
Symantec Removes Rootkit From Security Package

By Jennifer LeClaire
Jan 12, 2006 9:37 AM PT

Symantec this week released an update to Norton SystemWorks to fix a security issue that could leave a back door open for hackers: a rootkit.

A rootkit is a hacker security tool that captures passwords and message traffic to and from a computer. The tool may allow a hacker access to a so-called "back door" into a system, where he or she can collect information on other computers on the network while masking the fact that the system is compromised.

Tainted Recycle Bin

Norton SystemWorks contains a feature called the Norton Protected Recycle Bin ("NProtect"), which resides within the Microsoft Windows Recycler directory. It is used to store temporary copies of files that the user has deleted or modified. It acts as a supplement to the Windows Recycle Bin by creating a temporary backup of certain types of files that the Windows Recycle Bin does not back up.

However, NProtect is hidden from the Windows FindFirst/FindNext APIs. Since the hidden directory is not visible to Windows, the anti-virus vendor said files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.

When NProtect was first released, Symantec said hiding its contents helped ensure that a user would not accidentally delete the files in the directory. In light of current techniques used by malicious attackers, the company said it has re-evaluated the value of hiding this directory.
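A cross-view comparison is one way to find this kind of blind spot: list the same volume through the normal enumeration API and through a lower-level read, then report what only the lower-level view shows. The sketch below is an added example, not Symantec's or F-Secure's code; both listings and every path in them are constructed, and how the raw listing is collected is assumed to happen elsewhere.

```python
from collections import defaultdict
from ntpath import dirname, normcase, normpath


def norm(path):
    """Normalize a Windows path so comparisons ignore case and separators."""
    return normcase(normpath(path))


def cross_view_diff(api_view, raw_view):
    """Group entries present in raw_view but missing from api_view.

    Returns {hidden_root: [hidden paths under it]}, where hidden_root is the
    top-most hidden ancestor, so one hidden directory yields one finding
    instead of one finding per file inside it.
    """
    visible = {norm(p) for p in api_view}
    hidden = sorted({norm(p) for p in raw_view} - visible)
    hidden_set = set(hidden)
    groups = defaultdict(list)
    for path in hidden:
        root = path
        # Climb while the parent is itself hidden (stop at the volume root).
        while dirname(root) != root and dirname(root) in hidden_set:
            root = dirname(root)
        groups[root].append(path)
    return dict(groups)


# Constructed sample: what a lower-level read of the volume reports.
RAW_VIEW = [
    r"C:\RECYCLER",
    r"C:\RECYCLER\S-1-5-21-EXAMPLE",
    r"C:\RECYCLER\S-1-5-21-EXAMPLE\Dc1.txt",
    r"C:\RECYCLER\NPROTECT",
    r"C:\RECYCLER\NPROTECT\00000001.doc",
    r"C:\RECYCLER\NPROTECT\00000002.exe",
]
# Constructed sample: what FindFirst/FindNext-style enumeration returns.
API_VIEW = [
    r"c:\recycler",
    r"c:\recycler\S-1-5-21-EXAMPLE",
    r"c:\recycler\S-1-5-21-EXAMPLE\Dc1.txt",
]

if __name__ == "__main__":
    for root, members in cross_view_diff(API_VIEW, RAW_VIEW).items():
        print(f"hidden from enumeration: {root} ({len(members)} entries)")
        for m in members:
            print(f"  never reached by an API-based scan: {m}")
```

Anything reported here is a place a scanner that walks the disk through the enumeration API would never open, whatever put it there.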

Removing the Rootkit

Symantec has released an update that will make the NProtect directory visible inside the Windows Recycler directory. With this update, files within the NProtect directory will be scanned by scheduled and manual scans as well as by on-access scanners like Auto-Protect.

Symantec said the NProtect directory will continue to function as it always has, and users will continue to have the ability to enable or disable the feature through the Norton Protected Recycle Bin user interface.

Symantec's Response

"Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder. This update is provided proactively to eliminate the possibility of that type of activity," the company said in its advisory.

As a part of normal best practices, Symantec said users should keep vendor-supplied patches for all application software and operating systems up-to-date. Symantec recommends customers update their products to protect against any probability of this type of threat.

Reliving Sony's Nightmare?

At the end of 2005, Sony came under fire for peddling copyright-protected discs that planted rootkit software on customers' computers. Class action lawsuits and ongoing negative media publicity followed.

Like Symantec's rootkit, Sony's rootkit technology offered a back door for hackers and a hiding place for malicious code. Is Symantec in for some analyst bashing and consumer backlash over its rootkit incident?

Basex President and Chief Analyst Jonathan Spira says no. "This shows that everyone, even Symantec, can make a mistake. That's all," he said.

Mikko Hypponen, Chief Research Officer for F-Secure, said his firm found the rootkit back in March and informed Symantec. SystemWorks cannot be compared to actual malware that uses rootkits, he said. It is a commercial product, and the involved technology performs a task that is documented, desired and that the user pays for.

"The only problem in here is that the folder SystemWorks uses to hide its backup files can also contain other files, like viruses -- and those would be hidden too," he said.

"We haven't seen anybody actually exploit this vulnerability anywhere," he added.

