Symantec, Kaspersky Criticized for Cloaking Software

Discussion in 'other security issues & news' started by AshG, Jan 11, 2006.

Thread Status:
Not open for further replies.
  1. AshG

    AshG Registered Member

    Joined:
    May 7, 2005
    Posts:
    206
    Location:
    East TN
    I found this to be interesting, considering how reticent Symantec was to add rootkit unhider abilities to the Norton family...

    http://www.eweek.com/article2/0,1895,1910077,00.asp

    While it's with Systemworks and not the standalone AV, I know many people who pay the small increase and buy the whole suite over just the AV. Against my recommendation, of course...
     
  2. dog

    dog Guest

    Re: Symantec caught using rootkits...

    It's an old story, known issue really ... it's how they hide the deleted files from the recycle bin ... as an extra protection feature.
     
  3. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Re: Symantec caught using rootkits...

    I think Steve Gibson also mentioned that KAV uses rootkits too (or that was at least the result shown by rootkit revealer).
     
  4. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Re: Symantec caught using rootkits...

    No, it uses ADS (if you don't deselect it) which is a hidden Windows feature and has nothing to do with rootkits.:)
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,751
    Location:
    Texas
    Symantec Norton Protected Recycle Bin Exposure

    Symantec
     
  6. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Hot off the press:
    http://www.pcworld.com/resource/article/0,aid,124365,pg,1,RSS,RSS,00.asp

    This is going to be an interesting debate. Mark's definition of rootkit is probably anything that tries to hide things from being seen in Windows. Both Symantec and Kaspersky of course did not like his choice of using the term rootkit as they feel that a 'rootkit' is something with a malicious intent. Don even tried to defend Kaspersky when I briefly mentioned it here:
    https://www.wilderssecurity.com/showthread.php?t=115371

    Symantec has released a patch while Kaspersky says it's an option.

    So I think the interesting question is what would you define as a rootkit? Should rootkit be only associated with stuff with 'malicious intent'? Or should it be used to describe any 'hidden feature'?
     
    Last edited by a moderator: Jan 13, 2006
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    I don't know about big yellow, but I don't think it's fair. Kaspersky gives you the option on install to turn the iStreams feature off. They also provide a method to remove the ADS stuff, and for me at least it worked well.

    New KAV betas make it a moot point, as they've already changed.

    Pete
     
  8. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Yeah, but Norton also gives you the option to select which components of Norton you would like to install too. You could have easily unselected the relevant Norton component. Trouble is, when users buy these products, they want the feature. A normal user isn't going to know whether Norton or KAV was going to use 'stealth' technology in certain components of their products. KAV's and Norton's installers did not put up a warning saying "This feature comes with stealth protection or rootkit etc." Should these companies have even used it to begin with?
     
  9. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Why on earth should they display a warning saying "This feature comes with stealth protection or rootkit etc." when no stealth protection or rootkit is used?

    The alternate data streams that Kav uses to store info in has nothing to do with a rootkit, it is folders to store info.

    I do agree they should have been better at informing users about this though, much FUD could have been avoided.:)
     
  10. houseisland

    houseisland Registered Member

    Joined:
    Jan 12, 2006
    Posts:
    107
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Sorry, but in KAV's case it is not stealthed or a rootkit. Alternate Data Streams are neither. They are a Windows feature, and an ADS can be and is part of every file, and they are not hard to detect. They were added by Microsoft to Windows for compatibility with Mac files, and like a lot of things they can be misused. I always installed KAV 5.0 with them turned off only because they broke FDISR.

    This has become much ado about nothing.
     
  12. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
  13. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I have no doubts about the skills of Mr. Russinovich, but this time he is exaggerating the rootkit issue.

    He claims the technique used by Kaspersky Anti-Virus has to be considered equal to 'rootkit' technology.

    IMHO a ridiculous and foolish statement.
     
  14. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Interesting article by Eugene Kaspersky. From PCWorld's article, it seems that Kaspersky Labs has the ability to release a patch to uncloak the ADS data without affecting ADS, according to their spokesperson.

    However, I felt Eugene may be jumping the gun; he quoted Mark saying the technology is not as dangerous as Sony's, and therefore is not a danger at all. I have seen a country's police advertisement warning citizens to be vigilant by telling them that "low crime does not mean no crime". To me it felt like Eugene's interpretation of Mark's statement was "low crime means no crime".

    I think Mark is probably now trying to find a way to exploit the data. It may be possible, it may be not. Remember that not all software is hack-proof. That's why I always urge people to upgrade to the latest security product as soon as possible.
     
  15. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Peter2150

    Very true.

    If anybody is that worried over ADS['s] all they have to do is use a FAT file system, in place of their NTFS file system. :doubt:

    Take Care,
    TheQuest :cool:
     
  16. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    It's not a patch, you have the option to remove them (ADS) when you uninstall Kav 5.0.
    I can't see how you interpret it that way when there is no crime at all, the essence of his message to Kaspersky users alarmed by this silly use of the rootkit term for the NTFS Alternate Data Streams is this:

    We believe that this technology is not a rootkit and we do not believe hackers and/or malware can exploit it because:

    1. If a KAV product is active, the streams are hidden and no processes (including system) have access to them.

    2. If the product is disabled, the streams will be visible if viewed using the appropriate tools (standard for working with NTFS streams)

    3. If a stream is re-written with some (possibly malicious) data or code (for example after rebooting in Safe Mode), when the system is next re-started, KAV will read the stream and not recognize the format. KAV will then begin to rebuild the checksum database - thus it will destroy the alien code/data.:)
     
  17. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    I think the best way is for Kaspersky to release their version 6.0 (which is actually pretty good) as soon as possible and encourage all their users to upgrade. Then you will give Mark less chance of criticising Kaspersky (he'd mostly only be able to criticise business practice). Remember that this issue is not only security-related but also whether it is right for any piece of software to use cloaking technology without properly informing the user (this was brought to me by jlobster, who commented on Eugene's statement). When I installed KAV 5.0, I don't recall the installer telling users that ADS data will be stealthed. See those comments to the article that I read on Eugene's diary:
    http://www.viruslist.com/en/weblog?discuss=177727537

    Hopefully the KAV 6 launch won't get too delayed.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    True, because they weren't stealthed. You are implying that Kaspersky did something to prevent them from being seen. Simply not true. You can see them, the same as any other NTFS ADS.

    Repeat: ADS are not something Kaspersky did. They are part of the NTFS file system. Period.
     
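    Added example, not part of this thread and not code from Kaspersky or Symantec: the point made in posts 11 and 18, that NTFS alternate data streams are ordinary filesystem objects that any stream-aware tool can list, read and delete, demonstrated with PowerShell 3.0 or later on an NTFS volume (the `-Stream` parameter on the FileSystem provider). The directory, file and stream names are made up for the demonstration; nothing here models KAV's own stream format.

```powershell
# Added example (not from the thread): enumerate, read and remove NTFS
# alternate data streams. Requires PowerShell 3.0+ and an NTFS volume.

# Work in a scratch directory so nothing real is touched (names are made up).
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'

# A normal file; its only stream is the unnamed default stream ':$DATA'.
Set-Content -Path $file -Value 'visible main content'

# Attach a named stream. Explorer and a plain 'dir' report only the size of
# the main stream, so this data is easy to overlook, not impossible to see.
Set-Content -Path $file -Stream 'hidden.meta' -Value 'data stored in an ADS'

# 1. List every stream on the file.
Get-Item -Path $file -Stream * |
    Select-Object FileName, Stream, Length

# 2. Read a specific stream by name.
Get-Content -Path $file -Stream 'hidden.meta'

# 3. Scan a tree for files carrying any stream other than the default.
#    (Zone.Identifier is the common benign one written on downloaded files.)
function Find-NamedStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Find-NamedStreams -Root $dir

# 4. Remove the named stream; the file's main content is unaffected.
Remove-Item -Path $file -Stream 'hidden.meta'
Get-Item -Path $file -Stream *   # only ':$DATA' remains
Get-Content -Path $file          # still 'visible main content'

# cmd.exe equivalent for step 1 on Vista and later:  dir /R $dir
```

    This is the "appropriate tools (standard for working with NTFS streams)" case from Kaspersky's reply quoted in post 16: with no filter driver active, the streams are visible to any of these commands. A product that intercepts the listing so that step 1 or `dir /R` returns nothing is doing something the filesystem itself does not, which is the distinction the thread is arguing over.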
  19. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    This does seem a bit ridiculous. I can understand if NAV's hidden recycle bin poses a security threat, but the hidden recycle bin itself is nothing that they should be criticized for, it's doing what it advertises. As for KAV using ADS streams, that's no secret, and it's no malicious trick.. ADS streams are a known and documented feature. Anyone that has the inclination can find them for themselves, and disable the feature if desired. Mr. Russinovich (who I otherwise hold in the highest regard) isn't doing anyone any favors here, IMO.
     
  20. xxx111xxx

    xxx111xxx Guest

    Agree with notok

    The Norton protected files can be deleted from within the program: not a hidden function for deleting. Just doing as advertised and possibly a useful feature for many users. Whether the NP files can be exploited?? That could represent a threat. Considering the numbers of NAV/NSW users, an exploit would have fronted by now, don't you think? (now this has been publicised there are certainly coders trying)

    I am not familiar with KAV ADS feature. If it is a recognised useful component from a trusted vendor, what is the problem? If it can be disabled, WITP?

    Reminds me of the recent WMF exploit: when Ilfak Guilfanov provided his patch and Secunia asked us to "trust us" we were ready to believe.

    Not withstanding possible exploits or personal likes/dislikes re software, do we have reason NOT to trust Norton or Kaspersky?

    The word ROOTKIT is assuming strange malevolence. There are good and bad rootkit applications. Likely we will allow beneficial rootkits on our systems if provided by trusted vendors for specific purposes in the near future.

    Selah.
     
  21. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    F-Secure's view on "Cloaking without malicious intent":

    here
     