presumably) encryption software, provides a "secure data vault" on the USB drive.

    The malware aspect comes in because the Sony software installs a driver for the fingerprint reader in a special hidden directory, presumably with the intention of making the driver more difficult to tamper with and/or bypass. The idea here is that if an attacker can tamper with the driver they can have the tampered driver send a false "correct read" signal to the vault which would expose the content to attackers. Vista's driver protection basically works the same way by preventing you from editing sections of the registry and editing/deleting certain files. So, in theory anyway, if Sony updates the driver for Vista this behavior shouldn't be necessary (not that it is now) because Sony can make it a "signed" driver that is more difficult to tamper with. The driver might also contain some sort of obfuscated code (I'm that familiar with this kind of driver hacking).

    On the grand scale of software that breaks Windows conventions, this is a rather petty example. There are anti-virus tools and debuggers that tamper with the kernel. There is DRM software that breaks other apps on your system. There are virtual disk drives that can destroy your entire Windows install. Really, one hidden driver ain't so bad.

    Here's a question: Does the uninstaller remove this hidden driver cleanly? If so, what's the problem?

    You shouldn't be using this Sony software anyway. Do you really want to stick your confidential data into a proprietary database cobbled together in a weekend by a few chumps at Sony? There are far more robust and flexible password vaults out there. Many are free.

    Do any of you know if you can use the fingerprint reader without installing Sony's software?
     
  • Heh, heh... (Score:1)

    by hitmanWilly1337 (1034664) on Monday August 27, @08:37PM (#20379169)
    Good luck installing a rootkit on my gentoo box, sony. Or my kubuntu one.
  • DRM as well (Score:1)

    by eatont9999 (1036392) on Monday August 27, @10:47PM (#20380071)
    I bought the game Bioshock (which won't even load a splash screen). It installs the same kind of rootkit. I think it is just wonderful the way Sony thinks they can create directories in my system for themselves. After all, why not. It can only be compromised by the would-be virus or data harvesting malware. Riiiight.... I don't think I will be buying anything Sony for quite a while.
  • by blad3runn69 (1022135) on Tuesday August 28, @01:18AM (#20380947)
    The answer is simple friends. Stop buying sony, they have shown time and again they cannot be trusted.
  • What to hide? (Score:1)

    by xororand (860319) on Tuesday August 28, @01:14PM (#20387517)
    (Last Journal: Saturday June 16, @09:32AM)
    It's not just that they hide the drivers but even if you find them, you can't look into it. Some may say this is for security's sake.
    But seriously, this device seems to be designed for securing your data. Would you trust a vendor who takes these measures to hide the inner workings of the device?
    It's not that obfuscation, hidden, binary code ever stopped ambitious crackers. On the contrary, I think it just gives a false feeling of security to the vendor.
  • Re:This article is retarded (Score:5, Informative)

    by LarsG (31008) on Monday August 27, @10:20AM (#20372093)
    (Last Journal: Friday October 25 2002, @11:31PM)
    First, the article has so many grammatical errors, that it's laughable.

    F-Secure is from Finland. You try writing Finnish some time.

    My "Windows API" as this article calls Explorer, is already set to view hidden folders.

    Turn in your geek card at the door when you leave.

    This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.

  • Re:This article is retarded (Score:5, Informative)

    by deftcoder (1090261) on Monday August 27, @10:28AM (#20372197)
    Hi.

    They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.

    This is quite different than simply toggling a flag for a given directory.
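    LarsG describes how rootkit hunters work (parse the on-disk directory structure themselves and compare it with what the Windows file API reports) and deftcoder names the two enumeration calls being patched, FindFirstFile() and FindNextFile(). As an added example that belongs to neither poster nor to any of the tools named, here is that cross-view comparison in Python. A real tool would carry its own NTFS parser; in its place this block uses a constructed, deliberately simple record format (1-byte name length, UTF-8 name, 4-byte attribute mask) so it runs offline. The attribute bit values are the real winnt.h ones; the entry names are constructed placeholders. Note the distinction from LarsG's post: an entry with the ordinary hidden attribute is still returned by the API, so it is reported separately and not treated as cloaked.

```python
import struct

# Real Windows attribute bits (winnt.h); everything else here is constructed.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_DIRECTORY = 0x10


def encode_index(entries):
    """Serialise (name, attrs) pairs into the constructed record format:
    1-byte name length, UTF-8 name, 4-byte little-endian attribute mask."""
    out = bytearray()
    for name, attrs in entries:
        raw = name.encode("utf-8")
        out += struct.pack("<B", len(raw)) + raw + struct.pack("<I", attrs)
    return bytes(out)


def parse_index(blob):
    """Parse the constructed on-disk index into {name: attrs}.

    Stands in for the raw NTFS parsing a real tool does; a truncated
    record is an error, never silently a shorter listing."""
    entries = {}
    pos = 0
    while pos < len(blob):
        n = blob[pos]
        pos += 1
        if pos + n + 4 > len(blob):
            raise ValueError(f"truncated record at offset {pos - 1}")
        name = blob[pos:pos + n].decode("utf-8")
        pos += n
        (attrs,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        entries[name] = attrs
    return entries


def cross_view_diff(disk_view, api_view):
    """Compare what is on disk with what the file-enumeration API reports."""
    return {
        # on disk but absent from the API: something is filtering the listing
        "cloaked": sorted(n for n in disk_view if n not in api_view),
        # reported by the API but not on disk: a stale or spoofed view
        "phantom": sorted(n for n in api_view if n not in disk_view),
        # ordinary hidden attribute: still visible to the API, so not flagged
        "hidden_attribute_only": sorted(
            n for n, a in api_view.items() if a & FILE_ATTRIBUTE_HIDDEN),
    }


def demo():
    """Constructed directory: one attribute-hidden file, one cloaked directory."""
    on_disk = [
        ("system32", FILE_ATTRIBUTE_DIRECTORY),
        ("win.ini", 0),
        ("example_hidden_by_attr", FILE_ATTRIBUTE_HIDDEN),
        ("example_cloaked_dir", FILE_ATTRIBUTE_DIRECTORY),  # placeholder name
    ]
    disk_view = parse_index(encode_index(on_disk))
    # What patched FindFirstFile/FindNextFile would hand back: the cloaked
    # directory is simply skipped, the attribute-hidden file is still listed.
    api_view = {n: a for n, a in on_disk if n != "example_cloaked_dir"}
    return cross_view_diff(disk_view, api_view)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:22} {names}")
```

    The only finding that matters for a rootkit scan is `cloaked`: a name that exists in the independently parsed on-disk structure and is missing from the API enumeration. `phantom` is kept because the same comparison catches the opposite inconsistency, and `hidden_attribute_only` shows why toggling the hidden flag does not trip this check.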
  • by Fooker (656693) on Monday August 27, @10:42AM (#20372407)
    Why would you want to go to another store to get a thumbdrive? That makes no sense, the company you're mad at is sony, not the store you bought it from.
  • by bitrot42 (523887) <bitrot42@hotmail.com> on Monday August 27, @12:00PM (#20373463)

    > when I looked at it the whole case was drooping and had his thumbprint in it

    Well, after all, it *is* a thumbprint reader!

    (I agree with other poster, there's no way a USB device can suck enough power to melt itself.)

  • by WaXHeLL (452463) on Monday August 27, @02:21PM (#20375065)
    5V @ 500mA max == 2.5W. That's absolutely nothing in terms of power.
  • It's possible, for a particular, known-in-advance kernel version. In other words, thanks to the multitude of Linux configurations, such an attack vector isn't practically feasible. Rootkits try to patch the syscall table but it is not always trivial from user-space. And again - not reliable. Now, with such a short update cycle (about 3-6 months) I haven't seen Linux root-kits in the wild for a very, very long time. Back in 2.0/2.2 times there were root-kits as well as popular security systems against them.

    On the other side, the Linux file system API does support so-called namespaces (or what Windows calls mount points). IOW it is possible to remove something so it would be invisible to the user and his/her applications. But then it is a feature for the user - not against the user - so s/he can easily see that something was manipulated and undo the manipulations.