Slashdot Mirror


Rootkit-like Feature Found in Norton Systemworks

GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."

6 of 221 comments

  1. Re:Uninstall vulnerable? by toleraen · Score: 5, Informative

    For those of us who dislike reading TFA, we'd never find out about the free utility linked in TFA to check if the rootkit is there.

  2. Not quite the same... by drakewyrm · Score: 5, Informative

    The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.

    Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.

    Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue.

    --
    Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action.

  3. Re:Before the flame wars start... by QuestorTapes · Score: 4, Informative

    > Lets get one thing clear.
    > This is not the Sony rootkit. It's just a directory that's not scanned
    > by antivirus/antispyware.

    Let's be completely clear. It appears to be more than "a directory that's not scanned by antivirus/antispyware".

    It's a directory that is cloaked from the administrator. It's not merely bypassed by the antivirus and antispyware utilities, it is hidden from anything that uses the Windows FindFirst/FindNext APIs to view and scan files and folders.

    It -potentially- opens a bigger security hole than merely software that hides from antivirus. It can hide from other tools as well. But it is different from the Sony Rootkit; it doesn't open up ridiculous holes. It seems most likely that this was a case of reusing code without understanding the security implications.

    > And, now that its potential vulnerability has been exposed, Symantec
    > is releasing a new version without the protected recycle bin.
    > In other words, too bad they had to have their wrists slapped to fix
    > it, but there was no malicious attempt.

    And, equally importantly, they didn't need to be dragged kicking and screaming, with the threat of lawsuits, into remediating the problem. That makes it a much smaller story.

  4. Re:Before the flame wars start... by Feyr · Score: 4, Informative

    It does way more than slow the machine to a crawl. It prevents it from working properly.

    Working for an ISP, we get a surprising number of users that can connect to the net (as in, the modem dials), but nothing works, no web, no email, nothing. Everything checks out, configs are fine and all.

    But they have Norton Antivirus with their crap security. The configs for that seem fine. As soon as you uninstall that crap, everything works.

    do your users a favor, have them install AVG (www.grisoft.com)

  5. Re:It's hard to uninstall Symantec software by NVP_Radical_Dreamer · Score: 5, Informative

    Not to take up for Symantec, but they do offer a free utility for removing all traces of their software. They have one for each piece of software as far as I know.

    http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606

    --
    The best argument against democracy is a five-minute conversation with the average voter.

    - Winston Churchill

  6. Re:Why is this a "rootkit"? by 99BottlesOfBeerInMyF · Score: 4, Informative

    Isn't that what a rootkit does - allow unauthorized access?

    The terminology being used is confusing to many people. In common parlance a rootkit is a general purpose setup to compromise a system and hide all evidence of that compromise. Usually this includes a "kernel" patch that hides the offending files and in some cases network traffic. Symantec is patching the "kernel" to hide files, and doing so is wholly unnecessary. My guess is they were not concerned about users so much as malware/worms that would automatically cripple their program. The side effect of this is worms can actually exploit this to hide themselves. It seems like a risky and invasive attempt at security through obscurity.

    A big part of the problem is that they are trying to secure an inherently insecure system, without having access to the source code. Windows users are generally admin (since Windows is pretty unusable as a regular user) and local privilege escalations are common and trivial. I don't think MS even tries to fix them anymore. As a result Symantec is basically in an arms race on even footing with malware authors.

    While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files...

    That is part of the danger of using Windows. Clueless users have unfettered access to delete vital parts of the system and rightly believe worms and viruses can easily infect their poorly secured machines. Still, Symantec should have known this was unworkable in the long term and would result in a persistent liability.