lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1f313f070709010901p3319f696yec6d8db2e75ab9f9@mail.gmail.com>
Date: Sat, 1 Sep 2007 12:01:29 -0400
From: "Tyler Reguly" <ht@...puterdefense.org>
To: "Paul Sebastian Ziegler" <psz@...erved.de>
Cc: "Jason Brooke" <jason@....org>, bugtraq@...urityfocus.com
Subject: Re: Sony: The Return Of The Rootkit

This is what Paul was referring to, I sent it out but bugtraq bounced
it, so only he saw it:

There's a number of reasons why this isn't actually a rootkit... The
problem with calling everything by the same name is that you degrade
the original meaning of the world

More of my thoughts on the subject here: http://www.computerdefense.org/?p=380

Tyler.

On 8/31/07, Paul Sebastian Ziegler <psz@...erved.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree. However AV really shouldn't be fooled
> by something like this anymore. Some still is, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
> > There's a number of reasons why this isn't actually a rootkit... The problem with calling everything by the same name is that you degrade the original meaning of the world
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -----END PGP SIGNATURE-----
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ