Finnish security firm F-Secure has just spotted another trace of Sony’s bad habit of installing malware on users’ computers, reigniting the scandal that plagued the Japanese company’s brand two years ago.
As usual, F-Secure tried to deal with Sony first, because of the stakes involved, but apparently got no answer. This led F-Secure to go ahead with its blog posting, in which it details the discovery and the potential threats of the rootkit-like software.
The story goes like this: F-Secure’s DeepGuard HIPS system warned the company’s engineers of a potential threat coming from the driver for a USB stick equipped with a fingerprint reader.
This intrigued the technicians, who decided to take a closer look at the awkward discovery, ordering more sticks and testing them more thoroughly. Well, surprise, surprise: it turns out that the company’s rootkit detector did indeed signal the presence of hidden files on the tested system.
This brought back bad memories from 2005, when Sony’s XCP DRM scandal made so many people aware of the dangers they expose themselves to by installing otherwise “neutral” software that nonetheless contains the now famous and infamous rootkit-like code. Anyway, the good part here is that, well, they became aware… Or, in Mika’s words (Mika Tolvanen works for F-Secure): “In any case, a lot more people now know what a "rootkit" is than back then.”
Technically speaking, by installing the software drivers for the USB stick with fingerprint access, you get a very nicely hidden file, almost impossible for regular antivirus programs to detect, which can readily be used for… you guessed it, malware.
“The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.”
Moreover, it is not only the software included in the MicroVault USB package that creates the hidden folder; the latest version of the drivers available from www.sony.net/Products/Media/Microvault/ does so too.
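The cloaking the quote describes, a directory that vanishes from enumeration but still opens by exact name, is exactly the gap a cross-view check catches: list the directory through the normal API, probe a set of candidate names directly, and report anything reachable but unlisted. The Python script below is an added example written for this article, not F-Secure’s or Sony’s code. The directory name “HiddenDir” and the candidate list are placeholders (the article does not give the real name); on a live system the second view would come from an independent source such as an offline disk image or raw volume parsing rather than a guessed list. The script also builds a simulated cloaking view so the check can be exercised offline without installing any driver.

```python
"""Cross-view detection of directory entries hidden from API enumeration.

Added example, not code from the article, F-Secure or Sony. Names such as
"HiddenDir" and the candidate list are constructed placeholders.
"""
import os
import tempfile
from typing import Callable, Iterable, List, Set


def enumerate_entries(directory: str) -> Set[str]:
    """View 1: ordinary directory enumeration.

    On Windows, os.scandir() goes through FindFirstFile/FindNextFile, the
    very API a filter driver of the kind quoted above interferes with.
    Names are casefolded because Windows file names are case-insensitive.
    """
    with os.scandir(directory) as it:
        return {entry.name.casefold() for entry in it}


def probe_by_name(directory: str, candidates: Iterable[str]) -> Set[str]:
    """View 2: open each candidate by exact path.

    The quoted behaviour ("if you know the name of the directory, it is
    possible to enter the hidden directory") means this view is not
    filtered, so it sees entries the listing does not.
    """
    found = set()
    for name in candidates:
        try:
            os.lstat(os.path.join(directory, name))
        except OSError:
            continue  # genuinely absent, not cloaked
        found.add(name.casefold())
    return found


def find_cloaked(directory: str, candidates: Iterable[str],
                 enumerate_fn: Callable[[str], Set[str]] = enumerate_entries) -> List[str]:
    """Return names reachable by path but absent from enumeration.

    Any result is a finding: legitimate software has no reason to make a
    directory disappear from listings while leaving it openable.
    """
    return sorted(probe_by_name(directory, candidates) - enumerate_fn(directory))


def cloaking_view(hidden_name: str) -> Callable[[str], Set[str]]:
    """Build an enumeration view that silently drops one name.

    This stands in for the filter driver so the check can be demonstrated
    offline; it is a simulation, not the driver's actual mechanism.
    """
    target = hidden_name.casefold()

    def cloaked_enumerate(directory: str) -> Set[str]:
        return {n for n in enumerate_entries(directory) if n != target}

    return cloaked_enumerate


def demo() -> dict:
    """Create a scratch directory and run the check against both views."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample contents standing in for c:\windows\.
        os.mkdir(os.path.join(root, "system32"))
        os.mkdir(os.path.join(root, "HiddenDir"))  # placeholder for the cloaked directory
        with open(os.path.join(root, "notepad.exe"), "wb") as fh:
            fh.write(b"MZ")
        candidates = ["system32", "notepad.exe", "HiddenDir", "nonexistent"]
        return {
            "clean": find_cloaked(root, candidates),
            "cloaked": find_cloaked(root, candidates, cloaking_view("HiddenDir")),
        }


if __name__ == "__main__":
    print(demo())  # {'clean': [], 'cloaked': ['hiddendir']}
```

On an unmodified directory the two views agree and the result is empty; with the simulated cloaking in place, the probe still reaches “HiddenDir” while enumeration no longer reports it, which is the discrepancy a rootkit detector flags. The same comparison generalises to any pair of independent views (API listing versus raw NTFS parsing, for instance), which is why cloaking that only filters one API is detectable at all.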
“It is our belief that the MicroVault software hides this folder to somehow protect the fingerprint authentication from tampering and bypass. It is obvious that user fingerprints cannot be in a world writable file on the disk when we are talking about secure authentication. However, we feel that rootkit-like cloaking techniques are not the right way to go here,” writes Mika Tolvanen.
F-Secure suspects that the MicroVault USB stick is no longer being manufactured, since they had difficulty finding additional units in Helsinki.
The 2005 Sony BMG CD copy protection scandal was a public scandal dealing with Sony BMG Music Entertainment's surreptitious distribution of rootkit software on audio compact discs.
As a copy protection measure, Sony BMG included the Extended Copy Protection (XCP) and MediaMax CD-3 software on music CDs. XCP was put on 52 titles and MediaMax was put on 50 titles. This software was automatically installed on desktop computers when customers tried to play the CDs. The software interferes with the normal way in which the Microsoft Windows operating system plays CDs, opening security holes that allow viruses to break in and causing other problems. It is widely described as spyware.