Symantec Confirms Norton AV Source Code Exposed

Thursday, January 05, 2012

Anthony M. Freed


Update: Symantec Hacked in 2006? Claim Raises More Questions

Symantec now claims that the company's own networks were in fact breached back in 2006, leading to the loss of proprietary product data: "...an investigation into the matter had revealed that the company's networks had indeed been compromised"...

*   *   *

Update: Hacker to Release Symantec's PCAnywhere Source Code

"YamaTough, spokesperson for the hacktivist group “The Lords of Dharmaraja”, informed Infosec Island of plans to release source code for Symantec's PCAnywhere. The release is to be made prior to the threatened exposure of the full source code for the Norton antivirus..."

*   *   *

Update: Exclusive: Interview With Hacker YamaTough

*   *   *

Infosec Island was provided with a file by an unidentified hacker going by the handle YamaTough which after preliminary analysis appeared to contain source code for the 2006 version of Symantec's Norton antivirus product.

Infosec Island provided Symantec with the file for analysis, which has now been completed.

Cris Paden, Sr. Manager for Corporate Communications at Symantec emailed Infosec Island editors with the following statement concerning the exposure of source code for the company's Norton antivirus product:

"Symantec can confirm that a segment of its source code has been accessed.  Symantec’s own network was not breached, but rather that of a third party entity."

"We are still gathering information on the details and are not in a position to provide specifics on the third party involved."

"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions.  Furthermore, there are no indications that customer information has been impacted or exposed at this time."

"However, Symantec is working to develop remediation process to ensure long-term protection for our customers’ information.  We will communicate that process once the steps have been finalized."

"Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."

Though the code is for an older version of the Norton antivirus product, the impact of the exposure is still undetermined, and several questions remain:

  • The file provided to Infosec Island and passed on to Symantec was merely a sample of the material YamaTough claims to possess. Does Symantec's statement mean that code for more recent editions has not been compromised as well, or only that this sample is from 2006?
  • What was the "third party" - presumably some entity related to the Indian government - doing in possession of the source code for the Symantec product?
  • How much information would source code from 2006 provide to malware authors, assuming the product has not been rewritten from scratch since this code was produced?

Symantec officials have indicated they will be providing more information as they continue their investigation, and certainly more will be known if the entirety of the compromised data YamaTough claims to be in possession of is finally released to the public as has been threatened.

Stay tuned for more as this story develops into what could be one of the biggest data loss events of 2012, less than one week into the new year.

Yama Tougher: Cris seems to be a nice fella, I wonder if the whole board was negotiating whether to make a statement like that or not =) Any idea why they cancelled our G+ account? =)
1325822803
Michael Menefee: Yama,
Can you confirm that your Google+ account was terminated without your consent?

We had 2 working theories: 1) that you deleted your content, or 2) that you were censored.

Mike
1325824633
Yama Tougher: I was censored, I can prove that me iz me by making some more releze of src
1325825232
Yama Tougher: SpywarePlus directory from src pack, to prove my identity. G+ deleted my account right after Tony messaged me to talk in private...
http://depositfiles.com/files/rkqsj2d98
1325825689
Michael Menefee: Yama,

That is an interesting part of this whole story... I would suggest that a) Symantec has some influence over Google and (not or) b) Google can do whatever they please...

very interesting development
1325825783
Yama Tougher: a government contractor can shut up pretty much anyone... they do it coz of angst=afraid
1325828949
Michael Menefee: I haven't looked at the Google+ terms of service, nor do I use it, but it sounds like something to be aware of: if they can, they will delete whatever they want
1325829226
Yama Tougher: same shit experience as our anonymous brotherz, I wonder when comments from Uscc.gov 'll follow?
1325829595
Bobby Mann: First off, Google has the right to delete based on the fact you are essentially initiating terrorist activity, thus anything that violates the agreement you "signed" when you created your G+ account is grounds for deletion. Has nothing to do with Symantec, as Google just doesn't want to be part of it. By the way, that's the least of your problems. Stay tuned.
1325830741
Bobby Mann: Yama, you claim to have source from other companies as well. What other companies? Why target just one?
1325830898
Yama Tougher: Smell some poo?
1325830921
Yama Tougher: You know what companies we are talking about in here, am waiting for the least of my problems to follow and then deliver ok? Blame not us but blame fraking Sym and others who delivered code to a foreign entity, they should get fraking prosecuted for doing this but of course since they all are CIA they won't let it out
1325831258
Bobby Mann: Put up or shut up. What companies? Show some balls and give us proof that other companies are involved.
1325831802
Bobby Mann: No, the millions of Symantec customers will blame YOU as a result of your terrorist activities. There will be no sympathy, only disdain (you know what that means, right) for you.
1325832160
Michael Menefee: Bobby, Yama, let's leave this stuff for later.

Bobby, we here at Infosec Island have verified the claims of source code for Symantec products... I don't think that Yama's goal is to threaten corporations with terrorism, else he would have released this code to everyone else already.

IF the claims are true about the Indian government requiring source code to allow certain tech into their country, the expectation is that there is a lot of source code there... and I mean A LOT

There is no reason to get upset just yet... we have only verified 1 set of code... not a global disaster just yet :)

1325832437
EH EH: This is upsetting. Yama, please delete all the source code you came into possession of. And leave this issue to the void. Please walk away! :)
1325851509
EH EH: Actually, what I said wouldn't be a good idea. You have shown the world where they can get the source code from too.
1325852921
dingo mybaby: Since it was six year old code for SEP and SAV it seems like it was just a lucky find on an out of date server - no other material has been shown so it's not much of a scalp...
1326107750
neero: 2007 Yama's list included files with names fprot, CAinnoculate, mcafee etc. Does that mean NAV was using their source code too?? :P ... they could have. Leaked file names were from NAV 2006 and I believe there wouldn't be much modification since!!
1326132780
Commander Mukesh Saini (Retd.): I do not hold a brief for the government of India, but I have received inputs that the above letter is not only fake but an attempt to cause misunderstanding between India and the US (and I add that collateral fire may hit China). Some of the reasons which show that the document is fake are:
(a) Despite being highly sensitive, there is no security classification.
(b) Spelling mistakes show the shoddy work of a fraudster.
(c) Addresses are incorrect.
(d) There is no such technological, administrative and jurisdictional possibility.
(e) There are no such pacts with the named organisations/companies.
(f) The style of language and usage of phrases are not 'Indian' but 'US'.
1326177899
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.