Compliance Management, Critical Infrastructure Security, Privacy, Vulnerability Management

Rootkit redux: researchers find rootkit on another Sony product


Sony, which suffered through a rootkit debacle in 2005, is at it again, according to one prominent anti-virus vendor. Researchers at F-Secure have discovered a rootkit on another Sony product, the Sony MicroVault USM-F fingerprint reader.

F-Secure disclosed that the fingerprint-reader software that comes with the USB stick installs a driver in a hidden directory under "c:windows." The files in the directory are not visible through the Windows application programming interface (API), however, users who already know the name of the directory can access the files.

According to F-Secure, hackers could access the files and use them to install other hidden files on an unsuspecting user's computer. The files contained in the directory are undetectable by some anti-virus programs.

F-Secure researchers said Sony hid the directory to ensure secure authentication and avoid detection. Detection of the file could allow users to avoid the software's thumb-print protection mechanisms.

This harkens back to Sony's digital rights management (DRM) rootkit debacle of December 2005. Researchers then learned that Sony BMG CDs in the U.S. contained copyright-protection software that installed rootkit-like devices onto PCs when they played the music or "ripped" the tunes to their hard disks.

While the rootkit did have had legitimate uses - stopping CD owners from illegally copying music from the discs - they also made systems vulnerable to attacks.

In an online posting, F-Secure called Sony's latest use of a rootkit "another case where rootkit-like cloaking is ill advisedly used in commercial software."

"In addition to the software that was packaged with the USB stick, we also tested the latest software version available from Sony and this version also contains the same hiding functionality," F-Secure researchers said in the online posting.

According to Dave Marcus, security research and communications manager with McAfee Avert Labs, the files hidden by the latest Sony rootkit become uncloaked when the PC is rebooted.

He doubts that the latest Sony rootkit will find widespread use in the wild.

"I expect we'll see proof-of-concept code show up [that could put PC systems at risk], he told today. "It's hard to guess what's in the mind of malware writers - if they think there's an easier route, they'll take it…But there's enough rootkit code available that they don't need to go that route."

Click here to email West Coast Bureau Chief Jim Carr .

Click here for the latest SC Magazine Podcast – Aug. 27, 2007: A monster (.com) of a data theft

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.