
Symantec Uses RootKits!!!

Post by rippinchikkin » Thu Jan 12, 2006 11:41 pm

moved from bin / rippinchikkin
A rubber band pistol was confiscated from algebra class because it was a weapon of math disruption.
VP - Syndication
Posts: 15191
Joined: Fri Mar 19, 2004 1:38 am
Location: 32°28′05″N 93°46′16″W

Post by ZRC » Thu Jan 12, 2006 11:48 pm

FWIW, I think you need to have the "Full" install of NSW to have this. i.e. NSW is a suite of apps, the one in question is the UnErase Wizard component, so if you didn't do a Full/Normal install, you could have selected to not have this on your machine.

If anyone out there has this installed (the vulnerable version), I would very much like to know if third-party programs like Total Commander can see the NProtect folder inside the Recycler folder on a drive?
-ZRC
PRO Level 5
Posts: 184
Joined: Thu Mar 17, 2005 12:28 am
Location: Massachusetts.USA.Earth.in-addr.arpa.

Post by jrfree1 » Thu Jan 12, 2006 11:54 pm

SYM06-002
January 10, 2006
Symantec Norton Protected Recycle Bin Exposure
Revision History
None

Risk Impact
Low

Remote Access: No
Local Access: Yes
Authentication Required: Yes
Exploit publicly available: N/A

Overview

Norton SystemWorks contains a feature called the Norton Protected Recycle Bin, which resides within the Microsoft Windows Recycler directory. The Norton Protected Recycle Bin includes a directory called NProtect, which is hidden from Windows APIs. Files in the directory might not be scanned during scheduled or manual virus scans. This could potentially provide a location for an attacker to hide a malicious file on a computer.

Symantec has released a product update that will now display the previously hidden NProtect directory in the Windows interface.

Affected Product(s)

Product | Version | Solution
Norton SystemWorks | 2006 | Run LiveUpdate
Norton SystemWorks | 2005 | Run LiveUpdate
Norton SystemWorks Premier | 2006 | Run LiveUpdate
Norton SystemWorks Premier | 2005 | Run LiveUpdate


Source: Symantec
View: complete response (http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html)
PROfessional Member
Posts: 3779
Joined: Mon Aug 30, 2004 4:24 pm
Location: Florida

Post by kd1966 » Fri Jan 13, 2006 12:21 am

So say you had some malware in there (the Norton hidden folder)........... could you just "Empty" the Norton recycle bin and get rid of it??

Then again, you'd have to know it's there in the first place.............lol
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Post by kd1966 » Fri Jan 13, 2006 1:18 pm

so hiding within another hidden folder........yikes.....
PRO PLATINUM
Posts: 6831
Joined: Tue Aug 09, 2005 2:00 am
Location: USA - GSO - NC

Post by ZRC » Fri Jan 13, 2006 8:00 pm

CG - I'm still confused as to why kd's suggestion won't work - if Norton deletes the contents of the NProtect folder, then anything hiding within the folder will be deleted. Or are you saying that everything that gets put in the folder is enumerated in another location by Norton so that when you go to empty the Protected Recycle Bin, Norton makes XXX requests to delete each of the XXX files individually? That's the only way I can see that a virus could hide in the folder.

And, furthermore, for Norton to be able to work with the folder, it must be able to find it, so I don't see how Norton could work without being able to see the folder itself.

Sorry - just a little confused.
-ZRC
PRO Level 5
Posts: 184
Joined: Thu Mar 17, 2005 12:28 am
Location: Massachusetts.USA.Earth.in-addr.arpa.
