Security company F-Secure revealed on Monday that it had detected rootkit-like behavior reminiscent of the 2005 fiasco. F-Secure says the culprit is the Sony MicroVault USM-F fingerprint reader software that comes with the USB stick; it installs a driver that hides a directory under "c:\windows\". So, when enumerating files and subdirectories in the Windows directory, the directory and the files inside it are not visible through the Windows API. If you know the name of the directory, it is possible, for example, to enter the hidden directory using the Command Prompt and to create new hidden files there. There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as in the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place.
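The gap F-Secure describes (the directory is filtered out of enumeration but still answers to its name) is exactly what cross-view rootkit detection looks for. The following is an added example, not code from F-Secure or Sony: it compares what a directory listing reports against direct by-name existence checks and flags names that exist but were never listed. On Windows, `os.listdir` goes through FindFirstFile/FindNextFile and `os.path.exists` through GetFileAttributes, so the two views really do take different API paths; the cloaked listing below is simulated so the check runs anywhere, and the directory names are constructed samples.

```python
import os
import tempfile
from typing import Callable, Iterable

# Cross-view check: a cloaking driver filters directory enumeration results
# but usually still answers direct-by-name queries. Anything that exists by
# name yet never appears in the listing is a discrepancy worth investigating.


def cross_view_discrepancies(
    parent: str,
    candidate_names: Iterable[str],
    enumerate_fn: Callable[[str], list] = os.listdir,
    exists_fn: Callable[[str], bool] = os.path.exists,
) -> list:
    """Return candidate names that exist by direct path access but are absent
    from the enumeration of `parent`. Compared case-insensitively, as Windows
    file names are."""
    listed = {name.lower() for name in enumerate_fn(parent)}
    hidden = []
    for name in candidate_names:
        if name.lower() in listed:
            continue
        if exists_fn(os.path.join(parent, name)):
            hidden.append(name)
    return hidden


def simulate_cloaked_listing(cloaked: str) -> Callable[[str], list]:
    """Build an enumerator that drops one entry, mimicking the filtered listing
    a cloaking driver returns (simulation only; no driver is involved)."""
    def listing(path: str) -> list:
        return [n for n in os.listdir(path) if n.lower() != cloaked.lower()]
    return listing


def demo() -> list:
    """Create a scratch directory with one 'cloaked' subdirectory and run the
    check against it. Directory names are constructed samples."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "visible"))
        os.mkdir(os.path.join(root, "cloaked_dir"))
        candidates = ["visible", "cloaked_dir", "does_not_exist"]
        return cross_view_discrepancies(
            root, candidates, enumerate_fn=simulate_cloaked_listing("cloaked_dir"))


if __name__ == "__main__":
    print(demo())  # ['cloaked_dir']
```

The candidate names have to come from somewhere other than the hooked enumeration, which is why the article notes that you need to know the directory's name; in practice scanners take them from a second view such as a raw parse of the file system rather than a fixed list.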
On Wednesday, F-Secure qualified its opinion, saying that the USB case is not as bad as the earlier XCP case:
Why? Because…
The user understands that he is installing software, it's on the included CD, and has a standard method of uninstalling that software.
The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners.
The MicroVault software does not hide processes or registry keys. XCP DRM did.
It's also trickier to run executables from the hidden directory than with XCP. However, it can be done.
And lastly, there seems to be a use-case: The cloaking is most likely used to protect fingerprint authentication from tampering. Sony is attempting to protect the user's own data. In the DRM case, Sony was attempting to restrict you – the user – from accessing the music on the CD you bought. So their intent was more beneficial to the consumer in this case.