January 11, 2006 5:20 PM PST
Symantec closes off hiding place for hackers
- Related Stories
Sony settles 'rootkit' class action lawsuitDecember 29, 2005
New Sony CD security risk foundDecember 6, 2005
Sony sailing past rootkit controversyNovember 21, 2005
What makes a rootkit?November 21, 2005
FAQ: Sony's 'rootkit' CDsNovember 11, 2005
Sony CD protection sparks security concernsNovember 1, 2005
In the PC-tuning application, a feature called the Norton Protected Recycle Bin creates a hidden directory on Windows systems. The feature is meant to help people restore modified or deleted files, but the hidden folder might not be scanned during scheduled or manual virus scans, Symantec said in an advisory released Tuesday.
"This could potentially provide a location for an attacker to hide a malicious file on a computer," Symantec said. The Cupertino, Calif., security provider is not aware of any attempts by hackers to conceal malicious code in the folder. "This update is provided proactively to eliminate the possibility of that type of activity," it said.
Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC security fiasco. The record label was found to be shipping copy-protected compact discs that planted so-called rootkit software on the computers that played them. The rootkit technology also offered a hiding place for malicious software.
When the recovery feature was first introduced, hiding the directory helped ensure that a user would not accidentally delete the files in it, Symantec said.
"In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory," the company said in its advisory.
Security monitoring company Secunia rates the issue "not critical." Symantec itself deems the risk impact "low."
Symantec credits Mark Russinovich, the Sysinternals researcher who also investigated the Sony rootkit, and F-Secure, a Finnish security company that has a rootkit detection product, for helping it address the SystemWorks issue.
The Norton update will display the previously hidden "NProtect" directory in the Windows interface, which will allow it to be scanned by antivirus products, Symantec said. The new version is available through the Symantec LiveUpdate service. Installing the software will require a system reboot.
20 commentsJoin the conversation! Add your comment