Rootkits in Commercial Software

By now many of you have heard that Symantec released a security advisory last Tuesday that reported its use of rootkit-like cloaking technology in its SystemWorks product. The Symantec use of rootkit-like cloaking raises the question of what exactly defines a “rootkit” and whether or not there is ever a justifiable reason to use cloaking. I’ll first describe Symantec’s cloaking and then I’ll move on to trying to answer these two questions.

SystemWorks includes a feature called Norton Protected Recycle Bin that serves as an extension of the standard Windows Recycle Bin, saving copies of deleted files that the standard Recycle Bin doesn’t capture such as those deleted by applications. The saved files store in a directory named NPROTECT that SystemWorks creates under the standard Windows Recycle Bin directory, RECYCLER, of each volume. Symantec was originally concerned that end-users might stumble across the directory, not realize its purpose, and inadvertently permanently delete the backups of their already deleted files. The cloaking therefore uses a file system filter driver to mask the presence the NPROTECT directories from Windows directory enumeration APIs. Mark's Sysinternals Blog: Rootkits in Commercial Software

Linked by shanmuga Monday, 16th January 2006 8:19PM