Double Whammy! Another Sony Case

Found on F-Secure on Sunday, 26 August 2007

We received a report that our F-Secure DeepGuard HIPS system was warning about a USB stick software driver. The USB stick in question has a built-in fingerprint reader. The case seemed unusual so we ordered a couple of USB sticks with fingerprint authentication. We installed the software on a test machine and were quite surprised to see that after installation our F-Secure BlackLight rootkit detector was reporting hidden files on the system.

This USB stick with rootkit-like behavior is closely related to the Sony BMG case. First of all, it is another case where rootkit-like cloaking is ill-advisedly used in commercial software. Also, the USB sticks we ordered are products of the same company - Sony Corporation.

The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the hidden directory and the files inside it are not visible through the Windows API.

Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) - depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.
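Cloaking of this kind shows up when the listing returned by the Windows API is compared with a listing of the same volume taken from outside the driver's reach. The sketch below is an added example, not F-Secure's code and not a description of how BlackLight works; it assumes the second listing comes from an offline or raw-volume scan, and the directory and file names are constructed placeholders.

```python
import ntpath  # Windows path rules, usable on any OS


def _norm(path):
    # NTFS names are case-insensitive; unify case and separators first.
    return ntpath.normcase(ntpath.normpath(path))


def hidden_roots(api_view, raw_view):
    """Return {topmost hidden path: count of hidden entries at or under it}.

    api_view: paths reported by normal API enumeration on the live system.
    raw_view: paths from a listing the filter driver cannot influence
              (assumption: offline mount or raw-volume parse).
    """
    api = {_norm(p) for p in api_view}
    raw = {_norm(p) for p in raw_view}
    hidden = raw - api  # present on disk, absent from the API view

    roots = {}
    for path in sorted(hidden):
        top = path
        # Climb while the parent is hidden too, so one cloaked directory
        # is reported once instead of once per file inside it.
        while True:
            parent = ntpath.dirname(top)
            if parent == top or parent not in hidden:
                break
            top = parent
        roots[top] = roots.get(top, 0) + 1
    return roots


# Constructed sample listings; HIDDEN-DIR-PLACEHOLDER is not a real name.
API_VIEW = [r"C:\Windows", r"C:\Windows\System32", r"C:\Windows\notepad.exe"]
RAW_VIEW = [
    r"c:\windows", r"c:\windows\system32", r"c:\windows\notepad.exe",
    r"c:\windows\HIDDEN-DIR-PLACEHOLDER",
    r"c:\windows\HIDDEN-DIR-PLACEHOLDER\driver.dat",
    r"c:\windows\HIDDEN-DIR-PLACEHOLDER\sub",
    r"c:\windows\HIDDEN-DIR-PLACEHOLDER\sub\file.bin",
]

if __name__ == "__main__":
    for root, count in hidden_roots(API_VIEW, RAW_VIEW).items():
        print(f"hidden from API: {root} ({count} entries)")
```

Any root this reports deserves a manual look, since the same blind spot that hides the vendor's files would hide anything else placed there.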

As with the Sony BMG case we, of course, contacted Sony before we decided to go public with the case. However, this time we received no reply from them.

As if their last rootkit usage wasn't enough of a fiasco already.