Update 3: Hackers May Leak Norton Antivirus Source Code

Thursday, January 05, 2012



Update: Symantec Confirms Source Norton AV Code Exposed

*   *   *

Update: File Appears to Contain 2006 Norton AV Source Code

*   *   *

Older Updates at end of article...

Reports are surfacing that the Indian hacker group known as "The Lords of Dharmaraja" is claiming to have come into possession of the source code for Symantec's flagship Norton Antivirus program.

The hackers have apparently posted to Pastebin a list of the files they obtained, with the message "Complete listing of NAV source code package which is comming..." [sic], indicating that they intend to post the source code itself for the Symantec product.

Source code is the proprietary inner workings of any software, and a leak of this code would open the door for malware authors to study Norton AV's detection logic and craft viruses that evade it more effectively.

This breach could in turn render Norton AV ineffective as a defense tool and have a very serious impact on Symantec's bottom line and stock value.

While these reports have not been confirmed, security journalist Brian Krebs (http://krebsonsecurity.com/) made a brief reference to the rumor in a post on InAGist.com with a link to the Pastebin file list: "Indian hacker Group claims to have leaked source code file list for Norton Antivirus. Says source coming soon. http://t.co/D9L4fePT".

Infosec Island has contacted Symantec's management and is awaiting comment on the validity of the reports. We will be monitoring Krebs' site and other news feed sources for more information.

Update One:

Hat tip to Richard Stiennon for sending us a Google cache of a Pastebin posting from "The Lords of Dharmaraja" that is no longer available which states in part:

As of now we start sharing with all our brothers and followers information from the Indian Military Intelligence servers, so far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI.

Now we release confidential documentation we encountered of Symantec corporation and its Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.

Tancs spy programme preview:

http://imgur.com/a/8XoGf

Our first release with the Indian MI in Paris owned like shit:

http://pastebin.com/0U4dWcUX

And now first portion of Symantec docs: We want to ask Symantec WTF Indian MI have them at?

Update Two:

Again, hat tip to Richard Stiennon for sending us a Tweet he noticed in which someone calling themselves "YamaTough" offers Brian Krebs the opportunity to interview them about the Norton AV source code breach:

Krebs - Norton AV

The breach of the Norton source code is as yet unconfirmed, as is the identity of "YamaTough" and whether they have any actual connection to these events, be they real or merely a spoof.

Update 3:

YamaTough has posted more information from the alleged breach on Google+ in an effort to prove this is not a spoof; an excerpt follows:

Yama Tough - 12:42 PM - Public: another internal doc from Symantec NAV src
Immune System Gateway Array Setup

Rev 2

05/01/2000

Raju Pavuluri
Immune System QA group
IBM Research.

Gateway Array Setup

This document discusses setting up Gateway Array – 1, and references to the domain “gw01” are made throughout the document. While installing Gateway Array – 2 please follow the same document but use “gw02” wherever a reference to “gw01” is made.

Please follow the following instructions before setting up the hardware/software for gateway arrays.


For each Gateway Array

• Allocate IP names and addresses for each machine.

gw01data01.gw01.dis.symantec.com
gw01entry01.gw01.dis.symantec.com
gw01inside01.gw01.dis.symantec.com
gw01sample01.gw01.dis.symantec.com
gw01def01.gw01.dis.symantec.com
gw01def02.gw01.dis.symantec.com
gw01def03.gw01.dis.symantec.com

• Get DNS records for each

IP Name -> IP address
IP Address -> IP name

• Read the documentation for setting up DNS correctly, available in GWDNS.TXT file (in avis200.xxx directory). Test the DNS records with the test program GWDNS.PL (in avis200.xxx\src\testtools directory).

• You need the following CDs for Gateway Array installation.

Microsoft Windows NT Server version 4.0
Microsoft Windows NT service pack 5
IBM DB2 Universal Enterprise Extended Edition version 6.1
IBM DB2 fixpack 2
IBM LotusGo for WinNT version 4.6.2.6
Microsoft Data Access version 2.1
Immune System build avis200.xxx
Initial definitions (VDB packages).
Dimension 4 Software (with custom-built config. files for Symantec)

Setup instructions for the machine “GW01DATA01”

The posted information is lengthy, so only an excerpt was reposted here.

More to come...

Anthony M. Freed Updated with some additional information - though no actual source code leaked yet. Given that we don't know how long the source code has been compromised, there is the possibility that there are already exploits in the wild that could threaten consumers and, more so, companies that depend on Norton AV to protect their networks. If this leak is confirmed, this will be bigger than the RSA SecurID breach, as there will be no easy fix (like RSA issuing new keys)...
Cris Paden Hi. Cris Paden with Symantec. Be advised we investigated the original claim that NAV source code had been exposed and found it to be false. The information posted was actually a document from 1999 explaining how the software worked, but did not include any actual source code. FYI.
Anthony M. Freed Cris - thanks for the info. We are, of course, hoping all this turns out to be a load of baloney. Feel free to send me any statements you wish included in further updates: anthonymfreed at gmail dot com
Michael Menefee I was given the opportunity to personally review some of the source code produced by @YamaTough and without being able to verify it against Symantec's source....looks pretty valid to me, albeit from a 2006 development date of the code
Bobby Mann I'm tired of these activist scumbags getting airtime. How about breaking the "story" when there is one. Looks like old code to me, WHO CARES.
Michael Menefee Bobby,

I completely agree that 2006 code seems like ages ago...

However: what we don't know are 2 things:

1) how much of that code is still the baseline for current releases, and;

2) whether the people that released the code to us have more current versions or not...we're not sure

All I can say is I went through the provided source code to me...unless someone went through a lot of trouble to fake what appears to be Symantec code dating back to 1998 with developer comments included all the way through each .ccp file, there is some serious validity to this claim.

Either way, I hope that YT thinks about the implications of releasing this code to the public, despite his personal problems with his country's government...maybe an agreement can be reached that won't result in such a massive global loss of trust for a long-term reputable product that is supported by really talented professionals.