January 11th, 2006

Symantec confesses to using rootkit technology

Posted by Suzi Turner @ 10:04 pm

Categories: General

Oh, dear. We’re just getting over the Sony DRM rootkit ruckus, and now we have a security company hiding software components from Windows APIs with rootkit technology. News.com reports that Symantec Corp.’s spokesperson admitted to using this rootkit-type feature in Norton SystemWorks to hide a directory so customers wouldn’t accidentally delete files. The problem was that the hidden directory could also provide a convenient hiding place for attackers to place malicious files. Due to the vulnerability, Symantec has issued an update for SystemWorks and is "strongly recommending" that users update the software immediately. Link here.

Mark Russinovich of SysInternals, along with security company F-Secure, was credited with discovering the rootkit feature in SystemWorks. Russinovich, the developer of the rootkit scanner Rootkit Revealer, also discovered the Sony DRM rootkit. Russinovich is quoted as saying:

It’s a bad, bad, bad idea to start hiding things in places where it presents a danger. I’m seeing it more and more with commercial vendors, [...]

When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It’s impossible to manage the security and health of that system if the owner is not in control.

Russinovich is planning to publish more information about commercial vendors using rootkit technology, according to eWeek. At spyware help forums like SpywareWarrior, we are advising users to run rootkit detection apps more frequently as a result of spyware infestations from threats like the AOL Instant Messaging worm. It will be interesting to see what other non-malware is found using rootkits to hide. Stay tuned for more on this unfolding situation.
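The reason rootkit scanners such as Rootkit Revealer can find a cloaked directory like the one described above is that they compare two views of the same file system: what the high-level Windows API reports and what a lower-level enumeration reports. Anything present in the low-level view but missing from the API view is being hidden from the user. The following Python script is an added illustration of that cross-view principle; it is not code from this post, from Sysinternals or from Symantec. Because real cloaking requires a kernel-mode filter driver, the script simulates the hiding with a name filter on a constructed directory tree (the directory name `example_hidden_dir` and file name `dropped.dll` are made up for the example), then reports every path that only the unfiltered view can see.

```python
"""Cross-view detection of cloaked directory entries (added example).

A high-level enumeration (the "API view") is compared with a low-level
enumeration (the "raw view").  Entries that appear only in the raw view
are being hidden from the user; entries that appear only in the API view
are phantoms (stale or fabricated).  The cloaking itself is simulated
with a name filter because real hiding needs a kernel driver.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Constructed name for the directory that the simulated filter hides.
CLOAKED_NAME = "example_hidden_dir"


def _rel(root, dirpath, name):
    """Path relative to root, normalised to forward slashes for comparison."""
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")


def raw_view(root):
    """Low-level view: every entry beneath root, nothing filtered."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            found.add(_rel(root, dirpath, name))
    return found


def api_view(root, hidden_names=(CLOAKED_NAME,)):
    """High-level view with a simulated cloaking filter.

    Any entry whose name is in hidden_names is dropped, and the walk does
    not descend into a hidden directory, which is how a filter driver that
    hides a directory would make it look to ordinary applications.
    """
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in hidden_names]  # prune
        visible_files = [f for f in filenames if f not in hidden_names]
        for name in dirnames + visible_files:
            found.add(_rel(root, dirpath, name))
    return found


@dataclass
class Discrepancies:
    cloaked: set = field(default_factory=set)  # in raw view, not in API view
    phantom: set = field(default_factory=set)  # in API view, not in raw view


def cross_view_diff(high, low):
    """Report entries the two views disagree on; an empty result is clean."""
    return Discrepancies(cloaked=low - high, phantom=high - low)


def build_sample_tree(root):
    """Constructed sample tree: ordinary files plus a cloaked dir with a payload."""
    os.makedirs(os.path.join(root, "docs"))
    open(os.path.join(root, "docs", "readme.txt"), "w").close()
    hidden = os.path.join(root, CLOAKED_NAME)
    os.makedirs(hidden)
    open(os.path.join(hidden, "dropped.dll"), "w").close()


def scan_sample():
    """Build the sample tree in a temp dir and return (cloaked, phantom) paths."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        diff = cross_view_diff(api_view(root), raw_view(root))
        return sorted(diff.cloaked), sorted(diff.phantom)


if __name__ == "__main__":
    cloaked, phantom = scan_sample()
    for path in cloaked:
        print("hidden from API view:", path)
    for path in phantom:
        print("phantom in API view:", path)
```

On a real system the two views would come from different layers (for example the documented directory API versus direct parsing of the volume), and the only thing that changes in the detector is where `raw_view` gets its data; the comparison logic stays the same.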

Update Jan. 12: I received an email from a reader today who pointed out that using the term "rootkit" was incorrect in this case. Larry Seltzer at eWeek writes "some rootkits are worse than others". Wikipedia’s definition of a rootkit:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

And the functions of a rootkit:

A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard. In many instances, rootkits are counted as trojan horses.

So, was Symantec using a rootkit or not? I’d like to hear Mark Russinovich’s take, but he has not written about Symantec on his blog.

