Large media conglomerations are apparently not the only ones
who are hiding files and directories on PCs unbeknownst to users—Symantec has admitted
to planting a hidden directory on Windows systems
that hackers could use to hide malicious files. Meanwhile, a recent FBI study
reports that security attacks have cost U.S. business $67 billion over a
12-month period.


It seemed bad enough when a major music
company was surreptitiously planting dangerous rootkit files
on users’ PCs last November.
But now, it turns out that security vendor Symantec has been doing something
similar all along with Norton SystemWorks. In what must have been more than a little
humiliating—not to mention ironic—to Symantec executives, it was competing
security vendor F-Secure
that discovered the rootkit
. (F-Secure was also responsible for finding the
Sony BMG vulnerability.)

The problem in this case lies with the Norton Protected
Recycle Bin and its hidden NProtect directory. Just to be clear: Symantec isn’t
doing anything damaging or wrong in itself. In no way was this an attack or
even a way to track occurrences or in any other way invade users’ privacy.

The problem is that malware distributors can take advantage
of the directory, which Symantec created for perfectly legitimate and
reasonable purposes. However, rootkits just aren’t a good idea for any purpose
these days. The problem is that anything placed into this directory—either by
Norton or a hacker—would be invisible to most antivirus and other security

For its part, Symantec argues that this really isn’t a
rootkit threat and says that security programs would scan any programs in the
directory if they attempted to execute. However, the security vendor has released an update
that will display the previously hidden NProtect

The threat, which Secunia has rated “not
critical,” applies to Norton SystemWorks 2005 and 2006, as well as
SystemWorks Premier 2005 and 2006. Since the fix is in, just run the Symantec LiveUpdate service to automatically fix the

If you’re one of those trusting individuals who leaves
LiveUpdate enabled and you shut down for the weekend, then your PC may likely already
have the fix applied. Keep in mind that the fix does require a reboot. However,
there have been no reports of exploits of this vulnerability at this time, so
you can probably wait until you have adequate time to shut down the network.

For more information, read the
entire Symantec report
, which explicitly credits F-Secure with discovering
the flaw.

Although the FBI probably wasn’t thinking about Sony and
Symantec when it began the study, its recently released 2005 FBI
Computer Crime Survey
indicates that computer crime costs
have reached $67 billion a year
—and that doesn’t include the cost of
security measures to thwart attacks. And don’t blame Eastern Europe or
third-world countries for hosting these hackers; the United States and China
combine to lead the world as the source of half of all attacks.

The average loss for a single incident in a corporate
environment is $24,000. As contrast, the total
loss to telecommunication fraud was only $1 billion. But don’t feel left out as
an individual—identity theft cost Americans roughly $52.6 billion in 2004.

If you have experienced an attack but thought yours was the
only IT department afflicted by virus or spyware attacks and port scans,
consider this: The FBI study, which surveyed more than 2,000 public and private
organizations in four states, found that only 9 percent of respondents had
reported attacks to law enforcement agencies, largely because they didn’t
expect any real help.

Surprisingly, 91 percent of those who did report attacks
said they were satisfied by the response, and more than 80 percent who had gone
this route would do so again. (Then again, of
that’s what they said to the FBI.)

Final word

Regarding the proliferation of rootkit malware planted by
legitimate businesses—and now even security firms—I did my accounting in an
MS-DOS version of Lotus 1-2-3 for a decade, but now I use an older version of
Excel. Why? Is it because I can’t afford QuickBooks? Or I can’t learn how to
use it?

Actually, I have several copies of QuickBooks because I’ve
reviewed them for various publications, and I’ve found it to be very good
software. So why don’t I use it?

It’s simple: I can see exactly what the rules are in a
spreadsheet that I’ve programmed for myself. But I have no way of knowing what’s
hiding behind the scenes in a commercial accounting program. (While the
situation used to be much worse with low-end accounting programs filled with
errors, those days are past.) However, several years ago, just as I was about
to switch from my own spreadsheet bookkeeping to a fancy commercial version, I
began to worry about what other code might be lurking in the software.

I can avoid possible accounting traps because I have a small
company. Of course, big companies don’t have that luxury. Unfortunately, none
of us can program and maintain our own security software, especially antivirus
software, so I have always worried about what antivirus software might be doing
unnoticed in my PC.

In fact, Symantec’s LiveUpdate service once blocked my office
suite from working for a few days. That was when I shut off everything except
virus signature updates and switched to manual updates. And now we learn that
the company was also planting hidden directories that anyone could use, and I once
again feel vindicated about my professional paranoia.

And don’t forget to check out my
TechRepublic blog
for my uncensored opinions on
what’s happening in the security arena and to see what didn’t make the cut for
this week’s article.

Also watch for…

  • With more
    than half a million infections under its belt already, the Nyxem worm is
    spreading quickly. See F-Secure’s
    report for more details.
  • Cisco
    Systems has
    released fixes
    for flaws in its software for routers and
    Internet-based telephony.
  • For
    its quarterly update, Oracle has
    released fixes
    for 37 flaws related to Oracle’s Database products, 17
    related to Application Server, 20 to the Collaboration Suite, 27 to
    E-Business Suite and Applications, one to PeopleSoft’s Enterprise Portal and
    one in JD Edwards software.
  • Microsoft
    has announced plans to release Windows XP
    Service Pack 3
    in the second half of 2007.

Miss a column?

Check out the IT Locksmith Archive,
and catch up on the most recent editions of John McCormick’s column.

Want to stay on top of
the latest security updates? Automatically
sign up for our free IT Locksmith newsletter
, delivered each Tuesday!

John McCormick is a
security consultant and well-known author in the field of IT, with more than
17,000 published articles. He has written the IT Locksmith column for
TechRepublic for more than four years.