Symantec Found Using Rootkit Feature
Symantec is cleaning up a feature in Norton SystemWorks that uses a rootkit-like technique to hide a system folder from Windows. The technology works similarly to Sony BMG's controversial rootkit DRM in the way it masks files and makes them invisible to the operating system.
The Norton Protected Recycle Bin feature adds a directory called NProtect, which stores temporary copies of files that users delete. The idea was to supplement the standard Windows Recycle Bin and enable users to recover files they removed accidentally.
However, hiding a directory from Windows can open the door to vulnerabilities, as the Sony DRM rootkit debacle exposed. Malware authors were able to write viruses and worms that hid in the cloaked directory, effectively preventing scanning software from discovering their existence on a PC.
Symantec notes that on-demand scanners, including Norton AntiVirus, would discover the malware when it is loaded into memory. Still, the company isn't taking any chances after Sony's PR disaster and has issued an update to make the NProtect directory visible in the Recycle Bin.
"The NProtect directory will continue to function as it always has, and users will continue to have the ability to enable or disable the feature through the Norton Protected Recycle Bin user interface," the company said in a security advisory.
Users of Norton SystemWorks can download the patch now through LiveUpdate. "Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder. This update is provided proactively to eliminate the possibility of that type of activity."
The rootkit-like activity was discovered by Mark Russinovich of Sysinternals, who first released details on the Sony XCP software. Symantec also thanked the F-Secure Blacklight team for their assistance in resolving the potential problem.