NEWS FROM THE LAB - Wednesday, August 29, 2007

Sony's USB Rootkit vs Sony's Music Rootkit Posted by Mikko @ 14:45 GMT

Monday's post disclosed our investigation of Sony's MicroVault USM-F fingerprint reader software. Sony's software installs a driver that creates a hidden folder using rootkit techniques.

Spot the Van Zant Sony BMG music rootkit in the background!

This raises the question – while the techniques employed are similar – is this case as bad as the Sony BMG XCP DRM case (i.e. the music rootkit)?

In a nutshell, the USB case is not as bad as the XCP DRM case. Why? Because…

The user understands that he is installing software: it's on the included CD, and there is a standard method of uninstalling that software.

The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners.

The MicroVault software does not hide processes or registry keys. XCP DRM did.

It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.

And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.

However – this new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn't want to go into the details about this in our public postings, but we suppose the cat's out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware's folder, no questions asked.

We still haven't received any kind of response from Sony International. Sony Sweden did, however, confirm in a public IDG story that the rootkit is indeed part of their software.