Slashdot Mirror
Rootkit-like Feature Found in Norton Systemworks
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by the Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
For those of us who dislike the pre-installed Symantec software and uninstall it first chance we get, is there still a vulnerability?
The world is made by those who show up for the job.
This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.
And, now that it's potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.
Obligatory Soundbite Catchphrase
They did it so users couldn't accidentally delete important files?? Sure would be nice if there was such thing as "root" on Windows so you could have files that every day users couldn't delete...
Rootkits in windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com
The cloaked directory is intended to prevent users from accidentally deleting important files
There's thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that make them extra-specially important?
I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
So, I had to go to this link and do it manually....talk about a pain in the #*$%.
He who knows best knows how little he knows. - Thomas Jefferson
Apparently insecure and/or incompetent sysadmins are behind the boom in "all-in-one-fix-'em-all" suites. Why not tackle the problems head-on yourself rather than relying on third party software which might actually jeopardise your entire system without you knowing it? And I found Norton Anti-virus to be a serious hog on system resources. It's safe to assume their other products are in the same league.
"...Symantec's update further protects computers by displaying the directory,"
That's great! Our product is now better, because we turned off something bad we were previously doing!
Now that's a nice spin!
Steps of action when joe six-pack brings me a windoz box: 1. Uninstall Norton 2. Install AVG 3. Delete all "e"'s from everywhere 4. Install Firefox 5. Install Opera 6. Delete all Outlook shortcuts 7. Install Thunderbird 8. Install VLC and associate all media with it 9. Teach the guy to right-click/scan with AVG everything he downloads from the internet It worked nice in most occasions My 2p
www.lemonodor.com A mostly Lisp weblog
The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.
Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.
Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue
Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action
I must have missed something in the article. All it refers to is a "cloaked" directory. Now this shouldn't surprise anyone here. This is no different than how XP works normally. By default XP hides or "cloaks" protected system directories too, namely the System Volume Information folder in the root of each partition. The only way you can find them is by selecting to show hidden files and folders and to uncheck the "hide protected operating system files" option.
Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well known hole, thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.
So what I would really like to know, and the article doesn't specify, is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the later this is not a rootkit, it's just being sneaky. If they are hooking in, well shame on them.
I remember a couple years ago when I still bought and used Norton/Symantec anti-virus; it kept claiming my subscription ran out and wouldn't update the definitions. So I uninstalled and reinstalled. Same problem. After doing some searching, I realized it had installed itself all over the registry and wouldn't get out. It took a good 2 hours of hand-editing to remove all traces of Symantec from my registry.
So much for "uninstall".
Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.
I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Add to this their track record: failure to detect SONY's malware, (and now they seem to have one of their own) and they are always the last to provide adequate means to remove fresh exploits (no data here, but I distinctly remember that whenever something crops up, f-prot, free-av, etc. works, and NAV comes trailing behind other antivir solutions.). Plus it is a serious resource hog - more than any antivir progs.
The first serious breach of "Do no evil" of Google was their inclusion of a Symantec product in google pack :)))
Not to take up for symantec, but they do offere a free utility for removing all traces of their software. They have one for each piece of software as far as I know.
d /2001092114452606
http://service1.symantec.com/SUPPORT/nav.nsf/doci
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill
I know they have that now, but they didn't at the time.
Worse, I don't trust Symantec to really remove their software. Why doesn't uninstall remove the software? Why do I need to uninstall then run "really uninstall" to really uninstall it?
You were mistaken. Which is odd, since memory shouldn't be a problem for you
Isn't that what a rootkit does - allow unauthorized access?
The terminology being used is confusing to many people. In common parlance a rootkit is a general purpose setup to compromise a system and hide all evidence of that compromise. Usually this includes a "kernel" patch that hides the offending files and in some cases network traffic. Symantec is patching the "kernel" to hide files, and doing so is wholly unnecessary. My guess is were not concerned about users so much as malware/worms that would automatically cripple their program. The side affect of this is worms can actually exploit this to hide themselves. It seems like a risky and invasive attempt at security through obscurity.
A big part of the problem is that they are trying to secure an inherently insecure system, without having access to the source code. Windows users are generally admin (since Windows is pretty unusable as a regular user) and local privilege escalations are common and trivial. I don't think MS even tries to fix them anymore. As a result Symantec is basically in an arms race on even footing with malware authors.
While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files...
That is part of the danger of using Windows. Clueless users have unfettered access to delete vital parts of the system and rightly believe worms and viruses can easily infect their poorly secured machines. Still, Symantec should have known this was unworkable in the long term and would result in a persistent liability.
When you install Symantec (works with McAfee too I've been told) just set the system clock forward a few years. If it installs in 2010, but then finds itself in 2006, it'll think you have a 4 year subscription. I did this when I was still in the 'give me free stuff script kiddie' mode a few years back. A friend of mine just did it and confirmed that it still works. I switched to Debian and haven't had a problem with ClamAV.
Silly Symantec, not getting a real date online.