You Say Rootkit, I Say Tomato

from the double-double-speak-speak dept

Symantec is denying the assertion made earlier in the week that its Norton SystemWorks product installs a rootkit. Although the company acknowledged its existence, it denies it's a rootkit, calling it instead a "hidden folder". F-Secure, whose software picked up the rootkit hidden folder, says that the difference between what Symantec is doing and the Sony BMG rootkit is "ideological", and isn't anywhere as malicious since it can be turned off or uninstalled by the user. Symantec now says it's working with some trade bodies to try to develop a definition of rootkit, and that the changing nature of malware makes hiding files no longer a viable option. All this talk still clouds the fact that the hidden folder could be used to cloak malicious files on someone's PC -- the exact sort of thing security software is supposed to prevent.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Jeremiah, 13 Jan 2006 @ 8:01am

    Ummm...

    I would think that as a protective countermeasure, anti-virus/malware software would want to keep some of its files hidden, making them a bit more impervious to deletion/blocking by clever crapware....

    I'm probably wrong.

    link to this | view in thread ]

  2. identicon
    DaveTheCripple, 13 Jan 2006 @ 8:25am

    Big Deal

    Wow... Big Deal, Systemworks installs a "hidden folder" that is easily found with the "show hidden folders" setting in view file types. This is nowhere to the point of %blah% that hides the folder from everything including cmd.exe. The whole intent was to hide nortons working, as lately there have been a slew of virii and malware programs that disable things (Microsoft Update, Adaware, AV's, etc). Its quite easy for Systemworks to implment the hidden folder, so if a new virus was to expose it, whats to say another virus cant simply just make its OWN hidden folder!

    link to this | view in thread ]

  3. identicon
    cb, 13 Jan 2006 @ 8:26am

    hidden files

    If I pay for virus detection software or any software , then I should have the right to see any or all files or changes that the software makes to my computer. All changes or files added, register changes, etc... to your computer during a software add or change should be printed or available for you to see in either a hard copy or file format.

    Is this to much to ask ?

    link to this | view in thread ]

  4. identicon
    Craig, 13 Jan 2006 @ 8:47am

    Whats the problem here

    Whats the problem here really. It's completely obvious that this feature is not for malicious purposes and its also obvious that you can DISABLE the feature and any time. Quit yer bitchin and quit being so paranoid.

    link to this | view in thread ]

  5. identicon
    rl, 13 Jan 2006 @ 8:50am

    Re: hidden files

    I guess you dont write software, In short answer YES. However I agree that an uninstall procedure should remove ALL remnants of the software.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 13 Jan 2006 @ 8:55am

    Re: hidden files

    is it too much to ask for a choice of "to install software" or "not to install software"?

    Symantec only installs if you choose to have the active features installed.

    Sony's software installs itself even if you tell it NOT to install anything at all -- no matter if you do or do not agree with the EULA.

    Symantec's directory does not "Call Home" without you first asking it to -- and in that case, it is doing what you have instructed it to do -- it's "LiveUpdate" checks for newer version of the symantec software you choose to install.
    http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html

    Sony's software calls home and reports information about what is on your hard-drive -- no matter who's IP that data on your hard-drive belongs to.

    link to this | view in thread ]

  7. identicon
    Andrew Strasser, 13 Jan 2006 @ 9:06am

    Addressing the issues.

    I don't know how many people have had this problem over the past few years and it's become anusiance. I am really glad to see that people are stepping up to the plate and trying to keep these things from being in their systems.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 13 Jan 2006 @ 9:13am

    Re: hidden files

    Is this to much to ask ?
    Please, people... for the love of god, PLEASE learn how to use to, too, and two correctly. While you're at it, learn lose and loose. No, they're not interchangable.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 13 Jan 2006 @ 9:32am

    Re: hidden files

    OH NO! NOT THE GRAMMAR POLICE!!!!! PLEASE DONT TAKE US TO ALPHABET JAIL!

    link to this | view in thread ]

  10. identicon
    Travis, 13 Jan 2006 @ 9:48am

    Re: hidden files

    HAhahaahaa alphabet jail, I may be a bit out of the loop having not heard that before, but that's hillzzzarious man.
    1 point for you!

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 13 Jan 2006 @ 9:49am

    Re: hidden files

    OMGWTFPWNED by the grammer police.

    link to this | view in thread ]

  12. identicon
    Ed H., 13 Jan 2006 @ 9:49am

    Re: Big Deal

    That's incorrect. It is not simply a normal "hidden folder" that can be viewed by enabling "show hidden folders." It is hidden from the Windows FindFirst/FindNext API that scans a directory, probably by patching those those Windows API functions.

    link to this | view in thread ]

  13. identicon
    MadJo, 13 Jan 2006 @ 9:54am

    Re: Ummm...

    I actually though that Symantec was 'clever crapware' ...

    link to this | view in thread ]

  14. identicon
    redheaded_stepchild, 13 Jan 2006 @ 10:12am

    Re: hidden files

    Uh, sir, I'm going to have to cite you for misspelling 'grammar'.

    link to this | view in thread ]

  15. identicon
    Gumby, 13 Jan 2006 @ 10:38am

    You don't even know what the folder was doing

    This folder was used in the protected recycling bin in Norton System Works. It was not malicious, it was not ever used for any virus or trojan attacks, it was completely harmless. It was that it was hidden to the user so that they didn't delete the backup data accidently, but the files within the folder were still accessible through the system works application. Don't get me wrong, I absoluletly hate rootkits, but this doesnt come close to qualifying as one. Additionally, they have already released a patch which corrects the problem. The potential for any exploits or security threats has been eliminated, because the problem has ALREADY BEEN FIXED. Sony went seriosly wrong, but don't take that as an opprotunity to jump on other corporations without first knowing at least the basics of whats going on.

    link to this | view in thread ]

  16. identicon
    Mecc, 13 Jan 2006 @ 10:39am

    Spyware/ Virus/ Malware

    All of this can be easily defeated. Everyone go and download your FREE copy of linux. There are no pop-ups, viruses, or malware for linux. So stop living in fear and do something about it without spending money on "anti-virus".

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 13 Jan 2006 @ 10:47am

    Re: hidden files

    Hey dumbass.

    you do, MS hides files all the time, hence the "show hidden files" selection.

    If they didn't show the files after that selection was checked,then there would be an issue.

    Maybe you should have the frame of mine to actually FIND your answers instead of asking someone to searve it up on a silver platter for you.

    link to this | view in thread ]

  18. identicon
    pegagos, 13 Jan 2006 @ 11:17am

    Re: hidden files

    Microsoft Windows creates hidden folders... Nobody complains about that :)

    link to this | view in thread ]

  19. identicon
    drkkgt, 13 Jan 2006 @ 11:18am

    Re: Spyware/ Virus/ Malware

    Okay, go to
    http://sarc.com/avcenter/enterprise/vinfodb.html
    in that search field in the middle, type the word Linux and see how much malware shows up.

    link to this | view in thread ]

  20. identicon
    Travis, 13 Jan 2006 @ 11:42am

    Re: Spyware/ Virus/ Malware

    drkkgt ftw
    Malware/adware/viruses/whatever can be written just as easily for Linux as for Windows (yes Macs too). If it's a string of 1s and 0s, it can be manipulated; I don't care if it's harder, easier, or just not as common, the security holes of any OS be exploited.
    Granted, Linux isn't as targeted as Windows, but the guys out there are targeting Windows because it's Windows. If Linux was a pay-to-license, non-open-source OS and had as much market share as Windows, you better be damn sure people would target it just as much.
    .02

    link to this | view in thread ]

  21. identicon
    Grammer Outlaw, 13 Jan 2006 @ 11:51am

    Too all the grammar loosers

    When it is illegal to use poor grammar, only illegals will use grammer poorly.

    link to this | view in thread ]

  22. identicon
    drkkgt, 13 Jan 2006 @ 12:35pm

    Re: Spyware/ Virus/ Malware

    Hey Travis,

    I was replying to Mecc, sorry for any confusion.

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 13 Jan 2006 @ 12:49pm

    Re: Too all the grammar loosers

    I dont kayr abowt grammer all thatt much. Itz just thet win peepel kommyunikait onlee in fonetix it mayks them look lyke reetardz.

    So screw up your sentence structures all you want, just use the right friggin WORD. If I needed a heart transplant, but the doctor told me I needed a Hartz Trains Plant, even if it was in an email, i would find a new doctor.

    link to this | view in thread ]

  24. identicon
    Dogstar, 13 Jan 2006 @ 12:53pm

    Re: hidden files

    *** Post removed for linking to potentially dangerous website. ***

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 13 Jan 2006 @ 1:10pm

    Re: hidden files

    You are so right. Microsoft has files that are hidden and REMAIN hidden even when you select the 'show hidden folders' option. Check this link if you don't believe it!

    Do NOT click the above link from "Dogstar", it takes you to "http://fuckmicrosoft.com/" and will attempt to install several cookies and a virus onto your computer.

    obviously "Dogstar" knew that and this is why he hid the URL by using a free forwarding service in his phishing-style attempt to get you to visit his anti-productive website.

    link to this | view in thread ]

  26. identicon
    Stu, 13 Jan 2006 @ 5:52pm

    Re: hidden files

    On the subject of "calling home" -
    I wonder why Symantec/Norton Systemworks calls home every time I defrag or use the other functions of the software. They might say they just want to be sure I have the latest version of the component before I use it.
    I say baloney. I can use Live Update or manually update it IF I want to. Calling home caused the software to boot very slowly while it phoned home.
    I stopped it with my free Zone Alarm firewall, and everything Norton works just fine, and boots much faster.
    It's really not that big a deal. It's the principle of the thing. It's none of their damn business!!
    Consumers are treated like prey.

    link to this | view in thread ]

  27. identicon
    Miss piggy, 14 Jan 2006 @ 11:00am

    I see a pig.

    You can put lipstick on a pig, but it does not make it beautiful. You just make a pig look stupid.

    link to this | view in thread ]

  28. identicon
    The AntiJyn, 14 Jan 2006 @ 11:04am

    Re: hidden files

    Uh, Stu, hate to break it to you:
    Customers are prey. Didn't you get the memo?

    link to this | view in thread ]

  29. identicon
    Adam W, 15 Jan 2006 @ 10:30pm

    No Subject Given

    IMO rootkit = something that modifies the OS kernel in memory

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.