January 11, 2006
By Michael Santo
Contributing Writer, RealTechNews
You would think that the Sony BMG rootkit would be the last rootkit we would see from a reputable software company, wouldn?t you? Apparently not, since Symantec fessed up today that it had been using a rootkit-type feature in Norton SystemWorks.
The anti-virus vendor acknowledged that it was deliberately hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.
A spokesman for Symantec referenced the Sony flap in a statement sent to eWEEK, but downplayed the risk to consumers. ?In light of current techniques used by today?s malicious attackers, Symantec re-evaluated the value of hiding the [previously cloaked] directory. Though the chance of an attacker using [it] as a possible attack vector is extremely slim, Symantec?s update further protects computers by displaying the directory,? the spokesman said.
He explained that the feature, called Norton Protected Recycle Bin, was built into Norton SystemWorks with a director called NProtect that is hidden from Windows APIs. Because it is cloaked, files in the NProtect directory might not be scanned during scheduled or manual virus scans.
?This could potentially provide a location for an attacker to hide a malicious file on a computer,? the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface. Source: eWeek
We Say: Er, Symantec had to be warned by security experts? To most consumers, Symantec is a security expert. And despite assertions that the risk was low, how long did it take people to figure out how to use the Sony BMG rootkit features to their malware advantage? Not long. Come on, Symantec, I would expect a security vendor to do better than this!
http://www.realtechnews.com/posts/2478
Topic: Symantec Admits Rootkit Usage in SystemWorks (Read 914 times)