Symantec Corp. and Kaspersky Lab Ltd. have been stung by criticisms of their cloaking techniques by Mark Russinovich, the software expert who created a stir last year by exposing Sony BMG Music Entertainment’s covert use of anti-piracy rootkit features and their security risks. Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools. But they said they disagreed with Russinovich’s use of the term rootkit, because their software was not designed with malicious intent, so it should not be lumped in the same category.Text
Mark Russinovich, chief software architect with systems software company Winternals Software LP, says that the techniques used by Symantec’s Norton SystemWorks and Kaspersky’s Anti-Virus products are rootkits, a term usually reserved for the techniques used by malicious software to avoid detection on an infected PC.
There is “no good justification,” for the use of such techniques, Russinovich said. “If the vendor believes that the implementation of their software requires a rootkit then I think they need to go back and re-architect it.”
But a Canadian information security analyst said Russinovich’s use of the loaded term may be excessive in these instances.
“What Symantec and Kaspersky are doing is not in the same category as Sony’s,” said James Quin, senior research analyst at London, Ont.-based InfoTech Research. “I don’t think these would have been classed as rootkits before Sony’s media exposure.”
Both Symantec and Kaspersky concede that they have shipped software that hides information from system tools. But they said they disagreed with Russinovich’s use of the term rootkit, because their software was not designed with malicious intent, so it should not be lumped in the same category.
Symantec and Kaspersky favour a definition that considers the designer’s intentions, while Russinovich adheres to a narrower definition that is based on the behaviour of the software. Symantec believes getting industry consensus on the definition of rootkit is a serious issue, and has already approached an industry group, IT-ISAC (Information Technology Information Sharing and Analysis Center), for clarification.
But arguing semantics is somewhat counter-productive, said Quin. Whether it is called rootkit or something else, he said, the central issue is that the companies have hidden functionality from users. “And the average user’s response to a large software firm hiding things is, oh no, here we go again,” he said.
Unlike Sony’s XCP (Extended Copy Protection) software, the Symantec and Kaspersky products do not cloak the fact that certain pieces of software are running on the computer. Instead, they hide data.
Symantec’s Norton SystemWorks PC-tuning software uses cloaking techniques to hide a directory of backup files. This technique has been employed by SystemWorks since the 1990s in order to prevent users from accidentally deleting these files, according to Vincent Weafer, director of the company’s Security Response Center.
These paternalistic techniques are often used to save users from themselves, said Quin.
“What Symantec was doing, to their minds, was altruistic: Consumers are too error-prone to let them do things without holding their hands,” he said, pointing out that Microsoft Windows also uses hidden files. For example, a user who wants to look at a system folder on the hard drive must click “unhide” to view it, he said. “What Symantec did was take that process one step further and hide it to the point a user can’t find it.”
Symantec has already issued a patch to SystemWorks that disables the cloaking feature. Kaspersky is considering similar action.
Symantec issued the patch because hackers could conceivably use the SystemWorks cloaking capability to hide files on the system. Weafer described this possibility as a “low risk” threat, saying that most security software would be able to detect these cloaked files. “The intent of this feature was for good,” he said. “But we need to look at these technologies and say, ‘What is the potential for harm?’ Even if it’s a low risk, the right thing to do is remove them.”
No security problems with SystemWorks have been reported to date, although the software has been in use for years. “Let’s not forget this is not something new that has just been implemented in the latest version of SystemWorks,” said Quin, pointing out the feature was designed in the 1990s and likely overlooked since. “However, my bigger concern is: If they made this oversight, what other potential oversights exist?”
Unlike Sony, Symantec’s openness about the feature and speedy release of a patch may let the company off the hook in their specific instance, said Quin. “But there really is no excuse for this anymore. Malware is proliferating and threat vectors are easily exploited. The bad guys are too savvy to allow this nowadays.”
In Kaspersky’s instance, the use of cloaking techniques is in fact more recent. With version 5 of its Kaspersky Anti-Virus software, first released about a year ago, the company hid “checksum” information that the software used to determine which files on the computer it had or had not scanned.
The Moscow-based security vendor uses the technique to improve the performance of its software, said David Emm a senior technology consultant with Kaspersky, who does not believe the software poses a security risk. “There’s no vulnerability,” he said. “There’s no way in which the technology that we’re implementing can be used by an attacker to actually abuse what we’re doing and cause harm on the user’s system.”
Quin believes Russinovich’s criticisms of Kaspersky are particularly excessive. “I don’t know that what they’re doing would be considered rootkit. It’s about software optimization. Do we really want to get into a situation where we’re looking at every process and sub-process an application uses?”
While Russinovich agreed that the Symantec and Kaspersky cloaking techniques are not as dangerous as Sony’s, which was ultimately exploited by virus writers, he said that all three vendors were engaging in a practice that was bad for users and IT professionals. “You don’t want IT not knowing what’s on the systems,” he said. “Not being able to go to the system to do software inventory and disk space inventory, that’s just not a good idea.”