Slashdot Mirror


Rootkit-like Feature Found in Norton Systemworks

GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."

16 of 221 comments

  1. Uninstall vulnerable? by jbeaupre · Score: 4, Interesting

    For those of us who dislike the pre-installed Symantec software and uninstall it first chance we get, is there still a vulnerability?

    --
    The world is made by those who show up for the job.

  2. Rootkits are big now by filenavigator · Score: 5, Interesting

    Rootkits in Windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com

  3. I don't get it by Anonymous Coward · Score: 4, Interesting

    The cloaked directory is intended to prevent users from accidentally deleting important files

    There are thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that makes them extra-specially important?

  4. Uninstalling Norton can be very time consuming by digitaldc · Score: 4, Interesting

    I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
    So, I had to go to this link and do it manually... talk about a pain in the #*$%.

    --
    He who knows best knows how little he knows. - Thomas Jefferson

  5. Who needs Symantec? by PhakeDC · Score: 4, Interesting

    Apparently insecure and/or incompetent sysadmins are behind the boom in "all-in-one-fix-'em-all" suites. Why not tackle the problems head-on yourself rather than relying on third party software which might actually jeopardise your entire system without you knowing it? And I found Norton Anti-virus to be a serious hog on system resources. It's safe to assume their other products are in the same league.

  6. Sony Rootkit by Anonymous Coward · Score: 1, Interesting

    Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole.

    Sony's rootkit was done entirely under good intentions as well (like it or not DRM is not a bad intention), and look how that turned out.

    What's funny is everybody will blow this over because it's Symantec not the RIAA. It really is just as severe if not more so, coming from a software company that deals in security.

    I trust Russinovich's technical analysis, but I don't trust his moral opinion.

  7. Uninstall vulnerable? clarification by jbeaupre · Score: 2, Interesting

    My real problem is that my mom bought a PC at Christmas. While visiting (she's a couple time zones away), I did a little tuning (firewall, Firefox, OpenOffice, etc.). Symantec pisses me off so it got uninstalled (replaced with Avast). But ... did the uninstall really clean everything up? I can't check in person and I'm not going to walk my mom through rootkit detection unless necessary.

    --
    The world is made by those who show up for the job.

  8. Re:Grant money well spent (not) by Anonymous Coward · Score: 2, Interesting

    I have always been suspect of Symantec.

    I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.


    You "suspect" Symantec because they used a rootkit-like trick to hide the Norton NProtect feature's directory from other applications? Why is that? Do you believe that I don't want NProtect installed on my computer (NProtect is an optional feature of a software package that I choose to install)? Do you believe that Symantec is working against my interests, like Sony?

    I'm not sure that I agree with Symantec's solution. It would be trivial for Symantec to program Norton Antivirus to scan the NProtect feature's directory (NAV is a part of any package including Norton Utilities, which includes NProtect). I suspect that they abandoned the whole idea because: 1. The argument concerning multiple-'rootkit' incompatibility is reasonably persuasive; 2. You could conceivably decide to use something other than NAV by choosing not to install it; and 3. They could be swamped by alarmed calls from users detecting a 'malicious' rootkit with the various tools that are coming into vogue.

    However, I still value a feature that prevents little Johnny from blowing away important files while he dorks around with Windows Explorer with all the "hide files" settings disabled. It is supremely aggravating that I have to let users run on a machine at Administrator level to run half of their software, which prevents me from using directory security to effectively perform its God-given function of stopping the user from deleting anything but their own dang work.

    Invitations to switch OSs will be summarily ignored. You have been warned.

  9. Article doesn't say enough... by DnemoniX · Score: 4, Interesting

    I must have missed something in the article. All it refers to is a "cloaked" directory. Now this shouldn't surprise anyone here. This is no different than how XP works normally. By default XP hides or "cloaks" protected system directories too, namely the System Volume Information folder in the root of each partition. The only way you can find them is by selecting to show hidden files and folders and to uncheck the "hide protected operating system files" option.

    Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well known hole, thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.

    So what I would really like to know, and the article doesn't specify, is: is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the latter this is not a rootkit, it's just being sneaky. If they are hooking in, well, shame on them.
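    The question raised in comment 9, whether the folder is merely permission-protected like System Volume Information or actively filtered out of directory listings, can be tested from a defender's side with a cross-view comparison: enumerate the parent directory the normal way, then probe each name of interest directly and see whether the two views agree. The Python script below is an added example written for this thread; it is not code from the eWeek article, from Russinovich, or from Symantec. The sample listing, the probe behaviour and the name CLOAKED_DIR_PLACEHOLDER are constructed for illustration and stand in for no real product directory.

```python
import os
import tempfile
from typing import Callable, Dict, Iterable

# Labels for how an entry looks once two independent views are compared.
VISIBLE = "visible"              # listed and directly reachable: an ordinary entry
ACL_PROTECTED = "acl_protected"  # listed, but access is denied: permissions only
CLOAKED = "cloaked"              # reachable by name, yet missing from the listing
ABSENT = "absent"                # neither view finds it
UNKNOWN = "unknown"              # views disagree in a way that cannot be decided


def _probe(probe_fn: Callable[[str], object], path: str) -> str:
    """Try to reach `path` directly by name, without relying on enumeration."""
    try:
        probe_fn(path)
        return "ok"
    except NotADirectoryError:
        return "ok"              # it exists, it just is not a directory
    except PermissionError:
        return "denied"
    except FileNotFoundError:
        return "missing"


def classify_entries(parent: str, candidates: Iterable[str],
                     enumerate_fn: Callable[[str], Iterable[str]] = os.listdir,
                     probe_fn: Callable[[str], object] = os.listdir) -> Dict[str, str]:
    """Compare the enumeration view of `parent` with a direct-by-name probe.

    A name that the probe reaches but enumeration omits has been filtered
    out of the listing, which is what a rootkit-style hook produces.
    A name that is listed but refuses access is only permission-protected,
    the way System Volume Information behaves on Windows XP.
    """
    try:
        listed = set(enumerate_fn(parent))
    except PermissionError:
        listed = set()
    verdicts: Dict[str, str] = {}
    for name in candidates:
        state = _probe(probe_fn, os.path.join(parent, name))
        if name in listed and state == "ok":
            verdicts[name] = VISIBLE
        elif name in listed and state == "denied":
            verdicts[name] = ACL_PROTECTED
        elif name not in listed and state == "ok":
            verdicts[name] = CLOAKED
        elif name not in listed and state == "missing":
            verdicts[name] = ABSENT
        else:
            verdicts[name] = UNKNOWN
    return verdicts


# Constructed sample views (not captured from any real machine): a root
# directory where one folder exists on disk but is dropped from enumeration.
SIMULATED_LISTING = ["Windows", "Program Files", "System Volume Information"]
SIMULATED_EXISTING = SIMULATED_LISTING + ["CLOAKED_DIR_PLACEHOLDER"]  # placeholder name


def simulated_enumerate(parent: str):
    return list(SIMULATED_LISTING)


def simulated_probe(path: str):
    name = os.path.basename(path)
    if name == "System Volume Information":
        raise PermissionError(path)      # listed, but its DACL denies us
    if name in SIMULATED_EXISTING:
        return []                        # reachable by name
    raise FileNotFoundError(path)


def demo_simulated() -> Dict[str, str]:
    candidates = SIMULATED_EXISTING + ["nothing_here"]
    return classify_entries("/simulated_root", candidates,
                            simulated_enumerate, simulated_probe)


def demo_real_directory() -> Dict[str, str]:
    """Run the same check against a throwaway directory on this machine."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "keep"))
        with open(os.path.join(root, ".dotfile"), "w") as fh:
            fh.write("x")
        return classify_entries(root, ["keep", ".dotfile", "missing"])


if __name__ == "__main__":
    for name, verdict in demo_simulated().items():
        print(f"simulated  {name!r:32} -> {verdict}")
    for name, verdict in demo_real_directory().items():
        print(f"real       {name!r:32} -> {verdict}")
```

    Two caveats a practitioner should keep in mind: the Windows "hidden" attribute does not remove an entry from directory enumeration (Explorer filters it client-side), so an attribute-hidden folder comes out as VISIBLE here, and a filter that also intercepts opens by name will defeat the direct probe, which is why tools such as Russinovich's RootkitRevealer compare the API view against the raw on-disk volume instead.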

  10. It's hard to uninstall Symantec software by tkrotchko · Score: 4, Interesting

    I remember a couple years ago when I still bought and used Norton/Symantec anti-virus; it kept claiming my subscription ran out and wouldn't update the definitions. So I uninstalled and reinstalled. Same problem. After doing some searching, I realized it had installed itself all over the registry and wouldn't get out. It took a good 2 hours of hand-editing to remove all traces of Symantec from my registry.

    So much for "uninstall".

    Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.

    I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you

  11. Re:Before the flame wars start... by Tony Hoyle · Score: 2, Interesting

    There's a way of making files so that Norton won't scan them... Symantec actually volunteered the information a couple of years ago until I pointed out that putting that in an open-source product would expose the information to virus writers. Me and my big mouth... I should have just gone ahead and got the information & published it.

    OTOH I still recommend that Norton is removed before using my (and any other) software... it's junk and drags the machine down to a crawl. One place that I worked tried to force it on my desktop machine - I knew immediately because a 10 minute compile slowed to a 40 minute one (and the new icon gave it away)... ended up removing it, daring them to complain (OTOH a week later they removed it from everyone's machine once productivity went through the floor).

  12. Why is this a "rootkit"? by Keyslapper · Score: 2, Interesting

    I may have missed something, but I saw nothing whatsoever in the article that sends information or provides external access without the user's knowledge.

    Isn't that what a rootkit does - allow unauthorized access?

    Of course, it's hiding a directory, but as mentioned by other posters, Symantec has never been very secretive about that, they just didn't come out and announce in big flashing red letters that they were creating a hidden directory. Not a lie at all, as was the case with Sony.

    Now, apparently there are a few folks here that seem to consider Symantec only a couple notches away from M$ on the slimeball ladder, but the fact is they write software that attempts to protect computers (typically from the gifts M$ has bestowed on the world). Personally, I only use their antivirus SW, since Windows does just fine bogging the one machine I run it on without any unnecessary help. To date, I have had far fewer issues with Windows machines using Norton Antivirus than those without it. In fact, it seems to me Norton AV is as important for Windows machines as a network connection.

    Not that this isn't something to be aware of, but at best this is a potential security hole, not a rootkit. While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files - or doesn't anyone remember the SULFNBK virus?

  13. Re:It's hard to uninstall Symantec software by remmelt · Score: 2, Interesting

    Ghost has saved my life so often that I seriously love that tool. Apart from that, you're right.

    I just found out that Sygate has been acquired by Symantec and they discontinued the free for home use firewall.... Bummed!

    Symantec has never even made anything, they just buy the competition.

  14. You don't tell me that you mean... by Hurricane78 · Score: 2, Interesting

    ...the Norton recycle bin extension?

    I know that nowadays Norton products are mostly crap with near-to-none options, and all non-basic functionality removed successively in every version, but this recycle bin extension comes from the good days and already saved my ass many times. (Every time I typed something like Ctrl-N, Ctrl-S, Enter, and overwrote my just finished huge file with an EMPTY file.)

    The directory it used was not cloaked in any other way than setting it to "hidden". I don't know if that changed in very recent versions (haven't RTFA), but last time I used it (SystemWorks 2005) I could simply go into the directory and look at what's inside it.

    So maybe this is a common bug of virus scanners...

    I even implemented something like this for my Samba shares. Sure someone will come up with the "well, maybe it's a PEBCAK" argument, but don't tell me you never made such an error and then wished to have the data back?

    --
    Any sufficiently advanced intelligence is indistinguishable from stupidity.

  15. How to get unlimited free subscription by jambarama · Score: 4, Interesting

    When you install Symantec (works with McAfee too I've been told) just set the system clock forward a few years. If it installs in 2010, but then finds itself in 2006, it'll think you have a 4 year subscription. I did this when I was still in the 'give me free stuff script kiddie' mode a few years back. A friend of mine just did it and confirmed that it still works. I switched to Debian and haven't had a problem with ClamAV.

    Silly Symantec, not getting a real date online.

  16. Not very surprising by Kristoffer Lunden · Score: 2, Interesting

    They have gaping holes in their firewall, so why not in more products?

    Explanation: a fresh install of Windows XP on my father's machine, SP1 because that was the CD that came with the machine, then an install of the Norton firewall that also came with the purchase - firewall set as paranoid as the settings allowed... plug in the network, and bam! Instant infection. There aren't any settings in the stupid product for "block everything" or anything either, just security levels or whatever it was. In any case, the highest whatever apparently still left ports open... impressive.

    The reinstall was because their firewall and antivirus had already failed to protect the computer, btw. Why anyone would use their products is way beyond comprehension. It's utter crap.