Symantec confesses to using rootkit technology

Summary: We're just getting over the Sony DRM rootkit ruckus and now we have a security company hiding software components from Windows APIs with rootkit technology.

Oh, dear. We're just getting over the Sony DRM rootkit ruckus and now we have a security company hiding software components from Windows APIs with rootkit technology. News.com reports that Symantec Corp.'s spokesperson admitted to using this rootkit-type feature in Norton SystemWorks to hide a directory so customers wouldn't accidentally delete files. The problem was that it could also provide a convenient hiding place for attackers to place malicious files. Due to the vulnerability, Symantec has issued an update for SystemWorks and is "strongly recommending" that users update the software immediately. Link here.

Mark Russinovich of SysInternals, along with security company F-Secure, was credited with discovering the rootkit feature in SystemWorks. Russinovich, the developer of the rootkit scanner RootkitRevealer, also discovered the Sony DRM rootkit. Russinovich is quoted as saying:

It's a bad, bad, bad idea to start hiding things in places where it presents a danger. I'm seeing it more and more with commercial vendors, [...]

When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It's impossible to manage the security and health of that system if the owner is not in control.

Russinovich is planning to publish more information about commercial vendors using rootkit technology, according to eWeek. At spyware help forums like SpywareWarrior, we are advising users to run rootkit detection apps more frequently as a result of spyware infestations from threats like the AOL Instant Messaging worm. It will be interesting to see what other non-malware is found using rootkits to hide. Stay tuned for more on this unfolding situation.
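The check that rootkit detection tools such as RootkitRevealer rely on is a cross-view comparison: list the same directory through the normal Windows API and again through a lower-level route, and flag anything the two views disagree on. The following is an added Python example, not code from the original post, from Sysinternals or from Symantec; it runs both views over a constructed in-memory tree, simulates the hiding hook as a filter on one directory name (a placeholder, since the post does not name the hidden directory), and reports every entry that only one view shows, in either direction.

```python
"""Cross-view detection of a hidden directory over a constructed in-memory
tree (dict = directory, str = file). A hook that hides a name from the normal
directory API is caught by a scanner that also reads the structure by a
lower-level route and diffs the two views; the API view here is simulated."""

# Assumption: the post does not name the hidden directory, so a placeholder
# stands in for it. The simulated hook hides this name and its subtree.
HIDDEN_NAME = "HIDDEN_DIR_PLACEHOLDER"
SAMPLE_TREE = {
    "Windows": {"explorer.exe": "", "system32": {"ntdll.dll": ""}},
    "Program Files": {
        "Norton SystemWorks": {
            HIDDEN_NAME: {"recovered.txt": "", "unknown.exe": ""},
            "nsw.exe": "",
        },
    },
}

def _node_at(tree, path):
    node = tree
    for part in path:
        node = node[part]
    return node

def raw_listdir(tree, path):
    """Low-level view: read the structure directly, nothing filtered."""
    node = _node_at(tree, path)
    return sorted(node) if isinstance(node, dict) else []

def api_listdir(tree, path):
    """Simulated hooked API: the hidden subtree does not exist from here."""
    if HIDDEN_NAME in path:
        return []
    return [n for n in raw_listdir(tree, path) if n != HIDDEN_NAME]

def cross_view_scan(tree, path=()):
    """Return (path, view) for each entry that only one view shows. The walk
    descends via the raw view, so it continues where the API has gone blind."""
    raw, api = raw_listdir(tree, path), api_listdir(tree, path)
    findings = [("/".join(path + (name,)), "API" if name in api else "raw")
                for name in sorted(set(raw) ^ set(api))]
    node = _node_at(tree, path)
    for name in raw:
        if isinstance(node[name], dict):
            findings.extend(cross_view_scan(tree, path + (name,)))
    return findings

if __name__ == "__main__":
    for entry, view in cross_view_scan(SAMPLE_TREE):
        print(f"only in {view} view: {entry}")
```

A clean tree yields an empty list; on a real system the two views would be a Win32 directory listing and a raw read of the volume, which is where the real work of such a scanner lies.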

Update Jan. 12: I received an email from a reader today who pointed out that using the term "rootkit" was incorrect in this case. Larry Seltzer at eWeek writes that "some rootkits are worse than others". Wikipedia's definition of a rootkit:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

And the functions of a rootkit:

A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.

So, was Symantec using a rootkit or not? I'd like to hear Mark Russinovich's take, but he has not written about Symantec on his blog.


Talkback

46 comments
  • Symantec wasn't as severe

    Note that this is just used for some kind of undelete folder, not to intentionally police your music habits.

    Symantec is handling this a lot better. Instead of saying something like, "most people don't know what a root kit is, why should they care?" they're going to undo the security hole.
    george_ou
    • Bullspit

      The potential for abuse is just as great. As for your point about how they're handling it, I agree.
      Real World
  • I can't wait till MS admits to the same sort of thing..

    And do not think they do not.....

    What do you think some of the auto updates are for....

    Most of MS vulnerabilities come from cascading & recursive dependencies making sure you're using what they want you to use....

    Thought Real was bad? MS does the same thing, but for some reason people tend to accept it..............

    As a current example, the Verizon VCast & MP3W/MA situation.

    Nothing new, but just one of the reasons why I switched away from MS in 2k.
    LazLong
    • Nothing new................................

      but why even comment then?
      glstorck@...
    • we're gonna die! we're all gonna die!

      I'm building a nuclear fallout shelter in my backyard for when Microsoft takes over the world. It all starts with those darn auto updates that the user is allowed to turn off anytime they want to, and those cascading and recursive dependencies always bite you in the butt, and that doesn't sound so bad in the end... but the chemical bombs are coming man and I'm gonna be ready
      anythingbutmine0
  • Symantec rootkit

    Well well well! That explains why Webroot Spysweeper wanted to disinfect just about every Norton's file on my HD. AND I BLAMED WEBROOT!!!!! WRONGLY!!!!! Sorry boys. That's it - no more Norton's after this and all the other Symantec hiccups I had to suffer for more than 8 years, thank you. It's F-Secure AV or McAfee from now on. Joe
    jjneethling@...
  • Symantec installs were always a kluge

    It is sad to see a product you looked up to for system protection turn out like this... Once I read of the security issues I was glad to be gone of them. I am sure they were removed in droves once they went to subscription updates anyhow. From what I recall, even just the antivirus alone was a bit of a resource hog. And System Works? Should have been called "system works harder".
    ~doolittle~
    • Aha!

      My system was always slow. Slow to boot up, shut down, and sometimes just plain slow. I updated to a new virus protection system and in the process removed System Works from my system. The result was immediate. My system ran like lightning. Reboots were so fast I first thought something was wrong. It shouldn't be called "system works harder" as much as "time to get a new PC". Now when my friends tell me their systems are dogs the first thing I ask them is "Do you have System Works installed?".
      jimfof1913@...
      • Same here

        In 2003 or thereabouts, my last copy of Norton expired. I let it. It had slowed my system down seriously, and took a sub-30 second bootup time and turned it into a full 2+ minute bootup. I replaced it with Avast, and my machine runs as quick as it ever did without Norton now. Wrote Symantec and told them what I thought of their bloated code and told them they'd lost a customer. They never responded (nor did I expect them to); it also seems they haven't learned a thing.
        KOS-MOS
  • Hiding is bad

    You may need root-kit technology to fight root-kit technology, but hiding things is rarely a good idea. And companies that do use hidden directories and files to protect them from casual deletion by careless users should still inform users that the files and directories are on their systems and why.
    Dr_Zinj
    • Perhaps special folder Icon

      Perhaps there could be a special vendor non-delete folder icon by MS so unknowledgeable deleters will think twice before trashing such files. MS currently provides such for Video, Music and Photos.

      Or maybe vendors can make their own special folder Icons!
      mustang_z
    • While we're on the subject of hidden items...

      I have been curious about another type of hidden area which does not get scanned by most virus and spyware checkers, the IDE Protected Area, which has been used by some BIOS and/or software for things like hibernation and standby files. You don't even see it as available drive space in FDISK, so it is really difficult to see why someone could not be hiding anything and everything malicious in there.

      Has anyone else seen anything to scan this area, and to manage it?
      gardoglee
    • No, not needed...

      There's no reason root-kits are needed to fight root-kits. The OS should just not allow anything to be hidden. Then there are *no* root-kits. Anything needing to be kept secret legitimately should be encrypted. There's no legitimate reason for any hidden files on a computing system (access rights are a different question).
      Techboy_z
  • Any tools to remove ALL of Norton?

    I posted this on a related story but thought I'd ask here too. I stopped using Norton years ago but my father is going online for the first time and he has Norton. I told him that's the first thing I want to remove, but from past experience I know Uninstall doesn't take out all of it. Any programs or tools out there that can remove all of Norton?
    OldTimer1
    • Any tools to remove ALL of Norton?

      There's always the "FORMAT" command. Norton is very difficult to remove. I usually do it by hand but a good registry cleaner should do the trick. You'll still have to remove some files by hand though.
      burke@...
    • Removing Norton

      I don't know about the Norton version, but Symantec has a program that is called NONAV. It's an unsupported tool that's available on the Corporate Edition CD. I have used it to get rid of corrupted installs and it seems to work as advertised.
      roadiebob_z
    • Removing Norton

      Best uninstaller out there!

      http://www.ursoftware.com/
      serenitywizard
  • Tempest in a teacup

    SHEESH! Anything to get posts! The "hiding" done by Symantec isn't anything like the Sony rootkit. Hiding anything on a computer is not a good idea, not for any reason. But this is like saying that a firecracker is as dangerous as dynamite. Get a grip bloggers, read up on how things work BEFORE you claim they are the same. Sony's rootkit drove me to Linux, and like W.C. Fields and the woman who drove him to drink, I have to thank them for that. I had dumped Symantec long before though; they had lost their ability to compete with the other AV offerings and began to have problems with certain operating systems.

    This is the second article I've seen this morning on a "hidden directory", announced by the company that hid it. Was the rootkit announced by Sony? Was the code to hide the directory illegally used? Does the fix to expose the directory require another download? These are not the same, just ZDNet trying to stir up traffic on a slow day.

    I guess it's better than another win/lin flamewar
    Bob J
    plumnilly
    • but....

      "This is the second article I've seen this morning on a "hidden directory", announced by the company that hid it."

      Symantec did not announce it. They admitted to it after Mark Russinovich and F-Secure pointed it out.

      "I guess it's better than another win/lin flamewar"

      That I agree with.
      Suzi_z
  • What if you disable protected trash bin?

    I've had the recycle bin protection off for some time, after I read somewhere that it slows down your system. So, what if you temporarily disable that protection? Would you still be vulnerable?
    upuaut_z