Content

The root of all IT evil?

The Windows programming expert who first uncovered the Sony rootkit application has now said such technology never should be used - even if companies deem it beneficial for the user.

Russinovich's Sunday posting on the Sysinternals weblog came about a week after Symantec offered users the option to fix a rootkit-like directory the company admitted may not be examined during virus scans.

Russinovich assisted Symantec with the issue, according to the anti-virus company's website.

The "NProtect" directory was created as a temporary backup for certain types of files that the Windows Recycle Bin does not back up, according to Symantec. However, the directory is hidden from the Windows APIs and may not be found during scheduled or manual virus scans, the company said.

Malware may also be able to hide beneath the cloak, Russinovich said.

"Even if a vendor has ensured with certainty that that's not possible, the cloak makes it impossible for a security administrator to ensure that the cloaked objects have correctly configured security," Russinovich, who was also credited with making the Sony rootkit public in October, said.

Symantec, in a Jan. 10 security advisory, defended the directory's release but also offered users a remedy.

"When Nprotect was first released, hiding its contents helped ensure that a user would not accidentally delete files in the directory,'' the company said. "In light of current techniques used by malicious attackers, Symantec has re-evaluated the value of hiding this directory."

The company released an update last week making the NProtect directory visible inside the Windows Recycler directory. Files within the directory will now be scanned, Symantec said.

The company said there have been no hacking attempts to conceal malicious code within the NProtect folder. Instead, the update was done "proactively" to prevent such incidents.

The issue of rootkits rose to the forefront in recent months after Sony-BMG Entertainment admitted to using spyware-like technology on CDs.

Virus authors also took advantage of the cloaking technology, and within days of Sony revelations, trojans were compromising PCs using the Extended Copyright Protection (XCP) rootkit.

"I hope that the publicity generated by the Sony and Symantec examples have sent a strong message to the software and music industries," Russinovich said, "and that they follow Symantec's lead by removing the use of rootkit techniques from their applications and avoiding them in the future."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.