When you first learn about rootkits it's easy to see the sinister applications of them, and they're pretty scary. A really well-written rootkit, if you can deliver it to the system, can be very difficult to detect while the software is running. Fortunately, the very best rootkits exist only in theory (Or do they? How would we know?)
But developers can also talk themselves into using rootkits for legitimate purposes. I'm sure the people at Sony and First 4 Internet (the company that actually wrote the DRM rootkit Sony used) considered their motivations pure: to protect the music on the CD from unauthorized copying. I can sympathize to a point with this, but they handled so many things badly that it was impossible to give them any credit for having a legitimate goal.
Now it turns out that Symantec, of all companies, has been using a kind of rootkit as part of its SystemWorks product. As part of the “Norton Protected Recycle Bin” feature, it stored files in a directory that it kept hidden from the user and other programs through basic rootkit techniques.
I used SystemWorks on one of my main desktops for several years, and I remember coming across this when doing offline scans of the system. I should have known better, even if it was maybe three years ago, but I quickly realized what they were up to and said to myself that I understood why they did what they did.
I wasn't the only one who should have known better. Symantec should have known better too. I'm pretty sure that Norton Protected Recycle Bin, which tries to be a safety net for users who too casually delete files, has been around for many years. I remember it from a long time ago, and I suspect it goes back almost all the way to Windows 95. I don't know if the directory-hiding nonsense goes back that far; perhaps earlier versions were less “sophisticated.”
There really is a legitimate goal behind this feature: to protect users. The original unerase relied simply on the fact that the FAT system only marked files in the directory as deleted and their clusters in the FAT as available, and it was possible to re-create the entry and reallocate the clusters. But under Win32 it was possible to go a step further: save deleted files in a special cache, structured as a queue so that the most recently deleted would stay alive the longest.
And because Norton SystemWorks instills in its users an obsessive-compulsive desire to neaten and tidy up their systems, perhaps even to their detriment, they decided to hide the actual directory. You could empty it out using what seems like a redundant option for emptying the Protected folder, but you have to go through multiple warnings.
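As an added illustration (not Symantec's code and not from the original column), here is the deleted-file cache described above modelled as a bounded queue that lives in an ordinary, visible directory, so the safety net works without hiding anything from the user or other programs. The class name, file names and the 8-byte budget are constructed for the demo.

```python
import os
import shutil
import tempfile
from collections import OrderedDict

class ProtectedBin:
    """Deleted-file cache in an ordinary, visible directory: entries are queued in
    deletion order and the oldest are purged first when the byte budget is exceeded."""

    def __init__(self, cache_dir, max_bytes):
        self.cache_dir, self.max_bytes, self.seq = cache_dir, max_bytes, 0
        self.queue = OrderedDict()  # original path -> (cached path, size)
        os.makedirs(cache_dir, exist_ok=True)

    def delete(self, path):
        """Move a file into the cache instead of unlinking it, then enforce the budget."""
        size = os.path.getsize(path)
        cached = os.path.join(self.cache_dir, f"{self.seq}_{os.path.basename(path)}")
        self.seq += 1
        shutil.move(path, cached)
        self.queue[path] = (cached, size)
        while sum(s for _, s in self.queue.values()) > self.max_bytes:
            _, (victim, _) = self.queue.popitem(last=False)  # oldest entry goes first
            os.remove(victim)

    def restore(self, path):
        entry = self.queue.pop(path, None)
        if entry is None:  # already purged from the queue
            return None
        shutil.move(entry[0], path)  # move the cached copy back to its original path
        return path

def demo():
    """Constructed scenario: three 4-byte files deleted against an 8-byte budget."""
    root = tempfile.mkdtemp()
    pbin = ProtectedBin(os.path.join(root, "ProtectedBin"), max_bytes=8)
    paths = [os.path.join(root, f"file{i}.txt") for i in range(3)]
    for p in paths:
        with open(p, "w") as f:
            f.write("abcd")
        pbin.delete(p)
    result = {
        "cached": [os.path.basename(p) for p in pbin.queue],  # file0 was purged
        "visible": sorted(os.listdir(pbin.cache_dir)),        # a plain listing sees it
        "restored": pbin.restore(paths[2]) == paths[2] and os.path.exists(paths[2]),
        "oldest_gone": pbin.restore(paths[0]) is None,
    }
    shutil.rmtree(root)
    return result
```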
How Did They Come
It's a shame in a way. I was a customer of the earliest, original Norton Utilities. (I actually wrote fan mail to Peter Norton and he wrote back!) The applications had universal appeal, but it was very techie-oriented software. In later versions, trying to appeal to a larger audience, Symantec (which had bought out “Peter Norton Software”) essentially dumbed down the software, and this directory hiding stuff is a part of that.
How far back does the feature go? It's an important question, and one I posed to Symantec. Until last spring I was using a copy of SystemWorks 2002 on one of my computers. I could have upgraded, but there was never anything new and better in new versions of SystemWorks. If I were still using it, would I have an update available? What about 2001, 2000 and so on? According to Symantec's advisory the 2005 and 2006 versions are vulnerable, but Symantec tells me that it works for earlier versions as well, at least for 2002.
By the time security became a serious mainstream issue and malware writers became competent, the Norton Protected Recycle Bin was basically a legacy feature skating along from version to version, probably with little attention being paid to it. But Symantec, being a security company, should have caught this one many years ago, instead of being notified by a third party (once again we have F-Secure to thank for this, a competitor of Symantec's, and Mark Russinovich of Sysinternals).
I don't think there's much reason to worry about it. I've never heard of any malware that tried to hide itself using this feature, and any that did would quickly be detected. Furthermore, it's safe to assume that Norton SystemWorks users are much more likely than the average user to have anti-virus protection on their computers, and therefore to have some protection against any malware that attempted to utilize the hidden directory. Some versions of SystemWorks actually come with Norton Antivirus bundled.
So I'm hoping that Symantec gets proactive with their users and reaches out to them to push out the update that unhides the directory, but I'm not going to worry about this one. On the other hand, I hope it sends a signal through the industry to analyze your products for techniques like this that could be abused. Better to deal with it proactively than to be the subject of the next exposé.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.