Symantec Closes Rootkit Hole
By Pedro Hernandez
January 12, 2006
Shades of Sony? Not so fast.
Symantec's Norton SystemWorks includes a feature called Norton Protected Recycle Bin that can restore deleted and otherwise unrecoverable files. It does this by creating a directory hidden from the Windows FindFirst/FindNext APIs and storing the data there.
Sysinternals' Mark Russinovich, also credited with blowing open the Sony rootkit controversy, and F-Secure caught wind of this behavior and worked with Symantec to resolve the situation.
In a blog post, Mikko Hypponen, F-Secure's Chief Research Officer, explains that the feature, while beneficial to users on the surface, could have allowed malware to write to the hidden directory. The danger in that scenario is that any malware residing there would have been invisible to most virus scans.
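The risk Hypponen describes rests on two properties: a directory that never appears in enumeration results is missed by any scanner that walks the file system through those results, yet it remains fully reachable by anyone who knows its path. The following added example (written for this article, not code from Symantec or F-Secure) illustrates both properties and the standard countermeasure, a cross-view comparison that diffs a raw on-disk listing against what the enumeration API reports. The hiding layer is simulated by pruning a constructed "NProtect" entry from a directory walk; the real feature hooked Windows APIs, which is not reproduced here.

```python
import os
import tempfile

# Names the simulated hiding layer strips from enumeration results.
# "NProtect" is the directory name from the advisory; the filtering
# itself is a stand-in for the real hook, not Symantec's code.
HIDDEN_NAMES = {"NProtect"}


def build_sample_tree(root):
    """Create a small constructed directory tree under root."""
    os.makedirs(os.path.join(root, "NProtect"), exist_ok=True)
    os.makedirs(os.path.join(root, "Documents"), exist_ok=True)
    with open(os.path.join(root, "Documents", "notes.txt"), "w") as f:
        f.write("visible file\n")
    # Constructed placeholder bytes standing in for a file a scanner should see.
    with open(os.path.join(root, "NProtect", "payload.bin"), "wb") as f:
        f.write(b"\x90" * 16)
    return root


def raw_view(root):
    """Ground truth: every path on disk, relative to root, from a full walk."""
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def api_view(root, hidden=HIDDEN_NAMES):
    """Simulated FindFirst/FindNext-style enumeration behind a hiding layer.

    Entries named in `hidden` are dropped from the listing, so the walk
    never descends into them and nothing beneath them is ever reported.
    """
    found = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in hidden]  # prune in place
        visible_files = [f for f in filenames if f not in hidden]
        for name in dirnames + visible_files:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def cross_view_diff(root):
    """Return paths present on disk but absent from the API view.

    A non-empty result means something is being hidden from enumeration,
    which is exactly the discrepancy a rootkit detector looks for.
    """
    return sorted(raw_view(root) - api_view(root))


def demo():
    """Build the sample tree, run the cross-view check and probe direct access."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hidden = cross_view_diff(root)
        # Direct access by full path still succeeds: enumeration-based scans
        # never see the directory, but any process that knows the path can use it.
        reachable = os.path.exists(os.path.join(root, "NProtect", "payload.bin"))
        return hidden, reachable


if __name__ == "__main__":
    hidden_paths, still_reachable = demo()
    print("hidden from API view:", hidden_paths)
    print("reachable by direct path:", still_reachable)
```

The detector relies on the two views being produced by independent code paths; if both go through the same hooked API, the diff is empty and the hidden directory stays hidden, which is why real cross-view tools compare a high-level enumeration against a lower-level read of the same volume.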
He notes that his company has not come across malware that targets that technology.
The NProtect directory was designed in this manner to prevent users from accidentally deleting its contents. Symantec's advisory states, "In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory."
Hypponen also contrasts this case with Sony's infamous missteps last year. He writes:
The main difference between the Symantec rootkit and Sony rootkit is not technical. It's ideological. Symantec's rootkit is part of a documented, useful feature; it could be turned on or off and it could easily be uninstalled by the user. Unlike Sony's rootkit.
Symantec quickly released a patch, closing the door on this potential security hole. In the related advisory (SYM06-002), the company recommends that users of Norton SystemWorks 2005/2006 and SystemWorks Premier 2005/2006 run LiveUpdate to bring their installations up to date. The changes take effect after a system reboot.