Some Rootkits Are Worse Than Others

By Larry Seltzer  |  Posted 2006-01-12

Opinion: I got really mad at Sony for its rootkit, but I can't get upset at Symantec, even though a company like that should have been able to see the implications earlier.

When you first learn about rootkits it's easy to see the sinister applications of them, and they're pretty scary. A really well-written rootkit, if you can deliver it to the system, can be very difficult to detect while the software is running. Fortunately, the very best rootkits exist only in theory (Or do they? How would we know?) But developers can also talk themselves into using rootkits for legitimate purposes. I'm sure the people at Sony and First 4 Internet (the company that actually wrote the DRM rootkit Sony used) considered their motivations pure: to protect the music on the CD from unauthorized copying. I can sympathize to a point with this, but they handled so many things badly that it was impossible to give them any credit for having a legitimate goal.


Now it turns out that Symantec, of all companies, has been using a kind of rootkit as part of its SystemWorks product. As part of the "Norton Protected Recycle Bin" feature, it stored files in a directory that it kept hidden from the user and other programs through basic rootkit techniques.

I used SystemWorks on one of my main desktops for several years, and I remember coming across this when doing offline scans of the system. I should have known better, even if it was maybe three years ago, but I quickly realized what they were up to and said to myself that I understood why they did what they did.

I wasn't the only one who should have known better. Symantec should have known better too. I'm pretty sure that Norton Protected Recycle Bin, which tries to be a safety net for users who too casually delete files, has been around for many years. I remember it from a long time ago, and I suspect it goes back almost all the way to Windows 95. I don't know if the directory-hiding nonsense goes back that far; perhaps earlier versions were less "sophisticated."

There really is a legitimate goal behind this feature: to protect users. The original unerase relied simply on the fact that the FAT system only marked files in the directory as deleted and their clusters in the FAT as available, and it was possible to re-create the entry and reallocate the clusters. But under Win32 it was possible to go a step further: save deleted files in a special cache, structured as a queue so that the most recently deleted would stay alive the longest.
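As an added illustration of the FAT-era unerase just described (this is not code from the article or from Symantec), here is a small Python model of an 8.3 directory and a FAT12 table: parse_dir shows that a deleted entry is still present with its first byte overwritten by 0xE5, and undelete re-creates the entry and re-allocates its clusters, but only after checking that they are still free, because deletion zeroes the FAT chain, so the chain has to be assumed contiguous and any cluster reused since then means the data is gone. The cluster size, the two sample files and the FAT contents are constructed.

```python
import struct

CLUSTER_SIZE = 512          # constructed: one 512-byte sector per cluster
DELETED, END = 0xE5, 0x00   # first-byte markers of an 8.3 directory entry
ENTRY = "<8s3sB14sHI"       # name, ext, attr, timestamps etc., first cluster, size

def make_entry(name, ext, first_cluster, size, deleted=False):
    """Build a 32-byte FAT 8.3 directory entry (constructed sample data)."""
    raw = bytearray(struct.pack(ENTRY, name.ljust(8).encode(), ext.ljust(3).encode(),
                                0x20, bytes(14), first_cluster, size))
    if deleted:
        raw[0] = DELETED        # all that deletion does to the entry itself
    return raw

def parse_dir(raw):
    """Walk the directory; deleted entries are still there, merely marked."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == END:
            break
        name, ext, _attr, _, first, size = struct.unpack(ENTRY, e)
        entries.append({"name": (name.rstrip() + b"." + ext.rstrip()).decode("latin-1"),
                        "first": first, "size": size, "offset": off,
                        "deleted": e[0] == DELETED})
    return entries

def undelete(raw, fat, entry, first_char):
    """Re-create the entry and re-allocate its clusters, as the old unerase did.
    The chain was zeroed on delete: assume it is contiguous and still free."""
    n = max(1, -(-entry["size"] // CLUSTER_SIZE))          # ceil division
    chain = list(range(entry["first"], entry["first"] + n))
    if not all(c < len(fat) and fat[c] == 0 for c in chain):
        return False                                       # clusters reused: data overwritten
    for a, b in zip(chain, chain[1:]):
        fat[a] = b
    fat[chain[-1]] = 0xFFF                                 # FAT12 end-of-chain
    raw[entry["offset"]] = ord(first_char)                 # 0xE5 destroyed this byte
    return True

# Constructed volume: README.TXT live in clusters 2-3, SECRET.DOC deleted from 4-6.
FAT = [0xFF8, 0xFFF] + [0] * 30
FAT[2], FAT[3] = 3, 0xFFF
DIR = (make_entry("README", "TXT", 2, 1000)
       + make_entry("SECRET", "DOC", 4, 1500, deleted=True) + bytes(32))

if __name__ == "__main__":
    victim = parse_dir(DIR)[1]
    print("recovered" if undelete(DIR, FAT, victim, "S") else "clusters reused")
```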

And because Norton SystemWorks instills in its users an obsessive-compulsive desire to neaten and tidy-up their systems, perhaps even to their detriment, they decided to hide the actual directory. You could empty it out using what seems like a redundant option for emptying the Protected folder, but you have to go through multiple warnings.


Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
