Bugtraq mailing list archives

Possible security issue in NAV2001 on Windows ME


From: Bill Sobel <bsobel () SYMANTEC COM>
Date: Tue, 24 Oct 2000 18:30:36 -0700

This post is Symantec's response to Peter Kruse's 10/22/2000 post.
Bill Sobel
Symantec

Bugnet Post

If you place a virus or other known malware in the c:\_RESTORE folder
(apparently default on Windows ME) Norton Antivirus will not scan that
folder in a "full-system" scan. This seems to be Symantec's poor choice not
to scan such files?  However if you manually scan C:\_RESTORE NAV will find
the infected file but won't be able to delete, repair nor quarantine the
file? This could lead a malicious user to drop files into the restore
folder - there're a few obvious ways to exploit this. Eventually this can be
tested by booting from DOS and copying a virus to c:\_RESTORE. The test will
show that NAV2001 will indeed detect the virus but will be unable to do
anything further.


Symantec Response:
Norton AntiVirus 2000 and 2001 under Windows ME exclude the c:\_Restore
folder from the list of directories that are monitored for virus activity.
This is perceived as a threat because when this directory is scanned,
Norton AntiVirus reports that no viruses are found, even if a virus
infected file had been archived in the c:\_Restore directory.

What happens when the C:\_Restore folder is removed from the list of
exclusions?
Norton AntiVirus 2000 and 2001 will then scan the c:\_Restore folder and
alert the user if any virus infected files have been found. Even though
Norton AntiVirus 2000 and 2001 will find these viruses, they will not be
able to delete, repair or quarantine these files. As seen in Microsoft's
knowledge base document found at
http://support.microsoft.com/support/kb/articles/Q263/4/55.ASP,

   "Although some anti-virus programs may have the ability to work with
   files that have been compressed and/or stored in a .zip or .cab file
   format, the System Restore feature does not permit these utilities to
   manipulate these files within the data store. The Data Store is
   protected for data integrity purposes, and the System Restore feature is
   the only method you can use to obtain access to the data store. Because
   of this, the anti-virus program is unable to remove the virus from the
   file or files within the data store. These files in the data store are
   inactive and can only be used by the System Restore feature."

Because of this feature, Norton AntiVirus 2000 and 2001 can't delete, repair
or quarantine virus infected files in the c:\_Restore directory.

Can a virus infected file archived in the C:\_Restore directory infect my
system?
The suggested way to infect this directory by booting with a DOS bootable
disk and copying virus infected files to this directory would require
someone to be able to have physical access to my computer. Having physical
access to my computer requires human intervention, and is not something a
virus alone could do. Antivirus software can't protect your system from
someone who has physical control over the computer.

Laura
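
The behaviour described in the response above, modelled as an added example (this is not Symantec's code, not NAV's scan logic, and not part of the thread): a full-system scan with a directory exclusion list, where a skipped directory must be reported rather than silently folded into "no viruses found", and where a file inside a protected data store can be detected but not remediated. The file tree, the detection marker and the "protected store" rule are constructed for the example; component-wise, case-insensitive path matching is used so that an exclusion for c:\_Restore does not also cover a sibling such as c:\_Restore_old.

```python
"""Added example: full-system scan with exclusions and a protected store.

Not Symantec's or NAV's code. Models the thread's observation that an
excluded directory is not scanned at all, and that a file inside the
Windows ME System Restore data store (c:\\_Restore) can be detected but
not deleted, repaired or quarantined.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath

# Constructed detection marker: a file whose content contains this string is
# treated as "infected" by the model. It is not a real malware signature.
TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


class Status(Enum):
    CLEAN = "clean"
    REMEDIATED = "detected, quarantined"
    NOT_REMEDIABLE = "detected, cannot be repaired/deleted (protected store)"
    SKIPPED = "not scanned (excluded directory)"


def _parts(path: str) -> tuple[str, ...]:
    # Windows paths are case-insensitive; compare whole components so that
    # an exclusion for C:\_Restore does not also match C:\_Restore_old.
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


def is_under(path: str, directory: str) -> bool:
    p, d = _parts(path), _parts(directory)
    return p[: len(d)] == d


@dataclass
class ScanReport:
    results: dict[str, Status] = field(default_factory=dict)
    excluded_dirs: list[str] = field(default_factory=list)

    def with_status(self, status: Status) -> list[str]:
        return [f for f, s in self.results.items() if s is status]


def full_system_scan(files: dict[str, bytes], exclusions: list[str],
                     protected_stores: list[str]) -> ScanReport:
    """Scan every file except those under an excluded directory.

    Files under a protected store (the OS data store, per Microsoft's KB
    note quoted in the thread) can be flagged but not remediated.
    """
    report = ScanReport(excluded_dirs=list(exclusions))
    for path, content in files.items():
        if any(is_under(path, d) for d in exclusions):
            report.results[path] = Status.SKIPPED
            continue
        if TEST_SIGNATURE not in content:
            report.results[path] = Status.CLEAN
        elif any(is_under(path, d) for d in protected_stores):
            report.results[path] = Status.NOT_REMEDIABLE
        else:
            report.results[path] = Status.REMEDIATED
    return report


def summary(report: ScanReport) -> str:
    """Human-readable result that never hides skipped or stuck files."""
    skipped = report.with_status(Status.SKIPPED)
    stuck = report.with_status(Status.NOT_REMEDIABLE)
    detected = len(stuck) + len(report.with_status(Status.REMEDIATED))
    scanned = len(report.results) - len(skipped)
    lines = [f"{detected} detection(s) in {scanned} scanned file(s)"]
    if skipped:
        lines.append(f"{len(skipped)} file(s) NOT scanned, excluded: "
                     + ", ".join(report.excluded_dirs))
    for f in stuck:
        lines.append(f"{f}: detected but not remediable; only the System "
                     "Restore feature can act on the data store")
    return "\n".join(lines)


# Constructed sample file tree (contents are placeholders, not real files).
SAMPLE_FILES: dict[str, bytes] = {
    r"C:\Windows\notepad.exe": b"MZ clean program",
    r"C:\_Restore\Archive\RB0\A0001.CPY": TEST_SIGNATURE + b" archived",
    r"C:\_Restore_old\leftover.bin": TEST_SIGNATURE,
    r"C:\Temp\sample.exe": TEST_SIGNATURE,
}

if __name__ == "__main__":
    # Default policy from the thread: _Restore excluded and protected.
    print(summary(full_system_scan(SAMPLE_FILES, [r"C:\_Restore"],
                                   [r"C:\_Restore"])))
    print("---")
    # Exclusion removed: the file is now found but cannot be remediated.
    print(summary(full_system_scan(SAMPLE_FILES, [], [r"C:\_Restore"])))
```

Running the block prints the two reports side by side: with the exclusion in place the archived file never appears as a detection and the report states that the directory was skipped; with the exclusion removed it appears as a detection marked not remediable, which is the outcome the KB article describes.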



Motoaki Yamamura
10/23/2000 11:07 PM

To:   "Bill Sobel" <bsobel () symantec com>
cc:   <myamamura () symantec com>, "Vincent Weafer" <vweafer () symantec com>,
      <tmmather () symantec com>, <Lgarcia () symantec com>,
      <asanjabi () symantec com>, Francia
      Saplala/SanMon/Cal/SYMANTEC@SYMANTEC, Yunsun
      Wee/SanMon/Cal/SYMANTEC@SYMANTEC, Susan
      Murdico/SanMon/Cal/SYMANTEC@SYMANTEC, Deirdre
      Allingham/SanMon/Cal/SYMANTEC@SYMANTEC, Patrick
      Martin/SanMon/Cal/SYMANTEC@Symantec
Subject:  Need response from CPD asap  (Document link: Laura
      Garcia-Manrique)


Laura,

Can I presume your team will assemble the official response for this by
Tuesday (Oct 24)?
If not, we need to discuss this quickly because I want to make sure to take
care of this quickly.  It's public information and needs to be addressed
quickly.  I'm happy to help brainstorm on the reply if you need help.

Bill,
I mentioned the inability to execute a file from _RESTORE to address the
comment he made about hiding the malicious code in that folder.
This could lead a malicious user to drop files into the restore
folder - there're a few obvious ways to exploit this.

In order to use that malware, the malware will need to move it out of there
(at which point NAV will detect it).  Can you let me know if there is any
obvious way to get around this?  (I'm hoping there is not)

I do understand the reinfection that will occur if you roll back.  I think
it's like taking a backup of the system in an infected state.  Although it's
bad to include known infections in a backup, maybe (this sounds like a bad
excuse) it could be used if we have a false positive or bad repair (similar
to keeping a backup copy of pre-repaired files).  I think it was a conscious
decision made by the NAV2001 team to implement it this way until they can
implement a better way to do this.

Anyways, I will try to chat with the NAV2001 team to make sure we can respond
to this post before it blows up.

- Moto




"Bill Sobel" <bsobel () symantec com> on 10/23/2000 04:28:19 PM


To:   <myamamura () symantec com>
cc:   "Vincent Weafer" <vweafer () symantec com>, <tmmather () symantec com>,
      <Lgarcia () symantec com>, <asanjabi () symantec com>
Subject:  RE: FW: Message sent to Security () SYMANTEC COM


Update,

Bugtraq sent it out, and it's up on SecurityFocus.  Probably need to get an
official response ready.

Moto, one more thing, apparently if you manually scan the _RESTORE folder we
can't repair or delete the file.  You're infected, but you're stuck with it and
you'll get reinfected if the user has to do a restore which pulls that file
out (so it doesn't matter if you can run code from that dir or not for this
case)

Bill

-----Original Message-----
From: myamamura () symantec com [mailto:myamamura () symantec com]
Sent: Monday, October 23, 2000 11:30 AM
To: Bill Sobel
Cc: myamamura () symantec com; Vincent Weafer; tmmather () symantec com;
scott.martin () symantec com; Lgarcia () symantec com; asanjabi () symantec com
Subject: RE: FW: Message sent to Security () SYMANTEC COM




Thanks for that info.  I was aware of this rollback feature, but was not
aware of the directory name - I need to study a bit more on new OS -
learning something everyday :-).

I think it had to do with repairing viruses.  When viruses are repaired,
the original unrepaired file will automatically be sent to restore
directory by the OS.  Ideally, we want to prevent that from happening to
keep restore clean (probably need to hook somewhere inside of restore
feature and repair files being sent into restore).  But since that feature
was not possible to implement in the NAV2001 timeframe, the product avoided
scanning restore to avoid confusion by novice users.

This way, the user will clean a virus and not detect it again (in the
restore).  If NAV2001 scanned the restore, they would think they are still
infected.  Lastly, I thought it was not possible to execute programs from
inside restore directory (if true, this should eliminate a trojan being
hidden).

Anyways, I think Ali or Laura (CPD) can validate my answer and also keep
you informed of any other updates they may have.

- Moto





"Bill Sobel" <bsobel () symantec com> on 2000/10/23 11:01:29


To:   <myamamura () symantec com>
cc:   "Vincent Weafer" <vweafer () symantec com>, <tmmather () symantec com>,
      <scott.martin () symantec com>, <Lgarcia () symantec com>
Subject:  RE: FW: Message sent to Security () SYMANTEC COM


Moto,

I'm pretty sure he's talking about the 'restore' folder, not the recycle
bin.  The restore folder is where ME stores data that is used when the
system needs to be rolled back.  As the poster says, installing an infected
item here will cause an infection if/when a rollback later occurs.

Bill

-----Original Message-----
From: myamamura () symantec com [mailto:myamamura () symantec com]
Sent: Monday, October 23, 2000 10:53 AM
To: Bill Sobel
Cc: Motoaki Yamamura; Vincent Weafer; tmmather () symantec com;
scott.martin () symantec com; Lgarcia () symantec com
Subject: Re: FW: Message sent to Security () SYMANTEC COM




I presume he is talking about "recycled" folder (trash can) rather than
"restore".
I recall a similar issue being raised in the past about this and I can't
recall the answer to it.

Anyways, this code is independent of the scanning engine and is in the
product code.  I suggest we talk with Laura Garcia about the reason why
they chose to do this.

Laura,
Can you comment on this?

- Moto





"Bill Sobel" <bsobel () symantec com> on 2000/10/22 11:48:18


To:   "Motoaki Yamamura" <myamamura () symantec com>, "Vincent Weafer"
      <vweafer () symantec com>
cc:   <tmmather () symantec com>, <scott.martin () symantec com>
Subject:  FW: Message sent to Security () SYMANTEC COM


Vincent, Moto,

This came in from external, can you review and comment (and let me know if
we or SARC will respond to the poster)?

Bill

-----Original Message-----
From: Security () symantec com [mailto:Security () symantec com]
Sent: Sunday, October 22, 2000 8:36 AM
To: tmmather () symantec com; scott.martin () symantec com;
bsobel () symantec com
Subject: Message sent to Security () SYMANTEC COM




If you wish to reply to this message as "Security () SYMANTEC COM" to the
Internet, please be sure to switch to the Security/Cupertino/Cal/SYMANTEC
notes ID before replying.







"Peter Kruse" <peter.kruse () it dk> on 10/22/2000 08:20:20 AM

Please respond to <peter.kruse () it dk>


To:   Security/Cupertino/Cal/SYMANTEC@SYMANTEC
cc:
Subject:  Possible security bug in Norton Antivirus 2001 running on Windows
      ME


Yesterday I received my new laptop with a default installation of Microsoft
Windows ME and the Norton Antivirus 2001 product. During a short test I
accidentally stumbled upon a possible security problem with Norton
Antivirus.

Overview:
If you place a virus or other known malware in the c:\_RESTORE folder
(apparently default on Windows ME) Norton Antivirus will not scan that
folder in a "full-system" scan. This seems to be Symantec's poor choice not
to scan such files?  However if you manually scan C:\_RESTORE NAV will find
the infected file but won't be able to delete, repair nor quarantine the
file? This could lead a malicious user to drop files into the restore
folder - there're a few obvious ways to exploit this.

This might just be an even bigger issue and could be Windows ME based, and
therefore leave even more AV products vulnerable.
Does anybody have further information regarding this possible security bug?

Kind regards
Peter Kruse
www.virus112.com

(See attached file: winmail.dat)
