Slashdot Mirror


Rootkit-like Feature Found in Norton Systemworks

GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."

14 of 221 comments

  1. Grant money well spent (not) by conteXXt · · Score: 2, Insightful

    I have always been suspect of Symantec.

    I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.

    Gawd help us.

    --
    The truth about Led Zep should never be told on /. (Karma suicide ensues)
    1. Re:Grant money well spent (not) by molnarcs · · Score: 3, Insightful
      I have always been suspect of Symantec. Me too. That's why I wrote this recently. Just a few weeks ago I removed yet another NAV install from a puter. This time it went well - the uninstall worked fine, it seems, and needed just one reboot. But previously, with certain NAV releases, it was impossible to remove - or at least harder than removing spyware. Even after "uninstalling" it, NAV left a lot of cruft on the system that not only was "just there" but loaded code at boot time. It was only possible to remove by switching to safe mode, cleaning up the registry, and removing some files manually. Symantec is EVIL!

      Add to this their track record: failure to detect SONY's malware (and now they seem to have one of their own), and they are always the last to provide adequate means to remove fresh exploits (no data here, but I distinctly remember that whenever something crops up, f-prot, free-av, etc. work, and NAV comes trailing behind other antivir solutions). Plus it is a serious resource hog - more than any other antivir progs.

      The first serious breach of "Do no evil" of Google was their inclusion of a Symantec product in google pack :)))
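The comment above describes cruft that survives an uninstall and still loads at boot, and the manual registry and file hunt needed to find it. The following script is an added example, not code from the original thread or from Symantec: it enumerates the places Windows loads code from at boot and logon (the Services key, which covers kernel drivers too, and the Run/RunOnce keys), keeps the entries whose path or display name matches a vendor pattern, and checks whether the file each one points at still exists. The default `$Pattern` and the `Resolve-ImagePath` helper are assumptions for illustration; adjust the pattern to whatever product you removed.

```powershell
# Added example, not code from the original thread or from Symantec: enumerate the
# boot-time and logon autostart entries whose image path, display name or command
# line matches a vendor pattern, then check whether the referenced file still
# exists. $Pattern is an assumption; change it to the product you removed.
param([string]$Pattern = 'Symantec|Norton')

function Resolve-ImagePath([string]$Raw) {
    # Best-effort normalisation of the forms seen in ImagePath/Run values:
    # "\??\C:\x.sys", "\SystemRoot\system32\drivers\x.sys", "system32\x.sys",
    # and quoted executables followed by arguments.
    $s = $Raw.Trim()
    if ($s.StartsWith('"')) { $s = $s.Substring(1).Split('"')[0] } else { $s = ($s -split ' ')[0] }
    $s = $s -replace '^\\\?\?\\', ''
    $s = $s -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($s -match '^system32\\') { $s = "$env:SystemRoot\$s" }
    return [Environment]::ExpandEnvironmentVariables($s)
}

$findings = @()

# 1. Services and kernel drivers. Anything under this key with Start 0-2 is
#    loaded by the kernel or the Service Control Manager at boot, whether or
#    not the product's uninstaller still knows about it.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if (($p.ImagePath -match $Pattern) -or ($p.DisplayName -match $Pattern)) {
        $findings += [pscustomobject]@{
            Kind   = if ($p.Type -in 1, 2) { 'Driver' } else { 'Service' }  # 1 kernel, 2 file system driver
            Name   = $_.PSChildName
            Source = [string]$p.ImagePath
            Start  = $p.Start   # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        }
    }
}

# 2. Run / RunOnce keys, per machine (64- and 32-bit views) and per user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
        if ($prop.Name -notmatch '^PS' -and [string]$prop.Value -match $Pattern) {
            $findings += [pscustomobject]@{ Kind = 'Run'; Name = $prop.Name; Source = [string]$prop.Value; Start = 'logon' }
        }
    }
}

# 3. Does the binary each entry points at still exist? A registration whose
#    file is gone is dead cruft; one whose file is present still loads code.
$findings | ForEach-Object {
    $file = Resolve-ImagePath $_.Source
    $_ | Add-Member -NotePropertyName File -NotePropertyValue $file -PassThru |
         Add-Member -NotePropertyName FileExists -NotePropertyValue (Test-Path -LiteralPath $file) -PassThru
} | Sort-Object Kind, Name | Format-Table Kind, Name, Start, FileExists, File -AutoSize
```

Run it from an elevated prompt if you intend to act on the results; reading these keys does not need administrator rights, but deleting a service or driver registration does. Entries with `FileExists` set to True and a boot or automatic `Start` value are the ones the comment is complaining about: registered code that still runs even though the product is supposedly gone.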

  2. Before the flame wars start... by thepotoo · · Score: 5, Insightful
    Lets get one thing clear.
    This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.

    And, now that its potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
    In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.

    --
    Obligatory Soundbite Catchphrase
    1. Re:Before the flame wars start... by GenieGenieGenie · · Score: 5, Insightful
      I guess the point about this whole story is not the intended malice of Symantec, but rather that ye-old first principle of medical science: if you're a doctor trying to keep a system healthy, primum non nocere. First of all, do not harm.

      From this point of view, Symantec is actually worse than Sony, because the latter never claims to protect your system (not that I'm saying Sony are angels). True, the reaction by Sony came just before they had a gun pointed at their company's head, but how seriously can you take a security-software company that has a rootkit in their software, acknowledges that due to developments in hacker-tech this has become a serious vulnerability (is this news at Symantec?), but still waits for some external source to publish their hole in order to fix it?

  3. Re:Deleting files by thepotoo · · Score: 2, Insightful
    From what I understand, this is so you can't delete all your precious Word documents without meaning to.

    That's still a problem in Linux.

    --
    Obligatory Soundbite Catchphrase
  4. Rootkits by cyp43r · · Score: 2, Insightful

    I've never much liked Norton Antivirus, and this just adds more fuel to the fire.

  5. Wow, now with fewer holes! by frostfreek · · Score: 4, Insightful

    "...Symantec's update further protects computers by displaying the directory,"

    That's great! Our product is now better, because we turned off something bad we were previously doing!
    Now that's a nice spin!

  6. steps by trandism · · Score: 3, Insightful

    Steps of action when Joe Six-pack brings me a windoz box:
    1. Uninstall Norton
    2. Install AVG
    3. Delete all "e"'s from everywhere
    4. Install Firefox
    5. Install Opera
    6. Delete all Outlook shortcuts
    7. Install Thunderbird
    8. Install VLC and associate all media with it
    9. Teach the guy to right-click/scan with AVG everything he downloads from the internet
    It worked nicely on most occasions. My 2p

    --
    www.lemonodor.com A mostly Lisp weblog
  7. Re:Who needs Symantec? by Ilgaz · · Score: 4, Insightful

    Their target for SystemWorks is not Slashdot-posting people like you, and there are people who actually DELETE these files, making their system unusable.

    System admins use Symantec corporate solutions, which have NOTHING TO DO with the stuff mentioned here.

    But keep bashing Symantec. It is the number 2 favorite target of geeks after RealNetworks.

    I bought it as a gift to a pure newbie computer user who is really busy with stuff rather than dll and registry hunting manually, he is happy to this day.

  8. Re:Article doesn't say enough... by BVis · · Score: 2, Insightful

    A "cloaked" system folder that can be made visible in Folder Options is different from a directory created by a rootkit-like piece of software. By definition, a rootkit patches the OS it's compromised so that the operating system itself cannot see the directories. It sounds to me like Symantec's actions here are very similar to what Sony BMG got in all that hot water for.

    Odd thing is, it was pretty widely known that some anti-virus programs have rootkit-like properties; i.e. they hide directories from the OS. Ostensibly, this is to prevent malware from accessing the directories and compromising the anti-virus. Not saying it's right, just saying this shouldn't be a big shock.

    --
    Never underestimate the power of stupid people in large groups.
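The comment above draws the practical distinction: a folder hidden by the Hidden and System attributes is only hidden from a default Explorer view (Folder Options controls that), whereas a rootkit hides names from the enumeration API itself. The following script is an added example, not code from the original thread or from Symantec, showing how to check for each kind on a running system. It reads the two Explorer settings, lists Hidden+System directories under `$Root`, and then compares three independent callers' views of the same directory so that user-mode hooks that patch some processes but not others show up as a disagreement. `$Root` is an assumption for illustration.

```powershell
# Added example, not code from the original thread or from Symantec: tell apart
# the two kinds of "cloaking" comment 8 describes. A directory marked Hidden+System
# is only hidden from a default Explorer view (Folder Options controls that) and is
# returned to any caller that asks for it; a directory hidden by a hooked or
# filtered enumeration API is absent from some or all callers' views and shows up
# only as a disagreement between them. $Root is an assumption; set it to the
# volume you want to inspect.
param([string]$Root = "$env:SystemDrive\")

# 1. Current Explorer settings. Hidden=1 shows hidden items; ShowSuperHidden=1
#    additionally shows items marked Hidden+System ("protected operating system
#    files" in the Folder Options dialog).
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
[pscustomobject]@{
    ExplorerShowsHidden      = ($adv.Hidden -eq 1)
    ExplorerShowsSuperHidden = ($adv.ShowSuperHidden -eq 1)
} | Format-List

# 2. Attribute-level cloaks: directories a default Explorer view would not show.
#    -Force makes Get-ChildItem return Hidden and System entries as well.
$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { (($_.Attributes -band $hidden) -eq $hidden) -and (($_.Attributes -band $system) -eq $system) } |
    Select-Object FullName, Attributes | Format-Table -AutoSize

# 3. Cross-view check. All three views end in the same Win32 directory
#    enumeration, so a kernel filter driver that drops a name from the results
#    fools every one of them; what this catches is user-mode hooking that patches
#    some processes and not others. A name present in one view and missing from
#    another is worth a closer look. Agreement across all three does NOT prove
#    nothing is hidden; for that you need a view that bypasses the running OS
#    (raw NTFS parsing or an offline boot).
$viewPS  = @((Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue).Name)
$viewNet = @([IO.Directory]::GetDirectories($Root) | ForEach-Object { Split-Path -Path $_ -Leaf })
Push-Location -LiteralPath $Root
$viewCmd = @(cmd.exe /c 'dir /a:d /b' 2>$null)   # a separate process, so a per-process hook may miss it
Pop-Location

$names = @($viewPS + $viewNet + $viewCmd) | Where-Object { $_ } | Sort-Object -Unique
$discrepancies = foreach ($name in $names) {
    $row = [pscustomobject]@{
        Name       = $name
        PowerShell = ($viewPS  -contains $name)
        DotNet     = ($viewNet -contains $name)
        Cmd        = ($viewCmd -contains $name)
    }
    if (-not ($row.PowerShell -and $row.DotNet -and $row.Cmd)) { $row }
}
if ($discrepancies) { $discrepancies | Format-Table -AutoSize }
else { "No enumeration discrepancies under $Root (attribute-level cloaks are listed above; kernel-level cloaks are out of reach of this check)." }
```

The second section is the answer to the comment's first point: anything it lists is hidden only by attributes and becomes visible the moment ShowSuperHidden is set to 1, which is the "can be made visible in Folder Options" case. Only the third section bears on the rootkit case, and only partially; a driver that filters directory enumeration for every process, which is what the comment means by patching the OS, is invisible to all three views and needs a cross-view tool that reads the disk underneath the running kernel.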
  9. Re:Uninstalling Norton can be very time consuming by F_Scentura · · Score: 4, Insightful

    "They're really complicated!" is no excuse for not following the conventional uninstall procedure and requiring that a separate uninstall program be downloaded separately from the internet.

  10. Re:WINDOWS IS IRRETRIEVABLY BROKEN by xtracto · · Score: 1, Insightful

    Although you are an anonymous troll I think you are somewhat right:

    The actual real (for the end user) problem I see for Windows, that other OSS do not have, is that you are required to install certain "security" software after installing the O.S. The software is, among others:
    - Antivirus (like McAfee or Norton or AVG or Sophos)
    - System security programs: kind of like Norton SystemWorks or SANDRA or Diskeeper
    - Another browser (like firefox or opera)

    The bad thing about that is not the number of software programs you have installed but the number of programs that must stay RESIDENT on RAM from the beginning.

    That slows PC a lot, and it is something that (at least in my experience) you do not need to do when using Linux.

    As an example, my current machine has Sweepsrv.sys (Sophos AV) with 25,796 private bytes. Then I have Firefox with 141,188 bytes, and on my laptop I have AVG free version and the PerfectDisk monitor.

    Sure, I know how to disable all those things, but that is one of the most common reasons why people have to reinstall Windows after several months.

    On Linux you don't need a running antivirus, so that memory (and processing time) can be used for something better. Oh, and it is also annoying that if you are moving large files, you have to wait after selecting and pressing CTRL+X to cut and CTRL+V to paste on the other side, because the antivirus is checking the file.

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  11. Re:It's hard to uninstall Symantec software by tkrotchko · · Score: 3, Insightful

    I know they have that now, but they didn't at the time.

    Worse, I don't trust Symantec to really remove their software. Why doesn't uninstall remove the software? Why do I need to uninstall then run "really uninstall" to really uninstall it?

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  12. Re:It's hard to uninstall Symantec software by linuxtelephony · · Score: 2, Insightful

    I don't know if there is a relationship or not, but when the company was known as Norton (for Peter Norton), they had good products. When they transitioned to Symantec they seemed to make whatever they touched worse.

    Norton's utilities were great, tiny, fast little tools that did what you wanted in a predictable way. A must-have in the DOS days, and even the early Windows days. As Symantec, the tools seemed to get more and more bloated. Then some of the tools had to be bought separately, costing more money. They took over PC Anywhere at some point and made the tool so large that it was all but impossible to load into some DOS-based systems (with plenty of RAM) and still be able to run the rest of the system properly. They took over WinFax and took out some of the best features, and seemed to make it more prone to failures.

    It's a pattern of theirs. And a great disappointment. And why I, also, no longer buy or use anything from them. First thing I do on new equipment that has their software is uninstall it. Same thing I tell others.

    --
    . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley