August 30, 2007 (Computerworld) — A second line of USB drives sold by Sony Electronics Inc. that uses rootkit tactics to hide files has been identified, and the devices’ software remains on the Web, a researcher said today.
Hackers using just one of the package’s files can mask their attack code from some security scanners, said Mikko Hypponen, chief research officer at Helsinki, Finland-based F-Secure Corp. “This new rootkit [which can still be downloaded] can be used by any malware author to hide any folder.”
On Monday, F-Secure announced that the fingerprint-reader software included with Sony’s MicroVault USM-F flash drives stores files in a hidden directory that could be used by hackers to cloak their malicious code. F-Secure noted that the USM-F models were difficult, but not impossible to find. Sony has since confirmed that the line has been discontinued.
But its replacement, the USM512FL, is widely available, and shares the rootkit-like techniques of its predecessor. “They have the same functionality in the latest as well,” said Hypponen.
Sony has removed the download links for the USM-F and USM512FL software from its MicroVault support site, but Computerworld was easily able to locate a live link — and download the software — by searching through Google’s cache.
Since F-Secure disclosed Sony’s newest rootkit snafu, several other research teams have confirmed the company’s findings. On Tuesday, McAfee Inc. analysts agreed that hackers could use one of the executable files in the USB drive software to hide any folder, and all the files in that folder, from the prying eyes of security scanners. “Alternately, [attackers] could simply hide their malicious creations in the default installation directory itself,” McAfee researchers Aditya Kapoor and Seth Purdy said in a post to the Avert Labs’ blog.
Kapoor and Purdy also identified FineArt Technology Co., a Taiwanese developer, as the makers of the fingerprint-reading MicroVault software. On its Web site, FineArt touts Fingerprint Disk, a suite of tools for authenticating fingerprint-access and encrypting files and folders. FineArt could not be reached Thursday because of time zone differences.
“[Their] apparent intent was to cloak sensitive files related to the fingerprint verification feature included on the USB drives,” said Kapoor and Purdy. “However, in this case the authors apparently did not keep the security implications in mind.”
U.K.-based Sophos PLC also confirmed the presence of rootkit technologies in the FineArt-created software bundled with the MicroVault drives.
Sony, meanwhile, was still looking into the claims as of late Wednesday, said spokesman Tom Di Nome, who had little to share. “We are still investigating this and are taking the issue very seriously,” he said.
These latest rootkit charges are not the first to be leveled against Sony. Nearly two years ago, security researchers spotted rootkit-like cloaking technologies used by the copy-protection software that Sony BMG Music Entertainment installed on PCs when customers played the label’s audio CDs. The Federal Trade Commission later alleged that Sony had violated federal law and settled with the company earlier this year. Before that, Sony paid out nearly $6 million to settle cases with the U.S.
The concern now is that attackers will use the FineArt/Sony files — which can still be downloaded from Sony’s Web site — to add invisibility to their exploits.
But in a blog posting this morning, F-Secure’s Hypponen stressed that while the MicroVault and Sony BMG cases are similar, this newest security breakdown is not as flagrant. “The fingerprint driver does not hide its folder as ‘deeply’ as does the XCP [the rootkit-style software developed by Fortium Technologies Ltd. for use by Sony BMG] folder,” said Hypponen. “The MicroVault software probably wouldn’t hide malware as effectively from [some] real-time antivirus scanners.”
computerworld.com
![[Slashdot]](http://slashdot.org/favicon.ico)
![[Digg]](http://digg.com/favicon.ico)
![[Reddit]](http://reddit.com/favicon.ico)
![[del.icio.us]](http://del.icio.us/favicon.ico)
![[Facebook]](http://www.facebook.com/favicon.ico)
![[Technorati]](http://technorati.com/favicon.ico)
![[Google]](http://www.google.com/favicon.ico)
![[StumbleUpon]](http://www.stumbleupon.com/favicon.ico)
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.
The purposes:
The main purpose is to hide files, network connections, registry entries - in short, malicious codesĀ from other programs used by system administrators. Generally, rootkit is just a technology, it may be used for good or bad purposes. However, lately, lots of spyware used this technology in order to trick users.
Type:
There are different kinds of rootkits:
Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.
Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.
User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.
The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.
Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel’s list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.
But experts say new features still aren’t true anti-rootkit technologies
By Kelly Jackson Higgins
Senior Editor, Dark Reading
Intel today rolled out a new desktop processor for business machines with hardware-based security features that it says can help prevent stealth malware attacks and better secure virtual machines.
The new vPro 2007 Platform, which was code-named Weybridge by Intel, also comes with an upgraded feature that better tracks and logs network traffic for malicious patterns, as well as support for 802.1x and Cisco NAC platforms so that if the operating system is down, you can still manage the endpoints because network security credentials are stored in hardware. Intel’s new vPro platform also comes with new built-in management and energy-efficiency features.
Mike Ferrin-Jones, Intel’s director of digital office platform marketing, says attackers increasingly are writing stealthier malware that evades detection by software-based tools, and some that even disable them: “That gives them free rein over the system.” That has held some enterprises back from going with virtualization technology, he says.
Intel’s new processor — via its so-called Trusted Execution Technology (TXT) and Intel Virtualization Technology for Directed I/O features — can better protect virtualized software from these kinds of attacks by detecting any changes to the virtual machine monitor; restricting memory access by unauthorized software or hardware; and protecting virtual machines from memory-snooping software, according to the company.
Stealth malware expert Joanna Rutkowska, founder of Invisible Things Lab, says Intel’s new Trusted Execution Technology (TXT) and Intel Virtualization Technology for Directed I/O features sound like a step in the right direction for protecting against stealth malware attacks, as are AMD’s SKINIT and External Access Protection features, which were released last year.
“I don’t believe we can address some problems like kernel rootkits and especially virtualization-based rootkits, without help from the hardware vendors,” she says.
Rutkowska says based on what she could surmise from the press materials provided to her, Intel’s Virtualization for Directed I/O appears “to let you create more secure hypervisors and deploy secure micro kernel-based OSes, she says.
Still, these technologies aren’t true anti-rootkit technologies, she says. “They are, rather, technologies that [for example] would allow [you] to build better OSes, not prone that much to rootkit infections as the OSes we have today [are].”
The key, Rutkowska says, is for OS and software vendors to use Intel’s new hardware-based security, as well as AMD’s in its new Barcelona processors. “It’s all in the hands of software and OS vendors now,” she says. “If they don’t redesign their products to make use of those new technologies in a proper way, those new technologies will be pretty useless.”
Intel’s Ferrin-Jones says hardware-based security in the new platform, based on Intel’s Core 2 Duo processor and Q35 Express chipset, help where software-based security cannot. “Most security applications run inside the OS,” he says. “For the systems to be protected and secured, those apps have to be up and running, as does the OS.” Features such as “remote wakeup” capabilities aren’t secure or available if the OS goes down.
Meanwhile, major computer makers and resellers are now selling desktops with the new vPro processor, according to Intel, including Dell, HP, and Lenovo, and the company says 350 organizations have already deployed it.
Intel is also currently working with virtual machine monitor and security software vendors to enable their products to work with the new platform, Ferrin-Jones says.
source: http://www.darkreading.com
Overview:
SpyBot S & D is a famous anti-spyware program, and is developed as free project since 2000. This program had won lots of awards: World Class 2003 Awards, the PC Magazine Editors Choice and PC User Top Buy #1. Spybot has also been recommended by ZDNet, the Wall Street Journal, The Guardian, MSNBC, CNN. Trusted and recommended by many computer expert worldwide.
Main features:
-
Able to remove spyware, adware, trojan, tracking cookie, worm, dialer, keylogger, hijackers and some rootkits.
-
At the moment it scans at 433527 places in the system and makes comparisons there. Further SpyBot have 80647 detections rules and scan for 3250 single products.
-
Real-time protection will block known malicious applications.
- Allow/Block registry changes.
-
Weekly update.
-
Good support included. You’ll get the support either using forum or http://www.safer-networking.org/en/contact/index.html .
Additional Tools:
-
Secure shredder - delete selected private files so that it won’t be able to be recovered.
-
Guard system Startup to avoid malware starting up with your Windows.
-
Uninstaller info - information about all application that is already installed in your computer. You may uninstall any unwanted apps using this tool.
-
Host file - Block access to known malicious websites
-
Guard your browser and ActiveX objects.
-
Tea Timer - block malicious process. Allow/deny registry access.
-
Support different languages and even for blind users.
-
Lots of spyware definition in the database.
-
Lots of tools;
-
It is free
Contras:
-
The interface is not neat and attractive.
-
Each time, you’ll have to update from different mirror.
-
Only one type of scan, most anti-spyware these days have quick scan, custom scan or full scan.
-
Scan engine is not fast.
-
System resources can run extremely high with this product.
-
Since it is famous, lots of spyware is trying and able to avoid from being detected with this.
Bottomline:
If you experience spyware problem now, this one is worth trying, since it is free. But don’t expect too much from it. Sometimes, it missed lots of spyware. It’s better for you to find other anti-spyware program. My rating 3/5.
Download SpyBot
Watch Video Tutorial
If you can reach this post, you might be using Firefox as your browser. It is no doubt, that Firefox give you a new browsing experience - faster, safer, convenient. And perhaps more fun.
You can change the look of your browser using by selecting different colorful themes. Subscribe to your favorite blog/rss feed by adding certain extension. Download multiple files using DownloadThenAll!. Download your favorite Youtube video using Unplug.
As the internet threat on the rise, perhaps it is better for us to look for extension that can avoid malicious software and websites. Actually, there are lots of such extension. Some of you might already try McAffee Site Advisor toolbar. Another famous extension is No Script. However, this time, I’ll expose something different.
Finjan Secure Browsing is perhaps a better alternative than McAffe Site Advisor. For one thing, this extension doesn’t create a new toolbar in your browser - I already install Google Toolbar. Having more than one toolbar is a bit mess to your browser. This extension will scan all websites/links that appears in search engine result. So, before you click in, you’ll recognize, which one is bad, an avoid it. This is different from McAffee Site Advisor. Site Advisor will detect malicious/bad websites according users review on that site. To download this extension, log on to https://addons.mozilla.org/en-US/firefox/addon/4892 .
Another one is Dr Web anti-virus link checker. This extension allows you to check any link or files before clicking or downloading any file. This is not a complete anti-virus protection - it is the additional to your anti-virus protection. Log on to https://addons.mozilla.org/en-US/firefox/addon/938 to download this extension. Install, then restart your Firefox browser. Right-click on any link and a new option - scan with Dr Web will appear. You’ll find this extension useful. Before initiating any download, scan with Dr Web first.
If you’re using NOD32 anti-virus, or maybe Lavasoft Ad-Aware, you might want to add SafeDownload. It will prevent from threats of any downloaded files. Just after the download completed, this extension will automatically run and scan your downloads, using any anti-virus that is installed in your PC. However, it works well if you’re using NOD32 anti-virus. You need to configure the options, to make this extension works properly. To install this extension, simply log on to https://addons.mozilla.org/en-US/firefox/addon/3581 .
If you’re an active internet user, your browser would be the main source for virus, trojan and spyware. You should equip it with any of these add-ons to counter these threats.
Each and every time your surf the internet, your computer will be exposed to danger. Spyware, malware, virus are everywhere around the internet. Without proper attention, you’ll be easily fall into trap of these parasites.
So, how to guard your computer when you’re online? One simple advice; guard any application that connects to the internet. The one that you use most is - your browser, of course.
Years ago, Internet Explorer could be a relevant browser for you. However, as more threats rise these days, this browser is being exploited by lots of malware, due to flaws in the security architecture of Internet Explorer. Just by surfing certain websites, using IE, is enough to get infected with spyware.
So far, these are some flaws reported in IE browser, that can be exploited by malware:
-
Malware can display a fake URL in the address bar or to bypass certain security restrictions.
-
Malicious websites exploits the weakness in IE, making it displays content from trusted sites. This will trick users.
-
Irresponsible parties can exploit this browser to conduct spoofing attacks due to an unintended result of the IDN (International Domain Name) implementation in the HTTP Basic Authentication dialog.
-
Malicious website can display a fake URL in the address bar or to bypass certain security restrictions.
-
Can be exploited by malicious people to conduct cross-site scripting attacks. The vulnerability exist because pages that don’t specify a charset inherit the charset of the parent page.
-
Malware can spoof the pop-up address bar. When that pop-up appears, you might see different page, with trusted URL. For example, in that pop-up, you might see a website about mp3 download, but the URL is google.com.
Example of spoof URL in pop-up. The URL shows microsoft.com, but the content is not from microsoft itself.
So, how to counter all spyware threat these days? Consider using a better and safer browser such as Firefox or Opera. Especially Firefox. It has lots of add-ons that can block any script, scan any websites, scan any downloads, online scan and more.
Today, 90% computers are infected with spyware. Without proper protection, these threats could mess up your PC. There are lots of excellent anti-spyware around. One of them is Ashampoo anti-spyware 2. This program has been improved from its previous version. It is also Vista ready. With about 760.000 parasite definitions Ashampoo Anti-spyWare 2 sets up clearly from its competitors and ensures for the fact that nothing more stands to your internet appearance. Just like the previous one, this program can be customized, with three different skins.
Some important features:
- Free spyware scan, removal and more for 30 days trial period. Registration required.
- Remove all type of malware from your computer : spyware, hijackers, tracking cookies, hidden dialers, worms, keyloggers, trojan Horses and rootkits.
- Your computer is well secured. Ashampoo will guard lots of important process and host : Internet Explorer BHO, auto start entries, Windows Hostfiles, Winsock’s LSP
- Scan and remove any malware in your registry, memory, system folders, and any folders on your drives.
- Rescue your computer by stopping spyware activities; certain tools are provided to terminate suspicious process, stop autorun programs.
- Ensure your privacy with internet cleaner tool and file wiper.
What do you think about this software? Download, try and leave a comment.
Loading …