Sony has done plenty of damage to its already tarnished reputation for going with proprietary formats that ultimately fail (Betamax, BluRay?), and for hardware issues (flaming laptop batteries), and security issues (CD rootkit scandal). Now they are at it again, putting a rootkit on a USB key drive. See the following article.
Nutshell, Finnish security company F-Secure has reported to have found software with rootkit-like behaviour supplied with Sony USB sticks with a built-in fingerprint reader.
"The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under "c:windows", So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g.
possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files," Mikko Hypponen, chief research officer at F-Secure wrote in the company blog.
"There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
However, in a follow up blog posting Hypponen says the USB case is not as bad as the CD DRM case," Hypponen writes.
"The user understands that he is installing software, it’s on the included CD, and has a standard method of uninstalling that software.
"The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn’t hide malware as effectively from (some) real-time antivirus scanners."
However, Hypponen does say it is possible to run executable malware from the hidden directory. What’s more, the new rootkit which can still be downloaded from sony.net can be used by any malware author to hide any folder.
"If you simply extract one executable from the package and include it in malware, it will hide that malware’s folder, no questions asked," Hypponen says.
It appears that Sony is not interested in talking about the issue with the security company that contacted the company before outing this case.
"We still haven’t received any kind of response from Sony International," Hypponen writes.