Oh, dear. We're just getting over the Sony DRM rootkit ruckus, and now we have a security company hiding software components from Windows APIs with rootkit technology. News.com reports that a Symantec Corp. spokesperson admitted to using this rootkit-type feature in Norton SystemWorks to hide a directory so customers wouldn't accidentally delete files. The problem is that a directory hidden from the Windows APIs also provides a convenient hiding place for attackers to put malicious files, since anything placed there is invisible to antivirus scans and to the user. Because of the vulnerability, Symantec has issued an update for SystemWorks and is "strongly recommending" that users update the software immediately.
Mark Russinovich of SysInternals, along with security company F-Secure, were credited with discovering the rootkit feature in SystemWorks. Russinovich, the developer of the rootkit scanner RootkitRevealer, also discovered the Sony DRM rootkit. Russinovich is quoted as saying:
It's a bad, bad, bad idea to start hiding things in places where it presents a danger. I'm seeing it more and more with commercial vendors, [...]
When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It's impossible to manage the security and health of that system if the owner is not in control.
According to eWeek, Russinovich is planning to publish more information about commercial vendors using rootkit technology. At spyware help forums like SpywareWarrior, we are advising users to run rootkit detection apps more frequently as a result of spyware infestations from threats like the AOL Instant Messaging worm. It will be interesting to see what other non-malware is found using rootkits to hide. Stay tuned for more on this unfolding situation.
Update Jan. 12: I received an email from a reader today who pointed out that using the term "rootkit" was incorrect in this case. Larry Seltzer at eWeek writes that "some rootkits are worse than others". Wikipedia's definition of a rootkit:
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.
And the functions of a rootkit:
A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.
So, was Symantec using a rootkit or not? I'd like to hear Mark Russinovich's take, but he has not written about Symantec on his blog.