Update 3: Hackers May Leak Norton Antivirus Source Code

Thursday, January 05, 2012

Update: Symantec Confirms Source Norton AV Code Exposed

*   *   *

Update: File Appears to Contain 2006 Norton AV Source Code

*   *   *

Older Updates at end of article...

Reports are surfacing that the Indian hacker group known as "The Lords of Dharmaraja" is claiming to have come into possession of the source code for Symantec's flagship Norton Antivirus program.

The hackers have apparently posted on Pastebin a list of the files they obtained with the message "Complete listing of NAV source code package which is comming..." [sic], an indication that they intend to post the actual source code for the Symantec product.

Source code is the proprietary mechanics of any software, and the leak of this code would open the doors for malware manufacturers to create viruses that could more effectively escape detection by the Norton AV product.

This breach could in turn render Norton AV ineffective as a defense tool and have a very serious impact on Symantec's bottom line and stock value.

While these reports have not been confirmed, security journalist Brian Krebs (http://krebsonsecurity.com/) made a brief reference to the rumor in a post on InAGist.com with a link to the Pastebin file list: "Indian hacker Group claims to have leaked source code file list for Norton Antivirus. Says source coming soon. http://t.co/D9L4fePT".

Infosec Island has contacted Symantec's management and is awaiting comment on the validity of the reports. We will be monitoring Krebs' site and other news feed sources for more information.

Update One:

Hat tip to Richard Stiennon for sending us a Google cache of a Pastebin posting from "The Lords of Dharmaraja" that is no longer available which states in part:

As of now we start sharing with all our brothers and followers information from the Indian Military Intelligence servers, so far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI.

Now we release confidential documentation we encountered of Symantec corporation and its Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.

Tancs spy programme preview:

http://imgur.com/a/8XoGf

Our first release with the Indian MI in Paris owned like shit:

http://pastebin.com/0U4dWcUX

And now first portion of Symantec docs: We want to ask Symantec WTF Indian MI have them at?

Update Two:

Again, hat tip to Richard Stiennon for sending us a Tweet he noticed in which someone calling themselves "YamaTough" is offering Brian Krebs the opportunity to interview them about the Norton AV source code breach:

Krebs - Norton AV

The breach of the Norton source code is as of yet still unconfirmed, as is the identity of "YamaTough" and whether or not they actually have any connection to these events, be they actual or merely a spoof.

Update 3:

YamaTough has posted more information from the alleged breach on Google+ in an effort to prove this is not a spoof. An excerpt follows:

Yama Tough  -  12:42 PM  -  Public
another internal doc from Symantec NAV src
Immune System Gateway Array Setup

Rev 2

05/01/2000

Raju Pavuluri
Immune System QA group
IBM Research.

Gateway Array Setup

This document discusses about setting up Gateway Array – 1, and references to the domain “gw01” are made throughout the document. While installing Gateway Array – 2 please follow the same document but use “gw02” wherever a reference to “gw01” is made.

Please follow the following instructions before setting up the hardware/software for gateway arrays.


For each Gateway Array

• Allocate IP names and addresses for each machine.

gw01data01.gw01.dis.symantec.com
gw01entry01.gw01.dis.symantec.com
gw01inside01.gw01.dis.symantec.com
gw01sample01.gw01.dis.symantec.com
gw01def01.gw01.dis.symantec.com
gw01def02.gw01.dis.symantec.com
gw01def03.gw01.dis.symantec.com

• Get DNS records for each

IP Name -> IP address
IP Address -> IP name

• Read the documentation for setting up DNS correctly, available in GWDNS.TXT file (in avis200.xxx directory). Test the DNS records with the test program GWDNS.PL (in avis200.xxx\src\testtools directory).

• You need the following CD’s for Gateway Array installation.

Microsoft Windows NT Server version 4.0
Microsoft Windows NT service pack 5
IBM DB2 Universal Enterprise Extended Edition version 6.1
IBM DB2 fixpack 2
IBM LotusGo for WinNT version 4.6.2.6
Microsoft Data Access version 2.1
Immune System build avis200.xxx
Initial definitions (VDB packages).
Dimension 4 Software (with custom-built config. files for Symantec)

Setup instructions for the machine “GW01DATA01”

The posted information is lengthy, so only an excerpt was reposted here.

More to come...

Anthony M. Freed Updated with some additional information - though no actual source code leaked yet. Given that we don't know how long the source code has been compromised, there is the possibility that there are already exploits in the wild that could threaten consumers and more so companies that depend on Norton AV to protect their networks. If this leak is confirmed, this will be bigger than the RSA SecurID breach, as there will be no easy fix (like RSA issuing new keys)...
Cris Paden Hi. Cris Paden with Symantec. Be advised we investigated the original claim that NAV source code had been exposed and found it to be false. The information posted was actually a document from 1999 explaining how the software worked, but did not include any actual source code. FYI.
Anthony M. Freed Cris - thanks for the info. We are, of course, hoping all this turns out to be a load of baloney. Feel free to send me any statements you wish included in further updates: anthonymfreed at gmail dot com
Bobby Mann I'm tired of these activist scumbags getting airtime. How about breaking the "story" when there is one. Looks like old code to me, WHO CARES.
Angelo Alba They will hopefully now leak it...fingers crossed!


Bill Phillips These things just create more problems, anyway, I have total faith in the ability of Norton programmers to make the necessary adjustments to adapt to these malicious individuals.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.