Sony in a New Rootkit Scandal

Many people vividly remember the Sony rootkit scandal of 2005.  I still detect hosts on networks I monitor as being infected with the rootkit, prompting a system rebuild.  If you are not familiar with the 2005 scandal, Wikipedia has a pretty good summary here.  Essentially, Sony wanted to agressively protect its copyrights on its music, and to do so, it distributed music CD’s with software on it that auto-installed on PC’s, hiding software from the user and crippling PC functionality.  In addition, wily hackers knew how to exploit such code to install their own hidden backdoor into affected systems.

Now Sony has been caught by F-Secure using rootkits again, but this time the software is bundled with some high-end thumbdrives and biometric readers. 

From Reuters here:

Software included with high-end memory sticks sold by Sony Corp can make personal computers vulnerable to attack by computer hackers, according to researchers with two Internet security firms.
 
Sony’s MicroVault USB memory stick and fingerprint reader includes software that creates a hidden directory on the computer’s hard drive, researchers with Finnish security software maker F-Secure Corp reported on the company’s blog on Monday.

Such software that hides itself, which is known as a root kit, leaves room for hackers to secretly infect personal computers, they said.

F-Secure’s blog posting said it attempted to contact Sony before alerting the public about the software, but the company had not replied.

On Tuesday, researchers with McAfee Inc. said they had confirmed the vulnerability described by F-Secure.

“The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives,” said McAfee spokesman Dave Marcus. “However, software creators apparently did not keep the security implications in mind. The application could be used to hide arbitrary software, including malicious software.”

This is not the first time F-Secure has found Sony software installing hidden directories on the drives of its customers. In 2005 there was a similar situation involving the electronics maker’s digital rights management software, security experts say.

On F-Secure’s blog today, the security group confirms that the rootkit can be used by malware authors to hide any file folder.

This new rootkit (which can still be downloaded from sony.net) can be used by any malware author to hide any folder. We didn’t want to go into the details about this in our public postings, but we suppose the cat’s out of the bag now that our friends at McAfee blogged about this yesterday. If you simply extract one executable from the package and include it with malware, it will hide that malware’s folder, no questions asked.