The Windows operating system expert who exposed Sony BMG Music Entertainment use of “rootkit” cloaking techniques last year is now criticizing security vendors Symantec Corp. and Kaspersky Lab Ltd. for shipping software that works in a similar manner. If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it.Mark Russinovich>Text
Mark Russinovich, chief software architect with systems software company Winternals Software LP, says that the techniques used by Symantec’s Norton SystemWorks and Kaspersky’s Anti-Virus products are rootkits, a term usually reserved for the techniques used by malicious software to avoid detection on an infected PC.
There is “no good justification,” for the use of such techniques, Russinovich said. “If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it.”
Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools, but told IDG News Service they disagreed with Russinovich’s use of the term rootkit, saying that because their software was not designed with malicious intent, it should not be lumped into the same category.
Russinovich said that he has discussed this issue with Symantec and while both parties are in “general agreement about the nature of their cloaking,” they differ when it comes to defining the term “rootkit.” Symantec and Kaspersky favour a definition that considers whether or not the author had malicious intent, while Russinovich adheres to a definition that is based on the behaviour of the software.
In fact, Symantec believes that this issue of what is and what is not a rootkit merits serious attention. The company would like to see the industry take steps to define rootkits in much the same way a coalition of companies and public interest groups called the Anti-Spyware Coalition produced a definition of the term “spyware” in 2005.
Though Symantec is still discussing how this definition might be hammered out the director of the company’s Security Response center, Vincent Weafer, believes that CERT (Carnegie Mellon University’s Computer Emergency Response Team) or the IT-ISAC (Information Technology Information Sharing and Analysis Center) might be appropriate venues for such a discussion. “We’ve already approached the IT-ISAC, a forum of security vendors and researchers, and asked them as to whether they can help us form an open discussion,” said Weafer. “It looks like they’re willing to do that.”
Still, both companies appeared sensitive to Russinovich’s criticism.
Symantec on Tuesday issued a patch to SystemWorks that disabled the cloaking feature. And on Thursday, a representative from Kaspersky said that it was possible that his company could take similar action. “I don’t know whether we’ve got a plan to do that, but that’s obviously one thing that we could do here,” said David Emm a senior technology consultant with Kaspersky.
Unlike Sony’s XCP (Extended Copy Protection) software, the Symantec and Kaspersky products do not cloak the fact that certain pieces of software are running on the computer. Instead, they hide data.
Symantec’s Norton SystemWorks PC-tuning software uses cloaking techniques to hide a directory of backup files. This technique has been employed by SystemWorks since the 1990s in order to prevent users from accidentally deleting these files, according to Weafer.
Symantec issued the patch because hackers could conceivably use the SystemWorks cloaking capability to hide files on the system. Weafer described this possibility as a “low risk” threat, saying that most security software would be able to detect these cloaked files. “The intent of this feature was for good,” he said. “But we need to look at these technologies and say, ‘What is the potential for harm?’ Even if it’s a low risk, the right thing to do is remove them.” Symantec would like to see the industry take steps to define rootkits as the Anti-Spyware Coalition defined ‘spyware’ in 2005.Text
Kaspersky’s use of cloaking software is more recent. With version 5 of its Kaspersky Anti-Virus software, first released about a year ago, the company used cloaking techniques to hide “checksum” information that the software used to determine which files on the computer it had or had not scanned.
The Moscow-based security vendor uses the technique to improve the performance of its software, said Emm, who does not believe that Kaspersky’s software poses a security risk. “There’s no vulnerability,” he said. “There’s no way in which the technology that we’re implementing can be used by an attacker to actually abuse what we’re doing and cause harm on the user’s system.”
While Russinovich agreed that the Symantec and Kaspersky cloaking techniques are not as dangerous as Sony’s, which was ultimately exploited by virus writers, he said that all three vendors were engaging in a practice that was bad for users and IT professionals. “You don’t want IT not knowing what’s on the systems,” he said. “Not being able to go to the system to do software inventory and disk space inventory, that’s just not a good idea.”
