File this one under “Déjà vu all over again”. After learning from F-Secure of shady rootkit-like activities noticed in the software packaged with several Sony USB drives, we were first a bit amazed. After all that had occurred with the audio CD episode, could this really be true? Well, it was.

Among the nastiest rootkits, the ones that top the chart are those that blend several techniques to hide or protect themselves. I/O request packet (IRP) filtering is one kernel-mode rootkit technique that is gaining popularity alongside the already common SDT hooking.

Sony’s MicroVault USB media ‘Fingerprint Access’ software uses programs and device drivers developed by Fineart Technology Co. Ltd. The Fineart device driver installs as a file-system filter driver on top of the existing driver stack. It also hooks NtEnumerateKey through the Service Descriptor Table. Once this is in place, all file system information passes through the new device driver, which can therefore easily hide any directory or file. The following windbg snapshot shows the device stack.

Figure 1 (windbg snapshot) - \Driver\FG adds itself on top of the driver stack for file system IO.

The apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives. However, in this case (*cough* AGAIN! *cough*) the authors apparently did not keep the security implications in mind. The executable can be placed in potentially any directory and when executed will subsequently hide all the folders and files within that directory!

As a test we placed the binary in %windir%. Upon launch all the files and subdirectories, including system32, were indeed hidden. None of the resources within those directories were accessible anymore: we could no longer run simple utilities like ‘regedit’, ‘notepad’ or ‘cmd’ from the Run dialog box in the Start menu, because the path could not be resolved due to the cloaking, although the files could still be opened using fully qualified paths. Fortunately the executable by itself does not add an entry to the registry Run key or establish any other startup method, so the hidden objects are accessible again upon reboot. However, the device driver component is loaded into memory again after reboot, so at that stage it is a simple matter of re-executing the binary to hide directories and files.
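The discrepancy noted above (entries that no longer show up in directory enumeration but still open by fully qualified path) is exactly what a cross-view check looks for. The script below is an added example, not code from the original post or from either vendor; the list of expected %windir% entries and the choice of os.listdir and os.path.exists as the two views are assumptions.

```python
"""Cross-view check for directory cloaking by a file-system filter driver.

A filter that strips entries from directory enumeration usually still lets a
fully qualified path be opened, as observed in the post. This script lists a
directory through the normal enumeration API and then probes a set of names
that ought to be present via their full paths; names that open fine but never
appear in the listing are reported as suspicious.
"""
import os
from typing import Callable, Iterable, List

# Constructed list of entries a stock %windir% should contain (an assumption,
# not taken from the original post).
DEFAULT_EXPECTED = ("system32", "explorer.exe", "notepad.exe", "regedit.exe")


def cross_view_diff(directory: str,
                    expected: Iterable[str],
                    lister: Callable[[str], Iterable[str]] = os.listdir,
                    prober: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return names reachable by full path but absent from the enumeration.

    `lister` and `prober` are injectable so the logic can be exercised without
    a cloaked directory (for example with fakes in a test).
    """
    listed = {name.lower() for name in lister(directory)}
    hidden = []
    for name in expected:
        full_path = os.path.join(directory, name)
        # Direct open succeeds but enumeration never returned it: cloaked.
        if prober(full_path) and name.lower() not in listed:
            hidden.append(name)
    return hidden


def main() -> None:
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    suspicious = cross_view_diff(windir, DEFAULT_EXPECTED)
    if suspicious:
        print("Entries reachable by path but missing from enumeration:")
        for name in suspicious:
            print("  ", os.path.join(windir, name))
    else:
        print("No enumeration/direct-access discrepancy found in", windir)


if __name__ == "__main__":
    main()
```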

The publisher may argue that the default installation path is %windir%\[some directory], but that does nothing to stop malware authors from copying the binary to an arbitrary directory of their choice and executing it there. Alternatively, they could simply hide their malicious creations in the default installation directory itself. Another easy hack for malware authors would be to launch the binary from their chosen directory and add a startup entry for the software to ensure it is hidden immediately on boot-up.

Here is a snapshot of VirusScan in action. VirusScan detects the device driver as HideVault!sys and removes it, disabling any potential cloaking after reboot.

Figure 2 (screenshot) - VirusScan in action.

Sadly, it appears that expediency of function has again trumped forethought of consequences in one of Sony’s creations.