Sony Rootkit Strikes Again... And Again

It was reported on Reuters that high-end memory sticks sold by Sony Corp can make personal computers vulnerable to attack by computer hackers, according to researchers with two Internet security firms. It's the attack of the Sony rootkit... part two... or is it part 3?

Sony's MicroVault USB memory stick and fingerprint reader comes with rootkit software that creates a hidden directory on the computer's hard drive. This was discovered by researchers with F-Secure Corp, the Finnish security software maker who also discovered the 2005 DRM-centric rootkit.

They say that the USB case is not as bad as the XCP DRM case, largely because users at least know they are installing software from a provided CD. There is also a way to uninstall the software, removing the rootkit. Additionally, the fingerprint reader's driver wasn't as deeply hidden as the XCP DRM folder. As a result compromising software wouldn't be made as invisible from antivirus scanners.

Some other differences listed on the blog of F-Secure Corp:

• The Microvault software does not hide processes or registry keys. XCP DRM did.
• It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.
• With the DRM rootkit, Sony was attempting to restrict the user from accessing the music on a CD they bought. With the fingerprint reader they are simply attempting to guard against unauthorized use and access as part of the security process. Their intent is more beneficial to the consumer in this case.
  

The trouble is that this new rootkit (locally downloadable at sony.net) can be used by any malware author to hide any folder. If you extract one executable from the package and include it with malware, it will hide that malware's folder, no questions asked.

In general rootkits are neat pieces of software, however they carry the potential of being abused and allowing malicious software (malware) writers opportunities to infect personal computers. The invisible nature of rootkits makes them more difficult to detect by typical antivirus programs.

On Tuesday, researchers with McAfee Inc. said they had confirmed the vulnerability described by F-Secure.

“The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives,” said McAfee spokesman Dave Marcus. “However, software creators apparently did not keep the security implications in mind. The application could be used to hide arbitrary software, including malicious software.”

F-Secure is the company that found Sony software installing hidden directories on the drives of its customers in the 2005 case involving DRM software for Sony CDs.