January 11th, 2006
Symantec Admits Rootkit Usage in SystemWorks
By Michael Santo
Contributing Writer, RealTechNews
You would think that the Sony BMG rootkit would be the last rootkit we would see from a reputable software company, wouldn’t you? Apparently not, since Symantec fessed up today that it had been using a rootkit-type feature in Norton SystemWorks.
The anti-virus vendor acknowledged that it was deliberately hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
A spokesman for Symantec referenced the Sony flap in a statement sent to eWEEK, but downplayed the risk to consumers. “In light of current techniques used by today’s malicious attackers, Symantec re-evaluated the value of hiding the [previously cloaked] directory. Though the chance of an attacker using [it] as a possible attack vector is extremely slim, Symantec’s update further protects computers by displaying the directory,” the spokesman said.
He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a directory called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans.
“This could potentially provide a location for an attacker to hide a malicious file on a computer,” the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface. Source: eWeek
We Say: Er, Symantec had to be warned by security experts? To most consumers, Symantec is a security expert. And despite assertions that the risk was low, how long did it take people to figure out how to use the Sony BMG rootkit features to their malware advantage? Not long. Come on, Symantec, I would expect a security vendor to do better than this!
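The article describes a directory that is cloaked from the Windows file-enumeration APIs rather than merely flagged with the Hidden attribute, and notes that a scanner walking the disk through those APIs may never descend into it. The usual defensive check for that condition is a cross-view comparison: list the same part of the disk once through the normal API and once through a lower-level source, and report whatever the API view omits. The example below is added here to illustrate that comparison logic; it is not code from the article, from Symantec, or from any tool the comments mention. Both listings, the path `C:\NPROTECT`, the file `dropped.exe`, and the attribute values on the sample entries are constructed for the demonstration (the page does not state where on disk the real directory lived); the only real constant is the Win32 `FILE_ATTRIBUTE_HIDDEN` bit. It also distinguishes an attribute-hidden entry (still visible once "show hidden files" is on) from a cloaked one, and flags files underneath a cloaked directory as unscanned, which goes a little beyond the article's single case.

```python
"""Cross-view directory diff.

Compares an API-level listing (what FindFirstFile/Explorer reports)
against a low-level listing (what a raw NTFS walk reports) and
classifies each entry.  Both listings here are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Real Win32 attribute bit from winnt.h; the only one needed for classification.
FILE_ATTRIBUTE_HIDDEN = 0x02


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "cloaked" | "unscanned" | "hidden-attribute"


def _norm(path: str) -> str:
    # NTFS names are case-insensitive: compare on a canonical form, report the original.
    return path.replace("/", "\\").rstrip("\\").lower()


def _ancestors(npath: str) -> Iterable[str]:
    # For "c:\a\b\c" yield "c:\a" and "c:\a\b" (the drive root itself is skipped).
    parts = npath.split("\\")
    for i in range(2, len(parts)):
        yield "\\".join(parts[:i])


def cross_view_diff(api_view: Dict[str, int], raw_view: Iterable[str]) -> List[Finding]:
    """Return one Finding per entry the API view hides or marks hidden.

    api_view maps path -> attribute bits as the Win32 API returned them.
    raw_view is every path the low-level enumeration found.
    """
    api = {_norm(p): attrs for p, attrs in api_view.items()}
    raw = {_norm(p): p for p in raw_view}
    # Present on disk but absent from the API listing: the cloaking signature.
    cloaked = {n for n in raw if n not in api}

    findings: List[Finding] = []
    for n in sorted(raw):
        original = raw[n]
        if n in cloaked:
            # A scanner walking via the API never enters a cloaked directory,
            # so report its contents as unscanned and the directory as the cause.
            if any(a in cloaked for a in _ancestors(n)):
                findings.append(Finding(original, "unscanned"))
            else:
                findings.append(Finding(original, "cloaked"))
        elif api[n] & FILE_ATTRIBUTE_HIDDEN:
            # Ordinary hidden attribute: visible to the API, just not shown by default.
            findings.append(Finding(original, "hidden-attribute"))
    return findings


# Constructed sample data: the raw walk sees five entries, the API walk three.
RAW_VIEW = [
    r"C:\WINDOWS",
    r"C:\WINDOWS\notepad.exe",
    r"C:\boot.ini",
    r"C:\NPROTECT",               # constructed stand-in for a cloaked directory
    r"C:\NPROTECT\dropped.exe",   # constructed file living inside it
]
API_VIEW = {
    r"C:\WINDOWS": 0x10,            # FILE_ATTRIBUTE_DIRECTORY
    r"C:\WINDOWS\notepad.exe": 0x20,  # FILE_ATTRIBUTE_ARCHIVE
    r"C:\boot.ini": 0x26,           # HIDDEN | SYSTEM | ARCHIVE
}

if __name__ == "__main__":
    for f in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{f.kind:17} {f.path}")
```

On a real system the API side would come from a normal directory walk and the raw side from an independent source such as a parsed MFT or an offline mount of the volume; only the comparison is shown here. An entry that appears solely in the raw view is the condition worth investigating, since a plain Hidden attribute is benign and easily surfaced in the shell.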
Kevin K says:
Wait a second! I have been using Norton Utilities for years with the Norton Recycle Bin (currently still using Norton Utilities 2002) and I have never seen a directory for its use yet the “big news” today is that it’s in only System Works?!?! Are they just conveniently forgetting about all the previous versions and the fact it’s in Norton Utilities too?!?!?
I have used various rootkit revealers and not one says anything about a directory called nprotect and I can’t confirm nor deny it exists. I guess it’s time to get out a DOS command line utility and look for it with a binary disk editor!
Kevin
January 11th, 2006 at 7:01 pm
Dave M says:
What about some of us who tried system works in the past and now do not have it. How do we know if there is a problem or not?
January 11th, 2006 at 8:47 pm
Michael Santo says:
According to the Symantec website, it’s only in 2005 and 2006 versions, and can be eliminated by getting a LiveUpdate. You can also use the Rootkit Revealer at Sysinternals.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
January 11th, 2006 at 8:52 pm
Bill King says:
Two points:
1. It’s been around for donkey’s years, so the symantec info’s bullshit.
2. Apps like ZTreeGold display it (and the files underneath). True it’s hidden, but it can’t be that hidden, if ztree finds it.
January 11th, 2006 at 8:58 pm
Bidera says:
Ztree is still around? I remember Ztree from around 1990 or so, if that’s the same program I am thinking of.
Anyway, Symantec as one of the authority figures in software security industry should be held up to a more stringent standard than even Sony.
January 12th, 2006 at 5:30 am
scooby says:
And let’s not forget one salient point in Symantec’s defense: this feature was intended to directly benefit users.
January 12th, 2006 at 5:34 am
Scott says:
How is a hidden directory qualified as a rootkit? As stated by Symantec, they were hiding the directory from the API so dumb users wouldn’t delete the directory. Now, I agree they could have write protected it or thrown up a warning to the user, but come on…
January 12th, 2006 at 5:54 am
Steve says:
The qualification for the rootkit in this instance is that it is not merely a standard hidden directory. It is a directory that is hidden not by adding the hidden bit to the directory information, but instead by actually altering the way Windows sees the directory at all.
Normally, if a folder is hidden, then at least you can turn on View Hidden Files and Folders in folder options. However, it is not this simple. Now, if someone were to place a malicious file on your computer in that location, then windows would get a little cross-eyed trying to find the file, as would any spyware/av tool. At least, that is the standpoint that the other security experts are coming from.
Between a folder that is hidden from windows completely, (but, yes, viewable using other file viewers, as mentioned), and someone being able to get a windows install to *not* display a running process, potentially there is a risk here. Granted it’s one that I don’t think has even been attempted to get used, but, still a potentially dangerous situation.
And as for the simple stupidity (yes, as far as I’m concerned, this is just a case of “Oops, we missed that!” by Symantec) this could have been avoided more by merely making the folder hidden standard, and naming the folder something more direct, as it used to be, or make it so that the folder couldn’t be deleted (yes, you can lock the folder so it can’t be deleted). That would have been the better idea, but sometimes people make mistakes.
January 12th, 2006 at 6:16 am
Michael says:
I always hated that stupid nprotect crap. I hate any program that presumes I want something done to/with my pc without my permission. I quit using any symantec product other than pcaw because they got “too big for their britches” and figured that it was their way or the highway. Screw that. It’s my pc, not theirs. I want full disclosure. I’m surprised anyone still uses their junkware now that there are so many other options.
January 12th, 2006 at 6:31 am
Steve says:
Michael, I agree. When Norton Systemworks, designed to “Improve the speed and performance” of a computer, began slowing my computer down to a crawl more often than keep it steady, I got out of Sym/Norton products as well.
AVG Personal keeps virals off my system, ZoneAlarm protects it from the outside, and both provide me more control, and better response than Norton *anything* ever did, while not bogging down my system in the least.
January 12th, 2006 at 6:38 am
Evan says:
This is just stupid.
This is not a rootkit, but merely a “rootkit-type feature”.
What the hell does that mean?
Answer: The media likes the buzzword “rootkit”
Case closed.
January 12th, 2006 at 7:04 am
xaostica says:
Prepare to be Embedded
January 12th, 2006 at 7:07 am
Rob says:
Evan, yes, it is a rootkit. It changes things at the system level, modifying behavior of the APIs. Ergo, it is a rootkit.
It just doesn’t happen to be (intentionally) malicious. There are other, non-malicious rootkits out there, some of which are used regularly by admins. They don’t know they’re rootkits, nor do the common ones have hiding functionality.
January 12th, 2006 at 7:45 am
Peter says:
Buy a Mac!
January 12th, 2006 at 7:50 am
Steve says:
Using the word “rootkit” every time someone puts in a cloaked directory makes Sony/First4Internet’s real rootkit look more and more trivial.
A rootkit does a lot more than cloaking a directory, guys. Symantec cloaked a directory in a program you BUY that is supposed to hide in your system and protect it. Big deal.
First4Internet/Sony cloaked directory, processes, and files, and made them unremovable, in a program that installed without your permission. That’s a little different. Don’t cry wolf so much.
January 12th, 2006 at 8:06 am
Mike says:
Re: Media’s love affair with the word “rootkit”
This, like so many other terms, is being used incorrectly. A rootkit is, put simply, something that allows an unauthorised user to gain root privileges to the machine. That’s it. It is not associated with any specific methodology. The only similarity between a real rootkit (talk to any old school unix/linux user if you want details, I won’t bore you with them here) and things like this is that you can not be totally sure you are rid of it without formatting your hard drive.
PS - Unauthorised modification of system files is more viral than anything else. That act alone does not a rootkit make.
January 12th, 2006 at 8:15 am
Kevin K says:
Hmmmm, I know that Symantec SAYS it’s only in 2005/2006 but it *must* be in previous versions because I’ll be damned if I can find my protected recycle bin anywhere on disk through standard Windows GUI methods.
This is obviously how the Norton Protected Recycle Bin is supposed to work and I bought it and installed it so I expect it to work as it does; it’s not a big deal. It’s definitely not a “rootkit” nor is it intended to be *secretly* hidden for some nefarious means like Sony’s blunder. The hubbub is just fear mongering in my opinion.
It would be nice to be able to see it, but if a user could actually SEE it, that increases the likelihood that the user might accidentally delete it thus removing the protection the Norton Protected Recycle Bin is supposed to provide so it *should* be hidden. Otherwise, there’s no need to use that function.
The key is that Symantec needs to make sure that the hidden folder is protected from use by any other third party that knows about it so hopefully they patch it if necessary. My 2002 version has not had official updates in a long time so I fear it won’t be patched at all leaving me possibly open to attack but as long as I maintain my router, software firewall, antivirus and spyware measures, I *should* be ok.
Just my $.07…
Kevin
January 12th, 2006 at 9:00 am
Peenie Wallie says:
Norton (Symantec) Sucks!
You really should not be using any Norton (Symantec) products. They suck, in a big kind of way. Norton Anti-Virus is a haven for viruses. Now, Symantec has admitted using Sony-Style Rootkits in Norton SystemWorks to hide files from the…
January 12th, 2006 at 9:14 am
Alex says:
They should have disclosed the ‘feature’ to users. I want no undisclosed invisible folders, period.
What if Symantec decides that they should collect my CC info and monitor computers around the world to verify that no one else is using it?
There should be no excuse.
January 12th, 2006 at 9:27 am
R. J. says:
If you install (insert here any popular flavor of Linux) instead of Windows you won’t have this sort of problem.
January 12th, 2006 at 10:03 am
Jonathan says:
Yay for R.J.’s ignorance. Rootkits started on unix and linux. Please know all the facts before posting.
January 12th, 2006 at 10:32 am
multineedia says:
Symantec Caught in Norton ‘Rootkit’ Flap
Symantec Caught in Norton ‘Rootkit’ Flap, via eWeek.
Symantec Corp. has fessed up to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.
WHAAAT…
January 12th, 2006 at 1:11 pm
Scott says:
Hi,
Please don’t delete my posts. This is the second posting. A news site should be about freedom of speech, even if it is dissenting. You’ve only hurt your credibility now.
Begin Re-post –
Sorry for coming off rude, but you’re a bumbling idiot. Please delete this article and pretend you never wrote it.
Instead, write an article about how Symantec used this technique for years (safely mind you), and now that a precedent has been set for taking advantage of this attack vector with other software, Symantec has wised up and released an update (NOT FULL OF HOLES LIKE SONY’S) to correct their now attackable protection. I’d probably also suggest that the article take more of a tone of “encourage all users of Symantec software to update quickly” rather than “Symantec should go back in time and not use methodology that at the time was sound and theretofore unexploited”
kthxbai
January 12th, 2006 at 2:03 pm
Alan says:
Interesting info. I believe the author’s point is not whether or not it’s a rootkit. His point is that Symantec should have corrected this a long time ago.
January 12th, 2006 at 2:12 pm
Michael Santo says:
Scott, dissension is welcome, but name-calling is not. Your comment is fine aside from that remark. As far as deletion of comments, many people can delete comments, not just me. I’m not going to delete your comment, but the idiot part is really out-of-line.
January 12th, 2006 at 2:12 pm
Jay says:
Rootkit. Sorry, just wanted to see that word one more time.
January 12th, 2006 at 2:37 pm
Jason says:
For years now I’ve basically labelled Symantec products as malware for the simple fact they slow most machines to half their normal speed, chew up a good 60+ megs of memory, and completely change the behavior of windows in less than desirable ways.
So needless to say, this is hardly a surprise. I swear the only way symantec stays in business is coasting on the Norton name and the ignorance of the average consumer, specifically preying on the willingness of most people to believe the advertising regardless of what total garbage the product actually is.
January 12th, 2006 at 5:55 pm
Mike says:
I used to like Norton, but in the last few years of trying to repair virus infected computers, I always find Norton Anti-virus software damaged/corrupted and impossible to remove. They have a pretty extensive history of having incomplete removal software, often requiring tedious manual file and registry deletions.
January 12th, 2006 at 6:36 pm
Michael Santo says:
I used to use Norton also. Heck, it was the biggest! But when they started activation … forget it. I will only use activated software if forced (e.g., Windows XP). Plus, I’d seen reputable reviews / tests that indicated how bloated and slow the software was. As a gamer, I want good protection, but minimal impact. So I switched, and I’m much happier.
January 12th, 2006 at 7:12 pm
Nate says:
Mcafee is just as slow and heavy, go AVG, even the free version works twice as good as the other two.
January 12th, 2006 at 7:37 pm
dave c says:
www.avast.com is better than Norton
January 12th, 2006 at 11:49 pm
Computerworld Blogs says:
Symantec fesses up (and Seuss turns in grave)
In today’s IT Blogwatch, we look at doing the rounds with Symantec Rootkit. Not to mention the scientists in Taiwan who claim to have bred green, glow-in-the-dark pigs — next stop: green eggs… [You’re fired - Ed-I-am.]
January 13th, 2006 at 5:27 am
Security expert says:
Guys this IS a rootkit, here is the definition of a rootkit.
A tool intended to conceal running processes, files or system data. (that hooks into the OS in a nonstandard way)
Seems it falls into that category, concealing files….
January 13th, 2006 at 10:19 am
Aidle says:
Cute….
Wonder what the function is of having a rootkit and product activation? But anyway, which version of SystemWorks has the rootkit really makes everybody puzzled.
January 14th, 2006 at 6:05 am
Bob Deloyd says:
When someone comes to me with a slow computer to fix, one of the first things I do is get rid of Norton and put AVAST on!! Norton is bloatware!!!! //bob
January 16th, 2006 at 12:07 am
crue_30 says:
A couple of good friends and I run a tech shop and we spend MANY tedious hours a week (while customers are paying good money) to remove Norton from machines. It simply isn’t doing its job. The virus protection is missing many things and the internet securities package renders a simple office network machine almost useless. System Works has some nice features but windows has all those tools built in, you just have to take the time to learn how to use them. You also pay, what I call the ultimate price, when installing system works…..most of your system resources. This stuff makes an average machine crawl!!! To find out that Norton is using a rootkit is just an “AH-HA” for me. This article will be made poster-size and posted all over my shop. There are GOOD tools out there that are free and do the job much better than Norton. Letting them continue to ride high in the future on the name they built for themselves back in the late 80’s and early 90’s can stop now. Force them to become good again because their product is inferior and has been for several years now. In my opinion, Ghost is the only product they have that’s worth purchasing. With the release of Windows XP, PC Anywhere is obsolete as well. Anti-Vir and some good spyware removing tool working aside a hardware router with a little bit of know-how is all you need!
January 17th, 2006 at 7:19 am
Erik says:
Poorly researched article. The hiding never prevented a virus scan from scanning the contents. The comment of how long it would take a virus writer to take advantage is absurd. I know of about 50 viruses that have tried to use this folder, but not one has ever been able to “take advantage” of this folder. It’s not a Rootkit and never has been. The definition of a rootkit is the following:
“A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels.”
The NProtect folder does not fit this definition at all.
January 18th, 2006 at 1:02 pm