Re: Sony: The Return Of The Rootkit

2007-09-01 Thread John Hammond
There are many other options outside of the Sony key without the rootkit 
problem. One of the best devices that I have read about is from Stealth. 
While I have yet to personally evaluate this product, as I understand it 
there is no software outside of the standard USB driver needed to recognize 
and use a standard USB key, outside of the initial device programming or a 
lockout state.


http://www.gcn.com/print/26_14/44484-1.html
From: Paul Sebastian Ziegler <[EMAIL PROTECTED]>
To: Jason Brooke <[EMAIL PROTECTED]>
CC: bugtraq@securityfocus.com
Subject: Re: Sony: The Return Of The Rootkit
Date: Sat, 01 Sep 2007 00:48:49 +0200
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Also, the article by f-secure that you're having a go at,

I'll have to protest here - I never hit at the original article. As you
can read in the blog entry (this is also why I posted the link) I think
that they have done everything alright.

> says "This USB
> stick with rootkit-like behavior" and openly acknowledges that the
> purpose of hiding files by the device is probably to try and prevent
> tampering with the fingerprint authentication.

Which is why I agree with them.

> Their main point is that:
>
> "The Sony MicroVault USM-F fingerprint reader software that comes with
> the USB stick installs a driver that is hiding a directory under
> "c:\windows\". So, when enumerating files and subdirectories in the
> Windows directory, the directory and files inside it are not visible
> through Windows API. If you know the name of the directory, it is e.g.
> possible to enter the hidden directory using Command Prompt and it is
> possible to create new hidden files. There are also ways to run files
> from this directory. Files in this directory are also hidden from some
> antivirus scanners (as with the Sony BMG DRM case) — depending on the
> techniques employed by the antivirus software. It is therefore
> technically possible for malware to use the hidden directory as a hiding
> place."

That is correct. It could be abused that way. Just like several other
folders on e.g. Vista could be as well since they share that exact
functionality. Still that doesn't make it technically a rootkit. It is a
pretty dumb idea, I totally agree. However AV really shouldn't be fooled
by something like this anymore. Some still is, but they'll grow out of it.

But just as Tyler Reguly phrased it just a few minutes earlier:
> There's a number of reasons why this isn't actually a rootkit... The
> problem with calling everything by the same name is that you degrade the
> original meaning of the word


This is the problem I was hitting at. And I am not trying to defend Sony.

Many Greetings
Paul

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
UCgAjhn7CN0ApBMbOc+3WvM=
=p7Ye
-END PGP SIGNATURE-





Re: Sony: The Return Of The Rootkit

2007-09-01 Thread Juha-Matti Laurio

According to Mikko Hyppönen's post to F-Secure's blog Sony Electronics has 
confirmed that they received the research report this week:
http://www.f-secure.com/weblog/archives/archive-082007.html#1266

The post says that companies have opened direct discussion channels and Sony 
will receive the internal technical report of the case.

Maybe we will see an official response document from Sony later.

- Juha-Matti

Paul Sebastian Ziegler <[EMAIL PROTECTED]> wrote: 

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Quark IT - Hilton Travis wrote:
> Hi All,
>
> Apparently Sony cannot learn from their past and have introduced another
> rootkit with another of their devices.  This time it is their Microvault
> USB drive that has fingerprint security.

That is not exactly new news.

The devices are old and all that is "rootkit-like" about them is the
fact that they interact with the kernel in order to hide their own files
from corruption.

Not everything that interacts with the kernel is a rootkit. Or would
anyone want to classify GRSecurity as a rootkit? RBAC will let you hide
parts of your filesystem as well...

> Have a read of

Have another one:
http://observed.de/?entnum=101

Now I was outraged by Sony's Copyprotection Rootkit - but this is simply
something different.

Many Greetings
Paul

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG1uvsaHrXRd80sY8RCvegAJ9C8GDeUIi5maRExcLnjdV4w3pCLACg8iDU
pM7XA3bdpQ81EMytNaMBre0=
=yk5I
-END PGP SIGNATURE-


Re: Sony: The Return Of The Rootkit

2007-09-01 Thread Tyler Reguly
This is what Paul was referring to, I sent it out but bugtraq bounced
it, so only he saw it:

There's a number of reasons why this isn't actually a rootkit... The
problem with calling everything by the same name is that you degrade
the original meaning of the word

More of my thoughts on the subject here: http://www.computerdefense.org/?p=380

Tyler.

On 8/31/07, Paul Sebastian Ziegler <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree. However AV really shouldn't be fooled
> by something like this anymore. Some still is, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
> > There's a number of reasons why this isn't actually a rootkit... The
> > problem with calling everything by the same name is that you degrade the
> > original meaning of the word
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -END PGP SIGNATURE-
>


Re: Sony: The Return Of The Rootkit

2007-09-01 Thread Chad Perrin
On Thu, Aug 30, 2007 at 06:10:25PM +0200, Paul Sebastian Ziegler wrote:
> 
> Not everything that interacts with the kernel is a rootkit. Or would
> anyone want to classify GRSecurity as a rootkit? RBAC will let you hide
> parts of your filesystem as well...

Actually, the impression I got is that the term "rootkit" was being used
correctly in this case -- in that it referred to software that can be
used when one has rooted a machine to cover one's tracks.  Whether or not
software interacts with the kernel really has nothing to do with whether
it's a rootkit, and I don't recall seeing anything in the linked
discussions of Sony's software that suggested otherwise.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
W. Somerset Maugham: "The ability to quote is a serviceable substitute for
wit."


Re: Sony: The Return Of The Rootkit

2007-09-01 Thread Paul Sebastian Ziegler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

> Also, the article by f-secure that you're having a go at,

I'll have to protest here - I never hit at the original article. As you
can read in the blog entry (this is also why I posted the link) I think
that they have done everything alright.

> says "This USB
> stick with rootkit-like behavior" and openly acknowledges that the
> purpose of hiding files by the device is probably to try and prevent
> tampering with the fingerprint authentication.

Which is why I agree with them.

> Their main point is that:
> 
> "The Sony MicroVault USM-F fingerprint reader software that comes with
> the USB stick installs a driver that is hiding a directory under
> "c:\windows\". So, when enumerating files and subdirectories in the
> Windows directory, the directory and files inside it are not visible
> through Windows API. If you know the name of the directory, it is e.g.
> possible to enter the hidden directory using Command Prompt and it is
> possible to create new hidden files. There are also ways to run files
> from this directory. Files in this directory are also hidden from some
> antivirus scanners (as with the Sony BMG DRM case) — depending on the
> techniques employed by the antivirus software. It is therefore
> technically possible for malware to use the hidden directory as a hiding
> place."

That is correct. It could be abused that way. Just like several other
folders on e.g. Vista could be as well since they share that exact
functionality. Still that doesn't make it technically a rootkit. It is a
pretty dumb idea, I totally agree. However AV really shouldn't be fooled
by something like this anymore. Some still is, but they'll grow out of it.

But just as Tyler Reguly phrased it just a few minutes earlier:
> There's a number of reasons why this isn't actually a rootkit... The problem
> with calling everything by the same name is that you degrade the original
> meaning of the word

This is the problem I was hitting at. And I am not trying to defend Sony.

Many Greetings
Paul

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
UCgAjhn7CN0ApBMbOc+3WvM=
=p7Ye
-END PGP SIGNATURE-


Re: Sony: The Return Of The Rootkit

2007-09-01 Thread Jason Brooke

Paul Sebastian Ziegler wrote:
> Have another one:
> http://observed.de/?entnum=101
>
> Now I was outraged by Sony's Copyprotection Rootkit - but this is simply
> something different.
>
> Many Greetings
> Paul


I can't see anything in your article that adds anything to your email, 
why did you want him to read it?



Also, the article by f-secure that you're having a go at, says "This USB 
stick with rootkit-like behavior" and openly acknowledges that the 
purpose of hiding files by the device is probably to try and prevent 
tampering with the fingerprint authentication. Their main point is that:



"The Sony MicroVault USM-F fingerprint reader software that comes with 
the USB stick installs a driver that is hiding a directory under 
"c:\windows\". So, when enumerating files and subdirectories in the 
Windows directory, the directory and files inside it are not visible 
through Windows API. If you know the name of the directory, it is e.g. 
possible to enter the hidden directory using Command Prompt and it is 
possible to create new hidden files. There are also ways to run files 
from this directory. Files in this directory are also hidden from some 
antivirus scanners (as with the Sony BMG DRM case) — depending on the 
techniques employed by the antivirus software. It is therefore 
technically possible for malware to use the hidden directory as a hiding 
place."

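The F-Secure paragraph quoted above describes a driver that filters one directory out of enumeration results while leaving access by name intact: you can still "cd" into the directory, create files in it and run files from it, and a scanner that only walks enumeration results never sees them. The standard way to detect that class of hiding is a cross-view comparison: take the enumerated listing, then probe the same location by name through a path the filter does not cover, and flag anything reachable but unlisted. The Python below is an added example written for this page; it is not code from the thread, from F-Secure or from Sony. The directory names, the candidate list and the filtering enumerator that stands in for the driver are all constructed, and the real driver behaviour is simulated rather than reproduced.

```python
"""Cross-view check for directory entries hidden from enumeration only.

Added example, not code from the bugtraq thread or from F-Secure/Sony.
The filtering enumerator below is a constructed stand-in for a driver
that drops one name from directory listings; the scratch directory and
candidate names are constructed too.
"""
import os
import tempfile
from typing import Callable, Dict, Iterable, List


def cross_view_diff(directory: str,
                    candidates: Iterable[str],
                    enumerate_fn: Callable[[str], List[str]] = os.listdir,
                    exists_fn: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Return candidate names that exist under `directory` when opened
    by name but are absent from the enumerated listing.

    enumerate_fn is the high-level view (what a hooked enumeration API
    reports); exists_fn is the low-level view (open the path directly).
    On a system with no filter in place the result is empty.
    """
    listed = set(enumerate_fn(directory))
    hidden = []
    for name in candidates:
        if name in listed:
            continue  # visible in both views, nothing to report
        if exists_fn(os.path.join(directory, name)):
            hidden.append(name)  # reachable by name, missing from listing
    return sorted(hidden)


def make_filtering_enumerator(hidden_name: str) -> Callable[[str], List[str]]:
    """Constructed stand-in for the hiding driver: strips one name from
    enumeration results but does nothing to direct path access."""
    def enumerate_filtered(directory: str) -> List[str]:
        return [n for n in os.listdir(directory) if n != hidden_name]
    return enumerate_filtered


def demo() -> Dict[str, List[str]]:
    """Build a scratch tree, hide one entry from enumeration only, and
    return what each view reports (constructed names throughout)."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("system32", "temp", "hiddendir"):
            os.mkdir(os.path.join(root, name))
        # a file dropped inside the hidden directory, as the quote describes
        open(os.path.join(root, "hiddendir", "payload.bin"), "wb").close()

        # candidate names come from prior knowledge (vendor advisory, a
        # wordlist, a known-good baseline); "nonexistent" is a control
        candidates = ["system32", "temp", "hiddendir", "nonexistent"]

        clean = cross_view_diff(root, candidates)
        hooked = cross_view_diff(
            root, candidates,
            enumerate_fn=make_filtering_enumerator("hiddendir"))
        # once you know the path, listing inside the hidden directory works
        inside = sorted(os.listdir(os.path.join(root, "hiddendir")))
        return {"clean": clean, "hooked": hooked, "inside_hidden": inside}


if __name__ == "__main__":
    print(demo())
```

The limit of a name-probe is visible in `demo()`: it only finds what you already have a candidate name for, which is exactly the situation in the quote ("if you know the name of the directory"). A scanner that wants to find unknown hidden entries has to obtain its second view from below the filter, for instance by parsing the volume's on-disk structures directly, rather than by guessing names; the comparison logic stays the same.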

Re: Sony: The Return Of The Rootkit

2007-08-31 Thread Paul Sebastian Ziegler
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Quark IT - Hilton Travis wrote:
> Hi All,
>
> Apparently Sony cannot learn from their past and have introduced another
> rootkit with another of their devices.  This time it is their Microvault
> USB drive that has fingerprint security.

That is not exactly new news.

The devices are old and all that is "rootkit-like" about them is the
fact that they interact with the kernel in order to hide their own files
from corruption.

Not everything that interacts with the kernel is a rootkit. Or would
anyone want to classify GRSecurity as a rootkit? RBAC will let you hide
parts of your filesystem as well...

> Have a read of

Have another one:
http://observed.de/?entnum=101

Now I was outraged by Sony's Copyprotection Rootkit - but this is simply
something different.

Many Greetings
Paul

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG1uvsaHrXRd80sY8RCvegAJ9C8GDeUIi5maRExcLnjdV4w3pCLACg8iDU
pM7XA3bdpQ81EMytNaMBre0=
=yk5I
-END PGP SIGNATURE-


Sony: The Return Of The Rootkit

2007-08-30 Thread Quark IT - Hilton Travis
Hi All,

Apparently Sony cannot learn from their past and have introduced another
rootkit with another of their devices.  This time it is their Microvault
USB drive that has fingerprint security.

Have a read of
http://hiltont.blogspot.com/2007/08/sony-rootkit-version-2.html for my
"WHAT!?!?!? You're kidding?" on it and also
http://www.f-secure.com/weblog/archives/archive-082007.html#1263 for
the original report from F-Secure.

--

Regards,

Hilton Travis  Phone: +61 (0)7 3344 3889
(Brisbane, Australia)  Phone: +61 (0)419 792 394
Manager, Quark IT  http://www.quarkit.com.au
 Quark AudioVisual http://www.quarkav.net

War doesn't determine who is right.  War determines who is left.
