Symantec provides hiding place for hackers

By Joris Evers

Story last modified Wed Jan 11 17:20:00 PST 2006

Symantec has released an update to its popular Norton SystemWorks to fix a
security problem that could be abused by cybercriminals to hide malicious

In the PC-tuning application, a feature called the Norton Protected Recycle
Bin creates a hidden directory on Windows systems. The feature is meant to
help people restore modified or deleted files, but the hidden folder might
not be scanned during scheduled or manual virus scans, Symantec said in an
advisory released Tuesday.

"This could potentially provide a location for an attacker to hide a
malicious file on a computer," Symantec said. The Cupertino, Calif.,
security provider is not aware of any attempts by hackers to conceal
malicious code in the folder. "This update is provided proactively to
eliminate the possibility of that type of activity," it said.

Symantec's alert has echoes of Sony BMG Music Entertainment's recent PC
security fiasco. The record label was found to be shipping copy-protected
compact discs that planted so-called rootkit software on the computers that
played them. The rootkit technology also offered a hiding place for
malicious software.

When the recovery feature was first introduced, hiding the directory helped
ensure that a user would not accidentally delete the files in it, Symantec

"In light of current techniques used by malicious attackers, Symantec has
re-evaluated the value of hiding this directory," the company said in its

Security monitoring company Secunia rates the issue "not critical." Symantec
itself deems the risk impact "low."

Symantec credits Mark Russinovich, the Sysinternals researcher who also
investigated the Sony rootkit, and F-Secure, a Finnish security company that
has a rootkit detection product, for helping it address the SystemWorks

The Norton update will display the previously hidden "NProtect" directory in
the Windows interface, which will allow it to be scanned by antivirus
products, Symantec said. The new version is available through the Symantec
LiveUpdate service. Installing the software will require a system reboot. 

You are a subscribed member of the infowarrior list. Visit for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to