Slashdot Mirror


Rootkit-like Feature Found in Norton Systemworks

GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."

23 of 221 comments

  1. Re:Uninstall vulnerable? by jim_v2000 · Score: 3, Informative

    If you're using any product other than Norton SystemWorks, you're fine.

    --
    Don't take life so seriously. No one makes it out alive.
  2. Re:Before the flame wars start... by jim_v2000 · Score: 3, Informative

    > Symantec is releasing a new version without the protected recycle bin

    Correction: they are releasing an update via LiveUpdate that will remove the cloak from the protected recycle bin folder. The protected recycle bin will still be there. So once you run LiveUpdate, you're fixed.

    --
    Don't take life so seriously. No one makes it out alive.
  3. Re:Uninstall vulnerable? by toleraen · Score: 5, Informative

    For those of us who dislike reading TFA, we'd never find out about the free utility linked in TFA to check if the rootkit is there.

  4. No. by thepotoo · Score: 2, Informative

    From what I can tell, if you uninstall it, you lose the system protected recycle bin (designed to prevent you from deleting your pr0n; actually it provides a hidden place for viruses to hide). Therefore, you're safe.
    If you are still paranoid, reinstall it and run the update patch which fixes it.
    Or, check out BlackLight Rootkit Elimination Technology, which is supposed to eliminate (or at least detect) the rootkit.

    --
    Obligatory Soundbite Catchphrase
    1. Re:No. by Spad · Score: 2, Informative

      Certainly on older versions of Systemworks this isn't the case. My housemate came to me after being unable to account for 8Gb of used hard disk space; after much investigation it turned out that that 8Gb consisted of files that had been in the Norton Protected Recycle Bin when he uninstalled it, and they were still there. In the end I had to use a DOS bootdisk to delete the folder structure and free up the space.

  5. Re:Rootkits by jim_v2000 · Score: 2, Informative

    The article talks about Norton SystemWorks. Which if you ran LiveUpdate on already, you're fixed. This has nothing to do with Norton Antivirus.

    --
    Don't take life so seriously. No one makes it out alive.
  6. Re:Deleting files by l2718 · Score: 2, Informative

    Symantec's "NProtect" is a service similar to the recycle bin: when you delete a file, it is moved to a special directory and its metadata is preserved. This allows for easy undelete. As with any internal state of a program, users mucking about in the special directory could cause problems (e.g. what should you do if the user deletes a file from the NProtect directory?). This has nothing to do with "root" privileges.

  7. Not a Surprise by u16084 · Score: 2, Informative

    Maybe slightly off topic, but I'll speak my mind anyway. Systemworks is very dangerous; for those that have observed how it actually installs onto a system, it's a scary sight, a VERY tight integration with the OS. If a "user" rm's one of these "files", without a doubt the computer will suffer. Their intentions were good to "protect" the files, since many users who install "Systemworks" have no clue anyway. A patch was issued (not ignored); Sony should learn from its mistakes.

    --
    -- I Dont Deserve A Sig I Have Bad Karma
  8. Not quite the same... by drakewyrm · Score: 5, Informative

    The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.

    Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.

    Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue.

    --
    Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action
  9. Re:Uninstall vulnerable? clarification by toleraen · Score: 2, Informative

    Ahhh - well I can sympathize with you in that case! While a straight answer would have been better, the tool that's linked in the article is very very simple to run. You hit download, open it to install, accept the EULA, and hit scan. The window is simple and well laid out, tells you if you found anything, hit next if it did, and hit exit. Should be pretty easy to walk anyone through (a lot easier than stuff like a virus scan or spyware scan).

  10. Re:Uninstalling Norton can be very time consuming by darkitecture · Score: 2, Informative

    I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work. So, I had to go to this link [symantec.com] and do it manually....talk about a pain in the #*$%.

    I have to admit that manually removing Norton is always a pain in the ass, but Norton has provided a total removal tool for years. Before, it was called Rnav2003 and was available for free download on their website. Newer versions of Norton require SymNRT, which is also available free on their website:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=bar_sch_nam&docid=2004093015165236&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

    It works like a charm and means you don't have to sit there manually removing Norton for two hours, secretly and silently wanting to find a pencil, sharpen it and shove it in your eye.

  11. Re:Article doesn't say enough... by Anonymous Coward · Score: 1, Informative

    I did not dig the web to know if this is related, but I once discovered that you cannot create a folder named "con" in any folder under Windows 2000 (and maybe XP too; I don't use it, don't remember).
    At least it is something weird, and it can give a headache to anyone trying to do some automatic folder creation based on some rules (for mail management, for example), and that would in some cases (someone named con, in my example) cause an abnormal behavior of the system that would be pretty difficult to diagnose. One could even blame some software for the problem while it is only MS's fault for doing that.
    Now that I think about it, maybe it is the real reason why they bloated Exchange with a database, because the folder creation for accounts would have been bugged by design in the OS...

  12. Re:Before the flame wars start... by QuestorTapes · Score: 4, Informative

    > Lets get one thing clear.
    > This is not the Sony rootkit. It's just a directory that's not scanned
    > by antivirus/antispyware.

    Let's be completely clear. It appears to be more than "a directory that's not scanned by antivirus/antispyware".

    It's a directory that is cloaked from the administrator. It's not merely bypassed by the antivirus and antispyware utilities; it is hidden from anything that uses the Windows FindFirst/FindNext APIs to view and scan files and folders.

    It -potentially- opens a bigger security hole than merely software that hides from antivirus. It can hide from other tools as well. But it is different from the Sony Rootkit; it doesn't open up ridiculous holes. It seems most likely that this was a case of reusing code without understanding the security implications.

    > And, now that it's potential vulnerability has been exposed, Symantec
    > is releasing a new version without the protected recycle bin.
    > In other words, too bad they had to have their wrists slapped to fix
    > it, but there was no malicious attempt.

    And, equally importantly, they didn't need to be dragged kicking and screaming, with the threat of lawsuits, into remediating the problem. That makes it a much smaller story.
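The cloak described above hides the directory from FindFirst/FindNext enumeration but not from a direct open by path. The following is an added example, not the checker tool linked from the article or any Symantec code: a cross-view check that reports names which a direct path lookup finds but the directory listing omits. The RECYCLED/RECYCLER and NPROTECT paths are assumptions taken from the comments on this page, and `list_dir` is injectable so the logic can be exercised without a real cloak.

```python
import os
from typing import Callable, Dict, Iterable, List


def find_cloaked_entries(base: str, candidates: Iterable[str],
                         list_dir: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """Cross-view check: names reachable by direct path but absent from the listing.

    On Windows, os.listdir enumerates with FindFirstFile/FindNextFile (the calls
    the comment above says are filtered), while os.path.exists stats the full
    path through a separate call. A candidate that exists on disk but is missing
    from the enumeration is being cloaked from directory listings.
    """
    try:
        # Listing is compared case-insensitively, as Windows names are.
        visible = {n.lower() for n in list_dir(base)}
    except OSError:
        return []  # base not readable or absent: nothing to compare
    cloaked = []
    for name in candidates:
        if os.path.exists(os.path.join(base, name)) and name.lower() not in visible:
            cloaked.append(name)
    return cloaked


def scan_recycle_bins(drives: Iterable[str] = ("C:\\",),
                      names: Iterable[str] = ("NPROTECT",)) -> Dict[str, List[str]]:
    """Run the check on the recycle-bin folders of each drive.

    Folder and entry names are assumptions based on this thread (NProtect lives
    under RECYCLED per comment 19); adjust them for the product version at hand.
    Returns {folder: [cloaked names]} for folders where something was hidden.
    """
    hits: Dict[str, List[str]] = {}
    for drive in drives:
        for bin_dir in ("RECYCLED", "RECYCLER"):
            base = os.path.join(drive, bin_dir)
            if os.path.isdir(base):
                found = find_cloaked_entries(base, names)
                if found:
                    hits[base] = found
    return hits


if __name__ == "__main__":
    print(scan_recycle_bins() or "no cloaked entries found")
```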

  13. Re:Before the flame wars start... by Feyr · Score: 4, Informative

    it does way more than slow the machine to a crawl. it prevents it from working properly.

    working for an ISP, we get a surprising number of users that can connect to the net (as in, the modem dials), but nothing works, no web, no email, nothing. everything checks out, configs are fine and all.

    but they have norton antivirus with their crap security. the configs to that seem fine. as soon as you uninstall that crap, everything works.

    do your users a favor, have them install AVG (www.grisoft.com)

  14. Re:It's hard to uninstall Symantec software by NVP_Radical_Dreamer · Score: 5, Informative

    Not to take up for symantec, but they do offer a free utility for removing all traces of their software. They have one for each piece of software as far as I know.

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

    --
    The best argument against democracy is a five-minute conversation with the average voter.

    - Winston Churchill
  15. Re:steps by Shawn+is+an+Asshole · Score: 2, Informative

    Don't forget about BitDefender. It has a free on-demand scanner, and I've found it to be excellent. I gave it a try this weekend on a few computers heavily infested with spyware and viruses and it found and removed things that Spybot, Ad-Aware, Microsoft AntiSpyware, AVG Free, F-Prot, and ClamWin didn't. I'm definitely going to be using this more often.

    --
    "It ain't a war against drugs. It's a war against personal freedom" --Bill Hicks
  16. Re:Article doesn't say enough... by vadim_t · Score: 2, Informative

    It's another device name. "CON" stands for "console".

    For instance, open cmd.exe, and type:

    copy con test.txt
    (type some text, then press ^Z, i.e. Ctrl+Z)

    This is the DOS/Windows equivalent to cat > test.txt. Reading from CON reads from the standard input, writing writes to the standard output.

  17. Re:Why is this a "rootkit"? by 99BottlesOfBeerInMyF · Score: 4, Informative

    Isn't that what a rootkit does - allow unauthorized access?

    The terminology being used is confusing to many people. In common parlance a rootkit is a general purpose setup to compromise a system and hide all evidence of that compromise. Usually this includes a "kernel" patch that hides the offending files and in some cases network traffic. Symantec is patching the "kernel" to hide files, and doing so is wholly unnecessary. My guess is they were not concerned about users so much as malware/worms that would automatically cripple their program. The side effect of this is that worms can actually exploit this to hide themselves. It seems like a risky and invasive attempt at security through obscurity.

    A big part of the problem is that they are trying to secure an inherently insecure system, without having access to the source code. Windows users are generally admin (since Windows is pretty unusable as a regular user) and local privilege escalations are common and trivial. I don't think MS even tries to fix them anymore. As a result Symantec is basically in an arms race on even footing with malware authors.

    While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files...

    That is part of the danger of using Windows. Clueless users have unfettered access to delete vital parts of the system and rightly believe worms and viruses can easily infect their poorly secured machines. Still, Symantec should have known this was unworkable in the long term and would result in a persistent liability.

  18. Re:It's hard to uninstall Symantec software by XorNand · Score: 1, Informative

    Try Acronis True Image and leave the dark side behind entirely. ;-) It's definitely better than Ghost.

    --
    Entrepreneur : (noun), French for "unemployed"
  19. Just to note by Anonymous Coward · Score: 2, Informative

    The symantec web site report on this states that it only affects 2005 and 2006, but I am running 2003 and it is also affected! The update fixes (supposedly) the issue. Nprotect can now be seen in the RECYCLED directory.

    Info can be found here:

    http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html

  20. Re:Grant money well spent (not) by catahoula10 · Score: 2, Informative

    NAV also has a "trusted application list" that will update when the 'live update' feature is run. Yet I cannot find this list, or a way to edit it. There is also no choice in accepting or declining the list. It comes along with virus def updates. Only after the defs are downloaded can you see that the "trusted application list" has been updated also.

    Maybe, just maybe, there are applications on that list that I do not choose to trust. Maybe I want to trust all of them. I would like to have that choice.

    Or maybe I simply do not understand what a "trusted application list" is. This feature should be made more clear.

    --
    This has been another valuable and informative opinion from:
    Catahoula!
  21. Symantec's Norton Removal Tool by Rodness · Score: 2, Informative

    I've used this a lot lately when upgrading NAV; this is a removal tool which will nuke all traces of many Norton programs off a computer. Not as useful if you have, say, NAV and Ghost and just want to remove NAV, but if you only have NAV, this works for different versions. (As my family all uses NAV, but everyone always seems to have a different version, sticking this on my usb drive has been invaluable.)

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=

    The SymNRT.exe remover will remove ALL installs of:
            * Norton AntiVirus 2004/2005/2006
            * Norton AntiVirus Professional 2004
            * Norton AntiVirus 3, 5 and 10 User Pack 2004/2005/2006
            * Norton GoBack 3.1/3.5/3.6/4.0/4.1
            * Norton SystemWorks 2004 Professional Edition
            * Norton SystemWorks 2005/2006 Premier
            * Norton SystemWorks 2004/2005/2006
            * Norton SystemWorks 2006 Basic Edition
            * Norton Password Manager 2004
            * Norton Internet Security 2004/2005/2006
            * Norton Internet Security 5 and 10 User Pack 2004/2005/2006
            * Norton Internet Security 2005 AntiSpyware Edition 8.2
            * Norton Personal Firewall 2004/2005/2006
            * Norton AntiSpam 2004/2005
            * Norton Ghost 2003/9.0/10.0

  22. Re:Before the flame wars start... by Lehk228 · Score: 2, Informative

    index.dat caches the contents of a folder and icon previews for previewed files such as video and image files. index.dat is what makes it possible to open huge folders full of media files without a horrendous wait *every* time you open the folder.

    --
    Snowden and Manning are heroes.