Free Republic

Another Sony rootkit worms its way to the surface
Ars Technica ^ | September 02, 2007 - 05:20PM CT | By Jeremy Reimer

Posted on 09/03/2007 2:54:28 PM PDT by Swordmaker

Sony can't catch a break after its infamous rootkit scandal back in 2005. In fact, we know from talking to security researchers and black hats alike that Sony is under the careful eye of many as a result of that major screwup. Now, a new story has come out involving Sony's biometric Micro Vault USM-F thumb drive, which apparently contains a rootkit that could potentially allow hackers to compromise users' PCs. The presence of the rootkit was first discovered by F-Secure, and was confirmed by Aditya Kapoor and Seth Purdy, researchers at McAfee, and posted on their blog.

"The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives," Kapoor and Purdy wrote. "However, in this case (*cough* AGAIN! *cough*) the authors apparently did not keep the security implications in mind."

The software installs itself as a driver on top of Windows' file system stack. It does this to deliberately hide the directory in which the fingerprint verification executable resides. Unfortunately, it does this to any directory it happens to be run from, which means that a malicious program could simply move it to a convenient directory—or even hide within the default program directory itself—and remain virtually undetectable by both users and many malware scanners.

The software for the drive was written by Taiwanese company FineArt, and Sony is claiming that they had no knowledge of this particular rootkit and did not intend for it to be released. Sony Sweden spokesman Fredrik Fagerstedt told ZDNet that "sometimes even actions undertaken with 'good will' can go wrong."

In this case, the "good will" was a security program that tried to keep itself secure from would-be hackers but ended up becoming a security risk itself. This is a little bit different from the original Sony BMG rootkit fiasco, where the intent was to deliberately add protection software to music CDs that consumers did not ask for or want and make that protection software hard or impossible to detect and uninstall. In this case, the intent was to actually provide something that the consumer wanted—biometric security—and the rootkit may indeed have been unintentional on Sony's part. Yet in the eyes of many, it's "yet another Sony rootkit."

When the original Sony rootkit scandal hit, a Sony executive originally dismissed it by saying that "most people, I think, don't even know what a rootkit is, so why should they care about it?"

It's clear now that many more people know what rootkits are; even if they lack a technical understanding of the software, they know that rootkits are "bad" for one reason or another. And consumers have increasingly had a sense that rootkits and Sony go hand in hand. This is likely why rumors related to Bioshock having a rootkit exploded so quickly; Sony owned the anti-copying tech involved in the dust-up (and to be clear, it was not a rootkit in that case).


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: rootkit; sony

1 posted on 09/03/2007 2:54:31 PM PDT by Swordmaker

To: Swordmaker

2 posted on 09/03/2007 4:12:20 PM PDT by martin_fierro (< |:)~)

To: Hyzenthlay

ping


3 posted on 09/03/2007 6:40:33 PM PDT by metmom (Welfare was never meant to be a career choice.)

To: rdb3; chance33_98; Calvinist_Dark_Lord; PenguinWry; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; ..

4 posted on 09/04/2007 5:19:46 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Swordmaker
And consumers have increasingly had a sense that rootkits and Sony go hand in hand.

See my tagline. I don't buy Sony.

5 posted on 09/04/2007 8:11:06 AM PDT by sionnsar (trad-anglican.faithweb.com |Iran Azadi| 5yst3m 0wn3d - it's N0t Y0ur5 (SONY) | UN: Useless Nations)
