Some Rootkits Are Worse Than Others

Opinion: I got really mad at Sony for its rootkit, but I can't get upset at Symantec, even though a company like that should have been able to see the implications earlier.

When you first learn about rootkits, it's easy to see their sinister applications, and they're pretty scary. A really well-written rootkit, if you can deliver it to the system, can be very difficult to detect while it is running, because it subverts the very system calls a scanner would use to look for it. Fortunately, the very best rootkits exist only in theory. (Or do they? How would we know?)

But developers can also talk themselves into using rootkits for legitimate purposes. I'm sure the people at Sony and First 4 Internet (the company that actually wrote the DRM rootkit Sony used) considered their motivations pure: to protect the music on the CD from unauthorized copying. I can sympathize with this to a point, but they handled so many things so badly that it was impossible to give them any credit for having a legitimate goal.


Now it turns out that Symantec, of all companies, has been using a kind of rootkit as part of its SystemWorks product. As part of the "Norton Protected Recycle Bin" feature, it stored files in a directory that it kept hidden from the user and from other programs through basic rootkit techniques. A directory hidden that way is hidden from anti-virus scanners and other security tools that enumerate the file system through the normal Windows APIs, which is exactly the property malware wants from a hiding place.

I used SystemWorks on one of my main desktops for several years, and I remember coming across this when doing offline scans of the system. I should have known better, even if it was maybe three years ago, but I quickly realized what they were up to and said to myself that I understood why they did what they did.

I wasn't the only one who should have known better. Symantec should have known better too. I'm pretty sure that Norton Protected Recycle Bin, which tries to be a safety net for users who too casually delete files, has been around for many years. I remember it from a long time ago, and I suspect it goes back almost all the way to Windows 95. I don't know if the directory-hiding nonsense goes back that far; perhaps earlier versions were less "sophisticated."

There really is a legitimate goal behind this feature: to protect users. The original UnErase (the DOS-era Norton Utilities tool) relied simply on the fact that deleting a file under FAT only marked its directory entry as deleted (by overwriting the first byte of the name) and marked its clusters in the FAT as available; the data itself stayed on disk, so it was possible to re-create the entry and reallocate the clusters, as long as nothing had been written over them in the meantime. Under Win32 it was possible to go a step further: save deleted files in a special cache, structured as a queue so that the most recently deleted would stay alive the longest.
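To make the FAT-era mechanism concrete, here is an added example (my own illustration, not code from the column or from Norton Utilities) that parses a constructed FAT16-style directory region, spots the entry whose first byte has been overwritten with the 0xE5 "deleted" marker, and re-creates it the way a classic undelete did: the user supplies the lost first letter, and the tool re-links the clusters on the assumption that the file was stored contiguously and that its clusters are still free. The sample directory and FAT table are constructed inline; the 512-byte cluster size and the two sample files are assumptions for the demonstration.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLUSTER_SIZE = 512      # assumed cluster size for this constructed image
FAT_FREE = 0x0000       # FAT16: cluster is available
FAT_EOC = 0xFFFF        # FAT16: end-of-chain marker
DELETED_MARK = 0xE5     # first byte of a directory entry whose file was deleted
END_OF_DIR = 0x00       # first byte of the entry that terminates the directory


@dataclass
class DirEntry:
    index: int
    name: str           # "?LAN.DOC" style: the first character is lost on delete
    deleted: bool
    first_cluster: int
    size: int


def make_entry(name8: bytes, ext3: bytes, first_cluster: int, size: int,
               deleted: bool = False) -> bytes:
    """Build a 32-byte 8.3 directory entry (constructed test data)."""
    raw = bytearray(32)
    raw[0:8] = name8.ljust(8, b" ")
    raw[8:11] = ext3.ljust(3, b" ")
    raw[11] = 0x20                                  # ATTR_ARCHIVE
    struct.pack_into("<H", raw, 26, first_cluster)  # first cluster (low word)
    struct.pack_into("<I", raw, 28, size)           # file size in bytes
    if deleted:
        raw[0] = DELETED_MARK                       # what DEL actually does to the entry
    return bytes(raw)


def parse_directory(raw: bytes) -> List[DirEntry]:
    """Walk 32-byte entries until the end-of-directory marker."""
    entries = []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == END_OF_DIR:
            break
        deleted = e[0] == DELETED_MARK
        base = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        name = f"{base}.{ext}" if ext else base
        first_cluster = struct.unpack_from("<H", e, 26)[0]
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append(DirEntry(off // 32, name, deleted, first_cluster, size))
    return entries


def undelete(dir_raw: bytes, fat: List[int], index: int,
             first_char: str) -> Optional[Tuple[bytes, List[int]]]:
    """Restore a deleted entry: put the first character back and re-link the
    clusters the file needs, assuming they were contiguous and are still free.
    Returns (new_dir_raw, new_fat), or None if the entry is not deleted or any
    needed cluster has since been reused (recovery would corrupt another file)."""
    off = index * 32
    entry = dir_raw[off:off + 32]
    if entry[0] != DELETED_MARK:
        return None
    first = struct.unpack_from("<H", entry, 26)[0]
    size = struct.unpack_from("<I", entry, 28)[0]
    needed = -(-size // CLUSTER_SIZE)               # ceiling division
    clusters = list(range(first, first + needed))
    if any(c >= len(fat) or fat[c] != FAT_FREE for c in clusters):
        return None                                 # data already overwritten
    new_fat = list(fat)
    for c, nxt in zip(clusters, clusters[1:]):
        new_fat[c] = nxt                            # rebuild the chain
    if clusters:
        new_fat[clusters[-1]] = FAT_EOC
    new_dir = bytearray(dir_raw)
    new_dir[off] = ord(first_char.upper())          # the letter the user typed
    return bytes(new_dir), new_fat


# Constructed sample, not from any real disk: NOTES.TXT is live on cluster 2;
# PLAN.DOC (1000 bytes, clusters 3-4) was deleted, so its entry starts with
# 0xE5 and its FAT chain has been zeroed. Entries 0 and 1 of a FAT are reserved.
SAMPLE_DIR = (make_entry(b"NOTES", b"TXT", 2, 300)
              + make_entry(b"PLAN", b"DOC", 3, 1000, deleted=True)
              + bytes(32))
SAMPLE_FAT = [0xFFF8, 0xFFFF, FAT_EOC, FAT_FREE, FAT_FREE, FAT_FREE]


if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(("deleted " if e.deleted else "live    ") + e.name)
    result = undelete(SAMPLE_DIR, SAMPLE_FAT, 1, "P")
    if result is None:
        print("PLAN.DOC cannot be recovered safely")
    else:
        new_dir, new_fat = result
        print("recovered:", parse_directory(new_dir)[1].name, "chain:", new_fat[3:5])
```

The refusal path is the part worth keeping in mind: once a cluster has been handed to another file, the old contents are gone, and an undelete that blindly re-links it would cross two files' data. That is the gap the Win32-era cache in the text closes, by keeping the deleted file's bytes out of the free pool entirely.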

And because Norton SystemWorks instills in its users an obsessive-compulsive desire to neaten and tidy up their systems, perhaps even to their detriment, Symantec decided to hide the actual directory. You could empty it using what seems like a redundant option for emptying the Protected folder, but you had to go through multiple warnings.
