
Re: Sony: The Return Of The Rootkit



This is what Paul was referring to, I sent it out but bugtraq bounced
it, so only he saw it:

There are a number of reasons why this isn't actually a rootkit... The
problem with calling everything by the same name is that you degrade
the original meaning of the word.

More of my thoughts on the subject here: http://www.computerdefense.org/?p=380

Tyler.

On 8/31/07, Paul Sebastian Ziegler <psz@xxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree. However AV really shouldn't be fooled
> by something like this anymore. Some still are, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
> > There are a number of reasons why this isn't actually a rootkit... The
> > problem with calling everything by the same name is that you degrade the
> > original meaning of the word.
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -----END PGP SIGNATURE-----
>
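The F-Secure description quoted above boils down to one observable property: the directory is dropped from Windows API enumeration, but it can still be entered and written to by anyone who knows its name. That gap is exactly what a cross-view check looks for. The script below is an added example, not code from the thread, from F-Secure or from Sony; it simulates the enumeration hook in user-mode Python (a `filtering_listdir` that silently drops names with a constructed `hideme_` prefix) rather than a kernel filter driver, and the directory and file names it creates are constructed for the demo. The check itself, `cross_view_hidden`, is generic: enumerate the parent with one view, probe candidate names with another, and report anything reachable by name but absent from the listing.

```python
"""Cross-view check for directories hidden from enumeration (added example).

Assumptions, all constructed for this demo:
  - HIDE_PREFIX and filtering_listdir() stand in for a filter driver that
    lies to directory enumeration but not to direct path access.
  - The scratch tree built in demo() is arbitrary; real runs would point
    cross_view_hidden() at C:\\Windows with a list of names worth hunting.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def cross_view_hidden(parent: str,
                      candidates: Iterable[str],
                      list_fn: Callable[[str], Iterable[str]] = os.listdir,
                      probe_fn: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Return candidate names that are reachable by path under ``parent``
    but do not appear when ``parent`` is enumerated.

    ``list_fn`` is the enumeration view (the one a hook can filter);
    ``probe_fn`` is the direct-by-name view. Both default to the ordinary
    filesystem calls, so on an unmodified machine the result is empty.
    The check can only flag names it is told to probe, which is the same
    limitation the thread points out: you have to know the directory name.
    """
    # normcase folds case on Windows and is a no-op on POSIX, so the
    # comparison matches the semantics of the filesystem being inspected.
    listed = {os.path.normcase(n) for n in list_fn(parent)}
    hidden: List[str] = []
    for name in candidates:
        if os.path.normcase(name) in listed:
            continue                          # visible in the listing: nothing to report
        if probe_fn(os.path.join(parent, name)):
            hidden.append(name)               # exists by name, missing from listing
    return hidden


HIDE_PREFIX = "hideme_"   # constructed marker used only by the simulated hook below


def filtering_listdir(path: str) -> List[str]:
    """Simulated enumeration hook: drops every entry whose name starts with
    HIDE_PREFIX, the way the thread describes the MicroVault driver hiding
    its directory. Direct access via os.path.lexists is left untouched,
    which is precisely the inconsistency the cross-view check detects."""
    return [n for n in os.listdir(path) if not n.startswith(HIDE_PREFIX)]


def demo() -> List[str]:
    """Build a scratch tree, run the check against the simulated hook and
    return the names it flagged."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "hideme_vault"))      # the "hidden" directory
        os.mkdir(os.path.join(root, "system32"))          # ordinary, visible
        open(os.path.join(root, "notepad.exe"), "wb").close()
        # Candidate list: names you expect to see plus names you are hunting for.
        # "does_not_exist" shows that absent names are not reported.
        candidates = ["system32", "notepad.exe", "hideme_vault", "does_not_exist"]
        return cross_view_hidden(root, candidates, list_fn=filtering_listdir)


if __name__ == "__main__":
    print(demo())   # ['hideme_vault']
```

Run as-is, `demo()` reports only the simulated hidden directory; pointing `cross_view_hidden` at a real directory with the default `list_fn` and `probe_fn` reports nothing unless something between the two views is lying. The caveat from the thread carries over: a scanner that enumerates with the same hooked API it later uses to open files sees a consistent picture and learns nothing, so the two views have to differ in how they reach the filesystem.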