Thursday, December 24, 2009

Sandisk Pulls a Sony Rootkit. News at 11.

My brother just bought a Sandisk flash drive, planning to put some sort of cute auto-run holiday greeting on it and give it as a white-elephant gift (the greeting would be a surprise to the recipient, but it would remove itself after first run so as not to be annoying). He stuck the drive into his computer and it installed some crazy junk onto his hard drive. Hoisted by his own petard, I guess. But here's the nature of what it installed:

  • There's a small partition that Windows recognizes as a virtual CD-ROM drive for some reason. On this partition is the autorun script that installs the junk onto your hard drive. Because it's detected as a virtual CD-ROM you can't delete or modify it easily from Windows.
  • If you manage to delete this partition from the drive and zero-out the whole thing, then put it in a Windows machine that already has the software installed on it, the software re-installs the partition onto the flash drive.
  • The software that's installed on your hard drive isn't installed as a service and isn't registered with Add/Remove Programs. So it can't be disabled or un-installed through any of the standard channels. There is an un-install feature within the software itself. I'm not really sure I'd trust it.

The takeaways:

  • Sandisk: This is evil. And Sandisk (or whoever wrote the software) knows it. When you're writing software that you intend to be genuinely useful to users you don't install without permission, you don't make it hard to delete, you don't make it come back when the user clearly wants it gone. You do this because you want the software running and the user probably doesn't.
  • Microsoft: Why still autorun CDs without confirmation? Why allow flash drive partitions to show up as CDs? Why make it so ridiculously hard to disable autorun (apparently the obvious controls don't always work on Vista/7 and you have to use Group Policy Editor or Regedit)?
  • People: If you must run Windows, disable auto-run. If Mac has an auto-run feature, disable that. If one of the Unix desktops wants to do auto-run, disable that. It's a mind-numbingly stupid idea from a security perspective.
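For the "disable auto-run through Regedit" route mentioned above, here is an added example (not from the post) that reads the NoDriveTypeAutoRun policy bitmask, shows which drive types still have autorun enabled, and then sets it to disable autorun for every type, including virtual CD-ROM partitions like the one on the flash drive. It assumes an elevated PowerShell prompt on Vista/7 or later; the key path and the 0x91 default are Microsoft's, the function names are mine.

```powershell
# Added example: inspect and harden Windows AutoRun policy via the registry.
# Assumes an elevated PowerShell session (the key lives under HKLM).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bitmask: a SET bit disables AutoRun for that drive type.
$DriveTypeBits = @(
    @{ Bit = 0x01; Name = 'Unknown drive type' },
    @{ Bit = 0x04; Name = 'Removable (USB sticks, floppies)' },
    @{ Bit = 0x08; Name = 'Fixed (hard disks)' },
    @{ Bit = 0x10; Name = 'Network' },
    @{ Bit = 0x20; Name = 'CD-ROM (incl. virtual CD partitions on flash drives)' },
    @{ Bit = 0x40; Name = 'RAM disk' },
    @{ Bit = 0x80; Name = 'Unknown / no root directory' }
)

function Get-AutoRunPolicy {
    # Effective value; when the value is absent Windows 7 behaves as 0x91
    # (unknown + network + no-root disabled, CD-ROM and removable still ENABLED).
    $item = Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0x91 }
    return [int]$item.NoDriveTypeAutoRun
}

function Show-AutoRunPolicy {
    $v = Get-AutoRunPolicy
    Write-Output ("NoDriveTypeAutoRun = 0x{0:X2}" -f $v)
    foreach ($entry in $DriveTypeBits) {
        $state = if ($v -band $entry.Bit) { 'disabled' } else { 'ENABLED' }
        Write-Output ("  {0,-52} {1}" -f $entry.Name, $state)
    }
}

function Disable-AutoRunEverywhere {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # 0xFF sets every drive-type bit. HonorAutorunSetting=1 is the value from
    # Microsoft's KB967715 update that makes older Windows respect this policy.
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $PolicyKey -Name HonorAutorunSetting -Value 1 -Type DWord
}

Write-Output 'Before:'; Show-AutoRunPolicy
Disable-AutoRunEverywhere
Write-Output 'After:';  Show-AutoRunPolicy
```

Log off and back on (or restart Explorer) for the new policy to take effect; the "After" listing should show every drive type as disabled.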
