Symantec and Kaspersky anti-virus software are found to be using rootkit
techniques to make files invisible.
Symantec is cleaning up a feature in Norton SystemWorks that uses a
rootkit-like technique to hide a system folder from Windows. The
technology works similarly to Sony BMG’s controversial rootkit DRM in the
way it masks files and makes them invisible to the operating system.
http://www.pcworld.com/news/article/0,aid,124365,00.asp
Symantec is shipping an update to eliminate the risk of attackers using
the feature to hide malicious files. According to the Symantec website,
it’s only in 2005 and 2006 versions, and can be eliminated by getting a
LiveUpdate.
Symantec denies it’s a rootkit, calling it instead a “hidden folder”.
F-Secure, whose software flagged the hidden folder as a rootkit, says that
the difference between what Symantec is doing and the Sony BMG rootkit
is “ideological”, and that it isn’t anywhere near as malicious since it can
be turned off or uninstalled by the user. Symantec now says it’s working
with some trade bodies to try to develop a definition of rootkit.
However… here is the definition of a rootkit: a tool that hooks into the
OS in a nonstandard way in order to conceal running processes, files or
system data.
Microsoft offers a free rootkit detection and removal tool and admits that
half of all pre-SP2 Windows XPs and a fifth of post-SP2 XPs are infected
with rootkits. http://www.emailbattles.com/archive/battles/security_aacciifeca_fi/
Exact location of the download:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Here is a free rootkit detection utility from Sysinternals.
RootkitRevealer is an advanced patent-pending rootkit detection
utility. http://www.sysinternals.com/Utilities/RootkitRevealer.html
Interesting reading on the methods to find hidden programs and files
and figure out what software they are related to:
http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html
The tool called Strider GhostBuster detects API-hiding rootkits by doing a
“cross-view diff” between “the truth” (a low-level scan that bypasses the
hooked APIs) and “the lie” (what those APIs report). It’s not based on a
known-bad signature, and it does not rely on a known-good state. It targets
the fundamental weakness of hiding rootkits, and turns the hiding behavior
into its own detection mechanism. http://research.microsoft.com/rootkit/
The more you know, the easier it is to protect your system.