Sony caught using rootkit – again

Some people don’t ever learn.

Sony came under fire in November 2005 when it was found to be using a rootkit in the DRM software on its music CDs. Sony was mercilessly skewered by antivirus companies for the stunt, and had to issue an update to remove the rootkit.

Almost two years later, Sony has once again been caught employing questionable technology in one of its products, this time a USB flash drive.

From F-Secure Weblog:

The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under “c:\windows”. So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.

In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony at www.sony.net/Products/Media/Microvault/ and this version also contains the same hiding functionality.

It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here.

Sony was contacted, but no reply was given at the time the blog post was published.

Why is a rootkit dangerous? Rootkit technology lets software hide its files from the ordinary Windows view. It is still possible to reach these hidden files from the command prompt, but only if you know their exact location and exact file names. Many malware families use this technique to hide their files, so that basic antivirus products and non-technical users never find and delete them.
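The detection idea that follows from this behaviour (an entry that directory enumeration never returns but that can still be opened by its exact path) is the classic cross-view check that anti-rootkit tools perform. The script below is an added illustration written for this post, not code from Sony or F-Secure: it compares the enumerated listing of a directory against by-name probes of candidate entries, and simulates a cloaking filter driver with a wrapper around os.listdir so it can be run on any system. The function and file names (find_cloaked_entries, cloaking_listdir, demo, secret.dat) are assumptions for the demonstration.

```python
import os
import tempfile
from typing import Callable, Iterable, List, Set


def find_cloaked_entries(parent: str, candidate_names: Iterable[str],
                         enumerate_fn: Callable[[str], Iterable[str]] = os.listdir,
                         exists_fn: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Cross-view check: report candidate names that directory enumeration
    does not return but that can still be reached by their exact path.
    A non-empty result means something is filtering the enumeration view."""
    visible = set(enumerate_fn(parent))
    cloaked = []
    for name in candidate_names:
        if name in visible:
            continue                       # enumerated normally, nothing hidden
        if exists_fn(os.path.join(parent, name)):
            cloaked.append(name)           # reachable by name, absent from listing
    return sorted(cloaked)


def cloaking_listdir(hidden: Set[str]) -> Callable[[str], List[str]]:
    """Simulated cloaking driver (assumption for the demo): drops the given
    names from enumeration while the files themselves stay on disk."""
    def listdir(path: str) -> List[str]:
        return [n for n in os.listdir(path) if n not in hidden]
    return listdir


def demo():
    """Builds a constructed scratch directory, runs the check once against the
    real enumeration and once against the simulated cloaking enumeration."""
    workdir = tempfile.mkdtemp()
    for name in ("readme.txt", "secret.dat"):       # constructed sample files
        open(os.path.join(workdir, name), "w").close()
    candidates = ["readme.txt", "secret.dat", "not_here.bin"]
    clean = find_cloaked_entries(workdir, candidates)
    cloaked = find_cloaked_entries(workdir, candidates,
                                   enumerate_fn=cloaking_listdir({"secret.dat"}))
    return clean, cloaked


if __name__ == "__main__":
    print(demo())   # ([], ['secret.dat'])
```

On a real Windows host the candidate list would come from a second source of truth, such as the installer's file manifest or an offline scan of the volume, since the check can only confirm entries it knows to probe for.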