Date: Sat, 01 Sep 2007 00:48:49 +0200
From: Paul Sebastian Ziegler <psz@...erved.de>
To: Jason Brooke <jason@....org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Sony: The Return Of The Rootkit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

> Also, the article by f-secure that you're having a go at,

I'll have to protest here - I never hit at the original article. As you
can read in the blog entry (this is also why I posted the link) I think
that they have done everything alright.

> says "This USB
> stick with rootkit-like behavior" and openly acknowledges that the
> purpose of hiding files by the device is probably to try and prevent
> tampering with the fingerprint authentication.

Which is why I agree with them.

> Their main point is that:
> 
> "The Sony MicroVault USM-F fingerprint reader software that comes with
> the USB stick installs a driver that is hiding a directory under
> "c:\windows\". So, when enumerating files and subdirectories in the
> Windows directory, the directory and files inside it are not visible
> through Windows API. If you know the name of the directory, it is e.g.
> possible to enter the hidden directory using Command Prompt and it is
> possible to create new hidden files. There are also ways to run files
> from this directory. Files in this directory are also hidden from some
> antivirus scanners (as with the Sony BMG DRM case) — depending on the
> techniques employed by the antivirus software. It is therefore
> technically possible for malware to use the hidden directory as a hiding
> place."

That is correct. It could be abused that way. Just like several other
folders on e.g. Vista could be as well since they share that exact
functionality. Still that doesn't make it technically a rootkit. It is a
pretty dumb idea, I totally agree. However, AV really shouldn't be fooled
by something like this anymore. Some still are, but they'll grow out of it.

But just as Tyler Reguly phrased it just a few minutes earlier:
> There's a number of reasons why this isn't actually a rootkit... The
> problem with calling everything by the same name is that you degrade the
> original meaning of the word

This is the problem I was hitting at. And I am not trying to defend Sony.

Many Greetings
Paul

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
UCgAjhn7CN0ApBMbOc+3WvM=
=p7Ye
-----END PGP SIGNATURE-----
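The quoted F-Secure description gives a defender the detection handle: the directory is missing from enumeration but still reachable by name, so two views of the same parent directory disagree. The script below is an added example for this thread, not code from the original posts, F-Secure or Sony. It implements that cross-view comparison in Python; the function names, the directory names and the `make_filtering_lister` stand-in (a plain wrapper that drops names from `os.listdir` output to model the observable effect, not a driver) are all constructed for the example.

```python
"""Cross-view check for directories hidden from API enumeration.

Two views of one parent directory are compared: the listing view
(what a directory walk or scanner sees) and the by-name view (open or
stat of a full path).  A name found by the second but missing from the
first is the signature of enumeration filtering.
"""
import os
import tempfile
from typing import Callable, Iterable, List


def cross_view_hidden(parent: str,
                      candidates: Iterable[str],
                      enumerate_fn: Callable[[str], Iterable[str]] = os.listdir,
                      probe_fn: Callable[[str], bool] = os.path.lexists) -> List[str]:
    """Return the candidate names under `parent` that direct access by name
    finds but directory enumeration does not report.

    Comparison of listed names is case-insensitive because Windows file
    names are; the probe uses the candidate exactly as given.
    """
    visible = {name.lower() for name in enumerate_fn(parent)}
    hidden = []
    for name in candidates:
        if name.lower() in visible:
            continue                      # reported by the listing: not hidden
        if probe_fn(os.path.join(parent, name)):
            hidden.append(name)           # reachable by name, absent from listing
    return hidden


def make_filtering_lister(names_to_drop: Iterable[str]) -> Callable[[str], List[str]]:
    """Constructed stand-in for an enumeration filter: wraps os.listdir and
    removes the given names from its output.  It only models the effect the
    article describes (names missing from the listing); it hooks nothing."""
    dropped = {n.lower() for n in names_to_drop}

    def lister(path: str) -> List[str]:
        return [n for n in os.listdir(path) if n.lower() not in dropped]

    return lister


def demo():
    """Build a throwaway directory tree (constructed sample data) and run
    the check against an honest listing and against a filtered one.
    Returns (hidden_with_honest_listing, hidden_with_filtered_listing)."""
    with tempfile.TemporaryDirectory() as root:
        # Placeholder directory names; the real vendor directory name is not
        # given in the thread, so nothing here refers to it.
        for name in ("Drivers", "Fonts", "HiddenVendorDir"):
            os.mkdir(os.path.join(root, name))
        # Candidate names must come from outside the listing (an installer
        # manifest, a list of known names); enumeration alone cannot reveal
        # a name that it filters out.
        candidates = ["HiddenVendorDir", "Drivers", "NotThere"]
        honest = cross_view_hidden(root, candidates)
        filtered = cross_view_hidden(
            root, candidates,
            enumerate_fn=make_filtering_lister(["HiddenVendorDir"]))
        return honest, filtered


if __name__ == "__main__":
    honest, filtered = demo()
    print("honest listing, hidden names:  ", honest)     # []
    print("filtered listing, hidden names:", filtered)   # ['HiddenVendorDir']
```

Against an honest listing nothing is flagged; once the listing view drops a name that the by-name view still resolves, the discrepancy is reported. This is the same idea anti-rootkit scanners apply when they compare Windows API results with a lower-level view of the volume, which is also why the quoted article notes that only some antivirus products are fooled: it depends on whether the scanner relies on the filtered enumeration alone.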
