Bloggers can't help but resurrect images of Sony BMG Music Entertainment Inc.'s rootkit fiasco
Tuesday, the Cupertino, Calif.-based AV giant fixed a flaw in its popular Norton SystemWorks program. As Symantec put it, "Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans."
Symantec acknowledged attackers could use this feature to hide malicious files on computers, and updated the product so it would display the NProtect directory in the Windows interface.
'The black hat of Symantec'
Bloggers writing about NProtect were quick to compare Symantec to Sony. The entertainment company caught hellfire for using a rootkit-based digital rights management (DRM) system to prevent CD copying. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers.
Ido Kanner talked about what he called the "black hat of Symantec" in his SecuriTeam blog posting.
"They [have] hidden the folder by using Norton Protected Recycle Bin," he said. "Now on that folder they placed files that they did not want others to delete. Or in other words: They created a rootkit.
"The Genesis song 'Jesus he knows me' has the line 'Just do as I say, don't do as I do' about a priest that does everything for money except what he's supposed to," he also said. "Well it seems that Symantec is like that priest. … I have an open suggestion for law enforcement and legislators out there: Please define such acts like Sony's and Symantec's as a crime and fine Sony and Symantec for it."
And Kanner wasn't the only one outraged. "Unbelievable… Symantec has confessed to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers," the Digital Silence blog's webmaster -- an electrical engineer who calls himself "Agitator!!" -- said in a posting. "A couple of years ago, I dumped Norton because I didn't like what Symantec was doing to users of their products. Seeing things like this just helps to reinforce that decision."
Definition of rootkit needs clarity
Symantec hardly sees this as a crime. In fact, a company spokesman e-mailed a statement to SearchSecurity.com arguing for more clarity in the information security community as to what is and isn't a rootkit.
"At this time, there are a number of rootkit definitions used in the industry and not all definitions are aligned," the company said. "Symantec is currently working with CERT, IT-ISAC and other industry leading organizations to create consensus on this definition."
As for NProtect, Symantec said it "functions differently than a rootkit." For example, the company said, "the Norton Protected Recycle Bin is detectable on a user's machine, documented for customers, gives end users a choice as to whether to enable or disable the feature and most all antivirus products will scan and detect any malicious code that could potentially be stored in it upon attempted execution."
A calmer assessment
Other bloggers took a less-heated look at Symantec's actions.
One such blogger told site visitors that, "Symantec has confessed that in an attempt to save the users from themselves… they included a form of a rootkit into the SystemWorks application." He went on to describe the nature of the problem and what Symantec has done about it, but didn't offer his opinion.
Washington Post cybersecurity expert Brian Krebs noted in his popular Security Fix blog that the Symantec flaw was discovered in part by Mark Russinovich, "the same Sysinternals researcher who investigated Sony BMG's antipiracy software.
"Symantec notes that it is not aware of any threats that try to take advantage of this functionality," Krebs said. "Still, this kind of thing underscores why it is never a good idea for companies to build their software so that it can hide from Windows and the end-user."
In the posting, he quoted Russinovich as saying, "In this case, Symantec was using cloaking techniques to protect the end user from themselves and from deleting files they might want to get back someday. But in the process, they've created a potential security risk and making it so that whole portions of the machine are unmanageable by Windows or the user."
Krebs said Russinovich plans to detail his findings in his Sysinternals blog. As of Thursday, the findings were not yet on the site.