Remote Attack Code for Symantec's pcAnywhere in the Wild

Thursday, February 23, 2012


Alert Logic's Johnathan Norman issued a warning via Pastebin that remote attack code for Symantec's pcAnywhere product, dubbed the "pcAnywhere Nuke", is now available in the wild.

"The following code will crash the awhost32 service. It'll be respawned so if you want to be a real pain you'll need to loop this... my initial impressions are that controlling execution will be a pain..." Norman wrote.

The exploit is said to be effective against the most recent version of the product, 12.5.0 build 463, which Symantec released after having previously advised users to disable the software because of vulnerability concerns.

"Symantec is aware of the posting and is investigating the claims. We have no additional information to provide at this time," InformationWeek quoted Symantec spokeswoman Katherine James as stating.

In January, YamaTough had threatened a public dump of the stolen pcAnywhere source code, claiming that the release would demonstrate that newer versions of the remote access tool were simply re-packaged code from previous releases, with little in the way of significant changes to the software.

"Weve got some nice things resolved with other companies they are not that slow thinking as symantec but now we know that they fool people aroung by selling them software which is not rebuilt but only have nice wrapper and a few new features - PCAnywhere 2Gb code will be prior to NAV full. And Sabu shall take care of it," YamaTough told Infosec Island (quote remains unedited for grammar).

The hacktivist promptly changed his mind though, opting instead to provide the code first to black hats aligned with the Anonymous and AntiSec movements.

YamaTough tweeted "Heil to our brothers @#antisec who support us. PCAnywhere code is being released to blackhat community for 0d expltin!" along with "We've decided not to release code to the public until we get full of it =) 1st we'll own evrthn we can by 0din' the sym code & pour mayhem."

Infosec Island asked the hacktivist for clarification, to which he replied, "it wil be but not as public release a decision was made to 0day everything we got and than make it public." Some of the source code for Symantec's pcAnywhere product was subsequently posted on The Pirate Bay.

An analysis provided anonymously to the Infosec Institute found that much of the code dated back to 2002, which backs up YamaTough's claim that large parts of it had remained unchanged for years.

"A surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions. Many individual .exe or other files include an accompanying Word document with a detailed developer description of how it functions," the reviewer stated.

The reviewer also found that critical aspects of Symantec's LiveUpdate system were exposed.

"For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere. We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec’s current anti-virus products. Any exploits in the code are now visible by all," the reviewer said.

As previously reported, YamaTough and the hacktivist group “The Lords of Dharmaraja” were responsible for exposing parts of the source code for the 2006 version of Symantec's Norton antivirus product, as well as posting questionable documents online that showed that the United States-China Economic and Security Review Commission (USCC) was possibly breached.

YamaTough had also sent Infosec Island 68 sets of usernames and passwords for compromised US government networks. The group maintains that the information was obtained from servers owned by various ministries of the Indian government.

Infosec Island had made multiple attempts to prompt YamaTough to provide actual proof that the data had in fact been stolen from servers operated by the Indian government, but all requests were either met with silence or an outright refusal.

Symantec maintains that the source code was stolen in 2006 in a previously undetected network security breach at the company. It is not known how YamaTough came to be in possession of the data, but it became apparent that he and his cohorts were looking to profit from it.

After some early communications with YamaTough, Symantec officials realized the hacker and his group were attempting to extort money from the company, at which point Symantec turned the matter over to U.S. law enforcement.

An email exchange posted on Pastebin which was alleged to have taken place between YamaTough and a representative from Symantec was really part of a law enforcement sting operation.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.