Sony: rootkit, round 2

Researchers spot rootkits on more Sony USB drives

Software, still on the Web, can be used by hackers to cloak malware
 

Gregg Keizer

August 30, 2007 (Computerworld) -- A second line of USB drives sold by Sony Electronics Inc. that uses rootkit tactics to hide files has been identified, and the devices' software remains on the Web, a researcher said today.

Hackers using just one of the package's files can mask their attack code from some security scanners, said Mikko Hypponen, chief research officer at Helsinki, Finland-based F-Secure Corp. "This new rootkit [which can still be downloaded] can be used by any malware author to hide any folder."

On Monday, F-Secure announced that the fingerprint-reader software included with Sony's MicroVault USM-F flash drives stores files in a hidden directory that could be used by hackers to cloak their malicious code. F-Secure noted that the USM-F models were difficult, but not impossible to find. Sony has since confirmed that the line has been discontinued.

But its replacement, the USM512FL, is widely available, and shares the rootkit-like techniques of its predecessor. "They have the same functionality in the latest as well," said Hypponen.

Sony has removed the download links for the USM-F and USM512FL software from its MicroVault support site, but Computerworld was easily able to locate a live link -- and download the software -- by searching through Google's cache.

Since F-Secure disclosed Sony's newest rootkit snafu, several other research teams have confirmed the company's findings. On Tuesday, McAfee Inc. analysts agreed that hackers could use one of the executable files in the USB drive software to hide any folder, and all the files in that folder, from the prying eyes of security scanners. "Alternately, [attackers] could simply hide their malicious creations in the default installation directory itself," McAfee researchers Aditya Kapoor and Seth Purdy said in a post to the Avert Labs' blog.

Kapoor and Purdy also identified FineArt Technology Co., a Taiwanese developer, as the makers of the fingerprint-reading MicroVault software. On its Web site, FineArt touts Fingerprint Disk, a suite of tools for authenticating fingerprint-access and encrypting files and folders. FineArt could not be reached Thursday because of time zone differences.

"[Their] apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives," said Kapoor and Purdy. "However, in this case the authors apparently did not keep the security implications in mind."

U.K.-based Sophos PLC also confirmed the presence of rootkit technologies in the FineArt-created software bundled with the MicroVault drives.

Sony, meanwhile, was still looking into the claims as of late Wednesday, said spokesman Tom Di Nome, who had little to share. "We are still investigating this and are taking the issue very seriously," he said.

These latest rootkit charges are not the first to be leveled against Sony. Nearly two years ago, security researchers spotted rootkit-like cloaking technologies used by the copy-protection software that Sony BMG Music Entertainment installed on PCs when customers played the label's audio CDs. The Federal Trade Commission later alleged that Sony had violated federal law and settled with the company earlier this year. Before that, Sony paid out nearly $6 million to settle cases with the U.S.

The concern now is that attackers will use the FineArt/Sony files -- which can still be downloaded from Sony's Web site -- to add invisibility to their exploits.

But in a blog posting this morning, F-Secure's Hypponen stressed that while the MicroVault and Sony BMG cases are similar, this newest security breakdown is not as flagrant. "The fingerprint driver does not hide its folder as 'deeply' as does the XCP [the rootkit-style software developed by Fortium Technologies Ltd. for use by Sony BMG] folder," said Hypponen. "The MicroVault software probably wouldn't hide malware as effectively from [some] real-time antivirus scanners."

 

Source:  http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9033798&taxonomyId=17&intsrc=kc_top

I like Sony. Their hardware is top quality. But shit like this is stopping me from buying their stuff. Altogether. Except maybe TV. Until they find a way to put rootkit there, too.




Since it's round 2 and I have heard something about rootkit before this, what product did Sony put their rootkit in last time?



I'm an ALIEN!!!! - officially identified as by Konnichiwa

Of course... My English is still... horrible - appreciation and thanks to FJ-Warez  

Brawl FC: 0301-9911-8154

tiachopvutru said:
Since it's round 2 and I have heard something about rootkit before this, what product did Sony put their rootkit in last time?

 

Here is a pretty good list of how Sony has screwed their customers up to January 07. The top two items are about the rootkit fiasco. 



Parokki said:
tiachopvutru said:
Since it's round 2 and I have heard something about rootkit before this, what product did Sony put their rootkit in last time?

 

Here is a pretty good list of how Sony has screwed their customers up to January 07. The top two items are about the rootkit fiasco.


 I see a whole bunch of blunders there, some of which I have read in vgchartz's forum. So their last rootkit was in an audio CD?




tiachopvutru said:
Parokki said:
tiachopvutru said:
Since it's round 2 and I have heard something about rootkit before this, what product did Sony put their rootkit in last time?

 

Here is a pretty good list of how Sony has screwed their customers up to January 07. The top two items are about the rootkit fiasco.


 I see a whole bunch of blunders there, some of which I have read in vgchartz's forum. So their last rootkit was in an audio CD?


Yes. And basically it fucked up your computer. How was it? It installed Sony's media player to your computer, and prevented the use of any other media player. The rootkit also couldn't be removed. I think that rootkit had some other features, which I don't remember, but what I remember is what Sony's PR person said for an explanation: the rootkit was there, because most people don't even know what a rootkit is. @Galaki: Sony makes quality HW? LOL

Not Chinese-style.

Nor Japanese-style.

Let's just step out handsomely.

 

Nintendo games sell only on Nintendo system.

bdbdbd said:
tiachopvutru said:
Parokki said:
tiachopvutru said:
Since it's round 2 and I have heard something about rootkit before this, what product did Sony put their rootkit in last time?

 

Here is a pretty good list of how Sony has screwed their customers up to January 07. The top two items are about the rootkit fiasco.


I see a whole bunch of blunders there, some of which I have read in vgchartz's forum. So their last rootkit was in an audio CD?


 

Yes. And basically it fucked up your computer. How was it? It installed Sony's media player to your computer, and prevented the use of any other media player. The rootkit also couldn't be removed. I think that rootkit had some other features, which I don't remember, but what I remember is what Sony's PR person said for an explanation: the rootkit was there, because most people don't even know what a rootkit is. @Galaki: Sony makes quality HW? LOL

Wasn't it "Why should people care, they don't even know what that is"? And meh, this shows they haven't learned their lesson yet, I guess. I'm quite surprised Sony is still big...




"A second line of USB drives sold by Sony Electronics Inc. that uses rootkit tactics to hide files has been identified, and the devices' software remains on the Web, a researcher said today."

Is that saying that there is now a second group of USB keys on the market now that use these rootkits? I read on Slashdot a few days ago about them and this seems as if they are on another lot.



Actually part three, since Bioshock has a rootkit as part of its copy protection, made by SecuROM, which is owned by Sony.



Help! I'm stuck in a forum signature!

Sony is not going to make many friends with these tactics!



Love the product, not the company. They love your money, not you.

-TheRealMafoo

The original music CD rootkit fiasco didn't inherently damage your machine, but it was possible for malicious code to use the rootkit to hide itself (an obvious and dangerous security hole). The rootkit was masking DRM code that would then prevent people from ripping the songs off the Sony CDs more than a certain number of times.

However, getting rid of the rootkit was much more problematic. Some of the first computer experts to find it discovered that removing it manually ended up creating other problems (for example the dude's CD-ROM drive stopped working after he removed it, stuff like that). None of the problems were permanent obviously, but the more frustrating something is to fix, the more angry people get lol.

What really pissed people off (and what Sony did absolutely wrong) is they first denied it even existed, and then finally, after it was confirmed and labelled malicious code by the majority of the computer security firms, the Sony exec made his final blunder by telling people they shouldn't worry about it because they don't know what it is anyway.

Which leads me to wonder what the heck they were thinking about using any sort of cloaking techniques at all, even if it wasn't for the same purpose. You'd think that they would be super aware of things like this and make sure it didn't happen again...