IDG News Service - The Windows operating system expert who exposed Sony BMG Music Entertainment's use of rootkit cloaking techniques last year is now criticizing security vendors Symantec Corp. and Kaspersky Lab Ltd. for shipping software that works in a similar manner.
Mark Russinovich, chief software architect at systems software company Winternals Software LP, says that the techniques used by Symantec's Norton SystemWorks and Kaspersky's Anti-Virus products are rootkits, a term usually reserved for the techniques used by malicious software to avoid detection on an infected PC. There is "no good justification," for the use of such techniques, Russinovich said. "If the vendor believes that the implementation of their software requires a rootkit, then I think they need to go back and rearchitect it."
Both Symantec and Kaspersky acknowledged that they have shipped software that hides information from system tools, but they told IDG News Service that they disagreed with Russinovich's use of the term rootkit, saying that because their software was not designed with malicious intent, it should not be lumped into the same category.
Still, both companies appeared sensitive to Russinovich's criticism.
Cupertino, Calif.-based Symantec on Tuesday issued a patch to SystemWorks that disabled the cloaking feature. On Thursday, a representative of Moscow-based Kaspersky said that it was possible that his company could take similar action. "I don't know whether we've got a plan to do that, but that's obviously one thing that we could do here," said David Emm, a senior technology consultant at Kaspersky.
Unlike Sony's XCP (Extended Copy Protection) software, the Symantec and Kaspersky products do not cloak the fact that certain pieces of software are running on the computer. Instead, they hide data.
Symantec's Norton SystemWorks PC-tuning software uses cloaking techniques to hide a directory of backup files. This technique has been employed by SystemWorks since the 1990s in order to prevent users from accidentally deleting these files, according to Vincent Weafer, senior director for development at Symantec Security Response.
Symantec issued the patch because hackers could conceivably use the SystemWorks cloaking capability to hide files on the system. Weafer described this possibility as a low-risk threat, saying that most security software would be able to detect these cloaked files. "The intent of this feature was for good," he said. "But we need to look at these technologies and say, 'What is the potential for harm?' Even if it's a low risk, the right thing to do is remove them."
Kaspersky's use of cloaking software is more recent. With Version 5 of its Kaspersky Anti-Virus software, first released
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
