Sony + Rootkits = Trouble (again!)

Summary: Somebody over at Sony must have a thing about rootkits because once again the company is caught trying to cloak files on systems using what security company F-Secure describe as "rootkit-like behavior." This time the product afflicted is Sony's MicroVault USM-F fingerprint reader software that is supplied with fingerprint-protected USB flash drives.

The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place. [emphasis added]
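The two properties F-Secure describes (the directory vanishes from enumeration, yet can still be opened by name) are exactly what cross-view rootkit detectors look for. The Go program below is an added example, not code from the post, from F-Secure or from Sony: a small filter function stands in for the hiding driver, a temporary directory with constructed names stands in for `c:\windows\`, and two checks are run against it, a diff between the raw and the API view, and a by-name probe of candidates the listing omits.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// ListFunc models a directory-listing API. A listing that passes through a
// filter driver (or a hooked API) may come back with some names removed.
type ListFunc func(dir string) ([]string, error)

// rawListing reads the directory with no filtering. It stands in for the
// "low-level view" (e.g. parsing the volume's own structures) that
// cross-view detectors compare against the API view.
func rawListing(dir string) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	names := make([]string, 0, len(entries))
	for _, e := range entries {
		names = append(names, e.Name())
	}
	sort.Strings(names)
	return names, nil
}

// HookedListing simulates the behaviour described in the post: the listing
// succeeds, but the given names are silently dropped. This is a constructed
// stand-in for a kernel driver; no kernel code is involved.
func HookedListing(hidden ...string) ListFunc {
	hide := make(map[string]bool, len(hidden))
	for _, h := range hidden {
		hide[h] = true
	}
	return func(dir string) ([]string, error) {
		all, err := rawListing(dir)
		if err != nil {
			return nil, err
		}
		visible := []string{}
		for _, n := range all {
			if !hide[n] {
				visible = append(visible, n)
			}
		}
		return visible, nil
	}
}

// CrossViewDiff returns every name the raw view knows about that the API
// view does not report. A non-empty result is the classic rootkit signal.
func CrossViewDiff(dir string, api ListFunc) ([]string, error) {
	raw, err := rawListing(dir)
	if err != nil {
		return nil, err
	}
	reported, err := api(dir)
	if err != nil {
		return nil, err
	}
	visible := make(map[string]bool, len(reported))
	for _, n := range reported {
		visible[n] = true
	}
	missing := []string{}
	for _, n := range raw {
		if !visible[n] {
			missing = append(missing, n)
		}
	}
	return missing, nil
}

// ProbeUnlisted uses the second property from the post: an entry hidden
// from enumeration can still be opened by name. It returns the candidates
// that are absent from the API listing yet answer to a direct stat.
func ProbeUnlisted(dir string, api ListFunc, candidates []string) ([]string, error) {
	reported, err := api(dir)
	if err != nil {
		return nil, err
	}
	visible := make(map[string]bool, len(reported))
	for _, n := range reported {
		visible[n] = true
	}
	reachable := []string{}
	for _, c := range candidates {
		if !visible[c] {
			if _, err := os.Stat(filepath.Join(dir, c)); err == nil {
				reachable = append(reachable, c)
			}
		}
	}
	return reachable, nil
}

func main() {
	// Constructed sample tree: one ordinary file, one directory the
	// simulated driver hides.
	root, err := os.MkdirTemp("", "crossview")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "normal.txt"), []byte("ok"), 0o644)
	os.Mkdir(filepath.Join(root, "hiddendir"), 0o755)

	api := HookedListing("hiddendir")
	hidden, _ := CrossViewDiff(root, api)
	fmt.Println("hidden from the API view:", hidden)
	probe, _ := ProbeUnlisted(root, api, []string{"hiddendir", "nosuchdir"})
	fmt.Println("unlisted but openable by name:", probe)
}
```

On a real system the raw view would come from somewhere the driver cannot interpose on (an offline copy of the volume, or a scanner that parses the file system itself), which is why F-Secure notes that only some antivirus engines see the directory.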

Frankly, I'm surprised that Sony is caught up in yet another rootkit mess. After the whole Sony BMG fiasco from a few years ago I would have thought that it would be a no-no to use rootkits or do anything that looked vaguely rootkit-like. Apparently not. Maybe someone didn't get the memo ...

Some companies just don't seem to learn.

Needless to say, steer clear of these Sony MicroVault USB flash drives, at least until this mess is sorted out.

Topic: Hardware


Talkback

21 comments
  • Getting the lesson across...

    IANAL, but my reading of the (Federal) Computer Fraud and Abuse Act says that at least the first of the Sony rootkit episodes is a serious felony. Since Kaspersky documented that many DOD computers were in fact involved, someone at Sony should have been doing at least ten years in Leavenworth.

    *That* is how to get them to stop...
    cjcoats
    • I doubt it

      I doubt that even if a few highly placed people at Sony were put in prison for the rest of their lives, that Sony would learn their lesson.
      I mean, for goodness sakes, what in the world would a FINGERPRINT CONFIRMING SYSTEM need a rootkit for? I can't think of any reason, unless they want to make absolutely sure that someone can't change files connected with that service. Even then, there are better ways in Windows XP and Vista to do that.
      Leria
  • Thanks F-Secure

    You know there may be some folks out there that take companies like F-Secure for granted. I on the other hand do not.

    Sony is off my list of manufacturers in my household since the first time they got caught with their pants down on the Rootkit thing.

    It's all fun and games until someone goes to jail and maybe that's the way it should be. But even then, I don't think that will stop them. One sure way is cutting their profit margins to shreds, sue them for millions and millions of dollars -- I know they took a hit on PSP III
    Kromaethius
  • Who gives a crap about Sony flash drives anyway?

    Sandisks seem to work fine and last quite a long time.
    Taz_z
  • M$ is as guilty as $ony

    "So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API."
    Only windoze is that dumb not to show the files, and $ony the crook eager to exploit it.
    Linux Geek
    • You're not helping, Geek.

      *ix operating systems (including Linux, probably BSD-based OS X, and, I expect, most others) include ways to hide directory contents. In Linux, clearing any of the three "x" bits in the permissions field of a directory (using, e.g., "chmod -x dirname") makes the directory unscannable. It's a routine security precaution.

      The difference, I suspect, between Linux and Windows is that Windows filesystems appear to be less well protected from the actions of "ordinary" (I don't know what the real Windows term is) Windows users than Linux filesystems are from the actions of non-root/non-group Linux users.
      Henrik Moller
      • it's not merely an attribute change....

        It is about hacking the kernel to change the win32 API behaviour.
        Linux Geek
    • The Sony driver modifies the Windows kernel

      Sorry to feed the troll, but...

      When you install the Sony driver, that driver modifies (patches) the Windows kernel so that it skips over the directory in question. PatchGuard, aka kernel patch protection, which is available on x64 versions of Windows would have stopped this cold in its tracks.

      So don't say Microsoft isn't trying to do something about this itself--it is, via PatchGuard. Which, stupidly, anti-virus companies are *against*.
      PB_z
  • All your hyperventilating doesn't make it a rootkit

    It's not a rootkit. It's barely even "rootkit-like behavior" -- it's a freaking hidden directory. Have you inherited Little Davie Berlind's position of official hyperventilator?
    Vesicant
    • Eh?

      Here's what F-Secure had to say:

      "The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under 'c:\windows\'."

      The crucial part being;

      "installs a driver that is hiding a directory under 'c:\windows\'"

      If that's not rootkit-like, care to explain what is?
      Adrian Kingsley-Hughes
      • Think they'll give the same deflection again?

        Remember this choice quote: "Most people don't know what a rootkit is, so why should they care?"
        Tony Agudo
      • Technically...

        ... a "rootkit" is the installed software that, presumably, interacts with the computer in ways ordinary users can't. Nothing says it has to be installed in a hidden directory. I haven't a clue what Sony's driver does, but just because it's in a hidden directory doesn't mean it's malevolent, though I agree that hiding it was a lousy thing to do from a PR point of view.
        Henrik Moller
  • Not Just Sony

    According to posts I've read regarding BioShock, its validation program, SecuROM, does the same thing. Hidden folder and a null entry registry key. Neither of which are removed with an uninstall. The registry key can't be changed through Regedit, but a fix has been found and posted.

    I don't mind a publisher validating a program or, if I want something badly enough, enforcing DRM.

    I do not like any company that dumps a hidden folder on my system, makes it invisible (but able to be used/manipulated), and adds registry entries that are invisible.

    It's a very gray area of overlap between publisher's rights and what they're permitted to do to my computer. Basically, once I'm done with their program and remove it, it should be completely gone - no hidden crap left behind. It's my computer and I do my best to protect it against malware, botware, viruses, etc. without them doing crap like this to a system I own. And I don't buy the crap like "well you don't need to accept the EULA." The EULA shouldn't give them unknown/unwanted access to my system. Period.
    DaffyDuck
  • Ummm...

    Okay, so it looks and acts like a rootkit. I'll give them that. Bad Sony.

    But how exactly else is a company supposed to provide a SECURE method of fingerprint scanning that isn't able to be blocked by a hacker? I mean, that's the whole reason for the fingerprint device, right?

    By integrating themselves into the kernel, just like rootkits, it becomes very hard to interfere with their operation, thus making them as secure as they can short of direct BIOS support.

    Their problem was in making the directory openly accessible by anything other than the driver itself.

    I'm by no means a Sony flag raiser. I haven't bought a Sony BMG disc since the earlier debacle, or any CDs for that matter as part of my DRM protest. Maybe I'm reading the article wrong, but how else were they supposed to do it?

    The only way I could think is that the devices themselves would have to provide a hard-coded driver as part of their presence announcement on the USB bus. But I don't think USB supports that, nor would it be foolproof as a virus could just try to block all USB device detection. It would also mean that the hardware manufacturers would have to program a driver correctly, the first time, for once, since the only way to make it truly secure would be to have the driver be unmodifiable in the hardware.
    Zorched
    • ever heard of signing the binaries or certificates?

      Any self-respecting security software would create a cryptographic hash or certificate that would stop the software from running if it had been tampered with.
      Heck, even M$ is ahead of $ony on this topic!
      Linux Geek
      • The driver itself is not the exact issue...

        It's the directory that it's hiding in. According to the articles, the directory that is hidden and unscannable yet accessible is what is the problem. Malware could hide and run in that directory with impunity. Placing the driver somewhere else apparently makes it vulnerable... Why else would they place it there and not somewhere else?

        Okay, playing devil's advocate, say we have a hash... how do you update the driver then? If a different hash is provided by Sony with the upgrade then what's to keep a hacker from devising his own 'patch' and providing a hash? Granted, I haven't done much cryptographic study so I'm just tossing out ideas...
        Zorched
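The exchange above (signing as the alternative to hiding, and the follow-up question of how a signed driver can still be updated) comes down to who can produce the integrity value. A hash that ships alongside the file proves nothing about origin, because whoever altered the file can recompute it; a signature checked against a vendor public key that was shipped with the original installation does. The Go program below is an added example, not code from the post or from Sony: it uses Ed25519 from the standard library, a made-up package layout (signature over SHA-256 of the driver bytes), and constructed driver contents.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePackage is what a vendor ships: driver bytes plus integrity data.
// Layout is an assumption made for this example.
type UpdatePackage struct {
	Driver    []byte
	SHA256    string // detached hash, as in the "just provide a hash" idea
	Signature []byte // Ed25519 signature over SHA-256(Driver)
}

// PublishWithHashOnly models the weak scheme from the comment: the hash
// travels with the file, so anyone who can alter one can alter the other.
func PublishWithHashOnly(driver []byte) UpdatePackage {
	sum := sha256.Sum256(driver)
	return UpdatePackage{Driver: driver, SHA256: hex.EncodeToString(sum[:])}
}

// VerifyHashOnly checks the file against whatever hash came with it. It
// catches corruption in transit, but not a deliberate substitution.
func VerifyHashOnly(p UpdatePackage) bool {
	sum := sha256.Sum256(p.Driver)
	return hex.EncodeToString(sum[:]) == p.SHA256
}

// Vendor holds the signing key, which never leaves the vendor.
type Vendor struct{ priv ed25519.PrivateKey }

// NewVendor generates a key pair; the public half is what the installer
// pins on the customer's machine.
func NewVendor() (Vendor, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Vendor{priv: priv}, pub, err
}

// Publish signs the driver. The hash is kept for convenience, but the
// signature is what carries the trust.
func (v Vendor) Publish(driver []byte) UpdatePackage {
	p := PublishWithHashOnly(driver)
	sum := sha256.Sum256(driver)
	p.Signature = ed25519.Sign(v.priv, sum[:])
	return p
}

// VerifySigned is what the already-installed software runs, using the
// pinned vendor key. A new driver version passes because the vendor signed
// it; a package re-hashed or re-signed by anyone else does not.
func VerifySigned(pub ed25519.PublicKey, p UpdatePackage) error {
	if !VerifyHashOnly(p) {
		return errors.New("hash mismatch: package corrupted")
	}
	sum := sha256.Sum256(p.Driver)
	if !ed25519.Verify(pub, sum[:], p.Signature) {
		return errors.New("signature not from the pinned vendor key")
	}
	return nil
}

// ForgedPackage models the case the comment worried about: a third party
// alters the driver and supplies a fresh hash and a signature made with a
// key of their own. It exists only so the verifier can be shown rejecting it.
func ForgedPackage(alteredDriver []byte) (UpdatePackage, error) {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return UpdatePackage{}, err
	}
	return Vendor{priv: otherPriv}.Publish(alteredDriver), nil
}

func main() {
	vendor, pub, err := NewVendor()
	if err != nil {
		panic(err)
	}
	v1 := vendor.Publish([]byte("constructed driver v1"))
	v2 := vendor.Publish([]byte("constructed driver v2"))
	forged, _ := ForgedPackage([]byte("constructed driver v2, altered"))

	fmt.Println("v1 genuine:", VerifySigned(pub, v1))
	fmt.Println("v2 update :", VerifySigned(pub, v2))
	fmt.Println("forged, hash-only check passes:", VerifyHashOnly(forged))
	fmt.Println("forged, signature check:", VerifySigned(pub, forged))
}
```

The update question answers itself once the key is pinned: every future version is signed with the same vendor key, so the client needs no new hash from anyone, and a package whose hash checks out but whose signature does not is the substitution case the comment was asking about.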
  • One Less to Choose From

    No more Sony products for me. No Vaio, no Cyber-shot, no BRAVIA.
    DarienHawk67
  • Some never learn.

    Given what their attitude was after the first rootkit fiasco, I don't expect any better from Sony. A company that considers users on par with pond scum or amoeba does not get my money.
    kraterz
  • Poor design standards.

    I don't know for sure, since I don't work for Sony. But this kind of thing smacks of poor design standards and sloppy programming more than some kind of "evil" intent by Sony.

    They probably outsourced the code to some no-name inexperienced subcontractor who came up with this back-door scheme because they didn't know (or care) about more conventional trust chains that are not as subversive as the technique they threw together.

    But it does point out a basic security failure in the Windows paradigm and the suppliers who operate in it: 99.999% of software packages for Windows are installed using administrator privileges, and can modify anything they want in Windows. Even the most innocuous software can cause instability in the Windows kernel. And there's absolutely nothing the user can do about it before or afterwards. There is nothing that FORCES the software developer to consider security or stability as design factors, and nothing that truly PROTECTS the operating system from negligent design or coding practices.

    Is it Microsoft's fault? Maybe, but PC users bear responsibility as well. In the mainframe and mini days, administrators were more diligent about installing software on their machines, often demanding detailed inspections of the software and doing their own testing for design and coding flaws that could affect system reliability, security, and performance. But PC users have grown accustomed to slapping any old software on their computer with little regard for the after-effects. They either don't even consider the consequences, or they expect the OS and maybe their virus scanner to "protect" them from their own actions.

    So who's to blame, the fool who creates the crappy software, or the fool who installs crappy software on his system?
    terry flores
    • Crappy Software

      It's pretty obvious who's to blame, sloppy programmers. 99.999% of computer users expect properly and securely coded software, nay demand it, that's why we pay a premium for our software. We buy it, install it and expect it to work, without crashing or putting our O/S at risk (whatever the O/S we choose). It's not down to us to inspect it for bugs, that's down to the programmer.
      taskman