Rootkit-like Feature Found in Norton Systemworks
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
For those of us who dislike the pre-installed Symantec software and uninstall it first chance we get, is there still a vulnerability?
The world is made by those who show up for the job.
Rootkits in windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com
The cloaked directory is intended to prevent users from accidentally deleting important files
There are thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that makes them extra-specially important?
I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
So, I had to go to this link and do it manually... talk about a pain in the #*$%.
He who knows best knows how little he knows. - Thomas Jefferson
Apparently insecure and/or incompetent sysadmins are behind the boom in "all-in-one-fix-'em-all" suites. Why not tackle the problems head-on yourself rather than relying on third party software which might actually jeopardise your entire system without you knowing it? And I found Norton Anti-virus to be a serious hog on system resources. It's safe to assume their other products are in the same league.
I must have missed something in the article. All it refers to is a "cloaked" directory. Now this shouldn't surprise anyone here. This is no different than how XP works normally. By default XP hides or "cloaks" protected system directories too, namely the System Volume Information folder in the root of each partition. The only way you can find them is by selecting "show hidden files and folders" and unchecking the "hide protected operating system files" option.
Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well-known hole; thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.
So what I would really like to know, and the article doesn't specify, is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the latter, this is not a rootkit, it's just being sneaky. If they are hooking in, well shame on them.
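The post above distinguishes permission-based "cloaking" (Hidden+System attributes plus a restrictive ACL, as on System Volume Information) from real kernel hooking. This added script, which is not from the thread or from Symantec, enumerates directories under a root that carry the Hidden+System combination Explorer suppresses and reports whether the current account can even read their ACL; the `$Root` parameter is an assumed default. It only surfaces the permission-style hiding described in the post: a directory cloaked by a kernel hook would not appear in the listing at all, which is why a cross-view tool such as RootkitRevealer is needed for that case.

```powershell
# Added example: inventory Hidden+System directories and summarize their ACLs.
# Run from an elevated PowerShell prompt; $Root defaults to the system drive.
param([string]$Root = ($env:SystemDrive + '\'))

# Explorer's "Hide protected operating system files" suppresses entries that
# carry both of these attributes at once.
$protected = [System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System

Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $protected) -eq $protected } |
    ForEach-Object {
        $dir = $_
        try {
            # Get-Acl throws "access denied" on folders whose ACL excludes
            # Administrators, which is exactly how System Volume Information behaves.
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            $allowed = ($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                Select-Object -ExpandProperty IdentityReference -Unique) -join ', '
            $status = 'ACL readable'
        } catch {
            $allowed = ''
            $status = 'ACL not readable (access denied)'
        }
        [pscustomobject]@{
            Path    = $dir.FullName
            Status  = $status
            Allowed = $allowed
        }
    } | Format-Table -AutoSize
```

Any Hidden+System directory that is not a known Windows location (System Volume Information, $Recycle.Bin, Recovery) and whose ACL locks out Administrators is worth checking against the installed software inventory.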
I remember a couple years ago when I still bought and used Norton/Symantec anti-virus; it kept claiming my subscription ran out and wouldn't update the definitions. So I uninstalled and reinstalled. Same problem. After doing some searching, I realized it had installed itself all over the registry and wouldn't get out. It took a good 2 hours of hand-editing to remove all traces of Symantec from my registry.
So much for "uninstall".
Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.
I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.
You were mistaken. Which is odd, since memory shouldn't be a problem for you.
When you install Symantec (works with McAfee too I've been told) just set the system clock forward a few years. If it installs in 2010, but then finds itself in 2006, it'll think you have a 4 year subscription. I did this when I was still in the 'give me free stuff script kiddie' mode a few years back. A friend of mine just did it and confirmed that it still works. I switched to Debian and haven't had a problem with ClamAV.
Silly Symantec, not getting a real date online.