Rootkit-like Feature Found in Norton Systemworks
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
I have always been suspect of Symantec.
I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.
Gawd help us.
The truth about Led Zep should never be told on
For those of us who dislike the pre-installed Symantec software and uninstall it first chance we get, is there still a vulnerability?
The world is made by those who show up for the job.
This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.
And, now that its potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.
Obligatory Soundbite Catchphrase
I just think it's ridiculous to hide stuff for me on MY computer.
Julien. http://free.hostdepartment.com/8/81fortune/
They did it so users couldn't accidentally delete important files?? Sure would be nice if there was such thing as "root" on Windows so you could have files that every day users couldn't delete...
Rootkits in windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com
Heh, my "confirm you're not a script" image is "sanity."
The cloaked directory is intended to prevent users from accidentally deleting important files
There are thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that makes them extra-specially important?
I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
So, I had to go to this link and do it manually....talk about a pain in the #*$%.
He who knows best knows how little he knows. - Thomas Jefferson
Apparently insecure and/or incompetent sysadmins are behind the boom in "all-in-one-fix-'em-all" suites. Why not tackle the problems head-on yourself rather than relying on third party software which might actually jeopardise your entire system without you knowing it? And I found Norton Anti-virus to be a serious hog on system resources. It's safe to assume their other products are in the same league.
From what I can tell, if you uninstall it, you lose the system protected recycle bin (designed to prevent you from deleting your pr0n, actually it provides a hidden place for viruses to hide). Therefore, you're safe.
If you are still paranoid, reinstall it and run the update patch which fixes it.
Or, check out BlackLight Rootkit Elimination Technology, which is supposed to eliminate (or at least detect) the rootkit.
Obligatory Soundbite Catchphrase
Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole.
Sony's rootkit was done entirely under good intentions as well (like it or not DRM is not a bad intention), and look how that turned out.
What's funny is everybody will blow this over because it's Symantec not the RIAA. It really is just as severe if not more so, coming from a software company that deals in security.
I trust Russinovich's technical analysis, but I don't trust his moral opinion.
I've never much liked Norton Antivirus, and this just adds more fuel to the fire.
"...Symantec's update further protects computers by displaying the directory,"
That's great! Our product is now better, because we turned off something bad we were previously doing!
Now that's a nice spin!
My real problem is that my mom bought a PC at Christmas. While visiting (she's a couple time zones away), I did a little tuning (firewall, Firefox, OpenOffice, etc.). Symantec pisses me off so it got uninstalled (replaced with Avast). But ... did the uninstall really clean everything up? I can't check in person and I'm not going to walk my mom through rootkit detection unless necessary.
The world is made by those who show up for the job.
Maybe slightly off topic, but I'll speak my mind anyways. Systemworks is very dangerous; for those that have observed how it actually installs onto a system it's a scary sight, a VERY tight integration with the OS. If a "user" rm's one of these "files", without a doubt the computer will suffer. Their intentions were good to "protect" the files, since many users who install "Systemworks" have no clue anyways. A patch was issued (not ignored); Sony should learn from its mistakes.
-- I Dont Deserve A Sig I Have Bad Karma
Will all this media attention bring about a "rule" that honest companies follow: "Don't hide things from your customers"? It's nice to see that we will, at least in the short term, retain absolute control over our computers.
Steps of action when joe six-pack brings me a windoz box:
1. Uninstall Norton
2. Install AVG
3. Delete all "e"'s from everywhere
4. Install Firefox
5. Install Opera
6. Delete all Outlook shortcuts
7. Install Thunderbird
8. Install VLC and associate all media with it
9. Teach the guy to right-click/scan with AVG everything he downloads from the internet
It worked nicely on most occasions. My 2p
www.lemonodor.com A mostly Lisp weblog
The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.
Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.
Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue.
Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action
Why? Anyone who's in wherever/whoever/application settings/ or wherever/Norton/whatever is probably there for a reason, and knows what they're doing and aren't numb enough to delete something. Either that or they're doing something they don't want people to see. Of course, I don't use any of their products, so I don't know.
In TFA F-Secure staff are quoted saying they have known about this since March 2005? So, I guess they believe it is ok? Why didn't F-Secure announce they had discovered this problem?
I must have missed something in the article. All it refers to is a "cloaked" directory. Now this shouldn't surprise anyone here. This is no different than how XP works normally. By default XP hides or "cloaks" protected system directories too, namely the System Volume Information folder in the root of each partition. The only way you can find them is by selecting to show hidden files and folders and to uncheck the "hide protected operating system files" option.
Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well known hole, thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.
So what I would really like to know, and the article doesn't specify, is: is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the latter this is not a rootkit, it's just being sneaky. If they are hooking in, well, shame on them.
I always knew that Norton guy was shady. Just look at the smug picture on the back of his books and other products. Plus he went and trademarked his name.
I only need the Preview button when I haven't used the Preview button.
I remember a couple years ago when I still bought and used Norton/Symantec anti-virus; it kept claiming my subscription ran out and wouldn't update the definitions. So I uninstalled and reinstalled. Same problem. After doing some searching, I realized it had installed itself all over the registry and wouldn't get out. It took a good 2 hours of hand-editing to remove all traces of Symantec from my registry.
So much for "uninstall".
Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.
I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
malware authors from simply creating their own "cloaked" directory? Why is it that they must use one already created by a piece of legitimate software?
I don't get it.
"Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue"
"Rootkit" is to geeks, what "terrorists" is to the common man.
--
BTW What's wrong with "/." today? Someone put in the wrong CSS file?
Given the way Norton will not uninstall without downloading a separate removal tool (and the fact they've known about this for five years but continue to ship versions that won't uninstall) I have zero confidence in Symantec having had good intentions with this.
I am trolling
I was getting directions to someplace the other day, the guy said the road there was paved with "good intentions". Damn, I can't remember the name of the place... think, think...
I may have missed something, but I saw nothing whatsoever in the article that sends information or provides external access without the user's knowledge.
Isn't that what a rootkit does - allow unauthorized access?
Of course, it's hiding a directory, but as mentioned by other posters, Symantec has never been very secretive about that, they just didn't come out and announce in big flashing red letters that they were creating a hidden directory. Not a lie at all, as was the case with Sony.
Now, apparently there are a few folks here that seem to consider Symantec only a couple notches away from M$ on the slimeball ladder, but the fact is they write software that attempts to protect computers (typically from the gifts M$ has bestowed on the world). Personally, I only use their antivirus SW, since Windows does just fine bogging the one machine I run it on without any unnecessary help. To date, I have had far fewer issues with Windows machines using Norton Antivirus than those without it. In fact, it seems to me Norton AV is as important for Windows machines as a network connection.
Not that this isn't something to be aware of, but at best this is a potential security hole, not a rootkit. While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files - or doesn't anyone remember the SULFNBK virus?
Not to take up for Symantec, but they do offer a free utility for removing all traces of their software. They have one for each piece of software as far as I know.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill
Ghost has saved my life so often that I seriously love that tool. Apart from that, you're right.
I just found out that Sygate has been acquired by Symantec and they discontinued the free for home use firewall.... Bummed!
Symantec has never even made anything, they just buy the competition.
Good thing the DHS is giving them a grant
Religion and politics, without the flame. godgab.org
I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.
Ghost, that is the only product of theirs I can think of that is even remotely worth getting. Even though the need to install it to make a boot disk seems a bit strange...
But if I ever have a need to image a disk I'd recommend Knoppix and use partimage if you have the capacity to read simple instructions and learn without pictures...otherwise I tell the lamaas to spend the $70 on Ghost (or whatever it is these days)
But Ghost is great if you have to roll out 20+ machines on a network, I've also used it to make a bootable CD that contains the image...but for someone that needs it once or twice, it's a waste of money
"Some things have to be believed to be seen." - Ralph Hodgson
Although you are an anonymous troll I think you are somewhat right:
The actual real (for the end user) problem I see for Windows, that other OSes do not have, is that you are required to install certain "security" software after installing the O.S. The software is, among others:
- Antivirus (like McAfee or Norton or AVG or Sophos)
- System security programs: kind of like Norton SystemWorks or SANDRA or Diskeeper
- Another browser (like firefox or opera)
The bad thing about that is not the number of software programs you have installed but the number of programs that must stay RESIDENT on RAM from the beginning.
That slows PC a lot, and it is something that (at least in my experience) you do not need to do when using Linux.
As an example, my current machine has the Sweepsrv.sys (Sophos AV) with 25,796 private Bytes. Then I have Firefox with 141,188 Bytes and on my laptop I have AVG free version and perfectdisk monitor.
Sure, I know how to disable all those things but that is one of the most common reasons why people have to reinstall Windows after several months.
On Linux you don't need a running antivirus so that memory (and processing time) can be used for something better. Oh, and it is also annoying that if you are moving large files, you have to wait after selecting and pressing CTRL+X to cut it and CTRL+V to paste it on another side because the antivirus is checking the file.
Ubuntu is an African word meaning 'I can't configure Debian'
I know they have that now, but they didn't at the time.
Worse, I don't trust Symantec to really remove their software. Why doesn't uninstall remove the software? Why do I need to uninstall then run "really uninstall" to really uninstall it?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
The current Ghost products are simply rebadged products they gained through their purchase of PowerQuest. Ghost was dying a slow drawn out death until this move. I was very bummed when I heard the news, since I respected PowerQuest and I'm familiar with Symantec's strategy of just buying out the competitors and then letting the new software acquisitions die a horrible death by not continuing to develop them. Look at WinFax - dead. Look at Act! - I think they sold it off after killing it through neglect. Look at pcAnywhere - going absolutely nowhere. Now they have Veritas in their pocket, and I have no doubt I'll be forced to use alternative products once Symantec have done their work with BackupExec. Oh, I'll also add that Norton Internet Security is the biggest load of horse crap I've ever seen. I can configure enterprise level firewalls and security products with ease, and yet I find NIS difficult to use, unintuitive, inconsistent, contradictory, a huge resource hog, and sometimes difficult to remove. I have a pet hate against it and I won't bother trying to help anyone using it unless they agree to uninstall it. Symantec sucks.
Non-issue. There are better things to hyperventilate about. Move on...
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Try Acronis True Image and leave the dark side behind entirely. ;-) It's definitely better than Ghost.
Entrepreneur : (noun), French for "unemployed"
Agreed. Acronis was the best alternative to PowerQuest when they were eaten by Symantec, and now in my opinion they're the ones at the forefront of disk imaging software.
Thanks! I WILL have to keep Acronis in mind, looks good and is cheaper (less expensive) than Symantec...now to teach people that brand names mean nothing :)
"Some things have to be believed to be seen." - Ralph Hodgson
Snip
---
Mikko Hypponen, director of anti-virus research at the F-Secure Corp., said his company's BlackLight Rootkit Elimination Technology also detected the NProtect directory, which was hidden from the Windows FindFirst/FindNext APIs.
---
So yes, it does hook windows functions
From the fine article:
"When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It's impossible to manage the security and health of that system if the owner is not in control."
Full control of the machine? As far as I know, in Windows you don't have full control of the machine.
I love Ghost too... it's a lifesaver. However it can get expensive if you need many copies. You should also consider using the (obviously free) linux partimage which can do the same things. In fact, it can make images of a greater variety of filesystem types (at least compared to the last version of Ghost I used). Even if you're running Windows boxes, you can still boot off of a Linux LiveCD, and use partimage to backup/restore partitions (in fact, there is a Linux LiveCD specifically optimized for rescuing your PC: System Rescue CD, which includes partimage).
...the norton recycle bin extension?
I know that nowadays Norton products are mostly crap with near-to-none options, and all non-basic functionality removed successively in every version, but this recycle bin extension comes from the good days and already saved my ass many times. (Every time I typed something like Ctrl-N, Ctrl-S, Enter, and overwrote my just finished huge file with an EMPTY file.)
The directory it used was not cloaked in any other way than setting it to "hidden". I don't know if that changed in very recent versions (haven't RTFA), but last time I used it (SystemWorks 2005) I could simply go into the directory and look what's inside it.
So maybe this is a common bug of virus scanners...
I even implemented something like this for my samba-shares. Sure someone will come up with the "well, maybe it's a PEBCAK"-argument. But don't tell me you never made such an error and then wished to have the data back?
Any sufficiently advanced intelligence is indistinguishable from stupidity.
That's great Symantec. But when are you going to fix this other flaw that affects RAR files?
Indeed, I'm puzzled why we haven't heard anything more about that problem beyond the initial report. It has been nearly three weeks.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
The symantec web site report on this states that it only affects 2005 and 2006, but I am running 2003 and it is also affected! The update fixes (supposedly) the issue. Nprotect can now be seen in the RECYCLED directory.
Info can be found here:
http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html
Another feature added to the already bloated Norton family of software. Is it just me, or is Norton making themselves more and more useless every time they release a new version of their software?
...of the computer by providing a safer "Recycle Bin" to protect their files better (e.g. more difficult to accidentally delete, or indeed for other software to delete). The Norton Recycle Bin also protects for example files deleted from a network share, which the standard Windows one doesn't (although this is a separate issue.)
Sony's rootkit offered no benefit to the user, only to Sony.
Disclaimer: I don't and wouldn't run Norton, it's a massive hog and really gets into the depths of your system, the point is just that their intention is not so bad here.
After spending days cleaning out obscure HEX GUIDs from the registry, it still didn't work. In the end my googling for the GUIDs they'd used unearthed a registry file that appeared to remove every Symantec entry from the registry that I'd found. More importantly, it had some additional obscure ones I would never have found. Things whose key values made me think WTF? This is my AV software?
Backed up the registry, ran the strange clean.reg I found on the net (what harm could it do... ;-) and all seems well now. Symantec stuff seems to install itself using techniques similar to a nail bomb.
When you install Symantec (works with McAfee too I've been told) just set the system clock forward a few years. If it installs in 2010, but then finds itself in 2006, it'll think you have a 4 year subscription. I did this when I was still in the 'give me free stuff script kiddie' mode a few years back. A friend of mine just did it and confirmed that it still works. I switched to Debian and haven't had a problem with ClamAV.
Silly Symantec, not getting a real date online.
I bought a new compaq a few months ago and removed Norton AV (so I believe) from it as I wanted to go as freeware as I could. I'm not a noob when it comes to PCs and the net, and it always annoys me when I read about how these security holes are going to open up your pc to all manners of naughty trojans and stuff.
Let's face it - 99% of these infections come from stupid users who don't have a firewall/av protection in the first place (a trojan still has to come in somehow and a good firewall and AV should be able to stop it/grab it as it comes in piggybacking on whatever). The same users are the people who click on any attachment in an email whether or not they trust the sender, visit porn websites or warez/mp3 sites, download Smilie Central type things because they look "cute", still use unpatched pcs and IE with no pop up blockers/spyware stoppers...well, you know the deal.
Christ alone only knows if I have this vulnerability, but you could drive yourself crazy worrying over every security hole that appears. Just use the net wisely and you should be fine.
The problem I'm having with finding a Linux backup tool (something like Ghost which makes nice convenient images and you just click to restore) is that none of them tend to support my RAID-0 (software) array. Would anyone know of a nice convenient way to back up a complete image for my array? I'm running 2 old HDDs linked together cause I'm too cheap to buy one big one and given the nature of RAID-0 I wouldn't mind something that could be clicky clicky fixed.
:)
I googled it up but all the apps didn't like my raid array maybe you guys know a way.
It's a Dual Pentium Pro 200MHz with 192mb EDO RAM running Debian Linux
Solosoft.org - Your Online Resource to Nothing
They have gaping holes in their firewall, so why not in more products?
Explanation: a fresh install of Windows XP on my father's machine, SP1 because that was the CD that came with the machine, then an install of the Norton firewall that also came with the purchase - firewall set on as paranoid as the settings allowed... plug in network, and bam! Instant infection. There aren't any settings in the stupid product for "block everything" or anything either, just security levels or whatever it was. In any case, highest whatever apparently still left ports open... impressive.
The reinstall was because their firewall and antivirus had already failed to protect the computer btw. Why anyone would use their products is way beyond comprehension. It's utter crap.
Spine World
It doesn't completely hide it from the user by subverting the Windows kernel like the Sony rootkit.
All it does is create a normal hidden directory on the root of every drive you have called 'RECYCLER' in which it places a copy of the recycling bin.
If you don't like that it hides the directory from you then just go to:
Tools --> Folder options --> 'View' tab --> and checkmark 'Display contents of system folders'
Uncheck 'Hide protected operating system files'
Select the radio button for 'Show hidden files and folders'
If this was a rootkit you would not be able to see it even after this.
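The Folder Options steps above only stop Explorer filtering out the HIDDEN/SYSTEM attributes; the F-Secure quote earlier in the thread describes the stronger case, a directory missing from the FindFirst/FindNext enumeration altogether. The following Python example is added here and is not from the article, Symantec or Sysinternals: it shows the cross-view check that tells the two apart, flagging a name that opens directly but is absent from the listing as cloaked. The cloaking layer in demo() is simulated, and the directory names are simply the ones the thread mentions.

```python
"""Cross-view check for cloaked directories (added example).

An attribute-hidden directory still appears when the enumeration API is
asked for everything; Explorer merely filters it.  A directory cloaked
from FindFirstFile/FindNextFile is missing from the enumeration even
though opening it by name still works.  That discrepancy is what a
RootkitRevealer-style tool reports.
"""
import os
import sys
import tempfile
from typing import Callable, Dict, Iterable, List

# Win32 attribute bits.  On non-Windows platforms os.stat has no
# st_file_attributes, and every entry is treated as plain.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def enumerate_names(parent: str) -> List[str]:
    """High-level view: what a directory listing reports.

    On Windows os.scandir is backed by FindFirstFileW/FindNextFileW,
    the API family the article says NProtect was hidden from.
    """
    with os.scandir(parent) as it:
        return [entry.name for entry in it]


def direct_probe(path: str) -> bool:
    """Low-level view: open the object by name, bypassing enumeration."""
    try:
        os.stat(path)
        return True
    except FileNotFoundError:
        return False
    except PermissionError:
        # Exists but is ACL-restricted (the System Volume Information
        # case from the thread): still present, so not absent.
        return True


def classify(parent: str, candidates: Iterable[str],
             lister: Callable[[str], List[str]] = enumerate_names,
             probe: Callable[[str], bool] = direct_probe) -> Dict[str, str]:
    """Classify each candidate name under parent as one of:

      'absent'      not found by either view
      'visible'     enumerated, no HIDDEN/SYSTEM attribute
      'attr_hidden' enumerated but HIDDEN or SYSTEM (Explorer filters it)
      'cloaked'     opens by name yet missing from the enumeration
    """
    listed = set(lister(parent))
    result: Dict[str, str] = {}
    for name in candidates:
        full = os.path.join(parent, name)
        if name in listed:
            try:
                attrs = getattr(os.stat(full), "st_file_attributes", 0)
            except OSError:
                attrs = 0
            hidden = attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
            result[name] = "attr_hidden" if hidden else "visible"
        elif probe(full):
            result[name] = "cloaked"
        else:
            result[name] = "absent"
    return result


def demo() -> Dict[str, str]:
    """Constructed scenario: two ordinary directories, one of which a
    stand-in cloaking layer strips from the listing."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("RECYCLER", "NProtect"):
            os.mkdir(os.path.join(root, name))

        def cloaking_lister(parent: str) -> List[str]:
            # Simulated enumeration hook: NProtect vanishes from the
            # list although the directory is still on disk.
            return [n for n in enumerate_names(parent) if n != "NProtect"]

        return classify(root, ["RECYCLER", "NProtect", "nothing_here"],
                        lister=cloaking_lister)


if __name__ == "__main__":
    print(demo())
    if sys.platform == "win32":
        # Real check against the drive-root names the thread discusses.
        print(classify("C:\\", ["RECYCLER", "RECYCLED", "NProtect",
                                "System Volume Information"]))
```
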
Are the applications you require unavailable? How will that situation ever get better if you ignore any advice involving alternate OSes? Do you enjoy living in denial?
What about it? http://www.symantec.com/avcenter/security/Content/2005.12.21b.html
... and some rootkits.
I've used this a lot lately when upgrading NAV, this is a removal tool which will nuke all traces of many Norton programs off a computer. Not as useful if you have, say, NAV and Ghost and just want to remove NAV, but if you only have NAV, this works for different versions. (As my family all uses NAV, but everyone always seems to have a different version, sticking this on my usb drive has been invaluable.)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=
The SymNRT.exe remover will remove ALL installs of:
* Norton AntiVirus 2004/2005/2006
* Norton AntiVirus Professional 2004
* Norton AntiVirus 3, 5 and 10 User Pack 2004/2005/2006
* Norton GoBack 3.1/3.5/3.6/4.0/4.1
* Norton SystemWorks 2004 Professional Edition
* Norton SystemWorks 2005/2006 Premier
* Norton SystemWorks 2004/2005/2006
* Norton SystemWorks 2006 Basic Edition
* Norton Password Manager 2004
* Norton Internet Security 2004/2005/2006
* Norton Internet Security 5 and 10 User Pack 2004/2005/2006
* Norton Internet Security 2005 AntiSpyware Edition 8.2
* Norton Personal Firewall 2004/2005/2006
* Norton AntiSpam 2004/2005
* Norton Ghost 2003/9.0/10.0
Exactly. I'm not too sure at which point their software became counterproductive trash, but lately on every system I've seen it on it seems to do more harm than good. I've lately seen a lot of XP computers with quite a lot of power and RAM which are slowed to an absolute crawl (as in, takes 5 minutes of thrashing to start IE), and the common thread is that they all seem to run Symantec anti-virus software. Now I'm not sure if it's because they're infested with malware and Symantec completely failed to offer any protection, or if actually Symantec itself is directly causing the problem with all its hooks into system functions, but at any rate I would never install that crap.
I don't know if there is a relationship or not, but when the company was known as Norton (for Peter Norton), they had good products. When they transitioned to Symantec they seemed to make whatever they touched worse.
Norton's utilities were great, tiny, fast little tools that did what you wanted in a predictable way. A must have in the DOS days, and even early Window days. As Symantec the tools seemed to get more and more bloated. Then some of the tools had to be bought separately, costing more money. They took over PC Anywhere at some point, and made the tool so large that it was all but impossible to load into some DOS based systems (with plenty of RAM) and still be able to run the rest of the system properly. They took over WinFax and took out some of the best features and seemed to make it more prone to failures.
It's a pattern of theirs. And a great disappointment. And why I, also, no longer buy or use anything from them. First thing I do on new equipment that has their software is uninstall it. Same thing I tell others.
62,400 repetitions make one truth -- Brave New World, Aldous Huxley
Hmmm, IS Dr. Russinovich absolutely right on this?
:(
I.E. -> YES, The mechanism for hiding the rootkit's files from detection are there because of how the folder is "hidden from view" from antivirus programs (specifically/only Symantec's, or is it others' too? I haven't read the article in its entirety yet, so I must ask here now (on lunchbreak & in a hurry))...
BUT, it's not a rootkit in & OF itself.
Now, something to think about, provided I am not 'off' here on the mechanisms employed (they're NOT quite the same here, but still imo, would possibly allow files of this type to escape detection by programs run under a current user's security context in memory, & even if a local system admin usergroup member, typically? They're not allowed access to the folder I mention next)...
So, to hide rootkit files (on disk, not in memory or by altering a key/critical system file/service memory image while loaded OR on disk prior to its loading/being called by the OS or other progs)... ??
Well - What about the "System Volume Information" folder on YOUR drives, that Windows itself makes & ONLY the "SYSTEM" userentity SID for your OS has rights to it, via NTFS & being hidden, by default!
(By default, iirc, not only is it hidden from view, but NTFS filesystem security ONLY allows the SYSTEM entity SID ingress/entry to that folder... wouldn't that ALSO be considered such a risk?)
* I hope not on that last account - because if it is, then MS is just as "guilty" as Symantec/Norton here!
APK
P.S.=> PLUS, I do NOT like giving the "Pro-Linux Penguins" here ammunition to shoot @ Microsoft with, period...
I see TOO MUCH of that here @ slashdot, but other than that, it's a GREAT website for news/info. on things computing & sciences...
HOWEVER, on the 'flip-side'?
That type of argument/controversy/conflict (Windows vs. Linux stuff)?
Heh, It's GREAT for the webmasters/owners here, because it gets them pageviews/hits! apk
"The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware..."
Is it just me, or does that sound like the Windows Registry?
I'd give my right arm to be ambidextrous.
Go get Rootkit Revealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html). That's the one that was used to find this rootkit and the Sony one. The guy who writes it, Mark Russinovich, is quite good at this kind of thing. HE wrote the book, literally, on Windows (Windows Internals).
EDIT OF MY FIRST REPLY (quoted above dotted line below for quick-reference), WITH ADDED POINTS (after reading the article) BELOW THE DOTTED LINE BELOW:
:(
"Hmmm, IS Dr. Russinovich absolutely right on this?
I.E. -> YES, The mechanism for hiding the rootkit's files from detection are there because of how the folder is "hidden from view" from antivirus programs (specifically/only Symantec's, or is it others' too? I haven't read the article in its entirety yet, so I must ask here now (on lunchbreak & in a hurry))...
BUT, it's not a rootkit in & OF itself.
Now, something to think about, provided I am not 'off' here on the mechanisms employed (they're NOT the same here from this idea of mine vs. what M.R. of SysInternals found & used as his bloodhound/detection technique flag to look for, but still imo, would possibly allow files of this type to escape detection by programs run under a current user's security context in memory, & even if a local system admin usergroup member, typically? They're not allowed access to the folder I mention next)...
So, to hide rootkit files (on disk, not in memory or by altering a key/critical system file/service memory image while loaded OR on disk prior to its loading/being called by the OS or other progs)... ??
Well - What about the "System Volume Information" folder on YOUR drives, that Windows itself makes & ONLY the "SYSTEM" userentity SID for your OS has rights to it, via NTFS & being hidden, by default!
(By default, iirc, not only is it hidden from view, but NTFS filesystem security ONLY allows the SYSTEM entity SID ingress/entry to that folder... wouldn't that ALSO be considered such a risk?)
* I hope not on that last account - because if it is, then MS is just as "guilty" as Symantec/Norton here!
APK
P.S.=> PLUS, I do NOT like giving the "Pro-Linux Penguins" here ammunition to shoot @ Microsoft with, period...
I see TOO MUCH of that here @ slashdot, but other than that, it's a GREAT website for news/info. on things computing & sciences...
HOWEVER, on the 'flip-side'?
That type of argument/controversy/conflict (Windows vs. Linux stuff)?
Heh, It's GREAT for the webmasters/owners here, because it gets them pageviews/hits! apk" - by Anonymous Coward on Thursday January 12, @01:03PM
==========
ADDENDUM TO THE ABOVE (my original post reply to this topic):
I see I was a 'bit off' on how it's hidden from the Win32 API & thus, ALL programs that leverage it (& not the NtNative API which operates console mode apps @ system bootstrap for instance & iirc, but if you put a rootkit to work on programs that run here, to 'instance' your rootkit/virus/malware to me, this = problem - the patching of OS system files for instance, or other often called dlls/libs or .exe files in Win32, once into the Explorer shell, could be done IN REALMODE/BOOTSTRAP EXECUTION TIME imo)!
They hide their folder, not via other mechanisms I mention above (NTFS rights/security) for the folder I mention above but via hiding from the Win32 API...
Also - AND, & how the Norton Protected Recycle Bin works, I was aware of but never thought of it as Mark Russinovich did - very GOOD on his part imo!
(Plus, iirc, as an "added note" on that account & how NProtect works? IIRC, Execsoft's Undelete/Recovery Bin works the same way also!)
However, please - DON'T QUOTE ME ON IT (again, I'm in a hurry here @ home from work on lunch replying now, & did a bit more reading from the article ala "RTFA")!
Anyhow!
Comments appreciated on my noting how "system volume information" folder works & is by default, a way of hiding rootkit files possibly also - since ONLY the SYSTEM entity SID (iirc) has rights to that folder on the root of ANY NTFS FORMATTED DISK you have, by default!
Could it also be used in that capacity, albeit via diff. means (NTFS security defaults)?
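The post above asks whether an NTFS folder that only SYSTEM can enter is the same kind of risk as Symantec's cloaked directory. As an added example (not from the thread, and not Symantec's or Microsoft's code), the script below checks each fixed drive for "System Volume Information" two ways: by an ordinary Win32 directory enumeration, and by name, and then prints the DACL principals that icacls.exe reports. It assumes PowerShell 3 or later and icacls.exe (Vista and later), and it is meant to be run from an elevated prompt; on some systems even an administrator cannot read the folder's DACL, and the script reports that rather than failing. The point it makes is that an ACL-protected folder still shows up in the listing, whereas the NProtect directory was filtered out of the listing itself, so nothing that depends on enumeration would ever get as far as reading its ACL.

```powershell
# Added example: ACL-protected vs. cloaked. "System Volume Information" is
# created by Windows at the root of every NTFS volume and its DACL normally
# grants access to SYSTEM only. It is *not* hidden from the Win32 API: an
# enumeration that includes hidden/system entries (-Force) still returns it.
# A directory filtered out of the enumeration (the NProtect case) would never
# reach the ACL inspection below. Run from an elevated prompt; assumes
# icacls.exe exists (Vista and later) and PowerShell 3+.

function Test-SviVisibility {
    param([string]$Root)   # e.g. 'C:\'

    $svi = Join-Path $Root 'System Volume Information'

    # View 1: ordinary Win32 enumeration (what Explorer, dir and most AV engines use).
    $listed = @(Get-ChildItem -LiteralPath $Root -Force -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'System Volume Information' }).Count -gt 0

    # View 2: attribute query by name; needs list permission on the parent, not the folder.
    $exists = Test-Path -LiteralPath $svi -PathType Container

    # View 3: the DACL as printed by icacls; a non-zero exit code means it could not be read.
    $aclLines = & icacls.exe $svi 2>&1
    $aclOk    = ($LASTEXITCODE -eq 0)
    $principals = @()
    if ($aclOk) {
        # icacls prints one ACE per line as "<principal>:(<rights>)"; the first line is
        # prefixed with the path, the remaining ones are indented. Strip the path, keep the principal.
        $principals = @($aclLines | ForEach-Object {
            $line = ("$_" -replace [regex]::Escape($svi), '')
            if ($line -match '^\s*(\S.*?):\(') { $Matches[1].Trim() }
        } | Sort-Object -Unique)
    }

    [pscustomobject]@{
        Root            = $Root
        SeenByWin32Enum = $listed          # $true on a normal system: protected, but not cloaked
        ExistsByName    = $exists
        AclReadable     = $aclOk
        Principals      = ($principals -join ', ')
        SystemOnly      = ($principals.Count -eq 1 -and $principals[0] -match 'SYSTEM$')
    }
}

Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Za-z]:\\$' } |
    ForEach-Object { Test-SviVisibility -Root $_.Root } |
    Format-Table -AutoSize
```

If SeenByWin32Enum is true and the principal list is just SYSTEM, the folder is access-controlled, not hidden: any scanner running as SYSTEM can walk into it, and an administrator can take ownership and grant himself access. A cross-view detector like RootkitRevealer is looking for the other case, an entry that a lower-level view returns but the Win32 enumeration does not.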
NTFS is great, but
Norton Protected Recycle Bin has always been a service that could be accessed by the owner of the machine. It's turned on by default, however it can be turned off with ease. I always turn it off as it's a memory hog. If I delete something it's because I want the god damned thing deleted. I don't want Microsoft, Symantec, State and Federal government or myself to bring the bitch back to life.
Why does Symantec require you to go download their 'real' uninstaller? Why doesn't the uninstaller do a full uninstall?
This is clearly not an accident. They obviously have the 'technology' to do a full uninstall. And yet they choose leave their refuse all over your computer.
What's their goal in making it hard to remove their crap?
passetspike!
I would recommend you actually READ your links.
From your linked page: Symantec Response Symantec is currently building, testing and distributing product updates for all supported affected products.
Their suggested workaround? Don't scan RAR files for viruses. Awesome!
Tsk tsk. Who modded itninja's post? Offtopic? Hmmmm...Symantec employee perhaps?
When the author comments that Symantec's intentions were honorable, he's making a statement that may or may not be true. He's trusting Symantec to not have intended to go beyond what he has detected.
This can only be trusted to be a true statement to the extent that you trust Symantec (and the author, of course). I remember a time when I was comfortable trusting not only their intentions, but also their skills and software. Then they totally destroyed a system of mine. Twice, separated by months. And it was basically unrecoverable, though many text files were recoverable. Well, it wasn't too important a system, I only used it for game playing. But it did lead me to be more skeptical about their technical skills. That, somehow, also led to my being more skeptical about their honesty...partially because they never did admit that their software had caused the problem.
Well, someone was probably playing CYA while claiming to represent the company. There's no real evidence that the company as a whole is intentionally evil. But this does markedly decrease the amount of trust that I have in any action claimed to be an action of the company. That definitely includes hidden directories (though there's nothing particularly strange about hiding a directory...but not uninstalling it on request is something a bit beyond the average hidden directory).
It finally all comes down to trust. Do you trust that Symantec is being honest with you?
I think we've pushed this "anyone can grow up to be president" thing too far.
Anyone reading this site ought to be technical enough to be able to learn how to secure their system and understand the importance of practicing safe computing. I know that Windows doesn't need AV software and security monitoring software, and using IE all the time is fine, because that's how I run, and I've never caught anything. Norton et al are for people who don't know and don't want to know about security, who cannot resist anything offered to be installed to them for free, and who already have their machines so bogged down with and unstable from things like AOL software, consumer-grade HP printer drivers, etc., that they'd hardly notice the extra load.
Attention zealots and haters: 00100 00100
"It's a pattern of theirs. And a great disappointment. And why I, also, no longer buy or use anything from them. First thing I do on new equipment that has their software is uninstall it. Same thing I tell others."
:-)
The first thing I do, on new equipment that Norton software installed, is send it back for not following my instructions
Grogan
Bill? Is that you?
Ah, the good old ostrich argument. Proven wrong many a time.
"Up my ass! Help, quick! apk" - by Anonymous Coward on Thursday January 12, @03:07PM
:)
Well, as you see, judging from your being 'modded down' with that rude reply and pretending to be me posting?
YOU GOT YOURS FOR THAT!
(The mods doubtless can see your IP Address & such, so they KNOW it wasn't me posting that garbage... thus, you got your mod-down!)
*
(Above all - Man, if you don't have anything useful to say about my hypothesis/theory up there, then don't say anything @ all... how about that, ok?)
Sheesh...
APK
And if you look at the table of affected products, you will see on the right-hand side a column called "Update To" that lists the version of the product that you can update to to fix the issue. So maybe it is you who should read.
I ran into the Norton thing a few years ago. It was annoying. Took awhile to get rid of that folder.
*It's not what you can do for the Dark Side but what the Dark Side can do for you!*
Makes about as much sense as clicking "Yes, dammit, I'm sure!" when you want to delete this file, then it doesn't delete it, it sends it to the recycle bin so you have to chase it there and re-delete it and answer "Yes, dammit, I'm sure!" again, doesn't it?
No, people, this is not Flamebait that our good friend anonymous posted. Look past your precious pride for a minute: he is telling you that you have a right to demand BETTER for yourselves! Of course, so have a gazillion others...
*sigh* I don't wanna do this anymore: I'm bored.
Indeed you are correct. My blood sugar must be low or something. I'm being a real dick today.
And pray tell me where I can buy this "cloaking device"?
I need one for my starfighter
I've never much liked icecream, and this just adds more leaves to the tree.
C'mon then --- where's my "Insightful" mod??!?
How is that an ostrich argument? I do much the same as GP, with the exception of the ZoneAlarm firewall (love it, never going back to MS' built-in firewall), and I use Firefox not because it's safer -- the extra security's a nice bonus -- but because, IMO, it's simply much better than IE in terms of functionality and reliability. I don't run AV software because, as mostly everyone here knows, it bogs the system down to being nearly useless for anything beyond surfing and email (I play and program 3D games as hobbies, which AV software makes a frustrating experience). I don't catch spyware or viruses because, quite simply, I don't click every Shiny Widget(tm) that flashes before me. I've had this XP installation for nearly two years, and it's never been hosed. Yes, I download a lot of stuff (new LPB!), I simply think before I click.
Disclaimer: I'm not a MS apologist, I use Windows because that's where my apps of choice are at, and I'm familiar with XP so there's no learning curve for me. I have nothing against OSS (hello? Firefox?), nor any non-MS OS -- that's simply a matter of preference. I'm just saying that the OS is not (entirely) to blame when someone catches a new virus every five minutes; clearly, the user is doing something very wrong.
Just my two cents.
Heh, my "confirm you're not a script" image is "sanity."
...and my last X-Bender header was "Aw, this bends!". Why the hell do people feel the need to share these things?
This uninstaller probably deletes anything they know are related to them, whereas an Uninstaller for Symantec Product A would be careful enough to leave some things installed so that Symantec Product B doesn't get broken, in case you have Product B installed.
:)
That's what you call dependency hell.
What time is it/will be over there? Check with my iPhone app!
I'm just saying that the OS is not (entirely) to blame when someone catches a new virus every five minutes; clearly, the user is doing something very wrong.
The truth is, Microsoft Windows XP is responsible. First, Microsoft WinXP lets their users run with Administrator privileges, meaning that they, or any program they run (remember this) can corrupt the operating system.
Now, some people MAY run windows with non-administrator privileges but from my experience, you can not do too much without it.
Besides for that, because (I told you to remember) the user is running Internet Explorer as ADMINISTRATOR, it means any exploit makes the whole computer vulnerable (in contrast with say... FreeBSD where only the current user home gets compromised).
Now, you can tell me you do not "click" on untrusted links but if you know the WMF vulnerability or about the Jpeg buffer overrun, you just have to SEE the images (like... an ad on one of your so trusted pages) or open an email (or the preview in gmail) to be vulnerable.
And there is where the difference between a "secure by design" operating system and a "not secure by design" one lies: in FreeBSD the attacker could at most take control of the user's ~/ data while on Microsoft Windows the attacker has control over all your computer.
So, that is why Antivirus, anti-malware, etc etc are there on Microsoft Windows.
Ubuntu is an African word meaning 'I can't configure Debian'
"I have to let users run on a machine Administrator level to run half of their software"
Sorry, that's not dominion, that's life. They will use the computer, and there are too many common applications that will not run correctly when the account is only running with user privileges. Palm, I'm giving you a particularly nasty look.
Meanwhile, learn to use capitalization, punctuation, complete sentences, and actual words. Your writing style screams "I'm a 14 year old loser".
content over style
I'd rather sound 14 than sound like someone who can't tick 'run with different credentials' on a few of his wife's desktop icons.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Secondary credentials are not the cure-all for this problem. Need I list all the posts describing why this is a poor hack? Plus, and this is the best flaw of all, the File/Open and File/Save dialogs in that application then run at the Administrator privilege, so that the 'protected' files can still be 'accidentally' deleted.
But thank you for that invaluable -- meaning, in this case, worthless -- advice.
Content over style. More like vacuousness in combination with ineptitude.
like I said
quit yer bitching
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Slick, you replied to your own post to write quit your bitching. Does that mean that you intend to take your own advice?
I don't see how it applies to me. The entire point of the original post was that the NProtect feature was flawed, but served a useful purpose. This was not bitching. Notably, you have yet to suggest anything that approaches the usefulness of the NProtect feature that was removed to solve this rather common problem.
You're right about the admin privileges, of course. It is damn near impossible to get any real work done in XP without admin or power user privs. However, 3rd-party software developers are (mostly) to blame for that sorry state. There are many, many rants all over /. about top-tier games (among many other apps) from major publishers that simply will not even install without admin rights, and that practice will only continue to make limited/restricted user access on XP all but pointless. While Microsoft have failed miserably to discourage this practice on the part of 3rd-party devs, those 3rd-party devs must also be held accountable for their software's requirements.
Of course IE is a gigantic security hole that should never have been tied into the OS itself. I never suggested otherwise. That is 100% Microsoft's fault. No argument there. (My recommendation to those who seem to get a lot of viruses is, as always, "use Firefox".)
Having said that...
The truth is, Microsoft Windows XP is responsible.
Again, not entirely. That's like saying that every time there's an automobile accident, it's the car's fault. Clearly that's not true. Barring a malfunction or defect causing the crash, it is a fault of one of the drivers involved. It's the responsibility of all drivers to keep their cars on the road, in the proper lane, and avoid collisions, and generally use common sense. If there's a defect in my car's electrical system that makes the car prone to catching fire, that's the manufacturer's fault. If I'm fiddling with the stereo while yapping on my cell and subsequently wrap my car around a phone pole or collide with another vehicle, that's MY fault.
sigh. This argument gets old, so I'll sum it up by saying that not everyone places the security of their home PC at the very top of their priorities list. (Oh no, shocking!) There are no 'classified secrets' on my system, nor data that must be 'locked-down'. I have unneeded system services disabled, email auto-preview disabled, and a few other small but very helpful measures taken. Sure, it's not bullet-proof, but it doesn't need to be, not for playing games, writing fiction, and doing the occasional hobbyist programming. Personally, I'll take my chances, if only because it's the OS I'm familiar with, not that it's necessarily the best -- I just know how to make a few tweaks to tighten up the leaks and avoid most major (non-hardware) problems.
Again, just my two cents, and your mileage may certainly vary.
According to the page you linked to (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606) the "removal" tool, rnav2003.exe does not remove everything:
"Rnav2003.exe does not remove the following items:
* The files or registry keys for the virus definitions
* Subscription information
* Entries in Windows Scheduled Tasks
* Other shared files"
Go through the manual removal instructions on that page to remove what rnav2003.exe does not get.
Also, if you want to "[r]emove Norton AntiVirus 2005/2004 installed as a stand-alone product or as a part of Norton SystemWorks 2005/2004 or Norton Internet Security 2005/2004" "[f]ollow the instructions in [r]emoving your Norton program using SymNRT to remove these program versions":
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
There, you will also find a .reg file to clean out your registry.
In addition to the .reg file in the above link, perhaps their most useful removal instructions can be found here:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2004110113064039
Among several things, they link to Microsoft's Windows Installer CleanUp utility (http://support.microsoft.com/default.aspx?scid=kb;en-us;290301) which is extremely helpful in removing programs that used the Microsoft Windows Installer.
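The post above lists what rnav2003.exe leaves behind (definition files and registry keys, subscription data, scheduled tasks, shared files) and points at manual instructions for the rest. As an added example, not from the thread and not one of Symantec's tools, the script below audits the places where those leftovers show up after a vendor uninstaller has run: Add/Remove Programs entries, services and kernel drivers (a filter driver is how the NProtect directory was hidden), scheduled tasks, and the usual install and data directories. The name pattern and the set of locations searched are this example's own assumptions, not Symantec's documented key list; it assumes PowerShell 3 or later, schtasks.exe, and an elevated prompt.

```powershell
# Added example: audit what a vendor uninstaller left behind. The checklist
# is the one in the post above (definition files/registry keys, subscription
# data, scheduled tasks, shared files); the locations searched and the name
# pattern below are this example's assumptions, not a documented key list.
# Assumes PowerShell 3+ (Get-CimInstance), schtasks.exe, and an elevated prompt.

function Find-VendorLeftovers {
    param([string]$Pattern = 'Symantec|Norton|NProtect|SymNRT')   # assumed vendor name pattern

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit([string]$Kind, [string]$Name, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
    }

    # 1. Add/Remove Programs entries (native hive and the 32-bit-on-64-bit hive).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ("$($p.DisplayName) $($p.Publisher)" -match $Pattern) {
                Add-Hit 'UninstallEntry' $p.DisplayName $_.PSPath
            }
        }
    }

    # 2. Services and kernel drivers still registered. A leftover filter driver is the
    #    part that matters most, since that is what did the hiding.
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
        ForEach-Object { Add-Hit 'Service' $_.Name "$($_.State); $($_.PathName)" }
    Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.DisplayName) $($_.PathName)" -match $Pattern } |
        ForEach-Object { Add-Hit 'Driver' $_.Name "$($_.State); $($_.PathName)" }

    # 3. Scheduled tasks. schtasks.exe exists back to XP; verbose CSV output carries the
    #    command line in the "Task To Run" column. Repeated header rows never match the pattern.
    & schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { "$($_.TaskName) $($_.'Task To Run')" -match $Pattern } |
        ForEach-Object { Add-Hit 'ScheduledTask' $_.TaskName $_.'Task To Run' }

    # 4. Leftover directories in the usual install/data locations (XP-era path included).
    $dirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
              (Join-Path $env:SystemDrive 'Documents and Settings\All Users\Application Data')) |
            Where-Object { $_ -and (Test-Path -LiteralPath $_) }
    foreach ($d in $dirs) {
        Get-ChildItem -LiteralPath $d -Force -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $Pattern } |
            ForEach-Object { Add-Hit 'Directory' $_.Name $_.FullName }
    }

    $hits
}

Find-VendorLeftovers | Sort-Object Kind, Name | Format-Table -AutoSize
```

Run it before and after the vendor's removal tool and diff the two outputs; anything that survives in the Driver or Service rows is worth looking at first, because a driver that is still registered and starting at boot is still in a position to filter what every user-mode scanner sees.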