Another Sony Rootkit? 317
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
Re:Hidden files (Score:5, Informative)
"A rootkit is a set of software tools intended to conceal running processes, files or system data from the operating system"
So, it sounds like a rootkit as described by wikipedia.
Re:Sony (Score:2, Informative)
Re:Sony (Score:5, Informative)
As to DVD - Not sure about the original DVD format, but Sony effectively created the recordable DVD format war with the + series of formats.
And yes, Sony had a role in VHS vs. Beta - Beta was Sony's format.
Re:Sony (Score:5, Informative)
Re:Hidden files (Score:2, Informative)
Re:Wow... (Score:3, Informative)
Re:Hidden files (Score:5, Informative)
Re:Sony (Score:5, Informative)
Re:Sony (Score:5, Informative)
Please note the defenition of "rootkit," ripped from the beginning of the rootkit wikipedia article:
If it looks like a duck, quacks like a duck, yada yada yada.
Re:This article is retarded (Score:5, Informative)
F-Secure is from Finland. You try writing Finnish some time.
My "Windows API" as this article calls Explorer, is already set to view hidden folders.
Turn in your geek card at the door when you leave.
This is a driver that patches the Windows APIs in order to hide a directory. It will not show in Explorer or in any other program for that matter, even if Explorer is set to show 'hidden files'. Rootkit hunters like Blacklight and Rootkit Revealer do not flag regular 'hidden directories'. They read and parse the raw on-disk directory structure (that is, they have their own NTFS parser) and compare that to what the Windows FS API reports.
Re:This article is retarded (Score:5, Informative)
They are patching 2 API functions, FindFirstFile() and FindNextFile(), not to report the presence of a directory. They are doing this by loading a malicious *DRIVER*.
This is quite different than simply toggling a flag for a given directory.
Oversimplification (Score:3, Informative)
Re:Format before use (Score:3, Informative)
Well, if it is anything like the ones for security doors that are being pushed as "unbeatable" on Homeland Security then yes. The Myth Busters did a whole thing on it and beat it not once, not twice, but ALL the tries they did.
http://www.youtube.com/watch?v=LA4Xx5Noxyo [youtube.com]
Re:Sony (Score:3, Informative)
Generally, yes. A virus could check for the existence of one of these rootkits, and abuse its hidden locations to hide itself. Which means that a virus can hide from even rootkit detectors in the shadow of "legitimate" software.
Re:Sony (Score:3, Informative)
Re:Sony (Score:5, Informative)
Re:Sony (Score:3, Informative)
I think that nobody really considered how much people would trade tapes between themselves. You can live with incompatibility when you keep stuff to yourself, but if you want to watch a TV show that someone else taped and you have a different system, well, you're SOL.
Of course you could get porn on Beta. Long before you could get prerecorded Hollywood movies (at least the ones that *weren't* made from midnight showings before a video camera), you could get porn. A friend of mine bought an early model Sony in 1976 and he seems to have found porn tapes easily enough.
Re:Sony (Score:3, Informative)
The purpose of a rootkit is to let you get back in easily later, or once you're in, to let you get `root' easily. The Bioshock SecuROM thing *is* a rootkit -- the service it installs is there to let the SecuROM stuff run as a privileged account, and that's what rootkits do (it's also what things like `su' do.) But merely hiding a directory doesn't make it a rootkit. (It's probably still malware, but a different kind of malware.)
Rootkits often do attempt to hide themselves, but merely hiding yourself doesn't make you a rootkit.
Re:Sony (Score:4, Informative)
Re:Sony (Score:2, Informative)
- a Sony Ericsson employee
Re:Sony (Score:5, Informative)
If it looks like a duck, quacks like a duck, yada yada yada.
We need to be more careful to cry wolf when there's, you know... a wolf. Otherwise, when some company decides to deploy a real rootkit again, no one is going to listen to us.
You're missing the point. (Score:5, Informative)
The intentions behind the software are irrelevant. The only thing that matters is what it does. What this software does is an end-run around the operating system, deliberately hiding things that should not and need not be hidden.
Why shouldn't it be hidden? Because as has already been pointed out, malicious software can take advantage of the rootkit—which is what this is—as an attack vector to control someone's machine without their knowledge, and with damn little they can do about it.
Please remember also that a lot of computer viruses and worms didn't start out with people saying, "I'm going to write a computer virus today!" They started out with someone saying, "Hmmm... I wonder if that would work..." and it goes from there. In fact, the guy who is credited with writing the first computer virus [slashdot.org] said, "It was a practical joke combined with a hack. A wonderful hack." Maybe, but it's stupid to deny what it was, a virus, just as it is to deny what this is, a rootkit.
Re:Sony (Score:2, Informative)
This would take, what, one minut to find out using that thing called the Internet?
Re:Sony (Score:3, Informative)
Re:Sony (Score:1, Informative)
As mentioned by other posters, both Philips and Sony developed the CD. But there's more, they also worked together on the SP/DIF, also known as toslink, digital audio standard. Sony also created the DAT, which you may be more familiar with as the DDS tapes found in my Unix systems.
They've had their shares of screwups, but also some very successful products. The MD was quite successful in Europe as well. I had one until the flash-based mp3 players become really cheap.
Why the rootkit fiascos I don't know. Probably conflict of interest by being both an entertainment conglomerate and a technology company. Thankfully those rootkits only affect Windows, so I don't really care :)
Glass
Re:You're missing the point. (Score:3, Informative)
The intentions behind the software are irrelevant. The only thing that matters is what it does.
The bottom line is that this is not a rootkit. It's simply not. The term rootkit refers to a class of software that hides its existence from the OS, and this software does not do that. There's also the matter of the goal (you mentioned intent, but I think goals are more quantifiable and measurable). Rootkits have as their goal the subversion of system security. It doesn't matter if their DRM-enforcement modules from Sony CDs or virus delivery vectors. They exist to prevent the system from being aware of their installation and preventing their deinstallation. This software does not have any such goal. Its goal is to prevent casual API calls from accessing sensitive biometric data. Period.
I'm all for slapping Sony around over distributing software that has a security problem (e.g. it can provide safe harbor for malicious code), but let's not throw around the word "rootkit" unless we really mean a piece of software that tries to mask its existence on the system. Otherwise, we'll just have to come up with a new word for that.
Re:Rootkits aside... (Score:3, Informative)
Example: Daemon Tools, a popular virtual drive program, uses rootkit-esque behavior to hide its drivers from the various game copy protections it aims to defeat. It's a rootkit for a legitimate purpose. This is not.
It's a malicious driver attempting to hide things from the user without their consent. QED.
Re:Sony (Score:3, Informative)
Re:You're missing the point. (Score:3, Informative)
That said, I'm actually not sure that this is as much of a problem as F-Secure has claimed.
What the software is doing is creating a hidden directory that the standard Windows API can't access except by explicit path name (e.g. it doesn't show up in the directory contents). So, here's the question: what does this gain a malicious program? Sure, such a directory is handy, but your friendly neighborhood worm or spyware could just create such a directory itself. It doesn't help the software in question get past local virus scanners in the first place, only hide from them subsequently... so what's the issue, here? What has Sony done that actually improves the situation for any malware?
I'm not saying it's a good policy to have such directories, but I'm also not sure that this is a serious security problem especially since, obviously, F-Secure's software was able to detect it.
Re:Sony/Phillips (Score:3, Informative)