Researchers spot rootkits on more Sony USB drives

Software, still on the Web, can be used by hackers to cloak malware

A second line of USB drives sold by Sony Electronics that uses rootkit tactics to hide files has been identified, and the devices' software remains on the Web, a researcher said Thursday.

Hackers using just one of the package's files can mask their attack code from some security scanners, said Mikko Hypponen, chief research officer at Helsinki, Finland-based F-Secure. "This new rootkit [which can still be downloaded] can be used by any malware author to hide any folder."

On Monday, F-Secure announced that the fingerprint-reader software included with Sony's MicroVault USM-F flash drives stores files in a hidden directory that could be used by hackers to cloak their malicious code. F-Secure noted that the USM-F models were difficult, but not impossible to find. Sony has since confirmed that the line has been discontinued.

But its replacement, the USM512FL, is widely available, and shares the rootkit-like techniques of its predecessor. "They have the same functionality in the latest as well," said Hypponen.

Sony has removed the download links for the USM-F and USM512FL software from its MicroVault support site, but Computerworld was easily able to locate a live link -- and download the software -- by searching through Google's cache.

Since F-Secure disclosed Sony's newest rootkit snafu, several other research teams have confirmed the company's findings. On Tuesday, McAfee Inc. analysts agreed that hackers could use one of the executable files in the USB drive software to hide any folder, and all the files in that folder, from the prying eyes of security scanners. "Alternately, attackers could simply hide their malicious creations in the default installation directory itself," McAfee researchers Aditya Kapoor and Seth Purdy said in a post to the Avert Labs' blog.

Kapoor and Purdy also identified FineArt Technology Co., a Taiwanese developer, as the makers of the fingerprint-reading MicroVault software. On its Web site, FineArt touts Fingerprint Disk, a suite of tools for authenticating fingerprint-access and encrypting files and folders. FineArt could not be reached Thursday because of time zone differences.

"Their apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives," said Kapoor and Purdy. "However, in this case the authors apparently did not keep the security implications in mind."

U.K.-based Sophos PLC also confirmed the presence of rootkit technologies in the FineArt-created software bundled with the MicroVault drives.

Sony, meanwhile, was still looking into the claims as of late Wednesday, said spokesman Tom Di Nome, who had little to share. "We are still investigating this and are taking the issue very seriously," he said.

These latest rootkit charges are not the first to be leveled against Sony. Nearly two years ago, security researchers spotted rootkit-like cloaking technologies used by the copy-protection software that Sony BMG Music Entertainment installed on PCs when customers played the label's audio CDs. The Federal Trade Commission later alleged that Sony had violated federal law and settled with the company earlier this year. Before that, Sony paid out nearly US$6 million to settle cases with the U.S.

The concern now is that attackers will use the FineArt/Sony files -- which can still be downloaded from Sony's Web site -- to add invisibility to their exploits.

But in a blog posting Thursday morning, F-Secure's Hypponen stressed that while the MicroVault and Sony BMG cases are similar, this newest security breakdown is not as flagrant. "The fingerprint driver does not hide its folder as 'deeply' as does the XCP (the rootkit-style software developed by Fortium Technologies for use by Sony BMG) folder," said Hypponen. "The MicroVault software probably wouldn't hide malware as effectively from some real-time antivirus scanners."

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?