Bugtraq mailing list archives
Re: Sony: The Return Of The Rootkit
From: "John Hammond" <josephhammond () hotmail com>
Date: Sat, 01 Sep 2007 11:16:22 -0500
There are many other options outside of the Sony key without the rootkit problem. One of the best devices that I have read about is from Stealth. While I have yet to personally evaluate this product, as I understand it there is no software outside of the standard USB driver needed to recognize and use a standard USB key, outside of the initial device programming or a lockout state.
http://www.gcn.com/print/26_14/44484-1.html
From: Paul Sebastian Ziegler <psz () observed de>
To: Jason Brooke <jason () qgl org>
CC: bugtraq () securityfocus com
Subject: Re: Sony: The Return Of The Rootkit
Date: Sat, 01 Sep 2007 00:48:49 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> Also, the article by f-secure that you're having a go at,

I'll have to protest here - I never hit at the original article. As you can read in the blog entry (this is also why I posted the link) I think that they have done everything alright.

> says "This USB stick with rootkit-like behavior" and openly acknowledges that the purpose of hiding files by the device is probably to try and prevent tampering with the fingerprint authentication.

Which is why I agree with them.

> Their main point is that:
>
> "The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."

That is correct. It could be abused that way. Just like several other folders on e.g. Vista could be as well, since they share that exact functionality. Still, that doesn't make it technically a rootkit. It is a pretty dumb idea, I totally agree. However, AV really shouldn't be fooled by something like this anymore. Some still is, but they'll grow out of it.

But just as Tyler Reguly phrased it just a few minutes earlier:

> There's a number of reasons why this isn't actually a rootkit... The problem with calling everything by the same name is that you degrade the original meaning of the word

This is the problem I was hitting at. And I am not trying to defend Sony.

Many Greetings
Paul

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
UCgAjhn7CN0ApBMbOc+3WvM=
=p7Ye
-----END PGP SIGNATURE-----
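The F-Secure passage quoted above makes one property of this kind of hiding explicit: the driver filters directory enumeration, but a directory whose name you already know can still be opened by its exact path. That difference is exactly what a defender can test for. The PowerShell below is an added example written for this archive page, not code from the thread, from F-Secure, or from Sony. It compares the enumeration view of a parent directory (Get-ChildItem -Force, so ordinary hidden/system attributes do not cause false positives) with direct by-name probes (Test-Path -LiteralPath) and flags any directory that answers a direct open but is missing from the listing. The candidate names are placeholders, since the thread does not name the directory involved; the parent path and the candidate list are assumptions you supply.

```powershell
# Added example (not from the thread): cross-view check for directories that a
# filter driver hides from enumeration but still lets you open by exact name.
# Assumptions: $Parent and $CandidateNames are placeholders to be replaced with
# the parent directory and the names you want to verify.
param(
    [string]$Parent = 'C:\Windows',
    [string[]]$CandidateNames = @('PLACEHOLDER_DIR_1', 'PLACEHOLDER_DIR_2')
)

# View 1: what the normal enumeration path reports. -Force includes entries with
# the Hidden and System attributes, so a plainly hidden folder is not a finding.
$enumerated = @{}
Get-ChildItem -LiteralPath $Parent -Directory -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $enumerated[$_.Name.ToLowerInvariant()] = $true }

# View 2: direct open by exact path. A driver that only filters enumeration
# results will still answer this request for the name it hides.
$findings = @()
foreach ($name in $CandidateNames) {
    $full = Join-Path -Path $Parent -ChildPath $name
    $directlyReachable = Test-Path -LiteralPath $full -PathType Container
    $seenInListing = $enumerated.ContainsKey($name.ToLowerInvariant())

    if ($directlyReachable -and -not $seenInListing) {
        Write-Output "HIDDEN FROM ENUMERATION: $full (opens by name, absent from listing)"
        $findings += $full
    } elseif ($directlyReachable) {
        Write-Output "visible: $full"
    } else {
        Write-Output "absent: $full"
    }
}

# Non-zero exit code makes the check usable from a scheduled task or a scanner wrapper.
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Two caveats apply. The check only catches a driver that filters enumeration and not the open-by-name path; a more thorough filter defeats it, which is why the thread's point about antivirus engines depending on their own techniques matters. And it only tests names you supply, so it is a verification tool for a suspected directory, not a discovery tool; a second, independent view of the volume (for example an offline read of the file system from boot media) is the usual way to find names you do not already know.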
Current thread:
- Re: Sony: The Return Of The Rootkit Jason Brooke (Sep 01)
- Re: Sony: The Return Of The Rootkit Paul Sebastian Ziegler (Sep 01)
- Re: Sony: The Return Of The Rootkit Tyler Reguly (Sep 01)
- Re: Sony: The Return Of The Rootkit John Hammond (Sep 01)
- <Possible follow-ups>
- Re: Sony: The Return Of The Rootkit Chad Perrin (Sep 01)
- Re: Sony: The Return Of The Rootkit Juha-Matti Laurio (Sep 01)
- Re: Sony: The Return Of The Rootkit Paul Sebastian Ziegler (Sep 01)