Another Sony Rootkit? 317
An anonymous reader writes to tell us F-Secure is reporting that the drivers for Sony Microvault USB sticks uses rootkit techniques to hide a directory from the Windows API. "This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company — Sony Corporation. The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
Sony (Score:5, Interesting)
Format before use (Score:4, Interesting)
And using OS that won't run anything from the newly attached memry as a default would also help.
Re:Sony (Score:5, Interesting)
Re:Sony (Score:3, Interesting)
Wow... (Score:5, Interesting)
This is also nothing new in terms of USB drives. I have a USB flash drive, which I can't remember the name of, that essentially keeps a secure partition hidden from Windows unless you run a special app to put in a password to make it visible to Windows.
Re:Sony (Score:4, Interesting)
MD disks were actually very successful across asia. They didn't find a market in North America. In the same span they have also created the 3.5 inch floppy, the CD, and had a bit of input on the DVD. It's be more accurate to describe their format strategies as being hit and miss since they have been part of some huge dogs (beta, UMD) and some very successful formats (CDs, 3.5 inch floppies).
A Nasty Trick (Score:5, Interesting)
So whenever he ran a common command from his shell, he would first get a random quote from fortune appearing, followed by normal command output. He figured it out pretty quickly, but I like to think that there were a few moments where he entertained the idea of his workstation gaining sentience.
Desensitized (Score:5, Interesting)
Re:Sony (Score:2, Interesting)
All it proves is that since you could get porn on VHS and you couldn't on Beta, people like porn, so they stuck with VHS.
Re:Sony (Score:4, Interesting)
Last straw for me... (Score:3, Interesting)
I imagine though, that an outburst of uncontrollable laughter from my boss while telling him about this is a sign of job security.
Is there an anti-rootkit utility that would be updated/recent enough to facilitate this infection? Or the fact that I can view it from command line mean that I can remove it manually from there? I don't have to worry about re-infection because I already threw 2 of them straight in the trash, no use even giving them to a friend.....
Re:Sony (Score:5, Interesting)
Since I was there, I pulled out a Sony camera I was trying to get a USB cable for. Again, no deal. This camera was North American Sony, and they didn't have those kinds of Sony cables in Japan.
Sigh. This insistence on ignoring standards and doing everything themselves - not even consistently across the world - bugs me like hell. I doubt I'll buy any more Sony consumer electronics until they get it. Hope they do - they know how to make nicely designed bits of technology.
Re:How to hide files (Score:2, Interesting)
Virtually undetectable for the casual user:
They don't show up in explorer and other file managers and task manager even shows the name of the host file.
Re:A virus could put its files in the hidden folde (Score:4, Interesting)
%USERPROFILE%\Local Settings\Temporary Internet Files\Content.IE5
Or this one?
%USERPROFILE%\Local Settings\Temporary Internet Files\OLK6F
Maybe one this windows built in rootkit folder?
c:\$Extend
c:\$AttrDef
c:\$BadClus
c:\$Bitmap
c:\$Boot
c:\$LogFile
c:\$Secure
c:\$Volume
All which the handy SysInternals hides as "Standard NTFS Metadata Files" by default.
The existence of these files/folders are hidden to most users and most of them don't even know about them. You think virus scanners check the c:\$Extend folder? Is someone willing to drop in a known virus and see if it detects it? Honestly, I'm curious as to how many actually check this folder...
Re:Sony (Score:4, Interesting)
I went there, but no luck. They do not sell laptops in Serbia (mine was brought from UK), so they gave me the telephone of one repair shop, but they were not sure if they could help me. Repair shop sent me to another repair shop, and so on... After three hops, they explained me what's the issue. Sony has very rigid standards for their repair shops. To be their certified repairmen, you have to guarantee that you'll solve all problems in 24 hours. They were not able to find anyone capable of that in Serbia, so they don't have any repair shop in Serbia.
That's very interesting policy. Instead to give second class service to your customers, you give them - none.
Can't affect me ... (Score:1, Interesting)
Will you buy Sony products?