This is what Paul was referring to; I sent it out but bugtraq bounced it, so only he saw it:

There's a number of reasons why this isn't actually a rootkit... The problem with calling everything by the same name is that you degrade the original meaning of the word.

More of my thoughts on the subject here: http://www.computerdefense.org/?p=380

Tyler.

On 8/31/07, Paul Sebastian Ziegler <psz@xxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> > Also, the article by f-secure that you're having a go at,
>
> I'll have to protest here - I never hit at the original article. As you
> can read in the blog entry (this is also why I posted the link) I think
> that they have done everything alright.
>
> > says "This USB
> > stick with rootkit-like behavior" and openly acknowledges that the
> > purpose of hiding files by the device is probably to try and prevent
> > tampering with the fingerprint authentication.
>
> Which is why I agree with them.
>
> > Their main point is that:
> >
> > "The Sony MicroVault USM-F fingerprint reader software that comes with
> > the USB stick installs a driver that is hiding a directory under
> > "c:\windows\". So, when enumerating files and subdirectories in the
> > Windows directory, the directory and files inside it are not visible
> > through Windows API. If you know the name of the directory, it is e.g.
> > possible to enter the hidden directory using Command Prompt and it is
> > possible to create new hidden files. There are also ways to run files
> > from this directory. Files in this directory are also hidden from some
> > antivirus scanners (as with the Sony BMG DRM case) — depending on the
> > techniques employed by the antivirus software. It is therefore
> > technically possible for malware to use the hidden directory as a hiding
> > place."
>
> That is correct. It could be abused that way. Just like several other
> folders on e.g. Vista could be as well since they share that exact
> functionality. Still that doesn't make it technically a rootkit. It is a
> pretty dumb idea, I totally agree. However AV really shouldn't be fooled
> by something like this anymore. Some still are, but they'll grow out of it.
>
> But just as Tyler Reguly phrased it just a few minutes earlier:
>
> There's a number of reasons why this isn't actually a rootkit... The problem with calling everything by the same name is that you degrade the original meaning of the word.
>
> This is the problem I was hitting at. And I am not trying to defend Sony.
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFG2JrNaHrXRd80sY8RCnG7AKCmDOCpL50LXparVP/B7rYGwHJUBQCfVnYq
> UCgAjhn7CN0ApBMbOc+3WvM=
> =p7Ye
> -----END PGP SIGNATURE-----
>
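The F-Secure passage quoted in the thread describes the specific behaviour at issue: a directory under C:\Windows that is filtered out of directory enumeration but can still be entered if you know its name. The standard way to detect that class of filtering is a cross-view diff, i.e. enumerate the parent directory through the normal API and separately probe candidate names directly, then flag anything that answers to the direct probe but never appears in the listing. The following is an added example written for this editorial pass; it is not code from the thread, from F-Secure, or from Sony. It assumes Python 3 and that os.listdir() and os.lstat() take different paths into the filesystem (enumeration versus by-name lookup), which holds on Windows, where listdir uses FindFirstFile/FindNextFile and lstat opens the path by name. The candidate names are constructed; in practice they come from a vendor advisory, a guess, or a lower-level view such as raw NTFS parsing.

```python
"""Cross-view check for a directory hidden from enumeration.

Added example, not part of the original thread. It implements the
enumeration-versus-direct-probe comparison a practitioner would run
against the behaviour the quoted F-Secure text describes. Anything
marked "constructed" below is made up for the example.
"""
import os
import tempfile


def enumeration_gaps(listed, probed_present):
    """Names a direct by-name probe found but enumeration did not report.

    listed:          names returned by enumerating the parent directory
    probed_present:  candidate names a direct probe confirmed as present
    """
    return set(probed_present) - set(listed)


def probe_directory(parent, candidates):
    """Cross-view probe of one directory.

    os.listdir() is the enumeration view (FindFirstFile/FindNextFile on
    Windows, readdir elsewhere). os.lstat() on an explicit path is the
    by-name view, the same route the quoted article says still reaches
    the hidden directory. A filter that only hooks enumeration shows up
    as a name present in the second view but absent from the first.
    """
    listed = set(os.listdir(parent))
    present = set()
    for name in candidates:
        try:
            os.lstat(os.path.join(parent, name))
            present.add(name)
        except OSError:
            # Not found or not accessible by name either: nothing to flag
            # on this evidence alone.
            pass
    return {
        "listed": listed,
        "present": present,
        "hidden_from_enumeration": enumeration_gaps(listed, present),
    }


def self_check():
    """Run the probe against a constructed, unfiltered temp directory.

    On a system without an enumeration filter both views agree, so the
    gap set is empty. The "ghost" name is constructed and does not exist,
    which shows a missing name is not reported as hidden.
    """
    with tempfile.TemporaryDirectory() as parent:
        open(os.path.join(parent, "driver.dat"), "w").close()
        os.mkdir(os.path.join(parent, "sub"))
        return probe_directory(parent, ["driver.dat", "sub", "ghost"])


if __name__ == "__main__":
    # Constructed pair of views imitating the quoted scenario: the
    # hypothetical name "hidden_dir" answers to a by-name probe but is
    # absent from the enumeration. It would be the one item flagged.
    simulated_listing = {"system32", "Temp", "explorer.exe"}
    simulated_probe_hits = {"system32", "hidden_dir"}
    print("simulated gaps:", enumeration_gaps(simulated_listing, simulated_probe_hits))

    result = self_check()
    print("real directory gaps:", result["hidden_from_enumeration"])
```

Two caveats a practitioner would keep in mind. First, this only finds filtering that is inconsistent between the two views; a driver that hooks both enumeration and by-name lookup, or that sits below the filesystem API entirely, needs a lower-level comparison (raw volume parsing, or an offline read of the disk). Second, the check is only as good as the candidate list, which is exactly the point the quoted text makes: the directory is reachable if you know the name.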