Ranting and Venting

You'll see links to news articles, snippets from interviews and other web paraphernalia. This will also be a dumping ground for various stuff that I might need to get off my chest. Hence the Ranting and Venting title.


Thursday, January 12, 2006

Symantec Caught in Norton 'Rootkit' Flap

You may think that no other corporation will be dumb enough to use rootkits in their software, like Sony BMG did. Well, it seems that Symantec has been installing rootkits with their SystemWorks software.

Ryan Naraine of eWeek writes:
Symantec Corp. has fessed up to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.

The anti-virus vendor acknowledged that it was deliberately hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.

Symantec, of Cupertino, Calif., is the second commercial company caught in the flap over the use of rootkit-type techniques to hide files on computers. Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection from security scanners.

Music company Sony BMG faced a firestorm of criticism after anti-rootkit scanners fingered the use of stealthy rootkit-type techniques to cloak its DRM scheme. After malicious hackers used the Sony DRM rootkit as a hiding place for Trojans, the company suspended the use of the technology and recalled CDs with the offending copy protection mechanism.

This is nowhere near as bad as Sony's little global fiasco, but it points out an interesting trend. Customers want to know exactly what is going on in their systems. And don't dare lie to us, we've got the power to make you sweat binary.

He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a directory called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans.

"This could potentially provide a location for an attacker to hide a malicious file on a computer," the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface.

Despite the very low risk of this vulnerability, Symantec is "strongly" recommending that SystemWorks users update the product immediately to ensure greater protection. "To date, Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder," the spokesman added.

Mark Russinovich, the Windows internals guru who blew the whistle on Sony's controversial DRM rootkit, was credited with the SystemWorks discovery along with researchers at Finnish anti-virus vendor F-Secure Corp.

You can find Mark Russinovich's website, Sysinternals, in my link list or just click here. I strongly recommend using Rootkit Revealer, but you have to be careful. It is a very powerful program. There are files that are naturally hidden in Windows. Just finding something hidden does not mean you have a rootkit. Read the entire page before downloading and check out the forum if you have any questions about what you find. Never delete anything without knowing with 100% confidence what it is and where it came from.

The rest of the article can be found here:
Symantec Caught in Norton 'Rootkit' Flap
