Sony puts out ANOTHER rootkit

Sigh. Setting the Hidden attribute on a file or directory is not being a rootkit. Just because you can't see it from brain damaged Explorer doesn't mean it's not there. Hint: You can see both from the *horrors* command line by typing:
dir /a

Hide a file with
attrib +H filename


Bring it back with
attrib -H filename

The rootkit puts code in the OS's functionality that prevents ANYTHING in the OS from seeing the files.
 
Not to mention often cloaking processes, as well.

(Ohh... sorry. Just mentioned it.)

Rich
 
From the discussions it's not clear if this is a true rootkit, or is just using the hidden attribute. F-Secure claims the stuff is hidden from the "Windows API" but there are others who say it's hidden from all but the command line.

EVERYBODY PANIC! The anti-virus vendors don't mind people thinking it's a dangerous world out there.
 
What bothers me about this article is that even assuming the worst about the Sony app, it seems to me it would constitute a vulnerability that could be exploited, not a rootkit. An attacker could exploit that vulnerability to place a rootkit, but the worst I'm ready to say about this stick driver is that it may be an irresponsibly written piece of software that could be exploited by someone who wanted to place a rootkit.

But in fairness, a lot of the newer spyware does use rootkit-like technology; and the best (or worst) of it actually uses rootkit technology to its fullest potential to hide processes that are gathering information for identity theft and other forms of fraud. They run silent and deep. So yeah, it is a dangerous world out there.

But I don't think this stupid stick driver is part of that danger. A vulnerability, yes. Irresponsible? Probably. But a rootkit? I doubt it.
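
The distinction argued in this thread (a file carrying the Hidden attribute versus a file the OS API no longer reports at all) can be checked with a cross-view comparison. The sketch below is an added example, not code from any poster or vendor; it assumes a trusted listing of the same directory taken offline (for instance with the disk mounted on a clean system), and the file names and attribute values are constructed.

```python
import os

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit toggled by "attrib +H" / "attrib -H"

def api_view(directory):
    """Names and attribute bits as the live OS file API reports them.
    st_file_attributes exists only on Windows; elsewhere it reads as 0."""
    view = {}
    with os.scandir(directory) as entries:
        for entry in entries:
            st = entry.stat(follow_symlinks=False)
            view[entry.name] = getattr(st, "st_file_attributes", 0)
    return view

def cross_view(api, trusted):
    """Classify every entry of the trusted listing against the live API listing.
    Both arguments map file name -> attribute bits."""
    report = {"visible": [], "attribute_hidden": [], "api_hidden": []}
    for name in sorted(trusted):
        if name not in api:
            # The API omits a file that exists on disk: rootkit-style cloaking.
            report["api_hidden"].append(name)
        elif api[name] & FILE_ATTRIBUTE_HIDDEN:
            # Only the Hidden bit is set: "dir /a" still lists it.
            report["attribute_hidden"].append(name)
        else:
            report["visible"].append(name)
    return report

# Constructed sample listings (hypothetical names; 0x20 = Archive, 0x22 = Archive + Hidden).
TRUSTED = {"readme.txt": 0x20, "notes.txt": 0x22, "cloaked.sys": 0x20}
LIVE_API = {"readme.txt": 0x20, "notes.txt": 0x22}

def demo():
    return cross_view(LIVE_API, TRUSTED)

if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

On a real Windows system, `api_view(path)` supplies the live side of the comparison; the trusted side has to come from outside the running OS, since anything hooking the API would filter a second in-OS listing the same way.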
 