
Symantec plugs vulnerability caused by its hidden directory

Tags: Rootkits, John McCormick, Symantec Corp., security, Norton Co., rootkit, IT Locksmith Newsletter


Takeaway: Sony is apparently not the only company with the penchant for hiding files on users' computers—security vendor Symantec recently 'fessed up to similar practices. While its intentions were good, the hidden directory could make the perfect hiding place for a hacker's malicious files. In this edition of the IT Locksmith, John McCormick has the details on this threat, and he tells you what the FBI's recent computer crime survey revealed.

Large media conglomerates are apparently not the only ones hiding files and directories on PCs unbeknownst to users: Symantec has admitted to planting a hidden directory on Windows systems that hackers could use to hide malicious files. Meanwhile, a recent FBI study reports that security attacks cost U.S. businesses $67 billion over a 12-month period.

Details

It seemed bad enough when a major music company was surreptitiously planting dangerous rootkit files on users' PCs last November. But now, it turns out that security vendor Symantec has been doing something similar all along with Norton SystemWorks. In what must have been more than a little humiliating, not to mention ironic, for Symantec executives, it was competing security vendor F-Secure that discovered the rootkit. (F-Secure was also among the researchers who uncovered the Sony BMG rootkit.)

The problem in this case lies with the Norton Protected Recycle Bin and its hidden NProtect directory. Just to be clear: Symantec isn't doing anything damaging or wrong in itself. In no way was this an attack, a way to track users, or any other invasion of users' privacy.

The problem is that malware distributors can take advantage of the directory, which Symantec created for a perfectly legitimate and reasonable purpose: holding copies of deleted files so the Protected Recycle Bin can restore them. However, rootkit-style cloaking just isn't a good idea for any purpose these days. Because the directory is hidden from the Windows file-system APIs, anything placed in it, whether by Norton or by a hacker, would be invisible to most antivirus and other security programs that rely on those APIs to enumerate files.

For its part, Symantec argues that this isn't really a rootkit threat and says that its security programs would scan any program in the directory if it attempted to execute. However, the security vendor has released an update that makes the previously hidden NProtect directory visible.

The threat, which Secunia has rated "not critical," applies to Norton SystemWorks 2005 and 2006, as well as SystemWorks Premier 2005 and 2006. Since the fix is in, just run the Symantec LiveUpdate service to automatically fix the problem.

If you're one of those trusting individuals who leaves LiveUpdate enabled to run automatically, your PC may already have the fix applied. Keep in mind that the fix does require a reboot. However, there have been no reports of this vulnerability being exploited at this time, so you can probably wait until you have adequate time to schedule the reboots across the network.
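Once LiveUpdate has run and the machine has rebooted, it is worth confirming that the directory really is visible and seeing what is in it. The following PowerShell check is an added example written for this column, not code from Symantec or from the original article. It assumes that the NProtect directory sits at the root of each fixed drive (adjust $DirName if your installation differs) and that the directory keeps the ordinary Hidden attribute after the update, so -Force is required to list it.

```powershell
# Added post-fix check (not from the column or from Symantec).
# Assumption: NProtect lives at the root of each fixed drive.
$DirName = 'NProtect'
$Execs   = '.exe','.dll','.sys','.scr','.com','.cpl','.ocx'

Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    $root = $_.DeviceID + '\'

    # -Force is needed: the directory still carries the Hidden attribute after
    # the update. What the update removes is the driver-level cloaking that
    # kept the directory out of ordinary API enumeration altogether.
    $dir = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer -and $_.Name -ieq $DirName }

    if (-not $dir) {
        # Absence is ambiguous: SystemWorks not installed, update not applied,
        # or the required reboot not yet done. Do not treat it as "clean".
        "{0}: no visible {1} directory (not installed, update not applied, or not yet rebooted)" -f $root, $DirName
        return
    }

    $files = @(Get-ChildItem -LiteralPath $dir.FullName -Force -Recurse -File -ErrorAction SilentlyContinue)
    "{0}: {1} is visible, {2} file(s)" -f $root, $dir.FullName, $files.Count

    # Executable content sitting in a recycle-bin directory deserves an
    # on-demand scan; the hashes let you check each file against your AV
    # vendor or a multi-engine lookup service.
    $files | Where-Object { $Execs -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                LastWrite = $_.LastWriteTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
}
```

Run it from an elevated prompt so every drive root can be enumerated. Note that the listing comes from the same Windows APIs a scanner uses, so it can only confirm that the directory is no longer cloaked; it cannot detect a directory that is still being hidden by a driver. For that you need a cross-view rootkit detector that compares the API view with a raw read of the volume.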

For more information, read the entire Symantec report, which explicitly credits F-Secure with discovering the flaw.

Although the FBI probably wasn't thinking about Sony and Symantec when it began the study, its recently released 2005 FBI Computer Crime Survey indicates that computer crime costs have reached $67 billion a year—and that doesn't include the cost of security measures to thwart attacks. And don't blame Eastern Europe or third-world countries for hosting these hackers; the United States and China combine to lead the world as the source of half of all attacks.

The average loss for a single incident in a corporate environment is $24,000. By contrast, the total loss to telecommunication fraud was only $1 billion. But don't feel left out as an individual: identity theft cost Americans roughly $52.6 billion in 2004.

If you have experienced an attack but thought yours was the only IT department afflicted by virus or spyware attacks and port scans, consider this: The FBI study, which surveyed more than 2,000 public and private organizations in four states, found that only 9 percent of respondents had reported attacks to law enforcement agencies, largely because they didn't expect any real help.

Surprisingly, 91 percent of those who did report attacks said they were satisfied by the response, and more than 80 percent who had gone this route would do so again. (Then again, of course that's what they said to the FBI.)

Final word

Regarding the proliferation of rootkit malware planted by legitimate businesses—and now even security firms—I did my accounting in an MS-DOS version of Lotus 1-2-3 for a decade, but now I use an older version of Excel. Why? Is it because I can't afford QuickBooks? Or I can't learn how to use it?

Actually, I have several copies of QuickBooks because I've reviewed them for various publications, and I've found it to be very good software. So why don't I use it?

It's simple: I can see exactly what the rules are in a spreadsheet that I've programmed for myself. But I have no way of knowing what's hiding behind the scenes in a commercial accounting program. (While the situation used to be much worse with low-end accounting programs filled with errors, those days are past.) However, several years ago, just as I was about to switch from my own spreadsheet bookkeeping to a fancy commercial version, I began to worry about what other code might be lurking in the software.

I can avoid possible accounting traps because I have a small company. Of course, big companies don't have that luxury. Unfortunately, none of us can program and maintain our own security software, especially antivirus software, so I have always worried about what antivirus software might be doing unnoticed in my PC.

In fact, Symantec's LiveUpdate service once blocked my office suite from working for a few days. That was when I shut off everything except virus signature updates and switched to manual updates. And now we learn that the company was also planting hidden directories that anyone could use, and I once again feel vindicated about my professional paranoia.

And don't forget to check out my TechRepublic blog for my uncensored opinions on what's happening in the security arena and to see what didn't make the cut for this week's article.


Also watch for…

  • With more than half a million infections under its belt already, the Nyxem worm is spreading quickly. See F-Secure's report for more details.
  • Cisco Systems has released fixes for flaws in its software for routers and Internet-based telephony.
  • For its quarterly update, Oracle has released fixes for 37 flaws related to Oracle's Database products, 17 related to Application Server, 20 to the Collaboration Suite, 27 to E-Business Suite and Applications, one to PeopleSoft's Enterprise Portal and one in JD Edwards software.
  • Microsoft has announced plans to release Windows XP Service Pack 3 in the second half of 2007.


John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.
