Re: Sony: The Return Of The Rootkit

Board: Bugtraq
Author:
Posted: 2007/09/02 08:42 (18 years ago)
Votes: 0 (0 up, 0 down, 0 neutral); comments: 0; participants: 0; thread: post 8 of 8
There are many other options outside of the Sony key without the rootkit problem. One of the best devices that I have read about is from Stealth. While I have yet to personally evaluate this product, as I understand it there is no software needed outside of the standard USB driver to recognize and use a standard USB key, apart from the initial device programming or a lockout state.

http://www.gcn.com/print/26_14/44484-1.html

> From: Paul Sebastian Ziegler <psz@observed.de>
> To: Jason Brooke <jason@qgl.org>
> CC: bugtraq@securityfocus.com
> Subject: Re: Sony: The Return Of The Rootkit
> Date: Sat, 01 Sep 2007 00:48:49 +0200
> User-Agent: Thunderbird 2.0.0.6 (X11/20070809)
> References: <69D384433B57A14D837F7EC9760895F70E2676@sbs.QuarkGroup.local> <46D6EBF1.104@observed.de> <46D88BE9.7090902@qgl.org>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) - depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree.
>
> However AV really shouldn't be fooled by something like this anymore.
> Some still are, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
>
> > There's a number of reasons why this isn't actually a rootkit... The
> > problem with calling everything by the same name is that you degrade the
> > original meaning of the word
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -----END PGP SIGNATURE-----
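The quoted F-Secure description above (a driver that hides a directory under c:\windows\ from Windows API enumeration while the files remain reachable by name) is the situation a "cross-view diff" is meant to catch: list the same tree once through the ordinary file API and once from an independent source (an offline image, a raw volume parse, a boot from clean media), and report anything present in the raw view that the API view does not show. The script below is an added example written for this page, not code from the thread, from Sony, or from F-Secure; the two listings it compares are constructed sample data, and the hidden directory name is an obvious placeholder because the thread does not give the real one.

```python
"""Cross-view diff: spot directories hidden from the normal file API.

Added example (not from the Bugtraq thread). It compares two listings of
the same directory tree:
  * api_view  - what a normal Win32 directory walk returns (what Explorer,
                `dir` and many on-line scanners see)
  * raw_view  - the same tree enumerated through an independent source
                (offline image, raw volume parse, clean-media boot)
Entries that exist in the raw view but are missing from the API view are
the classic signature of a filter driver hiding files.  Entries that only
the API reports are flagged too, since they usually mean the raw source is
stale or incomplete and the comparison should not be trusted.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List


def normalize(path: str) -> str:
    """Windows paths are case-insensitive; unify separators and case so that
    'C:/Windows/' and 'c:\\windows' compare equal."""
    return path.replace("/", "\\").rstrip("\\").lower()


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "hidden_from_api" or "api_only"


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str]) -> List[Finding]:
    """Return every path that the two views disagree on, sorted for stable output."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    findings = [Finding(p, "hidden_from_api") for p in sorted(raw - api)]
    findings += [Finding(p, "api_only") for p in sorted(api - raw)]
    return findings


def hidden_roots(findings: Iterable[Finding]) -> List[str]:
    """Collapse nested hits to the top-most hidden directory, so a hidden folder
    holding many files is reported once rather than once per file."""
    hidden = sorted(f.path for f in findings if f.kind == "hidden_from_api")
    roots: List[str] = []
    for p in hidden:
        if not any(p.startswith(r + "\\") for r in roots):
            roots.append(p)
    return roots


# Constructed sample listings.  The API view is what a normal directory walk
# of C:\Windows would show; the raw view additionally contains a directory the
# filter driver keeps out of API enumeration.  HIDDEN_DIR_PLACEHOLDER stands
# in for the real directory name, which this thread does not state.
API_VIEW = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\System32",
    r"C:\Windows\System32\ntdll.dll",
]
RAW_VIEW = API_VIEW + [
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER",
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER\driver_placeholder.sys",
    r"C:\Windows\HIDDEN_DIR_PLACEHOLDER\data_placeholder.bin",
]


def demo() -> List[str]:
    """Run the comparison on the constructed data and return the hidden roots."""
    findings = cross_view_diff(API_VIEW, RAW_VIEW)
    for f in findings:
        print(f"{f.kind:16} {f.path}")
    return hidden_roots(findings)


if __name__ == "__main__":
    print("hidden directories:", demo())
```

On a real system the two listings would come from different enumeration paths rather than literals; the comparison logic is the same. A non-empty `api_only` list means the raw source is out of date, so treat its `hidden_from_api` results with suspicion until the listings are taken from the same point in time.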
Article ID (AID): #16sWRV00 (Bugtraq)