
Rootkit found in older Sony USB device

By Bill Brenner, Senior News Writer
28 Aug 2007 | SearchSecurity.com


Nearly two years after Sony faced a storm of criticism for using a rootkit-like program in its digital rights management (DRM) technology, security researchers at F-Secure Corp. say they've discovered something similar in Sony's Micro Vault USM-F fingerprint reader software.


The latest example of rootkit use was found in software that's part of an older line of USB drives sold by Sony Electronics Inc., according to Mika Stahlberg, a researcher for the Helsinki, Finland-based security firm.

In the F-Secure blog, Stahlberg wrote that the Sony Micro Vault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under 'c:\windows\'. When enumerating files and subdirectories in the Windows directory, he said, the directory and the files inside it are not visible through the Windows API. If someone knows the name of the directory, it is possible to enter the hidden directory using a command prompt, and it is possible to create new hidden files.

"It is our belief that the Micro Vault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," he said. "It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

He did note, however, that Micro Vault with fingerprint authentication appears to be an older product Sony may no longer be manufacturing. Nevertheless, Stahlberg said, F-Secure researchers did manage to find the product on sale.
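The behavior Stahlberg describes, a directory missing from enumeration yet reachable by name, is what a cross-view check looks for. The sketch below is an added example, not code from F-Secure or Sony; the function names, the `hidden_example` directory name and the simulated filter are assumptions made for illustration.

```python
import os
import tempfile


def find_cloaked(parent, candidates, lister=os.listdir):
    """Return candidate names that resolve by path but are absent from enumeration."""
    # View 1: what directory enumeration reports. Names are casefolded
    # because Windows file systems treat names case-insensitively.
    listed = {name.casefold() for name in lister(parent)}
    cloaked = []
    for name in candidates:
        # View 2: ask for the entry directly by name, bypassing enumeration.
        reachable = os.path.exists(os.path.join(parent, name))
        if reachable and name.casefold() not in listed:
            cloaked.append(name)
    return cloaked


def demo():
    """Constructed demo: a wrapper around os.listdir stands in for a hiding driver."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "hidden_example", "temp"):
            os.mkdir(os.path.join(root, name))

        # Simulated cloaking: drop one (hypothetical) name from every listing.
        def filtered(path):
            return [n for n in os.listdir(path) if n != "hidden_example"]

        # "not_there" does not exist, so it must not be reported.
        candidates = ["system32", "hidden_example", "not_there"]
        return find_cloaked(root, candidates, lister=filtered)


if __name__ == "__main__":
    print(demo())
```

Because the check needs candidate names, it confirms a suspected path rather than discovering unknown ones. Inspecting the disk offline from a clean system gives the complete second view.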


F-Secure said it contacted Sony before going public with its latest discovery, but that Sony hasn't responded. Sony did not immediately respond to a request for comment from SearchSecurity.com.

Graham Cluley, senior technology consultant for UK-based security software company Sophos, said his organization has been unable to locate one of the USB devices in question, and that they don't seem to be readily available in Australia and the UK. But he did find that they can be purchased online via such sources as Amazon.com. He declined to comment on the specifics of F-Secure's findings, but he did express concern over the general practice of using hidden technology as Sony has in the past.

"Hopefully, this new rootkit is not going to be as widespread as when Sony shipped one on popular music CDs," Cluley said in an email exchange.

In late 2005, Sony BMG Music Entertainment Inc. found itself at the center of a media firestorm when a researcher discovered the company was using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Experts at the time worried that if more companies used the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers, they noted.


