topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 2:11 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: SanDisk accused of "Shades of Sony Rootkit"  (Read 10270 times)

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
SanDisk accused of "Shades of Sony Rootkit"
« on: June 16, 2006, 02:37 AM »
The following is a summary of an article I read - unfortunately it isn't available without paid subscription but I thought it important enought to point out the issue here:

Sandisk Cruzer Micro 4GB flash drives.
Plug in the card reader, and up pops LaunchPad and wants to install Skype and other apps.
Not unusual Flash cards often come preinstalled with software.
But autoplay is off so how did it launch?

Deleted the files from the Flash drive. Insert the USB drive again - same thing happens.
Reformat the drive and it all happens again.

It is a "smart" Flash drive including U3 technology which emulates a CD-ROM drive (for part of its data area).
Autoplay is enabled by default for CD-ROM drives and you can't delete files from a CD-ROM.

There is an uninstall utility from U3.com to delete U3 technology (but SanDisk hide the fact) that makes the drive into a plain Flash drive again.

Shades of the Sony BMG rootkit!
No evidence to believe that Sandisk installed software, let alone installed a rootkit but I want to install software under control.

Beware of USB devices! If Flash drives can do this then it could any USB device next!

Orginal article by Ryan Russell in the WindowsSecret Newsletter.

The question left unanswered is what happens when a non-savvy user tries this - I would suspect that a lot of people would simply install Skype etc. if they have never heard of it assuming it was something to do with their new super duper flash card !!!
« Last Edit: June 16, 2006, 02:43 AM by Carol Haynes »

mrainey

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 439
    • View Profile
    • Website
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #1 on: June 16, 2006, 05:42 AM »
I got a kick out of the article he mentioned.  A company hired to test the security of a credit union network was able to gain access to password and login info by sprinkling trojan-containing USB flash drives in the parking lot and other employee areas.  Seems that the majority of them were soon found and plugged into credit union PC's.


http://www.darkreadi...amp;WT.svl=column1_1
Software For Metalworking
http://closetolerancesoftware.com

allen

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 1,206
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #2 on: June 16, 2006, 05:47 AM »
I find this a bit saddening, I've been a long time fan of SanDisk's thumb drives and portable mp3 players . . . with gimmicks like that, though, my next usb drive is likely to have a different watermark.

JavaJones

  • Review 2.0 Designer
  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 2,739
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #3 on: June 16, 2006, 04:32 PM »
Wow, seeding tojan infected USB drives, that's sneaky! The network admins at a credit union ought to have most access ports for that kind of thing blocked of course, but I'm sure there's always a way through...

- Oshyan

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #4 on: June 16, 2006, 04:37 PM »
Well, limit user accounts to non-admin privileges, use policies to turn autorun off... that should be one step closer. But of course stupid users click PamelaNude.jpg.exe containing a 0day virus/trojan, that's hard to stop.
- carpe noctem

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #5 on: June 16, 2006, 05:35 PM »
People finding cards in the car park deserve what they get if they plug them into their systems.

It really bothers me though the a manufacturer like SanDisk can do this sort of thing. Given the number of devices that need drivers (including flash cards and cardreaders on older systems) it seem irresponsible to me to have it pop up every time you insert it to try and install unrelated and unwanted software. Even worse SanDisk make no attempt (apparently) to tell users how to turn off this dubious benefit.

I can imagine many users thinking "brand new sealed product from a reputable company" and assuming that anything it suggests needs installing must be both necessary and OK. Like Sony I think they will have shot themselves in the foot on this one. I have bought SanDisk products in the past but I won't any more.

Some Lexar flash cards come with software loaded but at least it is related to card use (usually some free recovery software) and it doesn't demand you install something just because you put it in the card reader!

mrainey

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 439
    • View Profile
    • Website
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #6 on: June 17, 2006, 11:01 AM »
What is this new U3 technology, anyway?
Software For Metalworking
http://closetolerancesoftware.com

Ellycp

  • Participant
  • Joined in 2006
  • *
  • default avatar
  • Posts: 2
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #7 on: June 23, 2006, 10:03 AM »
U3 smart devices are USB drives on which you can carry applications with your own settings and access them from any compatible computer. 

Just to correct some misconceptions.  The U3 Launchpad does not automatically install any software – that’s the whole point!  Some software is pre-loaded on the drive but it doesn’t install onto the computer.  Files may be temporarily installed on the hard disk during runtime but are  cleaned up when the drive is removed.

You might be prompted to sign up, for say Skype, when you run a program, just as you would if you downloaded it and tried to run it.  You are not obligated to sign up unless you want to use it and you can remove the programs you don’t want or add ones you do. 

The U3 Launchpad makes no remote or hidden access of any kind.  It is true that some people purchase U3 smart drives when intending to buy regular USB devices.  There are a few options:
1. Try it out anyway and see how it can be useful to you,
2. Start up the drive as a normal mass storage decide by holding down the shift key while you insert the drive until windows recognizes it,
3. Make it so the U3 launchpad never runs on insertion (see directions at http://u3.com/suppor...aspx#U3%20Launchpad2
4. Uninstall the U3 launchpad - go to www.u3.com/uninstall
Best,
Ellycp

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #8 on: June 23, 2006, 10:20 AM »
welcome to the site ellycp  :up:

yeah i want to echo this - from what i understand, it would be a big mistake to associate u3 with any kind of rootkit crazyness.  basically as i understand it they use some clever tricks to get the software on the usb drive to run the software as if it were installed, and these tricks share some of the same approaches as the sony rootkit, but in the case of u3 it's being use for good and not evil.

Carol Haynes

  • Waffles for England (patent pending)
  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 8,066
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #9 on: June 23, 2006, 10:50 AM »
I don't think the article actually implies that U3 is actually a rootkit at all (it certainly captured my attention though).

The problem seems to be that programs/installers can be made to autorun when the flashcard is inserted - and it is not clear (at least from the SanDisk experience) how to get rid of or disable the U3 technology.

For the average non savvy user who just buys a flashcard to use in a digital camera and ends up with a U3 enable SanDisk card what are they to think when they put the card in and the offer to install Skype immediately pops up? You have a brand new product from a reputable manufacturer - it is not unreasonable to assume this is some kind of required software.

My problem with this is that if it is possible to get flash cards to do this with legitmate (if unnecessary and unwanted marketing) how easy would it be to have these cards infected with software that isn't so useful or benign? It strikes me as another potential vector for nasties to be transmitted from computer to computer.

Perhaps MS should issue a patch that stops AutoRun on all devices when you disable it for CDROMs etc.

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #10 on: June 23, 2006, 12:39 PM »
Perhaps MS should issue a patch that stops AutoRun on all devices when you disable it for CDROMs etc.
-Carol Haynes (June 23, 2006, 10:50 AM)
YES!

To do this now requires mucking around with a myriad of settings that sometime affect CD-ROMs, but not other media or vice versa.  You need to get 3rd party tools or unsupported downloads from MS (PowerToys) to deal with it effectively.

Then, something always seems to come along and re-enable autorun.

The best way for a user to limit the vulnerability is to not run as administrator (as f0dder indicates), but that's easier said than done in the Windows world.

Ellycp

  • Participant
  • Joined in 2006
  • *
  • default avatar
  • Posts: 2
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #11 on: June 23, 2006, 01:05 PM »
The U3 stuff *is* still new to many people, so as the information gets more wide spread (and accurate) hopefully that will help prevent a lot of the problems.  I don't know, but it seems unlikely a U3 smart drive would be available for digital cameras- just sounds wrong to me.

Ellycp

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #12 on: June 23, 2006, 01:47 PM »
Perhaps MS should issue a patch that stops AutoRun on all devices when you disable it for CDROMs etc.
-Carol Haynes (June 23, 2006, 10:50 AM)
The thing is: there actually isn't any autoplay in flash drives. There's no place in windows to disable it, as windows shouldn't even support it.

I found out about that last week, because i was trying to make an autorun for my flash drive, and couldn't find any way to do this.
What enables this autorun on U3-enabled is the pen itself (how that works i don't know), but i believe this happens without windows being "conscient" about that, as it shouldn't even support that!

My opinion is that:
  • The U3 flash drive should come with this functionality disabled, and could be activated after the first use.
  • The autorun data should be visible when exploring the data on the flash drive.
.

Other than that, i think U3 is a good concept, and might get even better when thumb drives become even bigger.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #13 on: June 23, 2006, 02:17 PM »
i was reading somewhere (forget where) that the way U3 drives work is they kind of simulate a cd rom, which windows will autoboot.

Tekzel

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 228
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #14 on: June 23, 2006, 02:21 PM »
The thing is: there actually isn't any autoplay in flash drives. There's no place in windows to disable it, as windows shouldn't even support it.

Actually there is a little bit of misinformation in this thread :)  All removable media supports "autoplay", since it is a windows thing and not device specific.  No, "autorun" is a different thing, this is where automatically, through the file autorun.inf, a program is automatically run.  Windows only supports this on CDROM devices, thus the emulated cdrom on U3 sticks.  AutoPLAY is just windows saying "Hey, found a removable media that was just plugged in, what do you want to do?" and it presents you with the box that has items like explore and several programs you can run on the media based on what kind of data it finds on the media. 

I have a 2gb Memorex U3 stick that I have had a few weeks and really like it a lot, I have several portable apps installed on the U3 launchpad and I use them.  Not sure about Sandisk's implementation, but on my Memorex the only thing it ran by default was the Oddcast thing that tells you about it.  You can specify apps that will autorun from the launchpad by managing the apps and checking the box to autorun them, but by default all mine were disabled. 

Edit: Bleh, I even put the wrong autosomething in one place :)

jgpaiva

  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 4,727
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #15 on: June 23, 2006, 03:08 PM »
Thanks Tekzel!
Yes, you're right, i meant "autorun", and not "autoplay" in my whole reply.
As for autoplay, it can be disabled by right-clicking the flash disk on explorer and seeing in it's properties.

mrainey

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 439
    • View Profile
    • Website
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #16 on: June 23, 2006, 03:10 PM »
From the U3 website:

"What is a U3 smart solution?

A U3 smart solution is one that travels with the user on a U3 smart USB flash drive. Once installed on the drive, the application can run on any computer—without further installation!"


All my applications are standalone executables that can be run from standard flash drives.  People have been using the term "portable applications" of late to describe programs like mine.

How do "portable applications" differ from "U3 smart solutions"?
Software For Metalworking
http://closetolerancesoftware.com

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,645
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #17 on: June 23, 2006, 10:25 PM »
Autorun and Autoplay are very much related - Autoplay also uses autorun.inf to control how it acts.  Microsoft seems to now call the older autorun behavior "Autoplay V1" and the new autoplay behavior "Autoplay V2".

However, it is true that removable media other than CD-ROM or DVD-ROM does act differently from CD/DVDs.  CD-ROM type devices will automatically launch the program specified in autorun.inf (at least with Autoplay V1), while other media and Autoplay V2 autorun.inf files will prompt for and get user consent before performing an action.

Added into the mix is "Auto Insert Notification" (AIN), which is the term used to describe the ability for the device hardware to notify the OS that media has been inserted.  AIN can be disabled for devices, but Autorun/Autoplay will still kick in in certain circumstances if you double-click on the drive in Explorer.

All of this terminology, differing behaviors for various devices, and barely documented registry settings for disabling/enabling various AutoRun/AutoPlay/AIN behaviors makes for a situation that easily confuses me.

I'm not sure what the preferable deafult behavior should be for these things, but at the minimum, CD-ROMs should behave the same as other media, and there should be a nice, single, standard control panel applet to turn the behavior on, off, or otherwise configure it.

That's my rant for the day.  If anyone wants to know more details on this stuff, here's some info straight from the horse's mouth:

    http://msdn.microsoft.com/msdnmag/issues/01/11/autoplay/default.aspx
    http://msdn.com/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/autorun/autoplay_reg.asp
   

Tekzel

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 228
    • View Profile
    • Donate to Member
Re: SanDisk accused of "Shades of Sony Rootkit"
« Reply #18 on: June 24, 2006, 10:41 PM »
How do "portable applications" differ from "U3 smart solutions"?

A portable application typically just means a program that does not have to be installed, it is self contained.  It puts all its settings in a file in its directory, usually an ini or xml file. 

A U3 application is different in that it is aware that it is being run from a removable media, usually a USB thumb drive, and can store its settings anywhere, including the registry.  It just has to observe the "shut down" U3 commands and clean up after itself, removing stuff added to the registry and from the hard drive.  U3 apps can run directly off the stick, or it can be installed to the hard drive in the temp directory and run from there.

I took a stab at modifying a little program I made to be U3 compliant, but wasn't all that successful. It was just too much of a pain in rear for me and no fun, so I abandoned it.