Say That Again

by Carlo Longino




You Say Rootkit, I Say Tomato

from the double-double-speak-speak dept

Symantec is denying the assertion made earlier in the week that its Norton SystemWorks product installs a rootkit. Although the company acknowledged the feature's existence, it denies it's a rootkit, calling it instead a "hidden folder". F-Secure, whose software picked up the rootkit hidden folder, says that the difference between what Symantec is doing and the Sony BMG rootkit is "ideological", and that Symantec's feature isn't anywhere near as malicious since it can be turned off or uninstalled by the user. Symantec now says it's working with some trade bodies to try to develop a definition of rootkit, and that the changing nature of malware makes hiding files no longer a viable option. All this talk still clouds the fact that the hidden folder could be used to cloak malicious files on someone's PC -- the exact sort of thing security software is supposed to prevent.

Reader Comments


  • Jeremiah, 13 Jan 2006 @ 8:01am

    Ummm...

    I would think that as a protective countermeasure, anti-virus/malware software would want to keep some of its files hidden, making them a bit more impervious to deletion/blocking by clever crapware....

    I'm probably wrong.

  • DaveTheCripple, 13 Jan 2006 @ 8:25am

    Big Deal

    Wow... Big Deal, Systemworks installs a "hidden folder" that is easily found with the "show hidden folders" setting in view file types. This is nowhere to the point of %blah% that hides the folder from everything including cmd.exe. The whole intent was to hide Norton's working, as lately there have been a slew of viruses and malware programs that disable things (Microsoft Update, Adaware, AV's, etc). It's quite easy for Systemworks to implement the hidden folder, so if a new virus was to expose it, what's to say another virus can't simply just make its OWN hidden folder!

    • Ed H., 13 Jan 2006 @ 9:49am

      Re: Big Deal

      That's incorrect. It is not simply a normal "hidden folder" that can be viewed by enabling "show hidden folders." It is hidden from the Windows FindFirst/FindNext API that scans a directory, probably by patching those Windows API functions.

  • cb, 13 Jan 2006 @ 8:26am

    hidden files

    If I pay for virus detection software or any software, then I should have the right to see any or all files or changes that the software makes to my computer. All changes or files added, register changes, etc... to your computer during a software add or change should be printed or available for you to see in either a hard copy or file format.

    Is this to much to ask ?

    • rl, 13 Jan 2006 @ 8:50am

      Re: hidden files

      I guess you don't write software. In short answer YES. However I agree that an uninstall procedure should remove ALL remnants of the software.

    • Anonymous Coward, 13 Jan 2006 @ 8:55am

      Re: hidden files

      is it too much to ask for a choice of "to install software" or "not to install software"?

      Symantec only installs if you choose to have the active features installed.

      Sony's software installs itself even if you tell it NOT to install anything at all -- no matter if you do or do not agree with the EULA.

      Symantec's directory does not "Call Home" without you first asking it to -- and in that case, it is doing what you have instructed it to do -- its "LiveUpdate" checks for newer versions of the Symantec software you choose to install.
      http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html

      Sony's software calls home and reports information about what is on your hard-drive -- no matter whose IP that data on your hard-drive belongs to.

      • Stu, 13 Jan 2006 @ 5:52pm

        Re: hidden files

        On the subject of "calling home" -
        I wonder why Symantec/Norton Systemworks calls home every time I defrag or use the other functions of the software. They might say they just want to be sure I have the latest version of the component before I use it.
        I say baloney. I can use Live Update or manually update it IF I want to. Calling home caused the software to boot very slowly while it phoned home.
        I stopped it with my free Zone Alarm firewall, and everything Norton works just fine, and boots much faster.
        It's really not that big a deal. It's the principle of the thing. It's none of their damn business!!
        Consumers are treated like prey.

    • Anonymous Coward, 13 Jan 2006 @ 9:13am

      Re: hidden files

      Is this to much to ask ?
      Please, people... for the love of god, PLEASE learn how to use to, too, and two correctly. While you're at it, learn lose and loose. No, they're not interchangeable.

      • Anonymous Coward, 13 Jan 2006 @ 9:32am

        Re: hidden files

        OH NO! NOT THE GRAMMAR POLICE!!!!! PLEASE DON'T TAKE US TO ALPHABET JAIL!

        • Travis, 13 Jan 2006 @ 9:48am

          Re: hidden files

          HAhahaahaa alphabet jail, I may be a bit out of the loop having not heard that before, but that's hillzzzarious man.
          1 point for you!

        • Anonymous Coward, 13 Jan 2006 @ 9:49am

          Re: hidden files

          OMGWTFPWNED by the grammer police.

          • redheaded_stepchild, 13 Jan 2006 @ 10:12am

            Re: hidden files

            Uh, sir, I'm going to have to cite you for misspelling 'grammar'.

            • Mecc, 13 Jan 2006 @ 10:39am

              Spyware/ Virus/ Malware

              All of this can be easily defeated. Everyone go and download your FREE copy of linux. There are no pop-ups, viruses, or malware for linux. So stop living in fear and do something about it without spending money on "anti-virus".

              • drkkgt, 13 Jan 2006 @ 11:18am

                Re: Spyware/ Virus/ Malware

                Okay, go to
                http://sarc.com/avcenter/enterprise/vinfodb.html
                in that search field in the middle, type the word Linux and see how much malware shows up.

                • Travis, 13 Jan 2006 @ 11:42am

                  Re: Spyware/ Virus/ Malware

                  drkkgt ftw
                  Malware/adware/viruses/whatever can be written just as easily for Linux as for Windows (yes Macs too). If it's a string of 1s and 0s, it can be manipulated; I don't care if it's harder, easier, or just not as common, the security holes of any OS can be exploited.
                  Granted, Linux isn't as targeted as Windows, but the guys out there are targeting Windows because it's Windows. If Linux was a pay-to-license, non-open-source OS and had as much market share as Windows, you better be damn sure people would target it just as much.
                  .02

    • Anonymous Coward, 13 Jan 2006 @ 10:47am

      Re: hidden files

      Hey dumbass.

      you do, MS hides files all the time, hence the "show hidden files" selection.

      If they didn't show the files after that selection was checked, then there would be an issue.

      Maybe you should have the frame of mind to actually FIND your answers instead of asking someone to serve it up on a silver platter for you.

      • pegagos, 13 Jan 2006 @ 11:17am

        Re: hidden files

        Microsoft Windows creates hidden folders... Nobody complains about that :)

        • Dogstar, 13 Jan 2006 @ 12:53pm

          Re: hidden files

          *** Post removed for linking to potentially dangerous website. ***

          • Anonymous Coward, 13 Jan 2006 @ 1:10pm

            Re: hidden files

            You are so right. Microsoft has files that are hidden and REMAIN hidden even when you select the 'show hidden folders' option. Check this link if you don't believe it!

            Do NOT click the above link from "Dogstar", it takes you to "http://fuckmicrosoft.com/" and will attempt to install several cookies and a virus onto your computer.

            obviously "Dogstar" knew that and this is why he hid the URL by using a free forwarding service in his phishing-style attempt to get you to visit his anti-productive website.

  • Craig, 13 Jan 2006 @ 8:47am

    What's the problem here

    What's the problem here really. It's completely obvious that this feature is not for malicious purposes and it's also obvious that you can DISABLE the feature at any time. Quit yer bitchin and quit being so paranoid.

  • Andrew Strasser, 13 Jan 2006 @ 9:06am

    Addressing the issues.

    I don't know how many people have had this problem over the past few years and it's become a nuisance. I am really glad to see that people are stepping up to the plate and trying to keep these things from being in their systems.

  • Gumby, 13 Jan 2006 @ 10:38am

    You don't even know what the folder was doing

    This folder was used in the protected recycling bin in Norton System Works. It was not malicious, it was not ever used for any virus or trojan attacks, it was completely harmless. It was that it was hidden to the user so that they didn't delete the backup data accidentally, but the files within the folder were still accessible through the system works application. Don't get me wrong, I absolutely hate rootkits, but this doesn't come close to qualifying as one. Additionally, they have already released a patch which corrects the problem. The potential for any exploits or security threats has been eliminated, because the problem has ALREADY BEEN FIXED. Sony went seriously wrong, but don't take that as an opportunity to jump on other corporations without first knowing at least the basics of what's going on.

  • Grammer Outlaw, 13 Jan 2006 @ 11:51am

    Too all the grammar loosers

    When it is illegal to use poor grammar, only illegals will use grammer poorly.

    • Anonymous Coward, 13 Jan 2006 @ 12:49pm

      Re: Too all the grammar loosers

      I dont kayr abowt grammer all thatt much. Itz just thet win peepel kommyunikait onlee in fonetix it mayks them look lyke reetardz.

      So screw up your sentence structures all you want, just use the right friggin WORD. If I needed a heart transplant, but the doctor told me I needed a Hartz Trains Plant, even if it was in an email, I would find a new doctor.

  • Miss piggy, 14 Jan 2006 @ 11:00am

    I see a pig.

    You can put lipstick on a pig, but it does not make it beautiful. You just make a pig look stupid.

  • Adam W, 15 Jan 2006 @ 10:30pm

    No Subject Given

    IMO rootkit = something that modifies the OS kernel in memory
