
Security Blog Wire: Symantec flaw parallels Sony BMG

By Bill Brenner
13 Jan 2006 | SearchSecurity.com



Bloggers can't help but resurrect images of Sony BMG Music Entertainment Inc.'s rootkit fiasco when talking about a security hole Symantec Corp. was forced to seal this week.

Tuesday, the Cupertino, Calif.-based AV giant fixed a flaw in its popular Norton SystemWorks program. As Symantec put it, "Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans."

Symantec acknowledged attackers could use this feature to hide malicious files on computers, and updated the product so it would display the NProtect directory in the Windows interface.

'The black hat of Symantec'
Bloggers writing about NProtect were quick to compare Symantec to Sony. The entertainment company caught hellfire for using a rootkit-based digital rights management (DRM) system to prevent CD copying. Rootkits, tools or programs used to mask software or network intrusions, are typically used only by malicious hackers.

Ido Kanner talked about what he called the "black hat of Symantec" in his SecuriTeam blog posting.

"They [have] hidden the folder by using Norton Protected Recycle Bin," he said. "Now on that folder they placed files that they did not want others to delete. Or in other words: They created a rootkit.

"The Genesis song 'Jesus he knows me' has the line 'Just do as I say, don't do as I do' about a priest that does everything for money except what he's supposed to," he also said. "Well it seems that Symantec is like that priest. … I have an open suggestion for law enforcement and legislators out there: Please define such acts like Sony's and Symantec's as a crime and fine Sony and Symantec for it."

And Kanner wasn't the only one outraged. "Unbelievable… Symantec has confessed to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers," the Digital Silence blog's webmaster -- an electrical engineer who calls himself "Agitator!!" -- said in a posting. "A couple of years ago, I dumped Norton because I didn't like what Symantec was doing to users of their products. Seeing things like this just helps to reinforce that decision."

Definition of rootkit needs clarity
Symantec hardly sees this as a crime. In fact, a company spokesman e-mailed a statement to SearchSecurity.com arguing for more clarity in the information security community as to what is and isn't a rootkit.

About Security Blog Wire

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


"At this time, there are a number of rootkit definitions used in the industry and not all definitions are aligned," the company said. "Symantec is currently working with CERT, IT-ISAC and other industry leading organizations to create consensus on this definition."

As for NProtect, Symantec said it "functions differently than a rootkit." For example, the company said, "the Norton Protected Recycle Bin is detectable on a user's machine, documented for customers, gives end users a choice as to whether to enable or disable the feature and most all antivirus products will scan and detect any malicious code that could potentially be stored in it upon attempted execution."

A calmer assessment
Other bloggers took a less-heated look at Symantec's actions.

They included Duncan McAlynn, founder of the new Boardfish.com blog, which he started last month after Symantec shut down its enterprise technical support discussion groups.

He told site visitors that, "Symantec has confessed that in an attempt to save the users from themselves… they included a form of a rootkit into the SystemWorks application." He went on to describe the nature of the problem and what Symantec has done about it, but didn't offer his opinion.

Washington Post cybersecurity expert Brian Krebs noted in his popular Security Fix blog that the Symantec flaw was discovered in part by Mark Russinovich, "the same Sysinternals researcher who investigated Sony BMG's antipiracy software."

"Symantec notes that it is not aware of any threats that try to take advantage of this functionality," Krebs said. "Still, this kind of thing underscores why it is never a good idea for companies to build their software so that it can hide from Windows and the end-user."

In the posting, he quoted Russinovich as saying, "In this case, Symantec was using cloaking techniques to protect the end user from themselves and from deleting files they might want to get back someday. But in the process, they've created a potential security risk and making it so that whole portions of the machine are unmanageable by Windows or the user."

Krebs said Russinovich plans to detail his findings in his Sysinternals blog. As of Thursday, the findings were not yet on the site.
