Sony Rootkit - Take II

  1. #1

    Sony faces renewed security woes
    http://news.bbc.co.uk/1/hi/technology/6968234.stm
    ...

    The latest vulnerability affects Sony's MicroVault USB sticks with fingerprint readers.

    Software packaged with the memory sticks creates a hidden directory on a computer's hard drive, according to researchers at F-Secure.

    The software, known as a "rootkit", could allow a hacker to infect a computer, as any files stored in the hidden directory would be invisible not only to the user, but also to some virus scanners and security software.

    F-Secure said they had alerted the electronics firm to the flaw.

    ...
    According to F-Secure, the affected MicroVault software is an older product and is being phased out.

    http://www.sony.net/Products/Media/M...ult/usm-c.html

    http://www.google.com/search?hl=en&q...=Google+Search

  2. #2
    Software packaged with the memory sticks creates a hidden directory on a computer's hard drive, according to researchers at F-Secure.
    What if one has their config set to show all hidden files/folders? Is this directory still hidden?

  3. #3
    Rootkits normally hide things at such a low level that the files and folders are always hidden, regardless of what settings you have. That's what makes them so nasty.
    Nick.

  4. #4
    HAN
    I read about this yesterday a bit. Is it technically a rootkit (which I define as a running process hidden from Windows itself)? Or just a hidden folder? In my mind, there is a BIG difference...

  5. #5
    Here's a bit more detail:

    Researchers Root Out New Sony Rootkit
    http://www.technewsworld.com/story/59071.html
    ...
    The software included with the MicroVault USB stick, according to F-Secure, installs a driver that hides a directory under "c:\windows\." The files contained in the directory are not visible through the Windows application programming interface unless users already know the name of the directory.

    However, an enterprising individual can find ways to run files from this directory. This poses a danger to computer users, as the files contained in the directory cannot be detected by some antivirus programs, depending on the techniques employed by the antivirus software. That is good news for the criminals and bad news for MicroVault owners.

    "It is therefore technically possible for malware to use the hidden directory as a hiding place," F-Secure reported.

    This time around, researchers said they believe the directory has been cloaked to maintain a secure authentication and avoid detection from those who would try to meddle with or circumnavigate the software's thumb print protections.

    "It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," F-Secure said. "However, we feel that rootkit-like cloaking techniques are not the right way to go here."

    F-Secure contacted Sony regarding the company's concerns, it said, but decided to go public after the electronics maker failed to respond.

    Sony is "still receiving information in this and should have more details shortly," Sony spokesperson Tom Di Nome told TechNewsWorld.
    ...
    Sony Investigates Reports Of Fingerprint Reader Software Installing Rootkit On PCs
    http://www.informationweek.com/news/...leID=201803047
    ...
    On Wednesday, F-Secure said that the Micro Vault application was not as serious as the previous CD software, but still presented a security risk since hackers could hide malware in the hidden folder. The folder is used to protect fingerprint authentication from tampering.

    In general, the software is less onerous because it does not hide its folder deeply in the system, and probably wouldn't hide malware as effectively from anti-virus scanners, F-Secure said. In addition, the Micro Vault software does not hide processes or registry keys, and can be removed through a standard installation process.

    But while Sony said it no longer offers the software with its fingerprint reader, F-Secure said the rootkit-carrying application was still available for download from Sony.net.
    ...
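
The behaviour described in the article quoted above (a directory that is missing from enumeration but can still be opened by name) lends itself to a cross-view check. This is an added example, not code from the thread, Sony or F-Secure; the candidate names and the `lister` parameter are hypothetical, since the page does not give the real directory name.

```python
import os
import tempfile


def cloaked_dirs(parent, candidates, lister=os.listdir):
    """Return candidate names that open directly under `parent` but are
    missing from its enumeration (the cross-view mismatch)."""
    # Windows file names are case-insensitive, so compare case-folded names.
    listed = {name.casefold() for name in lister(parent)}
    found = []
    for name in candidates:
        # View 1: direct access by a name we already know.
        direct = os.path.isdir(os.path.join(parent, name))
        # View 2: what enumeration of the parent reports.
        if direct and name.casefold() not in listed:
            found.append(name)
    return found


def demo():
    # Constructed stand-in for c:\windows with two ordinary subdirectories.
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "example_hidden"):
            os.mkdir(os.path.join(root, name))

        # Constructed simulation of a filter that drops one entry from
        # directory listings while leaving direct opens untouched.
        def filtered(path):
            return [n for n in os.listdir(path) if n != "example_hidden"]

        candidates = ["system32", "example_hidden", "absent"]
        clean = cloaked_dirs(root, candidates)
        cloaked = cloaked_dirs(root, candidates, lister=filtered)
        return clean, cloaked


if __name__ == "__main__":
    print(demo())
```

The check only finds directories whose names are in the candidate list, which mirrors the article's point that the folder is reachable only by someone who already knows its name.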
