Rootkit-like Feature Found in Norton Systemworks
GenieGenieGenie writes "eWeek reports a rootkit-like 'feature' in Symantec's Norton Systemworks, discovered by Mark Russinovich, who was also responsible for blowing the whistle on Sony's DRM rootkit. The cloaked directory is intended to prevent users from accidentally deleting important files, but could compromise a system by serving as a hiding place for malware, as was the case with Sony's rootkit. Russinovich says Symantec had good intentions, but they were right to post an update to fix this hole."
Grant money well spent (not) (Score:3, Insightful)
I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.
Gawd help us.
Before the flame wars start... (Score:5, Insightful)
This is not the Sony rootkit. It's just a directory that's not scanned by antivirus/antispyware.
And, now that its potential vulnerability has been exposed, Symantec is releasing a new version without the protected recycle bin.
In other words, too bad they had to have their wrists slapped to fix it, but there was no malicious attempt.
Re:Before the flame wars start... (Score:4, Informative)
Re:Before the flame wars start... (Score:5, Insightful)
From this point of view, Symantec is actually worse than Sony, because the latter never claims to protect your system (not that I'm saying Sony are angels). True, the reaction by Sony was just before they had a gun pointed at their company's head, but how seriously can you take a security-software company that has a rootkit in their software, acknowledges that due to developments in hacker-tech this has become a serious vulnerability (is this news at Symantec?), but still waits for some external source to publish their hole in order to fix it?
Re:Before the flame wars start... (Score:2)
Re:Before the flame wars start... (Score:3)
To be more precise, Sony installed crappy DRM software, which was implemented with rootkit technology.
Norton has a hidden directory to prevent certain files from being accidentally deleted by a user.
Sony's DRM has hidden files, to prevent the DRM software from being intentionally deleted by a user who doesn't want to have DRM crap on his/her PC. The Sony DRM software hides all files starting with a certain string. In Sony's case it is the software itself that's bei
Re:Before the flame wars start... (Score:2)
They are not evil or bad in any way by definition, but it is arguable that this behaviour is not good. This is similar to the "good virus" concept (a program that replicates itself and goes from computer to computer doing something good like cleaning up another virus).
The sony
Re:Before the flame wars start... (Score:3, Interesting)
OTOH I still recommend that Norton is removed before using my (and any other) software.. it's junk and drags the machine down to a crawl. One place that I worked tried
Re:Before the flame wars start... (Score:5, Informative)
Working for an ISP, we get a surprising number of users that can connect to the net (as in, the modem dials), but nothing works, no web, no email, nothing. Everything checks out, configs are fine and all.
But they have Norton Antivirus with their crap security. The configs for that seem fine. As soon as you uninstall that crap, everything works.
do your users a favor, have them install AVG (www.grisoft.com)
Re:Before the flame wars start... (Score:3)
I work for a local community telco here in Ipswich - Internet, mobiles, landlines - and I have to ask customers to disable, or even uninstall, Norton's "something or other" sometimes.
Those poor bastards. For years we've - a general we've, not specifically you and I - been telling people to have a virus checker, firewall, so on and so forth, and often recommending Symantec software because it used to be good, and now I gotta tell them that Norton's Security or Norton's Whatever is causing half their bloody pro
Re:Before the flame wars start... (Score:5, Informative)
> This is not the Sony rootkit. It's just a directory that's not scanned
> by antivirus/antispyware.
Let's be completely clear. It appears to be more than "a directory that's not scanned by antivirus/antispyware"
It's a directory that is cloaked from the administrator. It's not merely bypassed by the antivirus and antispyware utilities, it is hidden from anything that uses the Windows FindFirst/FindNext APIs to view and scan files and folders.
It -potentially- opens a bigger security hole than merely software that hides from antivirus. It can hide from other tools as well. But it is different from the Sony Rootkit; it doesn't open up ridiculous holes. It seems most likely that this was a case of reusing code without understanding the security implications.
> And, now that its potential vulnerability has been exposed, Symantec
> is releasing a new version without the protected recycle bin.
> In other words, too bad they had to have their wrists slapped to fix
> it, but there was no malicious attempt.
And, equally importantly, they didn't need to be dragged kicking and screaming, with the threat of lawsuits, into remediating the problem. That makes it a much smaller story.
Re:Before the flame wars start... (Score:2)
In order to do the first, you must do the second. There is no other way to do this. If the Windows APIs can see the data, then applications built on the APIs can see the data.
Re:Before the flame wars start... (Score:2, Troll)
Since we were covering the non-evilness of cookies last week, why is it that index.dat [acesoft.net] is never discussed? What does it contain and why is it tied so much to the OS?
Re:Before the flame wars start... (Score:3, Informative)
Re:Grant money well spent (not) (Score:2, Interesting)
I am sure the DHS knows what it is doing when it gives Symantec money to "secure" linux.
You "suspect" Symantec because they used a rootkit-like trick to hide the Norton NProtect feature's directory from other applications? Why is that? Do you believe that I don't want NProtect installed on my computer (NProtect is an optional feature of a software package that I choose to install)? Do you believe that Symantec is working against my interests, like Sony?
I'm not sure
Re:Grant money well spent (not) (Score:4, Insightful)
Add to this their track record: failure to detect SONY's malware, (and now they seem to have one of their own) and they are always the last to provide adequate means to remove fresh exploits (no data here, but I distinctly remember that whenever something crops up, f-prot, free-av, etc. works, and NAV comes trailing behind other antivir solutions.). Plus it is a serious resource hog - more than any antivir progs.
The first serious breach of "Do no evil" of Google was their inclusion of a Symantec product in google pack :)))
Re:Grant money well spent (not) (Score:2, Informative)
Maybe, just maybe, there are applications on that list that I do not choose to trust. Maybe I want to trust all of them. I would like to have that choice.
Or m
Uninstall vulnerable? (Score:5, Interesting)
Re:Uninstall vulnerable? (Score:4, Informative)
Re:Uninstall vulnerable? (Score:5, Informative)
No. (Score:2, Informative)
If you are still paranoid, reinstall it and run the update patch which fixes it.
Or, check out BlackLight Rootkit Elimination Technology [f-secure.com], which is supposed to eliminate (or at least detect) the rootkit.
Re:No. (Score:3, Informative)
Re:No. (Score:2)
Uninstall vulnerable? clarification (Score:2, Interesting)
Re:Uninstall vulnerable? clarification (Score:2, Informative)
It's hard to uninstall Symantec software (Score:5, Interesting)
So much for "uninstall".
Which is why I never use their stuff anymore. Truth be told, I don't think they've done anything good since. Well. Since Peter Norton still loosened his tie and programmed for a living.
I can't think of any software of theirs that I would consider putting on a system, so I can't say I'm surprised by stuff like this.
Re:It's hard to uninstall Symantec software (Score:5, Informative)
http://service1.symantec.com/SUPPORT/nav.nsf/doci
Re:It's hard to uninstall Symantec software (Score:4, Insightful)
Worse, I don't trust Symantec to really remove their software. Why doesn't uninstall remove the software? Why do I need to uninstall then run "really uninstall" to really uninstall it?
Re:It's hard to uninstall Symantec software (Score:2, Interesting)
I just found out that Sygate has been acquired by Symantec and they discontinued the free for home use firewall.... Bummed!
Symantec has never even made anything, they just buy the competition.
Re:It's hard to uninstall Symantec software (Score:2)
Re:It's hard to uninstall Symantec software (Score:2)
I googled it up but all the apps didn't like my rai
Re:It's hard to uninstall Symantec software (Score:2)
Ghost, that is the only product of theirs I can think of that is even remotely worth getting. Even though the need to install it to make a boot disk seems a bit strange...
But if I ever have a need to image a disk I'd recommend Knoppix and use partimage if you have the capacity to read simple instructions and learn without pictures...otherwise I tell the llamas to spend the $70 o
Re:It's hard to uninstall Symantec software (Score:2, Informative)
Re:It's hard to uninstall Symantec software (Score:2)
Re:It's hard to uninstall Symantec software (Score:2)
After spending days cleaning out obscure HEX GUIDs from the registry, it still didn't work. In the end my googling for the GUIDs they'd used unearthed a registry file that appeared to remove every Symantec entry
How to get unlimited free subscription (Score:5, Interesting)
Silly Symantec, not getting a real date online.
Symantec's Norton Removal Tool (Score:2, Informative)
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf
Re:It's hard to uninstall Symantec software (Score:2)
Exactly. I'm not too sure at which point their software became counterproductive trash, but lately on every system I've seen it on it seems to do more harm than good. I've lately seen a lot of XP computers with quite a lot of power and RAM which are slowed to an absolute crawl (as in, takes 5 minutes of thrashing to start IE), and the common thread is that they all seem to
Re:It's hard to uninstall Symantec software (Score:3, Insightful)
Norton's utilities were great, tiny, fast little tools that did what you wanted in a predictable way. A must have in the DOS days, and even early Windows days. As Symantec the tools seemed to get more and more bloated. Then some of the tools had to be bought separately, costing more money. They t
Deleting files (Score:4, Funny)
Re:Deleting files (Score:2, Insightful)
That's still a problem in Linux.
Re:Deleting files (Score:2)
What is the meaning of keeping files on the disk that you have deleted anyhow? That is what backups are for. I personally recommend: BackupPC [sourceforge.net] (incremental, on-the-fly, total, compressed, remote, minimal-storage and Free backup solution for Linux)
Re:Deleting files (Score:3, Informative)
Re:Deleting files (Score:2)
You mean like the Administrative account? It's not entirely MS's fault that almost everyone abuses it; most of the blame lies squarely with the third party developers. XP has been out for a long time now, there's no excuse for new software to require admin privs to run.
I know, IHBT, IHL, I will HAND, etc.
Re:Deleting files (Score:2)
I agree that devs have had half a decade to fix their crap, but MS has ha
Re:Deleting files (Score:2)
3rd party developer? You mean silly things like:
- The user created during XP install is an administrator.
- The builtin administrator account can have blank password.
- During installation the system doesn't warn you at all that you enter a blank password.
Yes, let's blame the 3rd party devs when the installation of Windows XP welcomes and encourages shitty shitty security.
Re:Deleting files (Score:2)
That said, if a workstation is part of a Windows domain, by default new users are NOT part of the local Admin
Rootkits are big now (Score:5, Interesting)
Re:Rootkits are big now (Score:3, Funny)
Dude, you slashdotted a rootkit (detection?) site.
Somewhere there's irony in that.
If you want a detector (Score:2)
$sys$Nothing 2 see here. Please move along.htm.pif (Score:2, Funny)
Heh, my "confirm you're not a script" image is "sanity."
I don't get it (Score:4, Interesting)
The cloaked directory is intended to prevent users from accidentally deleting important files
There's thousands of important files on a Windows system, and they don't need a rootkit to protect them. What's special about Norton files that make them extra-specially important?
Uninstalling Norton can be very time consuming (Score:5, Interesting)
So, I had to go to this link [symantec.com] and do it manually....talk about a pain in the #*$%.
Re:Uninstalling Norton can be very time consuming (Score:2)
Re:Uninstalling Norton can be very time consuming (Score:3, Informative)
I have to admit that manually removing Norton is always a pain in the ass but Norton has provided a total removal tool for years. Before, it was called Rnav2003 and was available for free download on their website. Newer versions of Norton require SymNRT, which is also available free on their website:
Re:Uninstalling Norton can be very time consuming (Score:3)
JUST HAVE NORTON UNINSTALL LIKE A REGULAR PROGRAM!!!!
Just what is Symantec hiding that they won't let you just get rid of their stuff when you uninstall?
Re:Uninstalling Norton can be very time consuming (Score:2)
Exactly, so you'd expect a functional installer/uninstaller to be a given.
Re:Uninstalling Norton can be very time consuming (Score:5, Insightful)
Re:Uninstalling Norton can be very time consuming (Score:2)
That's why some people (especially those with teenagers) decide to wipe disks clean and start all over again, paying $100 to have it done.
They don't really care if their machine has been rooted or "pwned", it just slows down unacceptably and then it's either disk wiping time or time to buy a new computer.
My brother is a good example of this. When I ask if he's running AV, anti-spyware and a firewall, he says yes. When I ask if he keeps all these up-to-date and installs Windows Updates, he goes - "doh"
Re:Uninstalling Norton can be very time consuming (Score:2)
I don't doubt that the software is both complex and well designed and written, but that's no reason not to provide correct uninstall functionality. If anything, you'd expect them to be *better* at that sort of thing if the rest of the software is so good...
Re:Uninstalling Norton can be very time consuming (Score:2)
Unfortunately, RNAV and SYMNRT do not work for Norton SystemWorks. Those are tools for the Antivirus. SystemWorks is still a biatch to manually remove.
Who needs Symantec? (Score:4, Interesting)
Re:Who needs Symantec? (Score:5, Insightful)
System admins use Symantec corporate solutions which have NOTHING TO DO with the stuff mentioned here.
But keep bashing Symantec. It is number 2 favorite target of geeks after real networks.
I bought it as a gift to a pure newbie computer user who is really busy with stuff rather than dll and registry hunting manually, he is happy to this day.
Re:Who needs Symantec? (Score:2)
I keep asking for a life preserver and they keep throwing cinder blocks.
Rootkits (Score:2, Insightful)
Re:Rootkits (Score:3, Informative)
Re:Rootkits (Score:2)
Wow, now with fewer holes! (Score:4, Insightful)
That's great! Our product is now better, because we turned off something bad we were previously doing!
Now that's a nice spin!
Not a Surprise (Score:2, Informative)
steps (Score:3, Insightful)
Re:steps (Score:2, Funny)
teach
user
how
to
use
BR
tags
.
Re:steps (Score:2, Informative)
Not quite the same... (Score:5, Informative)
The hidden NProtect directory at the heart of this issue has been (reasonably) common knowledge for some time. They were up-front and honest about the presence of this directory, and made frequent reference to the "hidden" and "protected" nature of said directory in documentation and marketing literature.
Also, according to Symantec's own writeup [symantec.com] on the issue, the directory was cloaked specifically so that it would work as advertised: to keep people from deleting important shit, particularly files that can't be put in the Recycle Bin.
Also, also, you need to give them a bit of credit for the fact that they worked with Mark Russinovich of Sysinternals and F-Secure in fixing this. Nobody needed to make a huge stink about the problem like the last big rootkit issue
Article doesn't say enough... (Score:5, Interesting)
Now what is interesting is that even if you have administrative privileges, you by default do not have access to that folder. You have to manually add yourself to the security on it just to open it. From the article this seems to be the exact deal with the Symantec product. They are worried that an intruder may use the location to stash files. Well guess what? That is exactly what attackers do with the System Volume Info folder. It happened to me on a system that I had an older version of the Backup Exec remote client installed on. A well known hole, thankfully it was on a test system with no access. I noticed a huge amount of outgoing connects from the box and used disk space that I could not account for. After some minor digging around I managed to find everything stashed in that hidden system folder.
So what I would really like to know, and the article doesn't specify, is Symantec actually hooking into the kernel to hide the folder from Windows, or is it just setting the permissions on the folder in a way that is similar to the System Volume Information folder? If it is the latter this is not a rootkit, it's just being sneaky. If they are hooking in, well shame on them.
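The two questions raised in this thread, whether the NProtect folder is hidden from anything that uses FindFirst/FindNext (the earlier comment) and whether that hiding is an ACL trick or an enumeration hook (this one), can be separated with a cross-view check: list the folder through the ordinary directory-enumeration API, then reach each name directly by its full path, and compare. An ACL-protected folder still shows up in the listing and merely refuses access; a folder that is absent from the listing yet reachable by name is cloaked from enumeration. The script below is an added example written for this page, not code from the thread, from Symantec or from Sysinternals. It assumes only the Python standard library; the name `NProtect` is used as a candidate to probe because the thread names it, and the `simulated_cloaking` data is constructed to show what a cloaked entry looks like, since an ordinary filesystem cannot reproduce one.

```python
"""Cross-view check: does the enumeration view of a directory agree with
direct path access?  Added example for illustration, not Symantec's or
Sysinternals' code.  Verdicts are on a per-name basis."""
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Set

# Outcomes of reaching a name by its full path, bypassing enumeration.
PRESENT = "present"   # exists and can be opened/listed
DENIED = "denied"     # exists, but access is refused (ACL-style protection)
MISSING = "missing"   # no such path


def classify(enumerated: Iterable[str], probes: Dict[str, str]) -> Dict[str, str]:
    """Combine the enumeration view with the direct-probe view.

    enumerated: names returned by the listing API (FindFirst/FindNext on
                Windows; os.scandir wraps the platform's equivalent).
    probes:     name -> PRESENT / DENIED / MISSING from a direct path lookup.
    """
    listed: Set[str] = set(enumerated)
    verdict: Dict[str, str] = {}
    for name in listed | set(probes):
        outcome = probes.get(name, MISSING)
        if name in listed:
            if outcome == DENIED:
                verdict[name] = "listed, access denied (ACL-protected, not cloaked)"
            elif outcome == MISSING:
                verdict[name] = "listed but unreachable (stale or spoofed listing)"
            else:
                verdict[name] = "listed and reachable (normal)"
        elif outcome == MISSING:
            verdict[name] = "absent (nothing to see)"
        else:
            # The key signal: reachable by name, invisible to enumeration.
            verdict[name] = "reachable by path but hidden from enumeration (cloaked)"
    return verdict


def cloaked_names(verdict: Dict[str, str]) -> List[str]:
    """Names flagged as hidden from enumeration but reachable directly."""
    return sorted(n for n, v in verdict.items() if v.endswith("(cloaked)"))


def probe_path(path: str) -> str:
    """Direct-access probe: stat, then actually try to read the object."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return MISSING
    try:
        if stat.S_ISDIR(st.st_mode):
            os.listdir(path)
        else:
            with open(path, "rb"):
                pass
    except PermissionError:
        return DENIED
    return PRESENT


def real_views(directory: str, suspects: Iterable[str]) -> Dict[str, str]:
    """Run the cross-view check on a real directory.  `suspects` are names
    to probe even if enumeration does not return them (e.g. "NProtect")."""
    enumerated = [entry.name for entry in os.scandir(directory)]
    names = set(enumerated) | set(suspects)
    probes = {n: probe_path(os.path.join(directory, n)) for n in names}
    return classify(enumerated, probes)


# Constructed scenario: the listing API omits "nprotect" although the
# directory exists, while "locked" is listed but access is refused.
simulated_cloaking = classify(
    ["notes.txt", "locked"],
    {"notes.txt": PRESENT, "locked": DENIED, "nprotect": PRESENT},
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "visible.txt"), "w").close()
        locked = os.path.join(root, "locked")
        os.mkdir(locked)
        os.chmod(locked, 0)  # stand-in for an ACL that denies the caller
        for name, v in sorted(real_views(root, ["NProtect"]).items()):
            print(f"{name:12s} {v}")
        os.chmod(locked, 0o700)  # so the temp dir can be cleaned up
    print("cloaked in simulated view:", cloaked_names(simulated_cloaking))
```

On a real Windows box the `os.scandir` view is exactly the FindFirstFile/FindNextFile view the thread describes, so an entry that only `probe_path` can see is the cloaking signature; on a plain Linux or macOS filesystem the live run will only ever report "normal" or "access denied" entries (the `chmod 0` case is reported as such unless you run as root), and the constructed `simulated_cloaking` data is what shows the cloaked verdict.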
Re:Article doesn't say enough... (Score:3, Insightful)
Odd thing is, it was pretty widely known that some anti-virus programs have rootkit-like properties; i.e. they hide directories from the
Re:Article doesn't say enough... (Score:2)
Re:Article doesn't say enough... (Score:2)
I can tell you why 'con' is not allowed. It is a device name reserved for legacy DOS stuff. Do this at a command prompt:
1.) copy con test.txt
2.) type random text you want inserted into test.txt HERE
3.) Ctrl-Z
You now have a file with the contents of what you just typed. And now for my next trick, I'll make the DOS cursor a flashing smiley-face! *bows and leaves the stage*
Re:Article doesn't say enough... (Score:3, Informative)
For instance, open cmd.exe, and type:
copy con test.txt
type some text, press
^Z (Ctrl+Z)
This is the DOS/Windows equivalent to cat > test.txt. Reading from CON reads from the standard input, writing writes to the standard output.
I always knew... (Score:2, Funny)
I don't trust their intentions (Score:2, Troll)
Re:I don't trust their intentions (Score:2)
Give me a break, I uninstall Norton Antivirus all the time. The only time it doesn't uninstall is when someone has gone in and tried to delete files related to it, or if the Windows MSI is hosed anyway. (Trust me, I supported the product for a long time...till it went to India)
99% of "problems" people have with Norton
Re:I don't trust their intentions (Score:2)
Just as well you didn't say that last week, when I was fixing my box after removing Norton. Lots of blue screens and other such crap started the moment I uninstalled it. Had to remove so much junk by hand, unfortunately I didn't know about the cleaner. There is clearly a problem here; if there wasn't why would they spend resources producing and maintaining a repair product?
99% of "problems" people ha
Re:I don't trust their intentions (Score:2)
Where was that place? (Score:2, Funny)
I was getting directions to someplace the other day, the guy said the road there was paved with "good intentions". Damn, I can't remember the name of the place... think, think...
Why is this a "rootkit"? (Score:2, Interesting)
Isn't that what a rootkit does - allow unauthorized access?
Of course, it's hiding a directory, but as mentioned by other posters, Symantec has never been very secretive about that, they just didn't come out and announce in big flashing red letters that they were creating a hidden directory. Not a lie at all, as was the case with Sony.
Now, apparentl
Re:Why is this a "rootkit"? (Score:5, Informative)
Isn't that what a rootkit does - allow unauthorized access?
The terminology being used is confusing to many people. In common parlance a rootkit is a general purpose setup to compromise a system and hide all evidence of that compromise. Usually this includes a "kernel" patch that hides the offending files and in some cases network traffic. Symantec is patching the "kernel" to hide files, and doing so is wholly unnecessary. My guess is they were not concerned about users so much as malware/worms that would automatically cripple their program. The side effect of this is worms can actually exploit this to hide themselves. It seems like a risky and invasive attempt at security through obscurity.
A big part of the problem is that they are trying to secure an inherently insecure system, without having access to the source code. Windows users are generally admin (since Windows is pretty unusable as a regular user) and local privilege escalations are common and trivial. I don't think MS even tries to fix them anymore. As a result Symantec is basically in an arms race on even footing with malware authors.
While I don't want anyone "hiding" stuff on my system, I know very well there are users out there that can be easily convinced to delete important system files...
That is part of the danger of using Windows. Clueless users have unfettered access to delete vital parts of the system and rightly believe worms and viruses can easily infect their poorly secured machines. Still, Symantec should have known this was unworkable in the long term and would result in a persistent liability.
There are better things to hyperventilate about. (Score:2)
You don't tell me that you mean... (Score:2, Interesting)
I know that nowadays Norton products are mostly crap with near-to-none options, and all non-basic functionality removed successively in every version, but this recycle bin extension comes from the good days and already saved my ass many times. (Every time I typed something like Ctrl-N, Ctrl-S, Enter, and overwrote my just finished huge file with an EMPTY file.)
The directory it used was not cloaked in any other way than setting it to "hidden". I don't know if that changed in
Just to note (Score:2, Informative)
Info can be found here:
http://securityresponse.symantec.com/avcenter/sec
Not very surprising (Score:3, Interesting)
Explanation: a fresh install of Windows XP on my father's machine, SP1 because that was the CD that came with the machine, then an install of the Norton firewall that also came with the purchase - firewall set on as paranoid as the settings allowed... plug in network, and bam! Instant infection. There aren't any settings in the stupid product for "block everything" or anything either, just security levels or whatever it was. In any case, highest whatever apparently still left ports open... impressive.
The reinstall was because their firewall and antivirus had already failed to protect the computer btw. Why anyone would use their products is way beyond comprehension. It's utter crap.
Cloaked Directory = Windows Registry (Score:2, Funny)
Is it just me, or does that sound like the Windows Registry?
Re:Sony Rootkit (Score:2)
Except for the part where they installed invasive system software even if you clicked the "No, I don't want that" button.
Or was that an 'honest mistake'?
Re:Sony Rootkit (Score:2)
Sony's rootkit was done entirely under good intentions as well (like it or not DRM is not a bad intention), and look how that turned out.
I'm not sure that your assertion is defensible. Sony wanted to make my computer less functional so that they could have more of my money. I don't consider that to be good intent.
Re:Sony Rootkit (Score:2)
I guess it's a good thing that Symantec released an automatic update via LiveUpdate that takes care of the issue then, eh?
Re:Sony Rootkit (Score:2)
DRM is not a bad intention? What about restricting your right to legally backup a CD to mp3 files? Wasn't that what they did?
Symantec were trying to benefit the user... (Score:2)
Sony's rootkit offered no benefit to the user, only to Sony.
Disclaimer: I don't and wouldn't run Norton, it's a massive hog and really gets into the depths of your system, the point
Re:WINDOWS IS IRRETRIEVABLY BROKEN (Score:2, Insightful)
The actual real (for the end user) problem I see for Windows, that other OSes do not have, is that you are required to install certain "security" software after installing the O.S. The software is, among others:
- Antivirus (Like McAfee or Norton or AVG or Sophos)
- System security programs: Kind of like Norton SystemWorks or SANDRA or Diskeeper
- Another browser (like firefox or opera)
The bad thing about that is not the number of software programs
Re:What about RAR files? (Score:2)
Indeed, I'm puzzled why we haven't heard anything more about that problem beyond the initial report [slashdot.org]. It has been nearly three weeks.
Re:systemworks is not a rootkit (Score:2)
RECYCLER is the standard recycle bin created by Windows on NTFS partitions.
It is set to hidden and system attributes by default.
Re:systemworks is not a rootkit (Score:2)
RECYCLER is the standard recycle bin created by Windows on NTFS partitions.
It is set to hidden and system attributes by default.
Systemworks may utilize it as a starting point for its own stealth directory,
but what you describe has nothing to do with what Norton installs or changes
on your machine (You need to look for nprotect).