Rootkit-like Feature Found in Norton Systemworks
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.
And, now that its potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.
Obligatory Soundbite Catchphrase
Rootkits in Windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com
Those of us who dislike reading TFA would never find out about the free utility linked in TFA to check whether the rootkit is there.
The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.
Also, according to Symantec's own writeup on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.
Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue.
Batou: Hey, Major... You ever hear of "human rights"? Major: I understand the concept, but I've never seen it in action
Not to take up for Symantec, but they do offer a free utility for removing all traces of their software. They have one for each piece of software as far as I know.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2001092114452606
The best argument against democracy is a five-minute conversation with the average voter.
- Winston Churchill