Another Sony Rootkit?

Posted by ScuttleMonkey on Mon Aug 27, 2007 10:40 AM
from the slow-learners dept.
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks use rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."

Related Stories

Games: BioShock Installs a Rootkit (529 comments)
An anonymous reader writes "Sony (the owner of SecureROM copy protection) is still up to its old tricks. One would think that they would have learned their lesson after the music CD DRM fiasco, which cost them millions. However, they have now started infesting PC gaming with their invasive DRM. Facts have surfaced that show that the recently released PC game BioShock installs a rootkit, which embeds itself into Explorer, as part of its SecureROM copy-protection scheme. Not only that, but just installing the demo infects your system with the rootkit. This begs the question: Since when did demos need copy protection?"
This discussion has been archived. No new comments can be posted.
  • Sony (Score:5, Interesting)

    by jshriverWVU (810740) on Monday August 27 2007, @10:42AM (#20371527)
    What happened to Sony? Growing up they always seemed like a great tech company, pumping out quality products that most people liked. When did politics and this kinda crap really start. It's sad.
    • Re:Sony (Score:5, Interesting)

      by Prof.Phreak (584152) on Monday August 27 2007, @10:46AM (#20371589) Homepage
      It started when they became an entertainment corp, rather than a technology corp.
        • Re:Sony (Score:5, Funny)

          by Anonymous Coward on Monday August 27 2007, @11:09AM (#20371945)
          I'm finding this all quite entertaining, I must say. So I think that's your answer.
    • Re:Sony (Score:5, Insightful)

      by plover (150551) * on Monday August 27 2007, @10:47AM (#20371613) Homepage Journal
      It happened when they added a movie studio and a recording label to the corporation. The media side of the house demanded copy protection from the technical side of the house, without understanding the technical limitations.
    • Re:Sony (Score:5, Insightful)

      by Otter (3800) on Monday August 27 2007, @10:54AM (#20371717) Journal
      When did politics and this kinda crap really start.

      Hype here notwithstanding, this is not a "rootkit". It seems to be a bizarre form of write-protection.

      • Re:Sony (Score:5, Informative)

        Yes, it is a rootkit. It's modifying the kernel space to hide directories from the user. There are better ways of doing such a thing, but a rootkit has the advantage of keeping the files hidden from common methods of hidden-file detection. Something like a virus or trojan would tend to use a kit like this to make sure that it couldn't be found by antivirus software. Such kits also tend to mask the presence of their processes, just to make sure that they REALLY can't be detected.
      • Re:Sony (Score:5, Informative)

        by harrkev (623093) <kfmsdNO@SPAMharrelsonfamily.org> on Monday August 27 2007, @11:19AM (#20372091) Homepage

        Please note: this software simply creates a directory that is hidden from the Windows API for its fingerprint authentication. It's not actually a rootkit.


        Please note the definition of "rootkit," ripped from the beginning of the rootkit wikipedia article:

        A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system.


        If it looks like a duck, quacks like a duck, yada yada yada.
  • Hidden files (Score:5, Insightful)

    by king-manic (409855) on Monday August 27 2007, @10:43AM (#20371549)
    Is root kit now the new buzzword for "please send me traffic"? This isn't the same as a rootkit, it's just an annoyingly hidden directory. Can we tag this as FUD?
    • Re:Hidden files (Score:5, Insightful)

      by j00r0m4nc3r (959816) on Monday August 27 2007, @10:48AM (#20371633)
      It doesn't matter what their intent is, they are using rootkit techniques to hide shit on your computer. This allows other parties to piggyback on that tech and install other nastier UNDETECTABLE malware. It would be like if your house cleaning lady leaves your front door wide open when she leaves. Someone could stroll in, fuck your shit up, and leave undetected. Definitely something to seriously worry about.
    • Re:Hidden files (Score:5, Insightful)

      by Applekid (993327) on Monday August 27 2007, @10:50AM (#20371653)
      Hiding from the API is pretty important, actually. That's done by pulling the rug under the pointers to the functions that retrieve lists of files/directories. If that's not a Windows rootkit, what is?

      And much like their last rootkit, this one can easily be used to cloak files on your system and is pretty much a fantastic place to put your virus. Way to really push the limits, guys.
    • Re:Hidden files (Score:5, Informative)

      by MontyApollo (849862) on Monday August 27 2007, @10:50AM (#20371669)
      First sentence from wikipedia article:

      "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"

      So, it sounds like a rootkit as described by wikipedia.
      • So, it sounds like a rootkit as described by wikipedia.

        Not for long! *rushes to edit wikipedia*

        "A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system, except when it's with Sony products"

        There! Now by definition, sony's isn't a rootkit anymore! :D

        (Legal Disclaimer: This was actually a joke, I didn't vandalize wikipedia or the like. <-- you can't never be too sure these days)
        • Re:Hidden files (Score:5, Informative)

          by aztracker1 (702135) on Monday August 27 2007, @11:10AM (#20371953) Homepage
          If it doesn't show up in nautilus via ctrl+h it is... if it doesn't show up in windows with "show hidden files and folders" checked it is.... simply setting an *intended* file system attribute isn't the same as hiding from the operating system.
  • kiosk (Score:5, Insightful)

    by SolusSD (680489) on Monday August 27 2007, @10:47AM (#20371615) Homepage
    It seems to me that our personal computers are becoming more and more like kiosks where "vendors" install software they want and the "end users", i.e. us, have less and less control over our own PCs. Think about it- DRM, (truly) hidden folders, subscription software, product activation, ..vista?
  • Wow... (Score:5, Interesting)

    by shoptroll (544006) on Monday August 27 2007, @10:49AM (#20371639)
    Did anyone read the article before coming up with the post title? They say right in the middle of the article that it's not a rootkit, and "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

    This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.
  • A Nasty Trick (Score:5, Interesting)

    by Sigismundo (192183) on Monday August 27 2007, @10:56AM (#20371737)
    It reminds me of the time that some friends and I discovered that a labmate had left himself logged in as root on a virtual console at his Linux workstation. Here's what we did:
    1. Created a directory with the name " " (single space)
    2. Added that directory to his path
    3. Wrote a Perl script that would spit out a random quote from zippy 1/3 of the time, and then execute the program pointed to by argv[0]
    4. Populated the special hidden directory with symlinks to the perl script, each given the name of a common command like ls, ps, and so on.

    So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.

  • Desensitized (Score:5, Interesting)

    by Dachannien (617929) on Monday August 27 2007, @11:19AM (#20372079)
    The overuse of the term "rootkit" points to (at least) one thing: we've become so desensitized to security hazards that it takes a new buzzword for nefariousness to grab people's attention. Regardless of whether this is itself a rootkit or not, it's still a security hazard, and what's perhaps more ironic, that hazard was created in an attempt to effect "security through obscurity".

    • Re:Consider (Score:5, Insightful)

      by wizardforce (1005805) on Monday August 27 2007, @10:52AM (#20371685) Journal

      Isn't software behaving like that already considered malware?
      yes and no. it depends on what and how you use it. if you use the property of hiding directories as a simple way of keeping data from less experienced people [eg. slashdotters hiding the porn from their parents] then it isn't malware; in this case sony's software doesn't seem to be hiding a directory for any good purpose, so yes it is malware.
      • Re:Consider (Score:5, Insightful)

        by B'Trey (111263) on Monday August 27 2007, @10:59AM (#20371793)
        No. The distinction is WHO's doing the hiding. If a user on the computer intentionally hides files or directories from other possible users on the computers, it's not malware. It may or may not be ethical, depending on who's doing the hiding and why. Presumably, it's the owner of the computer and they have a right to hide info from prying eyes. If not, the issue is with the user's actions and not with the software. If, however, a program creates files or directories and hides them (by means other than simply using the H attribute, at least) from the owner/user of the computer, it's malware. It's understandable for a content owner to wish to protect their content, but that doesn't justify them altering the behavior of a computer without the owner's express understanding and permission for what they're doing.
    • by LarsG (31008) on Monday August 27 2007, @11:20AM (#20372093) Journal
      First, the article has so many grammatical errors, that it's laughable.

      F-Secure is from Finland. You try writing Finnish some time.

      My "Windows API" as this article calls Explorer, is already set to view hidden folders.

      Turn in your geek card at the door when you leave.

      This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.

    • by deftcoder (1090261) on Monday August 27 2007, @11:28AM (#20372197)
      Hi.

      They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.

      This is quite different than simply toggling a flag for a given directory.
    • by deftcoder (1090261) on Monday August 27 2007, @11:24AM (#20372151)
      A malicious driver is being installed that patches the Win32 API ( FindFirstFile() and FindNextFile() ) not to report the presence of a directory when enumerating through your C:\Windows folder.

      How is this *NOT* a rootkit? This is the very definition of one!
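The two points argued in the LarsG and deftcoder posts above (a directory carrying the H attribute is still returned by the file-enumeration API and only filtered by Explorer's checkbox, whereas a driver that patches FindFirstFile/FindNextFile removes the entry from the API's answer altogether, and rootkit hunters catch the latter by comparing the raw on-disk directory against the API view) can be shown with a small cross-view model. This is an added example written for this page, not code from F-Secure, Sony, or any rootkit detector; the directory entries, the cloaked name `cloaked_dir`, and the `api_view`/`explorer_view`/`cross_view_diff` functions are all constructed here to illustrate the check, and the "raw" listing stands in for what a real tool would obtain from its own NTFS parser.

```python
"""Cross-view detection of an API-cloaked directory.

Added example for this thread (not F-Secure's, Sony's, or any real tool's code).
It models three things the discussion distinguishes:
  * an honest 'hidden' directory (FILE_ATTRIBUTE_HIDDEN set, still enumerable),
  * a directory suppressed from the enumeration API by a patched driver,
  * the cross-view check: raw on-disk entries versus what the API reports.
All entries and the cloaked name are constructed sample data.
"""
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x02      # real Win32 attribute values
FILE_ATTRIBUTE_DIRECTORY = 0x10


@dataclass(frozen=True)
class DirEntry:
    name: str
    attributes: int


# Constructed stand-in for what a raw NTFS parser would read from C:\Windows.
RAW_WINDOWS_DIR = [
    DirEntry("System32", FILE_ATTRIBUTE_DIRECTORY),
    DirEntry("Temp", FILE_ATTRIBUTE_DIRECTORY),
    # Honest hidden directory: only the H attribute is set.
    DirEntry("private", FILE_ATTRIBUTE_DIRECTORY | FILE_ATTRIBUTE_HIDDEN),
    # Hypothetical name the patched driver never reports (constructed).
    DirEntry("cloaked_dir", FILE_ATTRIBUTE_DIRECTORY),
]

# Hypothetical set of names the patched driver suppresses (constructed).
CLOAKED_NAMES = {"cloaked_dir"}


def api_view(raw_entries, cloaked_names=CLOAKED_NAMES):
    """Model of FindFirstFile/FindNextFile after the driver patch: entries whose
    name matches a cloaked name are simply never returned.  Note that the
    H-attribute entry IS still returned; the API does not filter on it."""
    lowered = {n.lower() for n in cloaked_names}
    return [e for e in raw_entries if e.name.lower() not in lowered]


def explorer_view(api_entries, show_hidden=True):
    """Model of Explorer's 'show hidden files and folders' checkbox: it only
    decides whether H-attribute entries the API returned get displayed.  It
    cannot reveal anything the API never reported."""
    if show_hidden:
        return list(api_entries)
    return [e for e in api_entries if not e.attributes & FILE_ATTRIBUTE_HIDDEN]


def cross_view_diff(raw_entries, api_entries):
    """The check rootkit hunters apply: any name present in the raw directory
    but absent from the API enumeration is flagged.  Returns sorted names."""
    api_names = {e.name.lower() for e in api_entries}
    return sorted(e.name for e in raw_entries if e.name.lower() not in api_names)


def classify(raw_entries, api_entries):
    """Label each on-disk entry as 'visible', 'hidden-attribute' (honest H flag,
    still enumerable) or 'cloaked' (missing from the API view entirely)."""
    cloaked = set(cross_view_diff(raw_entries, api_entries))
    labels = {}
    for e in raw_entries:
        if e.name in cloaked:
            labels[e.name] = "cloaked"
        elif e.attributes & FILE_ATTRIBUTE_HIDDEN:
            labels[e.name] = "hidden-attribute"
        else:
            labels[e.name] = "visible"
    return labels


if __name__ == "__main__":
    api = api_view(RAW_WINDOWS_DIR)
    print("Explorer, hidden shown:   ", [e.name for e in explorer_view(api)])
    print("Explorer, hidden not shown:", [e.name for e in explorer_view(api, show_hidden=False)])
    print("Cross-view discrepancies:  ", cross_view_diff(RAW_WINDOWS_DIR, api))
    print("Classification:            ", classify(RAW_WINDOWS_DIR, api))
```

Running it shows `private` appearing in the API view (and disappearing only when Explorer's checkbox is off), while `cloaked_dir` is absent from the API view no matter what Explorer is set to, and is the single name the cross-view comparison reports. The same comparison returns an empty list when nothing is cloaked, which is the baseline a clean machine should produce.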