Jeremy's almost but not quite entirely moribund blog

Monday, July 10, 2006

Microsoft's "My Private Folder" uses rootkit techniques

So my boss told me about Microsoft's new "My Private Folder" applet that it's offering to "genuine" Windows XP customers, and I decided to take a look at it. It's kind of like TrueCrypt, only worse.

TrueCrypt (along with commercial tools like BestCrypt) does a loopback mount of an encrypted volume: the files, their names and the directory table all live inside one encrypted image, so nothing about them is visible on the host filesystem. Microsoft's "My Private Folder", on the other hand, creates a hidden folder and uses rootkit techniques to hide its contents from the Windows API (I verified this with Rootkit Revealer). It does encrypt file contents (not through EFS, interestingly enough), but it leaves names, sizes, timestamps, etc. unencrypted, so an attacker capable of circumventing the rootkit (such as by booting to Knoppix) can read the names, sizes and timestamps of all your hidden files.
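To make the difference concrete, here is an added example (not code from the post, and not Microsoft's or TrueCrypt's code) that models both layouts and then walks the disk the way a live-CD attacker would. The per-file store keeps one real file per protected file with only its bytes encrypted, which is the "My Private Folder" layout once the hiding driver is out of the picture; the container store serialises the directory table and contents into one fixed-size blob and encrypts the whole thing, which is the loopback-volume approach. The cipher is a stand-in (SHA-256 in counter mode, demo only), the file names and contents are constructed sample data, and `VOLUME_SIZE`, `NONCE_LEN` and all function names are this example's own:

```python
import hashlib
import json
import os
import struct
import tempfile
from typing import Dict, List, Tuple

VOLUME_SIZE = 64 * 1024  # fixed container size, so total content length is hidden too
NONCE_LEN = 16


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher (SHA-256 in counter mode) so the example needs
    nothing beyond the standard library; real code would use AES-XTS or an AEAD.
    The property that matters here it shares with real file ciphers:
    len(ciphertext) == len(plaintext)."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + struct.pack(">Q", block_no)).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def per_file_store(root: str, key: bytes, files: Dict[str, bytes]) -> None:
    """Model of the My Private Folder on-disk layout without the hiding driver:
    one real file per protected file, same name, only the bytes inside encrypted."""
    os.makedirs(root, exist_ok=True)
    for name, content in files.items():
        nonce = os.urandom(NONCE_LEN)  # fresh nonce per file, stored in front
        with open(os.path.join(root, name), "wb") as f:
            f.write(nonce + xor_keystream(key, nonce, content))


def container_store(path: str, key: bytes, files: Dict[str, bytes]) -> None:
    """Model of a loopback volume (TrueCrypt/BestCrypt style): directory table
    and all contents are serialised into one blob, the whole blob is encrypted
    and padded to a fixed size, and only that opaque blob touches the host FS."""
    table, body = [], bytearray()
    for name, content in files.items():
        table.append({"name": name, "off": len(body), "size": len(content)})
        body.extend(content)
    header = json.dumps(table).encode()
    blob = struct.pack(">I", len(header)) + header + bytes(body)
    if len(blob) > VOLUME_SIZE:
        raise ValueError("volume full")
    blob += b"\0" * (VOLUME_SIZE - len(blob))
    nonce = os.urandom(NONCE_LEN)
    with open(path, "wb") as f:
        f.write(nonce + xor_keystream(key, nonce, blob))


def container_open(path: str, key: bytes) -> Dict[str, bytes]:
    """'Mount' the volume: decrypt the blob, then read the directory table back."""
    with open(path, "rb") as f:
        raw = f.read()
    blob = xor_keystream(key, raw[:NONCE_LEN], raw[NONCE_LEN:])
    hdr_len = struct.unpack(">I", blob[:4])[0]
    table = json.loads(blob[4:4 + hdr_len])
    body = blob[4 + hdr_len:]
    return {e["name"]: body[e["off"]:e["off"] + e["size"]] for e in table}


def offline_view(root: str) -> List[Tuple[str, int]]:
    """What an attacker sees after booting a live CD: the hiding driver is not
    loaded, so a plain directory walk returns every name and size on disk."""
    found = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            found.append((os.path.relpath(p, root), os.path.getsize(p)))
    return sorted(found)


def demo() -> dict:
    """Constructed sample files; returns the offline view of both layouts."""
    key = hashlib.sha256(b"demo passphrase").digest()
    files = {"tax-return-2005.pdf": b"%PDF-1.4 ..." * 40,
             "resignation-letter.doc": b"\xd0\xcf\x11\xe0" + b"A" * 500}
    with tempfile.TemporaryDirectory() as tmp:
        per_file_store(os.path.join(tmp, "private"), key, files)
        os.makedirs(os.path.join(tmp, "volumes"))
        vault = os.path.join(tmp, "volumes", "vault.bin")
        container_store(vault, key, files)
        return {
            "per_file": offline_view(os.path.join(tmp, "private")),
            "container": offline_view(os.path.join(tmp, "volumes")),
            "roundtrip": container_open(vault, key) == files,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The offline walk of the per-file store returns both real file names, and because the cipher preserves length each size is the plaintext size plus the 16-byte nonce, so an attacker learns exactly how big each document is. The walk of the container directory returns one entry, `vault.bin`, at the fixed volume size, regardless of how many files it holds or what they are called. Timestamps behave the same way: the per-file layout gets a real mtime per document, the container gets one mtime for the whole image.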

I have at least three questions about this:
1. Microsoft already has EFS. Why reinvent the wheel?
2. Why use a rootkit in the first place, when using a loopback image is simpler and more secure?
3. How long before this rootkit gets exploited by malware? [EDIT: I did some more digging and this won't be as trivial to exploit as the Sony/XCP rootkit. The rootkit not only hides existing files in "My Private Folder", but it prevents you from creating them as well.]

