[ISN] Symantec provides hiding place for hackers

From: InfoSec News (isn@private)
Date: Thu Jan 12 2006 - 01:25:59 PST


By Joris Evers 
Staff Writer, CNET News.com
January 11, 2006

Symantec has released an update to its popular Norton SystemWorks to
fix a security problem that could be abused by cybercriminals to hide
malicious software.

In the PC-tuning application, a feature called the Norton Protected
Recycle Bin creates a hidden directory on Windows systems. The feature
is meant to help people restore modified or deleted files, but the
hidden folder might not be scanned during scheduled or manual virus
scans, Symantec said in an advisory released Tuesday.

"This could potentially provide a location for an attacker to hide a
malicious file on a computer," Symantec said. The Cupertino, Calif.,
security provider is not aware of any attempts by hackers to conceal
malicious code in the folder. "This update is provided proactively to
eliminate the possibility of that type of activity," it said.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent
PC security fiasco. The record label was found to be shipping
copy-protected compact discs that planted so-called rootkit software
on the computers that played them. The rootkit technology also offered
a hiding place for malicious software.

When the recovery feature was first introduced, hiding the directory
helped ensure that a user would not accidentally delete the files in
it, Symantec said.

"In light of current techniques used by malicious attackers, Symantec
has re-evaluated the value of hiding this directory," the company said
in its advisory.

Security monitoring company Secunia rates the issue "not critical."  
Symantec itself deems the risk impact "low."

Symantec credits Mark Russinovich, the Sysinternals researcher who
also investigated the Sony rootkit, and F-Secure, a Finnish security
company that has a rootkit detection product, for helping it address
the SystemWorks issue.

The Norton update will display the previously hidden "NProtect"  
directory in the Windows interface, which will allow it to be scanned
by antivirus products, Symantec said. The new version is available
through the Symantec LiveUpdate service. Installing the software will
require a system reboot.


Copyright 1995-2006 CNET Networks, Inc. All rights reserved.

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Thu Jan 12 2006 - 01:37:12 PST