Use a Sony USB Fingerprint Reader and Thumbdrive, Get a Rootkit Free!

Posted 08/29/2007 at 9:40am | by By Mark Soper

10

Comments

Print

In 2005, Sony added "rootkit" to the vocabulary of computer users across the world when it added hidden copy protection software to its music CDs. Two years later, history seems to be repeating itself.

Rootkits 101

What's a rootkit? In case you slept through the Sony music CD debacle, a rootkit is a program that hides its presence from normal operating system interfaces. A Windows rootkit, for example, will not show up in Windows Explorer. Depending upon its design, a rootkit can hide files and folders, registry keys, or other system components.

Rootkits can be used in a variety of ways: Sony used two different rootkits to prevent copying of music CDs by computer users in 2005, while other rootkits have been used to run security programs, run malware to attack systems, and so forth. While some users will object to any rootkit, no matter its purpose, others will be more concerned if the rootkit makes it easy for others to attack your PC.

What's Wrong with Rootkits

Sony's 2005 rootkits provided a vivid demonstration of everything a company that uses rootkit technology can do wrong:

• Users weren't notified of the presence of the rootkit by the end-user license agreement
• The copy-protection programs Sony installed as rootkits didn't prevent malware such as Backdoor.Ryknos.B (also known as Breplibot.C and others) from hiding themselves in the rootkits' own folders
• The programs hiding in the rootkit degraded system performance
• The programs could not be removed with normal uninstall routines

Sony eventually wound up recalling over 100 music CD titles that used the rootkits and shelled out millions of dollars in settlements.

Sony Rootkit, Part Deux

Monday, anti-malware vendor F-Secure announced that Sony's MicroVault USM-F line of USB flash drives with onboard fingerprint readers create a folder invisible to Windows that is used for the fingerprint reader's software and data files. While this method helps protect the reader from tampering, F-Secure points out that the hidden folder can also be accessed from the command prompt, can be used to store additional files, and could be exploited by hackers as a location for storing malware. In other words, whether Sony intended it or not, the MicroVault fingerprint readers install a rootkit on your PC that can be exploited as a security risk.

Sony - Slightly Smarter...

However, in a follow-up analysis two days later, F-Secure also points out that Sony has learned a few things from its 2005 fiasco:

• The fingerprint driver software can be uninstalled easily
• The program does not hide software or registry keys

...But Not Smart Enough 

Unfortunately, the driver can be used to hide any (!) folder (McAfee's AVERT Labs used it to hide the Windows folder and all subfolders). How long will it be before some malware writer comes up with a nasty piece of "ransomware" to take advantage of this 'feature?'

Time for a "Bill of Rootkit Rights"?

Right now, the way that some rootkits are designed and used by legitimate companies makes it easy for the bad guys to abuse a rootkit by using it to attack users' computers - and users who don't know about a particular rootkit (and don't use anti-rootkit programs) are sitting ducks. Here's my modest proposal to set up a "Bill of Rootkit Rights" for PC users:

• Vendors should use rootkits only if other methods for protecting files and programs are not feasible
• Users need to be notified that a rootkit will be installed when a program or device containing a rootkit is being installed or connected
• Users should be given the option to opt-out of installing a program that uses a rootkit
• Vendors should provide an alternative to a program that provides a rootkit whenever possible, and explain the potential security risks of not using the rootkit-enabled version
• Vendors should provide effective uninstallers for rootkits they distribute
• Vendors should clearly explain what the rootkit does and why they believe it's necessary to the operation of the program or device
• Vendors should use rootkits only if the rootkits cannot be used in ways other than what the vendor intended

Sony's Micro Vault driver quite clearly fails to meet most of these proposed rules - especially the last one.

Some may argue that this level of disclosure would harm the effectiveness of a rootkit designed to perform legitimate tasks. I disagree: right now, the bad guys know about what rootkits can do - and all I'm advocating is the same level of knowledge for legitimate users. Nobody wants to install a program that can be turned into a weapon against their system or their information.

-------------------

Discover what features are great, what works, and what needs work in Windows Vista with Mark's new book Maximum PC Microsoft Windows Vista Exposed. It's now available at Amazon.com and other fine bookstores.