Sony Rootkit On USB Software
Both F-Secure and McAfee are reporting that Sony is at it once more. This time Sony is including a rootkit in their software for some of their USB drives. It is hard to believe, but this has been verified. Over at F-Secure they reported:
Sony’s software installs a driver that creates a hidden folder using rootkit techniques.
This raises the question – while the techniques employed are similar – is this case as bad as the Sony BMG XCP DRM case (i.e. the music rootkit)? In a nutshell, the USB case is not as bad as the XCP DRM case. Why? Because…
The user understands that he is installing software, it’s on the included CD, and has a standard method of uninstalling that software.
The fingerprint driver does not hide its folder as “deeply” as does the XCP DRM folder. The MicroVault software probably wouldn’t hide malware as effectively from (some) real-time antivirus scanners.
The MicroVault software does not hide processes or registry keys. XCP DRM did.
It’s also trickier to run executables from the hidden directory than with XCP. However, it can be done.
And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user’s own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.
However – this new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn’t want to go into the details about this in our public postings, but we suppose the cat’s out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware’s folder, no questions asked.
We still haven’t received any kind of response from Sony International. Sony Sweden did however confirm in a public IDG Story that the rootkit is indeed part of their software.
Over at McAfee they state:
File this one under “Déjà vu all over again”. After learning from F-Secure of shady rootkit-like activities noticed in the software packaged with several Sony USB drives, we were first a bit amazed. After all that had occurred with the audio CD episode, could this really be true? Well, it was.
In the class of nasty rootkits the ones that top the chart are those that use blended techniques to hide or protect themselves. I/O request packet filtering is one kernel mode rootkit technique that is gaining popularity along with the already common SDT hooking.
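To make the mechanism in the two quotes concrete, here is an added user-mode C simulation. It is not Sony's driver and not code from F-Secure or McAfee: a one-slot "service table" stands in for the kernel's system service table, a hook on the directory-enumeration slot filters out cloaked names the way an SDT-hooking cloaking driver does, and two checks a responder would run are shown beside it: a cross-view diff (raw view against the API view) and a service-table integrity check against the known-good handler address. The cloaking prefix `$hide$`, the directory contents, and every function name are constructed for this example; the real MicroVault marker is not stated on this page.

```c
#include <stdio.h>
#include <string.h>

/* Added simulation, not Sony's driver. The prefix and the directory
 * contents below are constructed; they are not the real MicroVault data. */
#define MAX_ENTRIES 16
#define CLOAK_PREFIX "$hide$"   /* hypothetical marker the hook filters on */

/* Constructed on-disk contents of one directory (the "raw" view). Note that
 * the legitimate auth data and a dropped malware folder are cloaked alike,
 * which is the point F-Secure makes about reusing the driver. */
static const char *g_disk_entries[] = {
    "Documents", "MicroVault", "$hide$authdata", "photo.jpg", "$hide$dropper"
};
#define DISK_COUNT (sizeof g_disk_entries / sizeof g_disk_entries[0])

typedef int (*enum_dir_fn)(const char **out, int max);

/* Genuine service: what an offline scan or a raw volume parser returns. */
static int raw_enumerate(const char **out, int max)
{
    int n = 0;
    for (size_t i = 0; i < DISK_COUNT && n < max; i++)
        out[n++] = g_disk_entries[i];
    return n;
}

/* The service table as shipped: the slot points at the genuine service. */
static enum_dir_fn g_service_table[1] = { raw_enumerate };
static enum_dir_fn g_original_service = 0;

/* The hook: call the original, then drop every cloaked name in place. */
static int hooked_enumerate(const char **out, int max)
{
    int n = g_original_service(out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], CLOAK_PREFIX, strlen(CLOAK_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

/* What the cloaking driver does at load: overwrite the table slot. */
void install_cloak_hook(void)
{
    if (g_original_service == 0) {
        g_original_service = g_service_table[0];
        g_service_table[0] = hooked_enumerate;
    }
}

/* What a proper uninstaller does: restore the saved slot. */
void remove_cloak_hook(void)
{
    if (g_original_service != 0) {
        g_service_table[0] = g_original_service;
        g_original_service = 0;
    }
}

/* Every ordinary tool (Explorer, dir, a real-time scanner) goes through the table. */
int list_dir(const char **out, int max)
{
    return g_service_table[0](out, max);
}

/* Check 1, cross-view diff: names present in the raw view but absent from
 * the API view are being hidden. In a real system the raw view must come
 * from parsing the volume directly or from an offline boot; here it is
 * simply the unhooked function. */
int cross_view_hidden(const char **hidden, int max)
{
    const char *api[MAX_ENTRIES], *raw[MAX_ENTRIES];
    int na = list_dir(api, MAX_ENTRIES);
    int nr = raw_enumerate(raw, MAX_ENTRIES), nh = 0;
    for (int i = 0; i < nr && nh < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++)
            if (strcmp(raw[i], api[j]) == 0) { seen = 1; break; }
        if (!seen)
            hidden[nh++] = raw[i];
    }
    return nh;
}

/* Check 2, table integrity: does the slot still point at the known-good handler? */
int service_table_tampered(void)
{
    return g_service_table[0] != raw_enumerate;
}

int main(void)
{
    const char *names[MAX_ENTRIES];
    printf("tampered before hook: %d\n", service_table_tampered());
    install_cloak_hook();
    printf("entries visible through the API after hook: %d\n", list_dir(names, MAX_ENTRIES));
    int nh = cross_view_hidden(names, MAX_ENTRIES);
    for (int i = 0; i < nh; i++)
        printf("cross-view diff found hidden entry: %s\n", names[i]);
    printf("tampered after hook: %d\n", service_table_tampered());
    remove_cloak_hook();
    printf("entries visible after uninstall: %d\n", list_dir(names, MAX_ENTRIES));
    return 0;
}
```

The second check is the one that separates this case from a one-off: the table-integrity comparison flags the hook regardless of what prefix it filters on, so it still fires when the same executable is repackaged with a different payload, as the F-Secure quote warns.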
I guess the question I have is this: is the rootkit actually necessary to protect the encryption technique Sony employs on these USB drives?
F-Secure article here.
McAfee article here.
Comments welcome.
