Re: Sony: The Return Of The Rootkit

["John Hammond" <josephhammond () hotmail com>]

There are many other options outside of the sony key without the rootkit 
problem. One of the best devices that I have read about is from stealth. 
While I have yet to personally evaluate this product as I understand it 
there is no software outside of the standard USB driver needed to recognize 
and use a standard usb key outside of the initial device programming or a 
lockout state.

http://www.gcn.com/print/26_14/44484-1.html





> From: Paul Sebastian Ziegler <psz () observed de>
> To: Jason Brooke <jason () qgl org>
> CC: bugtraq () securityfocus com
> Subject: Re: Sony: The Return Of The Rootkit
> Date: Sat, 01 Sep 2007 00:48:49 +0200
> MIME-Version: 1.0
> Received: from outgoing.securityfocus.com ([205.206.231.26]) by 
> bay0-mc10-f20.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 
> 1 Sep 2007 08:46:28 -0700
> Received: from outgoing.securityfocus.com by outgoing.securityfocus.com     
>      via smtpd (for bay0-mc9-f.bay0.hotmail.com [65.54.245.8]) with ESMTP; 
> Sat, 1 Sep 2007 08:39:16 -0700
> Received: from lists2.securityfocus.com (lists2.securityfocus.com 
> [205.206.231.20])by outgoing2.securityfocus.com (Postfix) with QMQPid 
> 92BF0143814; Sat,  1 Sep 2007 08:52:53 -0600 (MDT)
> Received: (qmail 15667 invoked from network); 31 Aug 2007 22:21:09 -0000
> X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
> X-Message-Info: 
> JGTYoYF78jEJJSXcFk0NH6H2SWDavuwx7zBAbu09QKc2wfCvlGFYYsunEZhyLfyhQaxxb5avDEAJpQf0p0jr0g==
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
> References: <69D384433B57A14D837F7EC9760895F70E2676@sbs.QuarkGroup.local> 
> <46D6EBF1.104 () observed de> <46D88BE9.7090902 () qgl org>
> X-Enigmail-Version: 0.95.2
> Return-Path: 
> bugtraq-return-33484-josephhammond=hotmail.com () securityfocus com
> X-OriginalArrivalTime: 01 Sep 2007 15:46:28.0341 (UTC) 
> FILETIME=[428E6A50:01C7ECAF]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree. However AV really shouldn't be fooled
> by something like this anymore. Some still is, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
> > There's a number of reasons why this isn't actually a rootkit... The 
> problem with calling everything by the same name is that you degrade the 
> original meaning of the world
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -----END PGP SIGNATURE-----