NEWS FROM THE LAB - Thursday, January 12, 2006

The "Symantec rootkit" Posted by Mikko @ 18:39 GMT

There has been quite a bit of media coverage on the "Symantec rootkit".

We were the ones who discovered this issue and informed Symantec about it last year; in fact, this is nicely attributed in the Symantec advisory.

But we want to be clear on this: what Symantec was doing here was not nearly as bad as what Sony was doing with their rootkit.

Norton SystemWorks has a feature called "Protected Recycle Bin". This feature is intended to enable the user to recover deleted files that would otherwise be unrecoverable. These files are stored in a folder typically called C:\Recycler\Nprotect, and this folder is hidden from directory listings with rootkit-like techniques. There's nothing inherently wrong with this.

The only problem is that any malware already running on the system can copy itself to that particular folder, and SystemWorks will then hide it completely from the user and from most on-demand antivirus scanners (but not from F-Secure Internet Security 2006, which will see it because it integrates the BlackLight rootkit detection technology). Note that this does not give malware a way onto the machine; it only gives code that is already there a place to stay out of sight.

However, we haven't seen any malware which would even attempt to do that.
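To make the stealth problem concrete, here is an added example (not F-Secure's or Symantec's code, and not a reproduction of how the real NProtect driver hooks the file system). It builds a constructed directory tree with a "Nprotect" folder, simulates a directory-enumeration hook that drops that folder from the API view, and then shows why a scanner that trusts the API misses a file dropped there while a cross-view comparison (diffing a filtered API listing against an unfiltered on-disk listing, the general idea behind rootkit detectors of this kind; whether BlackLight worked exactly this way is not stated on this page) brings it back. The folder name, the case-insensitive match and the two-byte "MZ" signature are assumptions for illustration only.

```python
"""Cross-view detection of files hidden inside a filtered directory.

Added example for the post above; not F-Secure's or Symantec's code.
Constructed sample tree, simulated enumeration hook, assumed folder name.
"""
import os
import tempfile

# Assumed: the hidden folder is matched by name, case-insensitively.
HIDDEN_DIR_NAME = "nprotect"


def _rel(root, path):
    """Root-relative path with '/' separators, so results are the same on any OS."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_sample_tree(root):
    """Constructed sample: a fake Recycler folder, the protected NProtect
    folder, a legitimately protected file, and a dropped 'malware' file."""
    recycler = os.path.join(root, "Recycler")
    nprotect = os.path.join(recycler, "Nprotect")
    os.makedirs(nprotect)
    with open(os.path.join(recycler, "INFO2"), "wb") as f:
        f.write(b"recycle bin index (constructed)")
    with open(os.path.join(nprotect, "recovered.doc"), "wb") as f:
        f.write(b"protected deleted document (constructed)")
    with open(os.path.join(nprotect, "dropper.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 14)  # constructed stand-in for malware
    return root


def raw_view(root):
    """'Low-level' view: walk the tree with no filtering at all. Stands in
    for reading the file system below the hooked enumeration API."""
    paths = set()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            paths.add(_rel(root, os.path.join(dirpath, name)))
    return paths


def hooked_view(root):
    """'High-level' view: the same walk, but a directory whose name matches
    HIDDEN_DIR_NAME is pruned, so neither it nor anything inside it is
    listed. This simulates a filtering hook on directory enumeration."""
    paths = set()
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() != HIDDEN_DIR_NAME]
        for name in dirnames + filenames:
            paths.add(_rel(root, os.path.join(dirpath, name)))
    return paths


def cross_view_diff(api_listing, raw_listing):
    """Entries present on disk but missing from the API view: hidden objects."""
    return sorted(raw_listing - api_listing)


def _has_signature(root, rel, signature):
    p = os.path.join(root, rel)
    if not os.path.isfile(p):
        return False
    with open(p, "rb") as f:
        return f.read(len(signature)) == signature


def naive_scan(root, signature=b"MZ"):
    """On-demand scanner that trusts the hooked API: it never sees the dropper."""
    return sorted(r for r in hooked_view(root) if _has_signature(root, r, signature))


def cross_view_scan(root, signature=b"MZ"):
    """Scanner that additionally inspects whatever the cross-view diff uncovers."""
    hidden = cross_view_diff(hooked_view(root), raw_view(root))
    return sorted(r for r in hidden if _has_signature(root, r, signature))


def demo():
    """Build the sample tree and return (hidden entries, naive hits, cross-view hits)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hidden = cross_view_diff(hooked_view(root), raw_view(root))
        return hidden, naive_scan(root), cross_view_scan(root)


if __name__ == "__main__":
    hidden, naive, xview = demo()
    print("hidden by the enumeration filter:", hidden)
    print("naive (API-only) scan hits:      ", naive)
    print("cross-view scan hits:            ", xview)
```

The point of the two scanners is the one the post makes: the hook does not change the bytes on disk, it only changes what enumeration returns, so any scanner built on the same enumeration inherits the blind spot, while a second, independent view of the same directory exposes it.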

The main difference between the Symantec rootkit and the Sony rootkit is not technical. It's ideological. Symantec's rootkit is part of a documented, useful feature; it could be turned on or off, and it could easily be uninstalled by the user, unlike Sony's rootkit.

So we don't think this was that big a deal. But we're happy it has been fixed before anybody really attempted to exploit it.