First Sony and now Symantec. Who’s next to admit using rootkits?

Remember the big uproar that broke out over Sony’s use of rootkits to hide copy protection on recent music CDs? You’d think that would be enough to get any other companies using rootkits to step forward and fess up before they were discovered, if for no other reason than to stay on their customers’ good side, right? Well, you’d be wrong.

Turns out Symantec’s System Works installs a rootkit on your PC as well:

Symantec Corp. has fessed up to using a rootkit-type feature in Norton SystemWorks that could provide the perfect hiding place for attackers to place malicious files on computers.

The anti-virus vendor acknowledged that it was deliberately hiding a directory from Windows APIs as a feature to stop customers from accidentally deleting files but, prompted by warnings from security experts, the company shipped a SystemWorks update to eliminate the risk.

I thought Symantec billed themselves as security experts, so why would it take some other security experts to point out the potential problem with their rootkit to get them to stop using it? In this case at least it wasn’t about hiding copy protection, but rather the directory used by the “Norton Protected Recycle Bin” feature of System Works, which lets you recover crap you’ve deleted from the normal recycle bin—a sort of recycle bin for the recycle bin. The intention here wasn’t so much to hide the directory as to protect those files from being accidentally deleted by clueless users and thereby breaking the feature.

“This could potentially provide a location for an attacker to hide a malicious file on a computer,” the company admitted, noting that the updated version will now display the previously hidden directory in the Windows interface.

Despite the very low risk of this vulnerability, Symantec is “strongly” recommending that SystemWorks users update the product immediately to ensure greater protection. “To date, Symantec is not aware of any attempts by hackers to conceal malicious code in the NProtect folder,” the spokesman added.

Once again Windows guru Mark Russinovich is credited with discovering the rootkit, along with the folks at anti-virus vendor F-Secure Corp. Speaking of Mark, he has an excellent, must-read article on his Sysinternals blog about how some disreputable anti-spyware companies deliberately infect your PC with spyware and viruses to convince you to buy their product:

The most innocuous of malware-like antimalware behaviors is to advertise with web site banners and popups that mislead average users into thinking that they have a malware problem. Most of the advertisements look like Windows error dialogs complete with Yes and No buttons, and although the word “advertisement” sometimes appears on the dialog background, the notice is usually small, faded and far from the area where users focus their attention. Even more unlike Windows dialogs, however, is the fact that clicking anywhere on the image, even the part that looks like a No button, results in the browser following the underlying link to the target page. Here’s an example I ran across recently on a popular web site:

A click on the image took me to a page at The page looks like an Internet Explorer error message, again probably to mislead unsophisticated surfers into following its directions, and it guides visitors to download and install an antispyware utility called Spyware Cleaner.

Even on a freshly installed copy of Windows XP, Spyware Cleaner reports close to a dozen “extreme risk” and “high risk” infections that include innocuous items like cookies left by and several built-in Windows COM components, including RDSHost.exe, the Remote Desktop Service control, and Shdocvw.dll, a Windows shell COM object, both of which Spyware Cleaner identifies as spyware. It also lists each COM component twice, reporting their presence in HKLM\Software\Classes as well as HKCR, which for those objects is a symbolic link to HKLM\Software\Classes.

Of course, to remove the “infections” a user has to pay to register the software. Who makes Spyware Cleaner? You won’t find out on the Myspywarecleaner web site, which consists of only a handful of pages like the download page, a FAQ page, and one for affiliates. A Whois lookup of the domain name shows that it belongs to Gary Preston of Secure Computer LLC. The only reference I found on the web to the owner or his company was a thread at CastleCops from June of 2004 that complains of one of their tools falsely identifying systems as being infected with the Sasser worm.
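As an added illustration (not code from Mark’s post or from any vendor), here is the kind of sanity check a defender could run over a scanner’s findings: it resolves HKCR paths to HKLM\Software\Classes, as the post describes, so the same COM object reported under both names is counted once. The report lines and CLSID placeholders are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of a scanner report (not real output):
# each line is "<severity>: <registry path>". The CLSIDs are placeholders.
SAMPLE_REPORT = """\
extreme risk: HKLM\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID-1}\\InprocServer32
extreme risk: HKCR\\CLSID\\{PLACEHOLDER-CLSID-1}\\InprocServer32
high risk: HKLM\\Software\\Classes\\AppID\\RDSHost.exe
high risk: HKCR\\AppID\\RDSHost.exe
high risk: HKCU\\Software\\Classes\\CLSID\\{PLACEHOLDER-CLSID-2}
"""

# Hive aliases. HKCR is a merged view of HKLM\Software\Classes and
# HKCU\Software\Classes; for the objects in the post it resolves to the
# HKLM side, so that is the canonical form assumed here.
ALIASES = {
    "HKCR": "HKLM\\Software\\Classes",
    "HKEY_CLASSES_ROOT": "HKLM\\Software\\Classes",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
}

def canonical_key(path: str) -> str:
    """Rewrite a registry path so aliased hives compare equal (case-insensitive)."""
    hive, sep, rest = path.strip().partition("\\")
    hive = ALIASES.get(hive.upper(), hive.upper())
    return (hive + sep + rest).lower()

def parse_report(text: str) -> List[Tuple[str, str]]:
    """Return (severity, path) pairs for every line that names a registry key."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(HK\S+)", line)
        if m:
            findings.append((m.group(1).strip(), m.group(2).strip()))
    return findings

def dedupe(findings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Collapse findings that name the same key through different hive aliases."""
    unique: Dict[str, Tuple[str, str]] = {}
    for severity, path in findings:
        unique.setdefault(canonical_key(path), (severity, path))
    return list(unique.values())

def count_double_reports(text: str) -> Tuple[int, int]:
    """(findings as reported, findings after alias-aware dedup)."""
    findings = parse_report(text)
    return len(findings), len(dedupe(findings))
```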

Even if you’re not particularly computer literate, you should still go read the article just to learn how these disreputable companies try to trick you into installing their crap so they can blackmail you into paying for their product. The article includes several screenshots of the deceptive popups used, which will help you avoid being scammed yourself. The example quoted above is also very mild compared to a little later in the article, when Mark describes how visiting one website with a PC that hadn’t been patched against the recently discovered WMF flaw resulted in it being force-fed 8 viruses, 8 spyware packages and 7 adware products. After that you’re told that your PC is infected (it certainly is NOW), so you should install something called “SpySheriff” to get rid of everything that was just forced onto your machine. Of course you have to buy SpySheriff before it’ll actually remove any of the crap that was forcibly installed without your consent.

Republicans would call that “creating a market for your product.”
