Didier Stevens

Monday 19 November 2007

The Sony Rootkit V2.0

Filed under: Malware — Didier Stevens @ 10:14

Rest assured, this is not another Sony rootkit rant…

Back in August, F-Secure blogged about another Sony Rootkit. And McAfee was quick with posting additional info on their blog (they produced a screencast of the rootkit in action, saving me some analysis time).

I downloaded the software when F-Secure blogged about it, and since then I’ve been scanning the rootkit regularly with VirusTotal, to see how the detection rate evolved over time.

At first, as was to be expected, not a lot of AV products detected this rootkit:

[Image: virustotal-fsm-20070830.png]

I take this opportunity to illustrate once more that you have to pay attention when analysing VirusTotal’s results. Did you notice that F-Secure doesn’t detect the rootkit? How can they announce this new Sony Rootkit and yet not detect it? If you read their blog post carefully, you’ll see that they detected it with their HIPS and anti-rootkit technology. There is no specific signature for it, and since VirusTotal only exercises the signature scanner, the F-Secure AV on VirusTotal doesn’t detect it.

The detection rate is higher at the time of writing: 13 out of 32.

Some of the names given to this rootkit might surprise you:

  • Potentially harmful program HackTool.CIB
  • potentially unwanted program HideVault
  • Filesystem Monitor

You have to understand that a program exhibiting rootkit-like behavior and published by a company is likely to be handled differently by AV companies than a program from a criminal.

There is a higher probability that customers object to the fact that their AV product removes these company-issued programs. Removal could hamper the correct operation of the system (or device in this case). Some AV companies will label this kind of program (e.g. the nice euphemism potentially unwanted program) and even provide an option to exclude them from removal.

There is also a higher probability that companies developing these unwanted programs fight the detection by AV software, and even go as far as taking legal action against the AV companies.

All this is reflected in the rather low detection rate of this rootkit by the AV products on the VirusTotal site. After all, it’s almost 3 months since F-Secure broke this.
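Two of the points made above lend themselves to a small script: tracking how a sample’s detection rate evolves between VirusTotal scans (and which engines newly detect it), and sorting the labels engines assign into the "grey" family (potentially unwanted, hacktool, monitor) versus plain malware names. The following Python is an added example, not Didier Stevens’ code and not a VirusTotal client; the two snapshots, the engine names and the keyword list used to classify labels are constructed assumptions that only mirror the shape of the post’s results.

```python
"""Compare two VirusTotal-style scan snapshots for one sample.

Added example: the snapshots are constructed by hand (engine names are
placeholders) to mirror an early scan with few detections and a later
scan with more. The label categories are an assumption, not a standard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fragments vendors commonly use for "grey" detections rather than outright
# malware. This keyword list is an assumption for the example.
GREY_PATTERNS = re.compile(
    r"potentially (?:unwanted|harmful)|\bpup\b|\bpua\b|riskware|hacktool|monitor",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Snapshot:
    date: str
    # engine -> label, or None when that engine's signature scanner has no hit.
    # None does not mean the vendor offers no protection: HIPS or anti-rootkit
    # components are not exercised by a file scan, as the post points out.
    results: dict[str, str | None]

    def detected(self) -> set[str]:
        return {engine for engine, label in self.results.items() if label}

    def rate(self) -> tuple[int, int]:
        return len(self.detected()), len(self.results)


def classify(label: str) -> str:
    """Return 'grey' for PUP/hacktool-style names, 'malware' otherwise."""
    return "grey" if GREY_PATTERNS.search(label) else "malware"


def compare(earlier: Snapshot, later: Snapshot) -> dict:
    """Summarise how detection evolved between two snapshots."""
    gained = later.detected() - earlier.detected()
    lost = earlier.detected() - later.detected()
    categories: dict[str, list[str]] = {"grey": [], "malware": []}
    for engine in sorted(later.detected()):
        categories[classify(later.results[engine])].append(engine)
    return {
        "earlier_rate": earlier.rate(),
        "later_rate": later.rate(),
        "gained": sorted(gained),
        "lost": sorted(lost),
        "categories": categories,
    }


# Constructed sample data (not the real scan results from the post); the
# label strings reuse the names quoted in the post.
EARLY = Snapshot("2007-08-30", {
    "EngineA": None, "EngineB": "Rootkit.Generic", "EngineC": None,
    "EngineD": None, "EngineE": None, "EngineF": "Filesystem Monitor",
    "HipsVendor": None, "EngineH": None,
})
LATE = Snapshot("2007-11-19", {
    "EngineA": "potentially unwanted program HideVault",
    "EngineB": "Rootkit.Generic",
    "EngineC": "Potentially harmful program HackTool.CIB",
    "EngineD": None, "EngineE": "Trojan.Rootkit",
    "EngineF": "Filesystem Monitor", "HipsVendor": None, "EngineH": None,
})

if __name__ == "__main__":
    summary = compare(EARLY, LATE)
    e_hit, e_total = summary["earlier_rate"]
    l_hit, l_total = summary["later_rate"]
    print(f"{EARLY.date}: {e_hit}/{e_total}   {LATE.date}: {l_hit}/{l_total}")
    print("newly detecting:", summary["gained"])
    print("grey labels   :", summary["categories"]["grey"])
    print("malware labels:", summary["categories"]["malware"])
```

The split into grey and malware labels is what makes the raw ratio easier to read: a rising count made up mostly of "potentially unwanted" verdicts tells a different story than the same count made up of rootkit names, and an engine that stays at None may still block the sample with behavioural technology that a file scan never triggers.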
