LinuxInsider.com
Security

Symantec Removes Rootkit From Security Package


Symantec (Nasdaq: SYMC) this week released an update to Norton SystemWorks to fix a security issue that could leave a back door open for hackers: a rootkit.

A rootkit is a hacker security tool that captures passwords and message traffic to and from a computer. The tool may allow a hacker access to a so-called "back door" into a system, where he or she can collect information on other computers on the network while masking the fact that the system is compromised.

Tainted Recycle Bin

Norton SystemWorks contains a feature called the Norton Protected Recycle Bin ("NProtect"), which resides within the Microsoft (Nasdaq: MSFT) Windows Recycler directory. It is used to store temporary copies of files that the user has deleted or modified. It acts as a supplement to the Windows Recycle Bin by creating a temporary backup of certain types of files that the Windows Recycle Bin does not back up.

However, NProtect is hidden from the Windows FindFirst/FindNext APIs. Since the hidden directory is not visible to Windows, the anti-virus vendor said files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.
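The scan gap described above can be shown with a cross-view comparison. This is an added example, not code from Symantec or the article. It assumes two listings of the same volume already exist: one gathered by walking the FindFirst/FindNext-style API, and one taken from a raw view of the disk (for example an offline image). All paths and file names below are constructed.

```python
from pathlib import PureWindowsPath

def _norm(path):
    # Windows paths compare case-insensitively; accept either separator.
    return PureWindowsPath(path.replace("/", "\\").lower())

def hidden_entries(api_view, raw_view):
    """Entries present on disk (raw view) but never returned by the API walk."""
    visible = {_norm(p) for p in api_view}
    return sorted({_norm(p) for p in raw_view} - visible)

def scan_gap(api_view, raw_view):
    """Map each topmost hidden path to the hidden entries beneath it,
    i.e. what a scanner that walks only the API view never reaches."""
    hidden = hidden_entries(api_view, raw_view)
    hidden_set = set(hidden)
    gap = {}
    for entry in hidden:
        # Ancestors ordered from the drive root down; first hit is the topmost.
        ancestors = [a for a in list(entry.parents)[::-1] if a in hidden_set]
        root = ancestors[0] if ancestors else entry
        gap.setdefault(str(root), [])
        if root != entry:
            gap[str(root)].append(str(entry))
    return gap

# Constructed sample listings (assumed layout, not taken from the article).
API_VIEW = [
    "C:\\RECYCLER",
    "C:\\RECYCLER\\S-1-5-21-CONSTRUCTED",
    "C:\\RECYCLER\\S-1-5-21-CONSTRUCTED\\Dc1.txt",
]
RAW_VIEW = [
    "C:\\RECYCLER",
    "C:\\RECYCLER\\S-1-5-21-CONSTRUCTED",
    "c:\\recycler\\s-1-5-21-constructed\\DC1.TXT",  # same file, different case
    "C:\\RECYCLER\\NPROTECT",
    "C:\\RECYCLER\\NPROTECT\\00000001.doc",
    "C:\\RECYCLER\\NPROTECT\\dropped.exe",
]

if __name__ == "__main__":
    for root, missed in scan_gap(API_VIEW, RAW_VIEW).items():
        print(f"hidden from API: {root} ({len(missed)} entries never scanned)")
```

A single hidden directory is reported once, with everything inside it listed as unscanned, which matches the article's point that any file placed there inherits the concealment.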

When NProtect was first released, Symantec said hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, the company said it has re-evaluated the value of hiding this directory.

Removing the Rootkit

Symantec has released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect.

Symantec said the NProtect directory will continue to function as it always has, and users will continue to have the ability to enable or disable the feature through the Norton Protected Recycle Bin user interface.

Symantec's Response

"Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder. This update is provided proactively to eliminate the possibility of that type of activity," the company said in its advisory.

As a part of normal best practices, Symantec said users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec recommends customers update their products to protect against any probability of this type of threat.

Reliving Sony's Nightmare?

At the end of 2005, Sony (NYSE: SNE) came under fire for peddling copyright-protected discs that planted rootkit software on customers' computers. Class-action lawsuits and ongoing negative media publicity followed.

Like Symantec's rootkit, Sony's rootkit technology offered a back door for hackers and a hiding place for malicious code. Is Symantec in for some analyst bashing and consumer backlash over its rootkit incident?

Basex President and Chief Analyst Jonathan Spira says no. "This shows that everyone, even Symantec, can make a mistake. That's all," he said.

Mikko Hypponen, Chief Research Officer for F-Secure, said his firm found the rootkit back in March and informed Symantec. SystemWorks cannot be compared to actual malware that uses rootkits, he said. It is a commercial product and the involved technology performs a task that is documented, desired and that the user pays for.

"The only problem in here is that the folder SystemWorks uses to hide its backup files can also contain other files, like viruses -- and those would be hidden too," he said.

"We haven't seen anybody actually exploit this vulnerability anywhere," he added.


By Jennifer LeClaire