Security Bytes: AV firms accused of rootkit use
Symantec, Kaspersky accused of rootkit use
Mark Russinovich, chief software architect for Austin-based Winternals Software LP, said the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits. The term usually refers to malicious software that hides files, processes or other objects from the operating system's own APIs so that neither the user nor security tools can see them. There is "no good justification" for the use of such techniques, Russinovich is quoted as saying in a report from the IDG News Service. "If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it."

Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools, the IDG News Service said. But they disagreed with Russinovich's use of the term rootkit.

Tuesday, Cupertino, Calif.-based Symantec fixed a flaw in its popular Norton SystemWorks program. As Symantec put it, "Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans." Symantec acknowledged attackers could use this feature to hide malicious files, and updated the product so it would display the NProtect directory in the Windows interface.

A company spokesman e-mailed a statement to SearchSecurity.com arguing for more clarity in the information security community as to what is and isn't a rootkit. "At this time, there are a number of rootkit definitions used in the industry and not all definitions are aligned," the company said. "Symantec is currently working with CERT, IT-ISAC and other industry leading organizations to create consensus on this definition."

Thursday, a representative from Russia-based Kaspersky said his company may follow Symantec's lead and tweak its application.
"I don't know whether we've got a plan to do that, but that's obviously one thing that we could do here," David Emm, a senior technology consultant with Kaspersky, told the IDG News Service.

In a statement issued Friday, Kaspersky denied the claim, saying that its iStreams technology used in its Anti-Virus 5.x product line, where the alleged rootkit was found, poses no threat to users. More specifically, the company said it utilizes NTFS Alternate Data Streams to hold checksum data about files on a user's system; if a checksum is unchanged, that is how the program determines that a repeat scan is not required. "NTFS Alternate Data Streams are not visible to the naked eye; special tools are required to view them," said Kaspersky. "The fact that these data streams are not automatically visible does not mean technology which utilizes these streams is malicious."

Flaw found in Microsoft Visual Studio
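The Kaspersky statement above turns on two facts about NTFS Alternate Data Streams: a named stream rides along with a file but does not show up in Explorer or a plain directory listing, and a scanner can park per-file metadata such as a checksum there. The following PowerShell session, added here as an illustration and not code from the article or from Kaspersky, writes a SHA-256 checksum into a named stream, shows that the default listing hides it, and then enumerates and reads the stream with the "special tools" Kaspersky refers to (here just the built-in `-Stream` parameters). The stream name `demo.checksum`, the temp directory and the sample file are assumptions for the demo; the article does not say what stream name iStreams uses. The last step is a general design caveat about trusting a cached checksum, not a claim about how Kaspersky's product validates it.

```powershell
# Added example (not from the article or from Kaspersky). Requires an NTFS
# volume; run in Windows PowerShell 3.0+ or PowerShell 7 on Windows.
# Stream name and sample file are assumptions for the demo.

$dir  = Join-Path $env:TEMP "ads-demo"
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir "sample.txt"
Set-Content -Path $file -Value "hello, world"   # constructed sample file

# Store the file's SHA-256 in a named stream attached to the same file.
$hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
Set-Content -Path $file -Stream "demo.checksum" -Value $hash

# 1. The default listing (and Explorer) report one small file; nothing hints
#    that a second stream is attached to it.
Get-ChildItem -Path $dir | Select-Object Name, Length

# 2. Enumerating streams reveals it. ':$DATA' is the unnamed main stream that
#    holds the normal file contents.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 3. Read the hidden data back.
Get-Content -Path $file -Stream "demo.checksum"

# 4. Sweep a directory tree for files carrying named streams. Zone.Identifier
#    is the common benign stream browsers add to downloads; filtering it out
#    leaves the ones worth a look.
Get-ChildItem -Path $dir -Recurse -File |
    ForEach-Object { Get-Item -Path $_.FullName -Stream * } |
    Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
    Select-Object FileName, Stream, Length

# 5. General caveat: anyone who can write the file can also write its streams,
#    so the presence of a stored checksum proves nothing by itself. Recompute
#    and compare before skipping a rescan.
$stored  = (Get-Content -Path $file -Stream "demo.checksum").Trim()
$current = (Get-FileHash -Path $file -Algorithm SHA256).Hash
if ($stored -eq $current) { "unchanged since hashed" } else { "file modified; rescan" }

# Named streams are deleted together with their file.
Remove-Item -Path $dir -Recurse -Force
```

From a plain command prompt, `dir /r` lists streams as well; copying a file to a FAT volume or sending it over most network protocols silently drops them, which is why a scanner that relies on a stream must treat its absence as "never scanned", not as an error.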
"Specifically, if a 'UserControl' object is added to a Form in a Visual Studio project, it will be executed whenever a user opens the form containing the 'UserControl' object," Symantec said. "The 'UserControl_Load' function will be executed without notifying the user, without prior confirmation, and without compiling or executing the project." This allows attackers to execute arbitrary code in the context of the user viewing a malicious project file, Symantec said, adding, "As viewing a project file is usually considered to be a safe operation, users may have a false sense of security by attempting to inspect unknown code prior to compiling or executing it."

Visual Studio 2005 is reportedly vulnerable, and other versions may also be affected. Symantec recommended that users not accept or open project files from untrusted or unknown sources, and that they run all software and perform all tasks as a non-privileged user with minimal access rights "to limit the consequences of successful exploitation."

Users have trouble with QuickTime fixes
Apple has published a tool for Mac OS X users that removes the suspected culprit, QuickTime 7.0.4, and restores QuickTime 7.0.1, according to the report. Posts in the forums also noted that QuickTime 7.0.4 was removed from Apple's Web site and then reposted.