Rootkit found in older Sony USB device

F-Secure says it discovered rootkit technology in Sony's Micro Vault USM-F fingerprint reader software. The find comes two years after controversy over Sony's DRM technology.

Nearly two years after Sony faced a storm of criticism for using a rootkit-like program in its digital rights management (DRM) technology, security researchers at F-Secure say they have discovered something similar in Sony's Micro Vault USM-F fingerprint reader software.

The latest example of rootkit use was found in software that's part of an older line of USB drives sold by Sony Electronics, according to Mika Stahlberg, a researcher for the Finland-based security firm.

In the F-Secure blog, Stahlberg wrote that the Sony Micro Vault USM-F fingerprint reader software that comes with the USB stick installs a driver that hides a directory under 'c:\windows\'. When enumerating files and subdirectories in the Windows directory, he said, the directory and the files inside it are not visible through the Windows API. If someone knows the name of the directory, it is possible to enter the hidden directory using a command prompt, and it is possible to create new hidden files.

"It is our belief that the Micro Vault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass," he said. "It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here."

He did note, however, that Micro Vault with fingerprint authentication appears to be an older product Sony may no longer be manufacturing. Nevertheless, Stahlberg said, F-Secure researchers did manage to find the product on sale.
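
The behaviour Stahlberg describes, a directory that is absent from enumeration yet opens when addressed by name, can be checked by comparing the two views. The Python below is an added example, not code from F-Secure or Sony; the directory names and the filtering lister that stands in for the hiding driver are constructed for illustration, since the article does not give the hidden directory's name.

```python
import os
import tempfile


def find_cloaked(parent, candidates, enumerate_dir=os.listdir):
    """Return candidate names that open by direct path under `parent`
    but are missing from the enumeration of `parent`."""
    # View 1: what directory enumeration reports. This is the view a
    # hiding driver filters. Windows names are case-insensitive, so
    # compare case-folded.
    listed = {name.casefold() for name in enumerate_dir(parent)}
    cloaked = []
    for name in candidates:
        # View 2: address the entry directly by full path, no enumeration.
        reachable = os.path.lexists(os.path.join(parent, name))
        if reachable and name.casefold() not in listed:
            cloaked.append(name)
    return cloaked


def demo():
    # Constructed sandbox: a temp directory stands in for the Windows
    # directory, and `filtered` stands in for the hiding driver.
    with tempfile.TemporaryDirectory() as root:
        for d in ("system32", "hidden_example"):  # constructed names
            os.mkdir(os.path.join(root, d))

        def filtered(path):
            return [n for n in os.listdir(path) if n != "hidden_example"]

        candidates = ["system32", "hidden_example", "not_present"]
        return (
            find_cloaked(root, candidates),                          # honest view
            find_cloaked(root, candidates, enumerate_dir=filtered),  # filtered view
        )


if __name__ == "__main__":
    honest, filtered_view = demo()
    print("unfiltered enumeration:", honest)
    print("filtered enumeration:  ", filtered_view)
```

The check only finds names it is told to probe, so it confirms a suspected hidden directory; it does not discover unknown ones.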

F-Secure said it contacted Sony before going public with its latest discovery, but that Sony hasn't responded. Sony did not immediately respond to a request for comment from SearchSecurity.com.

Graham Cluley, senior technology consultant for UK-based security software company Sophos, said his organisation has been unable to locate one of the USB devices in question, and that they don't seem to be readily available in Australia and the UK. But he did find that they can be purchased online via such sources as Amazon.com. He declined to comment on the specifics of F-Secure's findings, but he did express concern over the general practice of using hidden technology as Sony has in the past.

"Hopefully, this new rootkit is not going to be as widespread as when Sony shipped one on popular music CDs," Cluley said in an email exchange.

In late 2005, Sony BMG Music Entertainment found itself at the center of a media firestorm when a researcher discovered the company was using a rootkit-based digital rights management (DRM) system to prevent CD copying.

Experts at the time worried that if more companies used the technology the way Sony has, hackers could hijack such rootkits and cause all kinds of trouble. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers, they noted.
