Symantec Caught in Norton ‘Rootkit’ Flap

Symantec Corp. has fessed up to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.

The anti-virus vendor acknowledged that it was deliberately hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.

Symantec, of Cupertino, Calif., is the second commercial company caught in the flap over the use of rootkit-type techniques to hide files on computers. Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection from security scanners.

Music company Sony BMG faced a firestorm of criticism after anti-rootkit scanners fingered the use of stealthy rootkit-type techniques to cloak its DRM scheme. After malicious hackers used the Sony DRM rootkit as a hiding place for Trojans, the company suspended the use of the technology and recalled CDs with the offending copy protection mechanism.

A spokesman for Symantec referenced the Sony flap in a statement sent to eWEEK, but downplayed the risk to consumers. “In light of current techniques used by today’s malicious attackers, Symantec re-evaluated the value of hiding the [previously cloaked] directory. Though the chance of an attacker using [it] as a possible attack vector is extremely slim, Symantec’s update further protects computers by displaying the directory,” the spokesman said.

Microsoft to zap Sony DRM ‘rootkit.’ Click here to read more.

He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a director called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans.

“This could potentially provide a location for an attacker to hide a malicious file on a computer,” the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface.

Despite the very low risk of this vulnerability, Symantec is “strongly” recommending that SystemWorks users update the product immediately to ensure greater protection. “To date, Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder,” the spokesman added.

Mark Russinovich, the Windows internals guru who blew the whistle on Sony’s controversial DRM rootkit, was credited with the SystemWorks discovery along with researchers at Finnish anti-virus vendor F-Secure Corp.

Russinovich, creator of the RootkitRevealer anti-rootkit utility, said the use of rootkit-type features by commercial vendors is “very worrisome.”

“It’s a bad, bad, bad idea to start hiding things in places where it presents a danger. I’m seeing it more and more with commercial vendors,” Russinovich said in an interview with eWEEK.

“When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It’s impossible to manage the security and health of that system if the owner is not in control.”

Russinovich said Symantec was “very receptive” to the warnings that the hidden directory presented a real risk to computer users. “In Sony’s case, it was meant as a benefit to Sony. In Symantec’s case, they really believed it was a benefit to the consumer. I don’t see the benefit but I think they had good intentions. They did the right thing by making this change,” he added.

Security vendors clueless over rootkit invasion. Click here to read more.

Russinovich, who plans to publish more evidence of commercial vendors using rootkits at Sysinternals.com, also pinpointed another big problem. “When you have different vendors changing the way Windows works, they start interfering with each other. Two or three rootkits on a machine could seriously change the way Windows behaves and that’s another big concern,” he said.

Mikko Hypponen, director of anti-virus research at the F-Secure Corp., said his company’s BlackLight Rootkit Elimination Technology also detected the NProtect directory, which was hidden from the Windows FindFirst/FindNext APIs.

“We found out about this when we shipped the first BlackLight beta in March 2005 and started getting reports back from users. Then we tested it in our own labs and confirmed the functionality in Symantec. It’s not a huge problem, but I’m glad they’ve now fixed it,” Hypponen said in an interview.

He confirmed Russinovich’s contention that more and more legitimate commercial vendors are using cloaking mechanisms, warning that it is a “dangerous trend,” even if the it’s not an offensive, malicious rootkit.

“The area is a little gray. We’ve seen a dozen or so commercial vendors hiding folders. Some are actual folder-hiding applications to handle things like parental controls where the target audience actually wants the folder hidden. But, even so, the risk of someone malicious making use of that hiding place is not something to ignore,” Hypponen said.

“That’s the big risk. For now, it’s completely a theoretical problem. But, as we saw in Sony’s case, the bad guys figured it out within days that they could put a Trojan in the rootkit and sail by anti-virus scanners.”

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.