Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Use of Rootkits in Symantec AV products is exaggerated

Recently, a number of media articles have claimed that Symantec is using "rootkit techniques" by hiding key control folders from the Operating System. There are some concerns, as this non-conventional approach can create install/uninstall issues, or it could be manipulated by virus writers to hide malware.

The key reason this is NOT a rootkit is that Symantec is not doing anything malicious with this approach. Symantec is trying to lock down and protect the SAV infrastructure, so that there is less risk of users accidentally discovering and manipulating the installed AV environment. The Symantec approach uses only one element of a rootkit-like technique: hiding control files from the Operating System.

To be a TRUE rootkit, there should be a malicious attribute in the design. Sometimes when "it quacks like a duck" you may not need to get the orange sauce out right away. A true rootkit hides malicious routines from the Operating System in a highly stealth-like manner, and it is far more sophisticated than stealth-like viruses or worms. Thankfully, AV products are adding additional routines to their scanning engines to begin detecting this worst class of malware better.

At first, even the Sony XCP-based approach may not have been considered a rootkit. Sony was trying to lock down digital music rights, rather than following the classical rootkit design, which is to "load highly stealth-like malware and phone home to the bad guys".

However, if a non-conventional approach like the Sony XCP controls creates "accidental" instead of "malicious" issues, then it's indeed time to get the orange sauce out. The Sony rootkit-like approach was a botched technical control, where the consequences weren't tested or properly planned for before it was placed on music CDs.

Thus, when innocent customers played these CDs on their PCs, they were impacted by a bad technical glitch in the software controls. Some folks lost CD-ROM capabilities when trying to uninstall the DRM controls or through other technical glitches. Even the Sony XCP controls may be on the borderline of being a true rootkit, as in retrospect I'm sure Sony BMG didn't intend for their customers to be impacted in this manner.

The rootkit designation does not apply in the case of Symantec taking steps to further protect their AV environment, so that virus writers won't manipulate this environment to hide malware. The original findings were beneficial. Symantec is now addressing potential issues before they occur, so that history does not repeat itself, as in the case of Sony's DRM controls.

Some of the security sites below are trying to set the record straight. I also hope for more well-researched and accurate reporting of security and technical matters in 2006.

eWeek: Symantec Caught in Norton 'Rootkit' Flap
http://www.eweek.com/article2/0,1895,1910077,00.asp

QUOTE: Symantec Corp. has admitted to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers. The anti-virus vendor acknowledged that it was hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.

Kaspersky: No rootkit in Kaspersky Anti-Virus
http://www.viruslist.com/en/weblog?calendar=2006-01

QUOTE: We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.

2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams).

3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.

To sum up: I think that the "rootkit" problem is being over-hyped. It is up to all of us in the security industry and press to be careful about how we use terms. Ordinary users, who can't analyze the situation themselves, shouldn't be misinformed.
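Kaspersky's third point above is the defensive property that matters: a hidden store is only safe to keep if the product refuses to interpret anything it did not write itself and rebuilds it instead. The following added example (not Kaspersky's or Symantec's code, and not from the original post) simulates that behaviour with a per-file checksum database kept in an ordinary sidecar file standing in for the NTFS stream; the format tag, file names and "alien" content are all constructed.

```python
"""Constructed model of a checksum store that is rebuilt whenever its contents
are not in the expected format. A plain sidecar file stands in for the hidden
NTFS stream; the format tag is hypothetical and not any vendor's real layout."""
import hashlib
import json
import tempfile
from pathlib import Path

STORE_FORMAT = "checksum-db/1"   # hypothetical format tag (assumption)


def file_digest(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_store(files: list) -> dict:
    return {"format": STORE_FORMAT,
            "entries": {p.name: file_digest(p) for p in files}}


def load_or_rebuild(store_path: Path, files: list) -> tuple:
    """Return (store, rebuilt). Anything that is not a well-formed store in the
    expected format is discarded and overwritten, never executed or trusted."""
    try:
        data = json.loads(store_path.read_text())
        ok = (isinstance(data, dict) and data.get("format") == STORE_FORMAT
              and isinstance(data.get("entries"), dict)
              and all(isinstance(k, str) and isinstance(v, str) and len(v) == 64
                      for k, v in data["entries"].items()))
    except (OSError, ValueError):
        ok = False          # unreadable or not JSON: treat as foreign content
    if ok:
        return data, False
    store = build_store(files)
    store_path.write_text(json.dumps(store))
    return store, True


def demo() -> tuple:
    """Build a store, overwrite it with foreign bytes (as if written while the
    product was offline), reload it, and report what survives."""
    with tempfile.TemporaryDirectory() as d:
        workdir = Path(d)
        files = []
        for name, content in (("a.txt", b"hello"), ("b.txt", b"world")):
            (workdir / name).write_bytes(content)
            files.append(workdir / name)
        store_path = workdir / "checksums.db"       # stand-in for the stream
        store_path.write_text(json.dumps(build_store(files)))
        _, rebuilt_first = load_or_rebuild(store_path, files)   # intact store
        store_path.write_bytes(b"ALIEN DATA written while scanner was disabled")
        _, rebuilt_second = load_or_rebuild(store_path, files)  # rebuilt
        return rebuilt_first, rebuilt_second, store_path.read_text()
```

The first load keeps the intact store; the second finds unrecognized content, rebuilds from the real files, and the foreign bytes are gone.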

Other Links

F-Secure: Cloaking without malicious intent

F-Secure: The "Symantec rootkit"