NEWS FROM THE LAB - Friday, January 13, 2006

Cloaking without malicious intent
Posted by Mika @ 07:23 GMT

There is an ongoing discussion on the Norton SystemWorks issue (see e.g. Larry Seltzer's opinion). As a result, people are asking us how many such cases there are. Well, ever since the BlackLight beta was released on 10th March 2005, we have received reports of only a few non-malicious applications using rootkit-style cloaking. We have seen three different categories:

1) File and folder hiding software that people use e.g. to hide adult material from their family

2) System backup software hiding their backup files

3) Software protecting their processes or configuration data

There are not many applications that hide things. In fact, all in all we know of fewer than a dozen such programs, and most of them are very rare tools. Moreover, most of these cloaking apps belong to the first group (file and folder hiding software).

This is not a big issue. Many of these applications are very upfront about their hiding functionality and have been carefully designed so that malware cannot exploit the cloak. Also, it is pretty easy for malware to simply install its own rootkit on the system. On the other hand, we do not understand why benign software would need to hide something from the Administrator of the computer in the first place. If you want to prevent access to your files or processes, you should use OS access controls or encryption - not rootkit cloaking techniques.

[Image: Hidden attribute settings]

One clarification: By hiding/cloaking/stealth we mean actual filtering of operating system functionality (for example, a driver that removes entries from directory listings or process enumerations before they reach the caller). We are definitely not referring to the Windows "hidden" or "system file" attributes. By default Windows does not show files with these attributes to the user, but if the user wants to see everything, they can be made visible from the "Tools" - "Folder options" menu in Explorer.
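To make the distinction concrete, here is an added PowerShell example (written for this page; it is not code from the original post or from F-Secure). It shows that the "hidden" and "system" attributes are plain file metadata that any caller can see past, and then applies the alternative the post recommends, an explicit NTFS access control list. The scratch directory under $env:TEMP, the file name and its content are assumptions constructed for the demonstration.

```powershell
# Added example: hidden/system attributes versus a real access control.
# Scratch location is an assumption; everything here is created from scratch.
$base   = Join-Path $env:TEMP 'attr-demo'
New-Item -ItemType Directory -Path $base -Force | Out-Null
$secret = Join-Path $base 'notes.txt'
Set-Content -Path $secret -Value 'constructed sample content'

# 1) Mark the file Hidden + System. Explorer (and Get-ChildItem without -Force)
#    filters it from listings, but the file system itself is untouched.
Set-ItemProperty -Path $secret -Name Attributes `
    -Value ([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)

$default = Get-ChildItem -Path $base        | Select-Object -ExpandProperty Name
$all     = Get-ChildItem -Path $base -Force | Select-Object -ExpandProperty Name   # "show hidden files"
$direct  = [IO.File]::Exists($secret)        # any direct call sees it regardless of the attribute

"Default listing : $($default -join ', ')"   # empty
"With -Force     : $($all -join ', ')"       # notes.txt
"Direct access   : $direct"                  # True

# 2) The supported way to restrict access: an explicit ACL. Stop inheriting
#    from the parent, drop existing entries, and grant only the current user.
#    Other non-privileged accounts are refused because no ACE allows them.
$acl = Get-Acl -Path $secret
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, do not copy inherited ACEs
$acl.Access | ForEach-Object { [void]$acl.RemoveAccessRule($_) }
$me   = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$rule = New-Object Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $secret -AclObject $acl

# Show the resulting explicit permissions.
(Get-Acl -Path $secret).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The first section is what the post's image of the Folder Options dialog is about: the attribute only influences what is displayed, so toggling "show hidden files" (or passing -Force) reveals the file, and no enumeration is being filtered below the API. The second section restricts access through the operating system's own mechanism, which is visible to the Administrator and to security tools rather than hidden from them; an administrator can still take ownership of the file, which is exactly the property the post argues benign software should not try to defeat.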