IT Blogwatch

A Daily Digest of IT Blogs from Richi Jennings

Symantec fesses up (and Seuss turns in grave)

In today's IT Blogwatch, we do the rounds with Symantec's Rootkit. Not to mention the scientists in Taiwan who claim to have bred green, glow-in-the-dark pigs -- next stop: green eggs... [You're fired - Ed-I-am.]

After all the hoohah over Sony and its use of a rootkit, it seems Symantec's doing it too. We have to be thankful to Mark Russinovich, according to John Paczkowski's post from yesterday: "After the Sony rootkit debacle, you'd think we would have heard the last of reputable software companies creating hidden directories in Windows systems ... But no. Symantec just admitted that the 'Norton Protected Recycle Bin,' or 'NProtect' feature of Norton SystemWorks, deliberately conceals a directory from Windows APIs to protect the files from accidental deletion ... Unbelievable. Symantec explained its thinking in a security bulletin ... 'In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory. We have released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect.' ... embarrassing turn of events for Symantec ... bills itself as 'a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information' ... [Russinovich] alerted them to it ... 'When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It's impossible to manage the security and health of that system if the owner is not in control.'"

» tbro leaves a comment: "Nothing wrong with saving users from themselves ... except tell them it's being done and give them the option to decide for themselves if that's what they want." [This comment amongst several dissatisfied Symantec customers who appear to like any excuse for a rant]

» Michael Santo, RealtechNews: "Er, Symantec had to be warned by security experts? To most consumers, Symantec is a security expert. And despite assertions that the risk was low, how long did it take people to figure out how to use the Sony BMG rootkit features to their malware advantage? Not long. Come on, Symantec, I would expect a security vendor to do better than this!" Which raised a comment from Kevin K: "Are they just conveniently forgetting about all the previous versions and the fact it's in Norton Utilities too?!?!? I have used various rootkit revealers and not one says anything about a directory called nprotect and I can't confirm nor deny it exists. I guess it's time to get out a DOS command line utility and look for it with a binary disk editor!" And Michael responded with: "According to the Symantec website, it's only in 2005 and 2006 versions, and can be eliminated by getting a LiveUpdate. You can also use the Rootkit Revealer at Sysinternals." More from Steve: "The qualification for the rootkit in this instance is that it is not merely a standard hidden directory. It is a directory that is hidden not by adding the hidden bit to the directory information, but instead by actually altering the way Windows sees the directory at all ... Now, if someone were to place a malicious file on your computer in that location, then Windows would get a little cross-eyed trying to find the file, as would any spyware/AV tool."

» Mikko, F-Secure, blows his trumpet: "We were the ones that discovered this issue and informed Symantec about it last year - in fact this is nicely attributed in the Symantec advisory. But we want to be clear on this: what Symantec was doing here was not nearly as bad as what Sony was doing with their rootkit ... The only problem is that any malware already running on the system can copy itself to that particular folder and Systemworks will hide it completely from the user and from most on-demand antivirus scanners (but not from F-Secure Internet Security 2006, which will see it because it integrates the BlackLight rootkit detection technology) ... The main difference between the Symantec rootkit and Sony rootkit is not technical. It's ideological. Symantec's rootkit is part of a documented, useful feature; it could be turned on or off and it could easily be uninstalled by the user. Unlike Sony's rootkit."

» Carlo, Techdirt: "So the AV software is supposed to protect people from this type of thing, but who protects people from their AV software?" He points to a prescient Techdirt article from June 2005, which said: "A new study suggests that who protects people from their AV software. It appears that malicious hackers are beginning to realize this, and are having more fun attacking the security offerings than the easy targets like your operating system and browser."

Buffer overflow:

And finally... I do not like them, Sam-I-Am. I do not like Taiwanese green ham

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk. Also contributing to today's post: Judi Dey, our very own Antipodean.

What People Are Saying

Do not buy this product

Do not buy this product "Symantec Premium Anti-SPAM": the conduit.exe uses 80-100% of the CPU. I had it installed on a dual P-II XEON 550's and it still would max out the CPU every 2-3 minutes. I spent 3 hours on the phone with their tech support and they were unable to resolve the problem. I gave up and switched to GFI MailEssentials. Don't waste your money; it's a rip-off. Aside from maxing out the CPU, it did a poor job at blocking spam. I had users who received emails with text in the subject line that would make the devil blush.