    Symantec Caught in Norton Rootkit Flap

    By Ryan Naraine - January 11, 2006

      Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.

      The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.

      Symantec, of Cupertino, Calif., is the second commercial company caught in the flap over the use of rootkit-type techniques to hide files on computers. Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection from security scanners.

      Music company Sony BMG faced a firestorm of criticism after anti-rootkit scanners fingered the use of stealthy rootkit-type techniques to cloak its DRM scheme. After malicious hackers used the Sony DRM rootkit as a hiding place for Trojans, the company suspended the use of the technology and recalled CDs with the offending copy protection mechanism.

      A spokesman for Symantec referenced the Sony flap in a statement sent to eWEEK, but downplayed the risk to consumers. “In light of current techniques used by today’s malicious attackers, Symantec re-evaluated the value of hiding the [previously cloaked] directory. Though the chance of an attacker using [it] as a possible attack vector is extremely slim, Symantec’s update further protects computers by displaying the directory,” the spokesman said.


      He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a directory called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans.

      “This could potentially provide a location for an attacker to hide a malicious file on a computer,” the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface.

      Despite the very low risk of this vulnerability, Symantec is “strongly” recommending that SystemWorks users update the product immediately to ensure greater protection. “To date, Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder,” the spokesman added.

      Mark Russinovich, the Windows internals guru who blew the whistle on Sony’s controversial DRM rootkit, was credited with the SystemWorks discovery along with researchers at Finnish anti-virus vendor F-Secure Corp.

      Russinovich, creator of the RootkitRevealer anti-rootkit utility, said the use of rootkit-type features by commercial vendors is “very worrisome.”

      “It’s a bad, bad, bad idea to start hiding things in places where it presents a danger. I’m seeing it more and more with commercial vendors,” Russinovich said in an interview with eWEEK.

      “When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It’s impossible to manage the security and health of that system if the owner is not in control.”

      Russinovich said Symantec was “very receptive” to the warnings that the hidden directory presented a real risk to computer users. “In Sony’s case, it was meant as a benefit to Sony. In Symantec’s case, they really believed it was a benefit to the consumer. I don’t see the benefit but I think they had good intentions. They did the right thing by making this change,” he added.


      Russinovich, who plans to publish more evidence of commercial vendors using rootkits at Sysinternals.com, also pinpointed another big problem. “When you have different vendors changing the way Windows works, they start interfering with each other. Two or three rootkits on a machine could seriously change the way Windows behaves and that’s another big concern,” he said.

      Mikko Hypponen, director of anti-virus research at F-Secure Corp., said his company’s BlackLight Rootkit Elimination Technology also detected the NProtect directory, which was hidden from the Windows FindFirst/FindNext APIs.

      “We found out about this when we shipped the first BlackLight beta in March 2005 and started getting reports back from users. Then we tested it in our own labs and confirmed the functionality in Symantec. It’s not a huge problem, but I’m glad they’ve now fixed it,” Hypponen said in an interview.

      He confirmed Russinovich’s contention that more and more legitimate commercial vendors are using cloaking mechanisms, warning that it is a “dangerous trend,” even if it’s not an offensive, malicious rootkit.

      “The area is a little gray. We’ve seen a dozen or so commercial vendors hiding folders. Some are actual folder-hiding applications to handle things like parental controls where the target audience actually wants the folder hidden. But, even so, the risk of someone malicious making use of that hiding place is not something to ignore,” Hypponen said.

      “That’s the big risk. For now, it’s completely a theoretical problem. But, as we saw in Sony’s case, the bad guys figured it out within days that they could put a Trojan in the rootkit and sail by anti-virus scanners.”
