Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Security Privacy

Rootkit-like Feature Found in Norton Systemworks 221

Posted by Zonk from the i'm-helping-i'm-helping dept.
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by the Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
This discussion has been archived. No new comments can be posted.

Rootkit-like Feature Found in Norton Systemworks More

Rootkit-like Feature Found in Norton Systemworks

Comments Filter:

  • Grant money well spent (not) (Score:3, Insightful)

    by conteXXt ( 249905 ) on Thursday January 12, 2006 @10:29AM (#14453828)
    I have always been suspect of Symantec.

    I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.

    Gawd help us.

    • Before the flame wars start... (Score:5, Insightful)

      by thepotoo ( 829391 ) <thepotoospam@yah[ ]com ['oo.' in gap]> on Thursday January 12, 2006 @10:32AM (#14453863)
      Lets get one thing clear.
      This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.

      And, now that it's potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
      In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.

      • Re:Before the flame wars start... (Score:4, Informative)

        by jim_v2000 ( 818799 ) on Thursday January 12, 2006 @10:36AM (#14453905)
        Symantec is releasing a new version without the protected recycle bin Correction, they are releasing an update via LiveUpdate that will remove the cloak from the protected recycle bin folder. The protected recycle bin will still be there. *So once you run LiveUPdate, you're fixed.

        • Re:Before the flame wars start... (Score:5, Insightful)

          by GenieGenieGenie ( 942725 ) on Thursday January 12, 2006 @11:34AM (#14454467)
          I guess the point about this whole story is not the intended malice of Symantec, but rather that ye-old first principle of medical science: If you're a doctor, trying to keep a system healthy, primum non nocere . First of all, do not harm.

          From this point of view, Symantec is actually worse than Sony, because the latter never claims to protect your system (not that I'm saying Sony are angels). True, the reaction by Sony was just before they had a gun pointed at their company's head, but how serious can you take a security-software company that has a rootkit in their software, acknowledges that due to developments in hacker-tech this has become a serious vulnerability (is this news at Symantec?), but still waits for some external source to publish their hole in order to fix it?

      • Sony did not install a "rootkit". Sony installed crappy DRM with security holes. They both created completely hidden directories to save people from themselves (regardless of personal intention). There really is very little difference.
        • Sony installed crappy DRM with security holes.

          To be more precisely, Sony installed crappy DRM software, which was implemented with rootkit technology.
          Norton has a hidden directoy to prevent certain files to be accidentally deleted by a user.
          Sony's DRM has hidden files, to prevent the DRM software to be intentionally deleted by a user who doesn't want to have DRM crap on his/her PC. The Sony DRM software hides all files starting with a certain string. In Sony's case it is the software itself that's bei

        • rootkit is very well defined, it is a program that subverts the operational system so that it become in fact invisible. The files do not show in directory listings and the process is not reported as running even thougth it is actually there.

          They are not evil or bad in way by definition, but is arguable that this behaviour is not good. This is similar to the "good virus" concept (a program that replicates it self and goes from computer to computer doing something good like cleaning up another virus).

          The sony
      • There's a way of making files so that Norton won't scan them... Symantec actually volunteered the information a couple of years ago until I pointed out that putting that in an opensource product would make expose the information to virus writers. Me and my big mouth... I should have just gone ahead and got the information & published it.

        OTOH I still recommend that Norton is removed before using my (and any other) software.. it's junk and drags the machine down to a crawl. One place that I worked tried

        • Re:Before the flame wars start... (Score:5, Informative)

          by Feyr ( 449684 ) on Thursday January 12, 2006 @11:26AM (#14454392) Journal
          it does way more than slow the machine to a crawl. it prevents it from working properly.

          working for an ISP, we get a surprising number of users that can connect to the net (as in, the modem dial), but nothing works, no web, no email, nothing. everything checks out, configs are fine and all.

          but they have norton antivirus with their crap security. the configs to that seems fine. as soon as you uninstall that crap, everything work.

          do your users a favor, have them install AVG (www.grisoft.com)

          • I work for a local community telco here in Ipswich - Internet, mobiles, landlines - and I have to ask customers to disable, or even uninstall, Nortons "something or other" sometimes.

            Those poor bastards. For years we've - a general we've, not specifically you and I - been telling people have a virus checker, firewall, so on and so forth, and often recommending Symantec software because it used to be good, and now I gotta tell them that Nortons Security or Nortons Whatever is causing half their bloody pro

      • Re:Before the flame wars start... (Score:5, Informative)

        by QuestorTapes ( 663783 ) on Thursday January 12, 2006 @11:16AM (#14454301)
        > Lets get one thing clear.
        > This is not the Sony rootkit. It's just a directory that's not scanned
        > by antivirus/antispyware.

        Let's be completely clear. It appears to be more than "a directory that's not scanned by antivirus/antispyware"

        It's a directory that is cloaked from the administrator. It's not merely bypassed by the antivirus and antispyware utilities, it is hidden from anything that uses the Windows FindFirst/FindNext APIs to view and scan files and folders.

        It -potentially- opens a bigger security hole than merely software that hides from antivirus. It can hide from other tools as well. But is is different from the Sony Rootkit; it doesn't open up ridiculous holes. It seems most likely that this was a case of reusing code without understanding the security implications.

        > And, now that it's potential vulnerability has been exposed, Symantec
        > is releasing a new version without the protected recycle bin.
        > In other words, too bad they had to have their wrists slapped to fix
        > it, but there was no malicious attempt.

        And, equally importantly, they didn't need to be dragged kicking and screaming, with the threat of lawsuits, into remediating the problem. That makes it a much smaller story.
        • It's not merely bypassed by the antivirus and antispyware utilities, it is hidden from anything that uses the Windows FindFirst/FindNext APIs to view and scan files and folders.

          In order to the first, you must do the second. There is no other way to do this. If the Windows APIs can see the data, then applications built on the APIs can see the data.


        • Since we were covering the non-evilness of cookies last week, why is it that index.dat [acesoft.net] is never discussed? What does it contain and why is it tied so much to the OS?
          • index.dat caches the contents of a folder and icon previews for previewed files such as video and image files. index.dat it what makes it possible to open huge folders full of media files without a horrendous wait *every* time you open the folder.

    • Re:Grant money well spent (not) (Score:2, Interesting)

      by Anonymous Coward
      I have always been suspect of Symantec.

      I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.

      You "suspect" Symantec because they used a rootkit-like trick to hide the Norton NProtect feature's directory from other applications? Why is that? Do you believe that I don't want NProtect installed on my computer (NProtect is an optional feature of a software package that I choose to install)? Do you believe that Symantec is working against my interests, like Sony?

      I'm not sure

    • Re:Grant money well spent (not) (Score:4, Insightful)

      by molnarcs ( 675885 ) <csabamolnar@gm a i l . com> on Thursday January 12, 2006 @10:57AM (#14454108) Homepage Journal
      I have always been suspect of Symantec. Me too. That's why I wrote this [slashdot.org] recently. Just a few weeks ago I removed yet another NAV install from a puter. This time it went well - uninstall worked fine it seems, needed just one reboot. But previously, with certain NAV releases, it was impossible to remove - or at least harder than removing spyware. Even after "uninstalling" it NAV left a lot of cruft on the system, that not only was "just there" but it loaded code at boot time. It was only possible to remove by switching to safe mode, cleaning up the registry, and removing some files manually. Symantic is EVIL!

      Add to this their track record: failure to detect SONY's malware, (and now they seem to have one of their own) and they are always the last to provide adequate means to remove fresh exploits (no data here, but I distinctly remember that whenever something crops up, f-prot, free-av, etc. works, and NAV comes trailing behind other antivir solutions.). Plus it is a serious resource hog - more than any antivir progs.

      The first serious breach of "Do no evil" of Google was their inclusion of a Symantec product in google pack :)))

    • NAV also has a "trusted application list" that will update when the 'live update' feature is run. Yet i cannot find this list, or a way to edit it. There is also no choice in accepting or declining the list. It comes along with virus def updates. Only after the Def's are downloaded can you see that "trusted application list" has been updated also.

      Maybe, just maybe, there are applictions on that list that i do not choose to trust. Maybe i want to trust all of them. I would like to have that choice.

      Or m

  • Uninstall vulnerable? (Score:5, Interesting)

    by jbeaupre ( 752124 ) on Thursday January 12, 2006 @10:29AM (#14453830)
    For those of us who dislike the pre-installed Symantec software and uninstall it first chance we get, is there still a vulnerability?

    • Re:Uninstall vulnerable? (Score:4, Informative)

      by jim_v2000 ( 818799 ) on Thursday January 12, 2006 @10:34AM (#14453883)
      If you're using any product other than Norton SystemWorks, you're fine.

    • Re:Uninstall vulnerable? (Score:5, Informative)

      by toleraen ( 831634 ) * on Thursday January 12, 2006 @10:39AM (#14453932)
      For those of us who dislike reading TFA, we'd never find out about the free utility [f-secure.com] linked in TFA to check if the rootkit is there.

    • No. (Score:2, Informative)

      by thepotoo ( 829391 )
      From what I can tell, if you uninstall it, you lose the system protected recycle bin (designed to prevent you from deleting your pr0n, actually it provides a hidden place for viruses to hide). Therefore, you're safe.
      If you are still paranoid, reinstall it and run the update patch with fixes it.
      Or, check out BlackLight Rootkit Elimination Technology [f-secure.com], which is supposed to eliminate (or at least detect) the rootkit.

      • Re:No. (Score:3, Informative)

        by Spad ( 470073 )
        Certainly on older versions of Systemworks this isn't the case. My housemate came to me after being unable to account for 8Gb of used hard disk space, after much investigation it turned out that that 8Gb consisted of files that had been in Norton Protected Recycle bin when he uninstalled it and they were still there. In the end I had to use a DOS bootdisk to delete the folder structure and free up the space.
        • I inherited a W2K system with the evil Protected Recycle Bin... and have noticed that the "Empty Bin" functions are buggy as hell. Sometimes it works (tho typically it takes several tries, and thumping on two different "Empty bin" menu items), sometimes it doesn't. The rest of SystemWorks on this machine seems to keep its claws politely out of stuff, but I'd like to get rid of its recycle bin meddling.

    • My real problem is that my mom bought a PC at Christmas. While visiting (she's a couple time zones away), I did a little tuning (firewall, firefox, openoffice, etc.) Symantecs pisses me off so it got uninstalled (replaced with Avast). But ... did the uninstall really clean everything up? I can't check in person and I'm not going to walk my mom through rootkit detection unless neccessary.
      • Ahhh - well I can sympathize with you in that case! While a straight answer would have been better, the tool that's linked in the article is very very simple to run. You hit download, open it to install, accept the EULA, and hit scan. The window is simple and well laid out, tells you if you found anything, hit next if it did, and hit exit. Should be pretty easy to walk anyone through (a lot easier than stuff like a virus scan or spyware scan).

    • It's hard to uninstall Symantec software (Score:5, Interesting)

      by tkrotchko ( 124118 ) * on Thursday January 12, 2006 @10:54AM (#14454080) Homepage
      I remember a couple years ago when I still bought and used Norton/Symantec anti-virus; it kept claiming my subscription ran out and wouldn't update the definitions. So I uninstalled and reinstalled. Same problem. After doing some searching, I realized it had installed itself all over the registry and wouldn't get out. It took a good 2 hours of hand-editing to remove all traces of Symantec from my registry.

      So much for "uninstall".

      Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.

      I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.

      • Re:It's hard to uninstall Symantec software (Score:5, Informative)

        by NVP_Radical_Dreamer ( 925080 ) on Thursday January 12, 2006 @11:27AM (#14454401) Homepage
        Not to take up for symantec, but they do offere a free utility for removing all traces of their software. They have one for each piece of software as far as I know.

        http://service1.symantec.com/SUPPORT/nav.nsf/docid /2001092114452606 [symantec.com]
      • Ghost has saved my life so often that I seriously love that tool. Apart from that, you're right.

        I just found out that Sygate has been acquired by Symantec and they discontinued the free for home use firewall.... Bummed!

        Symantec has never even made anything, they just buy the competition.
        • I love Ghost too... it's a lifesaver. However it can get expensive if you need many copies. You should also consider using the (obviously free) linux partimage [partimage.org] which can do the same things. In fact, it can make images of a greater variety of filesystem types (at least compared to the last version of Ghost I used). Even if you're running Windows boxes, you can still boot off of a Linux LiveCD, and use partimage to backup/restore partitions (in fact, there is a Linux LiveCD specifically optimized for rescuing
          • The problem im having with finding a linux backup tool (somthing like ghost which makes nice convienent images and you just click to restore) is that none of them tend to support my RAID-0 (software) array. Would anyone know of a nice convienent way to backup a complete image for my array. Im running 2 old HDD's linked together cause im too cheap to buy one big one and since the nature of RAID-0 I wouldn't mind somthing that could be clicky clicky fixed.

            I googled it up but all the apps didn't like my rai
      • I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.

        Ghost, that is the only product of thiers I can think of that is even remotely worth getting. Even though the need to install it to make a boot disk seems a bit strange...

        But if I ever have a need to image a disk I'd recommend Knoppix and use partimage if you have the capacity to read simple instructions and learn without pictures...otherwise I tell the lamaas to spend the $70 o
      • Just last week I had a hell of a time removing Norton AV after it expired. The MSI installer registry was not cleaned out and the PC thought it had extra applications the the Symantec installer had removed. NOTHING else would install that used the MSI mechanism; the installer would hang every time.

        After spending days cleaning out obscure HEX GUIDs from the registry, it still didn't work. In the end my googling for the GUIDs they'd used unearthed a registry file that appeared to remove every Symantec entry

      • How to get unlimited free subscription (Score:5, Interesting)

        by jambarama ( 784670 ) <jambarama AT gmail DOT com> on Thursday January 12, 2006 @12:41PM (#14455143) Homepage Journal
        When you install Symantec (works with McAfee too I've been told) just set the system clock forward a few years. If it installs in 2010, but then finds itself in 2006, it'll think you have a 4 year subscription. I did this when I was still in the 'give me free stuff script kiddie' mode a few years back. A friend of mine just did it and confirmed that it still works. I switched to Debian and haven't had a problem with ClamAV.

        Silly Symantec, not getting a real date online.
      • I've used this a lot lately when upgrading NAV, this is a removal tool which will nuke all traces of many Norton programs off a computer. Not as useful if you have, say, NAV and Ghost and just want to remove NAV, but if you only have NAV, this works for different versions. (As my family all uses NAV, but everyone always seems to have a different version, sticking this on my usb drive has been invaluable.)

        http://service1.symantec.com/SUPPORT/tsgeninfo.nsf /docid/2005033108162039?Open&src=&docid=200 [symantec.com]
      • I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.

        Exactly. I'm not too sure at which point their software became counterproductive trash, but lately on every system I've seen it on it seems to do more harm than good. I've lately seen a lot of XP computers with quite a lot of power and RAM which are slowed to an absolute crawl (as in, takes 5 minutes of thrashing to start IE), and the common thread is that they all seem to

      • I don't know if there is a relationship or not, but when the company was known as Norton (for Peter Norton), they had good products. When they transitioned to Symantec they seemed to make whatever they touched worse.

        Norton's utilities were great, tiny, fast little tools that did what you wanted in a predictable way. A must have in the DOS days, and even early Window days. As Symantec the tools seemed to get more and more bloated. Then some of the tools had to be bought separately, costing more money. They t

  • Deleting files (Score:4, Funny)

    by gr8_phk ( 621180 ) on Thursday January 12, 2006 @10:34AM (#14453890)
    They did it so users couldn't accidentally delete important files?? Sure would be nice if there was such thing as "root" on Windows so you could have files that every day users couldn't delete...

    • Re:Deleting files (Score:2, Insightful)

      by thepotoo ( 829391 )
      From what I understand, this is so you can't delete all your precious word documents without meaning too.

      That's still a problem in Linux.

      • How is this post insightful? Both Gnome and KDE supports the concept of a trash-can, which is pretty similar to what Windows has to offer.

        What is the meaning of keeping files on the disk that you have deleted anyhow? That is what backups are for. I personally recommend: BackupPC [sourceforge.net] (incremental, on-the-fly, total, compressed, remote, minimal-storage and Free backup solution for Linux)

    • Re:Deleting files (Score:3, Informative)

      by l2718 ( 514756 )
      Symantec's "NProtect" is a service similar to the recycle bin: when you delete a file, it is moved to a special directory and its metadata is preserved. This allows for easy undelete. As with any internal state of a program, users mucking about the special directory could cause problems (e.g. what should you do if the users deletes a file from the NProtect directory?). This has nothing to do with "root" privileges.
    • Sure would be nice if there was such thing as "root" on Windows so you could have files that every day users couldn't delete...

      You mean like the Administrative account? It's not entirely MS's fault that almost everyone abuses it; most of the blame lies squarely with the third party developers. XP has been out for a long time now, there's no excuse for new software to require admin privs to run.

      I know, IHBT, IHL, I will HAND, etc.
      • Why should the third-party developers fix Microsoft's mess? They know that everyone who buys a new computer will get a W95-like system with an "Owner" account, no password, and no hint that they should even create new accounts. Maybe 5% of those will add a password, and few of those might create extra accounts, which may or may not be limited. Plus, quite a few of those programs that won't run in limited accounts are FROM MICROSOFT!

        I agree that devs have had half a decade to fix their crap, but MS has ha
      • It's not entirely MS's fault that almost everyone abuses it; most of the blame lies squarely with the third party developers.

        3d party developer? You mean silly things like:
        - The user created during XP install is an administrator.
        - The builtin administrator account can have blank password.
        - During installation the system doesn't warn you at all that you enter a blank password.

        Yes let's blame the 3d party devs when the installation of Windows XP welcomes and encourages shitty shitty security.
    • There is such a thing as "root" on windows NT/2K/Xp/2K3. It is the local Administrators group, plus the LocalSystem account. Those accounts have the power to hide anything from regular users. The problem is, most home users run with their account as part of the local Administrators group, since Windows makes the installing user part of that group. Which was stupid design decision on the part of MSFT.

      That said, if a workstation is part of a Windows domain, by default new users are NOT part of the local Admin

  • Rootkits are big now (Score:5, Interesting)

    by filenavigator ( 944290 ) * on Thursday January 12, 2006 @10:35AM (#14453893) Homepage
    Rootkits in windows are becoming more and more of a problem. I found this interesting site the other day when looking for a rootkit detector: www.rootkit.com [rootkit.com]

  • $sys$Nothing 2 see here. Please move along.htm.pif (Score:2, Funny)

    by Anonymous Coward
    I don't see any problem here at all.

    Heh, my "confirm you're not a script" image is "sanity."

  • I don't get it (Score:4, Interesting)

    by Anonymous Coward on Thursday January 12, 2006 @10:37AM (#14453911)

    The cloaked directory is intended to prevent users from accidentally deleting important files

    There's thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that make them extra-specially important?

  • Uninstalling Norton can be very time consuming (Score:5, Interesting)

    by digitaldc ( 879047 ) * on Thursday January 12, 2006 @10:38AM (#14453921)
    I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work.
    So, I had to go to this link [symantec.com] and do it manually....talk about a pain in the #*$%.
    • Ha ha, I did support for Norton awhile back, and I dreaded going through that document on the phone with some poor SOB who managed to hose his box to the point where Norton wouldn't uninstall. LoL.
    • I have had to uninstall Norton a few times and the 'Add and Remove Programs' feature in Windows did not work. So, I had to go to this link [symantec.com] and do it manually....talk about a pain in the #*$%.

      I have to admit that manually removing Norton is always a pain in the ass but Norton has provided a total removal tool for years. Before, it was called Rnav2003 and was available for free download on their website. Newer versions of Norton require SymNRT, which is also available free on their website:
      • The alternative, of course is to:

              JUST HAVE NORTON UNINSTALL LIKE A REGULAR PROGRAM!!!!

        Just what is Symantec hiding that they won't let you just get rid of their stuff when you uninstall?
      • I have to admit that manually removing Norton is always a pain in the ass but Norton has provided a total removal tool for years. Before, it was called Rnav2003 and was available for free download on their website.

        Unfortunately, RNAV and SYMNRT do not work for Norton SystemWorks. Those are tools for the Antivirus. SystemWorks is still a biatch to manually remove.

  • Who needs Symantec? (Score:4, Interesting)

    by PhakeDC ( 932887 ) on Thursday January 12, 2006 @10:38AM (#14453925)
    Apparently insecure and/or incompetent sysadmins are behind the boom in "all-in-one-fix-'em-all" suites. Why not tackle the problems head-on yourself rather than relying on third party software which might actually jeopardise your entire system without you knowing it? And I found Norton Anti-virus to be a serious hog on system resources. It's safe to assume their other products are in the same league.

    • Re:Who needs Symantec? (Score:5, Insightful)

      by Ilgaz ( 86384 ) on Thursday January 12, 2006 @11:04AM (#14454191) Homepage
      Their target for SystemWorks is not Slashdot posting people like you and there are people who actually DELETE these files making their system unusable.

      System admins use Symantec corparate solutions which has NOTHING TO DO with the stuff mentioned here.

      But keep bashing Symantec. It is number 2 favorite target of geeks after real networks.

      I bought it as a gift to a pure newbie computer user who is really busy with stuff rather than dll and registry hunting manually, he is happy to this day.

  • Rootkits (Score:2, Insightful)

    by cyp43r ( 945301 )
    I've never much liked Norton Antivirus, and this just adds more fuel to the fire.

  • Wow, now with fewer holes! (Score:4, Insightful)

    by frostfreek ( 647009 ) on Thursday January 12, 2006 @10:44AM (#14453987)
    "...Symantec's update further protects computers by displaying the directory,"

    That's great! Our product is now better, because we turned off something bad we were previously doing!
    Now that's a nice spin!

  • Not a Surprise (Score:2, Informative)

    by u16084 ( 832406 )
    Maybe slightly off topic, but I'll speak my mind anyways. Systemworks is Very dangerous, for those that have observed how it actually installs onto a system its a scary sight, A VERY tight intergration with the OS. If a "User" rm's one of these "files" without a doubt the computer will suffer. Their intentions were good to "protect" the files, since meny users who install "Systemworks" have no clue anyways. A patch was issued (not ignored), Sony should learn from its mistakes.

  • steps (Score:3, Insightful)

    by trandism ( 835011 ) on Thursday January 12, 2006 @10:48AM (#14454031) Journal
    Steps of action when joe six-pack brings me a windoz box: 1. Uninstall Norton 2. Install AVG 3. Delete all "e"'s from everywhere 4. Install Firefox 5. Install Opera 6. Delete all Outlook shortcuts 7. Install Thunderbird 8. Install VLC and associate all media with it 9. Teach the guy to right-click/scan with AVG everything he downloads from the internet It worked nice in most occasions My 2p
    • 10.
      teach
      user
      how
      to
      use
      BR
      tags
      .

    • Re:steps (Score:2, Informative)

      by Shawn is an Asshole ( 845769 )
      Don't forget about BitDefender. It has a free on-demand scanner, and I've found it to be excellent. I gave it a try this weekend on a few computers heavily infested with spyware and viruses and it found and removed things that Spybot, Ad-Aware, Microsoft AntiSpyware, AVG Free, F-Prot, and ClamWin didn't. I'm definatly going to be using this more often.

  • Not quite the same... (Score:5, Informative)

    by drakewyrm ( 573759 ) on Thursday January 12, 2006 @10:49AM (#14454033) Homepage Journal

    The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.

    Also, according to Symantec's own writeup [symantec.com] on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.

    Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue

  • Article doesn't say enough... (Score:5, Interesting)

    by DnemoniX ( 31461 ) on Thursday January 12, 2006 @10:49AM (#14454044)
    I must have missed something in the article. All it refers to is a "cloaked" directory. Now this shouldn't surprise anyone here. This is no different than how XP works normally. By default XP hides or "cloaks" protected system directories too, namely the System Volume Information folder in the root of each partition. The only way you can find them is by selecting to show hidden files and folders and to uncheck the "hide protected operating system files" option.

    Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well known hole, thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.

    So what I would really like to know, and the article doesn't specify, is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the later this is not a rootkit, it's just being sneaky. If they are hooking in, well shame on them.
    • A "cloaked" system folder that can be made visible in Folder Options is different from a directory created by a rootkit-like piece of software. By definition, a rootkit patches the OS it's compromised so that the operating system itself cannot see the directories. It sounds to me like Symantec's actions here are very similar to what Sony BMG got in all that hot water for.

      Odd thing is, it was pretty widely known that some anti-virus programs have rootkit-like properties; i.e. they hide directories from the
  • I always knew that Norton guy was shady. Just look at the smug picture on the back of his books and other products. Plus he went and trademarked his name.
  • Given the way Norton will not uninstall without downloading a separate removal tool (and the fact they've known about this for five years but continue to ship versions that won't uninstall) I have zero confidence in Symantec having had good intentions with this.
    • Given the way Norton will not uninstall without downloading a separate removal tool (and the fact they've known about this for five years but continue to ship versions that won't uninstall)

      Give me a break, I uninstall Norton Antivirus all the time. The only time it doesn't uninstall is when someone has gone in and tried to delete files related to it, or if the Windows MSI is hosed anyway. (Trust me, I supported the product for a long time...till it went to India)

      99% off "problems" people have with Norton
      • The only time it doesn't uninstall is when someone has gone in and tried to delete files related to it

        Just as well you didn't say that last week, when I was fixing my box after removing Norton. Lot's of blue screens and other such crap started the moment I uninstalled it. Had to remove so much junk by hand, unfortunately I didn't know about the cleaner. There is clearly a problem here; if there wasn't why would they spend resource producing and maintaining a repair product?

        99% off "problems" people ha

    • The uninstall software that Symantec uses hinges on the fact that the software is intact and was functioning. If the AV or any other feature breaks, then the uninstaller is questionable at best, a system-breaker at worst. This is why I keep a copy of the cleaners on my flash drive if I run across an AV that got compromised because the dummy behind the keyboard didn't know a single thing about updating and maintenance. And a copy of the free version of Avast! Antivirus too.
  • Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole.

    I was getting directions to someplace the other day, the guy said the road there was paved with "good intentions". Damn, I can't remember the name of the place... think, think...

  • I may have missed something, but I saw nothing whatsoever in the article that sends information or provides external access without the users knowledge.

    Isn't that what a rootkit does - allow unauthorized access?

    Of course, it's hiding a directory, but as mentioned by other posters, Symantec has never been very secretive about that, they just didn't come out and announce in big flashing red letters that they were creating a hidden directory. Not a lie at all, as was the case with Sony.

    Now, apparentl

    • Re:Why is this a "rootkit"? (Score:5, Informative)

      by 99BottlesOfBeerInMyF ( 813746 ) on Thursday January 12, 2006 @11:56AM (#14454700)

      Isn't that what a rootkit does - allow unauthorized access?

      The terminology being used is confusing to many people. In common parlance a rootkit is a general purpose setup to compromise a system and hide all evidence of that compromise. Usually this includes a "kernel" patch that hides the offending files and in some cases network traffic. Symantec is patching the "kernel" to hide files, and doing so is wholly unnecessary. My guess is were not concerned about users so much as malware/worms that would automatically cripple their program. The side affect of this is worms can actually exploit this to hide themselves. It seems like a risky and invasive attempt at security through obscurity.

      A big part of the problem is that they are trying to secure an inherently insecure system, without having access to the source code. Windows users are generally admin (since Windows is pretty unusable as a regular user) and local privilege escalations are common and trivial. I don't think MS even tries to fix them anymore. As a result Symantec is basically in an arms race on even footing with malware authors.

      While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files...

      That is part of the danger of using Windows. Clueless users have unfettered access to delete vital parts of the system and rightly believe worms and viruses can easily infect their poorly secured machines. Still, Symantec should have known this was unworkable in the long term and would result in a persistent liability.

  • Mikko Hypponen, director of anti-virus research at the F-Secure Corp., said his company's BlackLight Rootkit Elimination Technology also detected the NProtect directory, which was hidden from the Windows FindFirst/FindNext APIs. "We found out about this when we shipped the first BlackLight beta in March 2005 and started getting reports back from users. Then we tested it in our own labs and confirmed the functionality in Symantec. It's not a huge problem, but I'm glad they've now fixed it," Hypponen said in
  • ...the norton recycle bin extension?

    I know that nowadays norton products are mostly crap with near-to-none options, and all non-basic funtionality removed successively in every version, but this recycle bin extension comes from the good days and already saved my ass may times. (every time i typed something like Ctrl-N, Ctrl-S, Enter, and overwrote my just finished huge file with an EMPTY file.)

    The direcory it used was not cloakrd in any other way than setting it to "hidden". I don't know if that changed in

  • Just to note (Score:2, Informative)

    by Anonymous Coward
    The symantec web site report on this states that it only affects 2005 and 2006, but I am running 2003 and it is also affected! The update fixes (supposedly) the issue. Nprotect can now be seen in the RECYCLED directory.

    Info can be found here:

    http://securityresponse.symantec.com/avcenter/secu rity/Content/2006.01.10.html [symantec.com]

  • Not very surprising (Score:3, Interesting)

    by Kristoffer Lunden ( 800757 ) on Thursday January 12, 2006 @12:53PM (#14455277) Homepage
    They have gaping holes in their firewall, so why not in more products?

    Explanation: a fresh install of Windows XP on my father machine, SP1 because that was the CD that came with the machine, then an install of the Norton firewall that also came with the purchase - firewall set on as paranoid as the settings allowed... plug in network, and bam! Instant infection. There aren't any settings in the stupid product for "block everything" or anything either, just security levels or whatever it was. In any case, highest whatever apparently still left ports open... impressive.

    The reinstall was because their firewall and antivirus had already failed to protect the computer btw. Why anyone would use thir products is way beyond comprehension. It's utter crap.
  • "The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware..."

    Is it just me, or does that sound like the Windows Registry?

Slashdot Top Deals

One man's constant is another man's variable. -- A.J. Perlis

Close