
Symantec Uses Rootkit Technology, But Can't Seem to Detect Them?

By secureplay
While we all thought 2005 was the year of the rootkit, apparently it is bleeding over into 2006.

Sony is not alone in the use of rootkit technology to hide its activities; Symantec, for relatively benign reasons (supposedly), has been using the same techniques to hide some of its directories for Norton SystemWorks "to protect against accidental deletion"...

I think this is what Sony was saying too.

Once detected, these hidden directories and applications can be used as tools for attackers... again.

(Futile Rant) These are not rootkits in and of themselves, they are low level file system and operating system use/abuse methods... they are not trying to achieve root access. Rootkit sounds sexy, but we need a better name...
OSevaders?
(End Rant)

This does follow up in an interesting way on my article at TechRepublic about the inability of Symantec, McAfee, etc. to detect these applications even though they have been around for years (see <a href="http://techrepublic.com.com/5208-11193-0.html?forumID=4&threadID=184752&start=0">Not Just Sony To Blame - Security Companies' Catastrophic Failure</a>).

(What follows is yet another, NOT A LAWYER DO NOT CONSTRUE THIS AS LEGAL ADVICE COMMENT)

Since I just installed several new pieces of software recently, I have been reading (sort of) a lot of EULAs. Since they all tell me I actually didn't buy the software, but can use it, the other side of the coin should be increased accountability by the software owners....

You own it, your responsibility

If I rented an apartment and their actions/neglect caused the building to fall down, they would pay... same thing here, right? I have a presumption of a quality of service when I rent... when I sell something, I can sell it "As is", rental, not the same.


<a href="http://blogs.zdnet.com/Spyware/?p=747&tag=nl.e589">Symantec confesses to using rootkit technology </a>

Interesting Article & Tool on Rootkits and Their Detection - <a href="http://www.sysinternals.com/Utilities/RootkitRevealer.html">Rootkit Revealer</a> - at SysInternals

First posted at:

http://playnoevil.com/serendipity/index.php?/archives/224-Symantec-Uses-Rootkit-Technology,-But-Cant-Seem-to-Detect-Them.html


Makes Sense

by Dr Dij In reply to Symantec Uses Rootkit Tec ...

that they can't detect all of them. I don't think they originally detected ANY of them but quickly added. However as the guy at Sysinternals (which has a free rootkit detector) states, they can make rootkits that he could not detect with the method that detects the Sony rootkit. But they are not currently (or we don't detect them doing this currently :)

I also think it DOES make sense to use this for anti-virus stuff. What if a rootkit could intercept the call or open the checksum file and change it to match its modified version or erase the anti-virus software if it was visible? We know that current trojans try to disable anti-virus software. Why make it easier? Tho I think they should disclose this..
