Hackers Get Copy of Symantec AntiVirus Source Code
In a major breach of security, a group of South Asian hackers appears to have gotten hold of the source code of Symantec's anti-virus software.
After initially denying that the hackers had anything worthwhile, Symantec admitted that a sample of code appeared to have been taken from one of two older versions of Symantec business-market software, Symantec AntiVirus Corporate Edition 10.2 or Symantec Endpoint Protection 11.
"While SAV 10.2 is still serviced by Symantec, it has been discontinued," company spokesman Cris Paden told SecurityNewsDaily in an email. "SEP 11 has since evolved into SEP 12.0 and 12.1."
The tech-news website Infosec Island stated that the code appeared to come from Norton AntiVirus 2006, a consumer product, confirming the hacker group's initial claims. Infosec Island reporter Anthony Freed passed on to Paden a segment of the source code he'd received from the hackers.
"Symantec's own network was not breached, but rather that of a third party entity," Paden said. "We are still gathering information on the details and are not in a position to provide specifics on the third party involved.
"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions," Paden added. "Furthermore, there are no indications that customer information has been impacted or exposed at this time."
Earlier this week, the group, calling itself the Lords of Dharmaraja (a possible Buddhist or Sri Lankan reference), posted to the online bulletin board Pastebin a list of filenames and a set of instructions which they said had come from Indian government servers.
"As of now we start sharing with all our brothers and followers information from the Indian Militaty [sic] Intelligence servers," read the introduction to one of the postings. "[S]o far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI."
The Central Bureau of Investigation is one of India's national police and intelligence agencies. It's not clear what "TANCS" refers to.
A spokesman for the hackers, calling himself "Yama Tough" (Yama is the Hindu lord of death), told Freed that the group's goal was to expose corruption and influence peddling within the Indian government.
"Our goal is Bharti Mittal [an Indian telecommunications mogul] go off politacl [sic] arena and stop manipulating our government India bought the right to spy on people worldwide by getting src [source code] from all major sft mnfctrs [software manufacturers]," Yama Tough said in a message to Freed.
If the source code for Norton AntiVirus 2006, or for the older versions of Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection, still shares crucial components with Symantec's current security products, then the public release of that code could endanger the security of tens of millions of computers worldwide: readable source lets attackers hunt for exploitable bugs and study detection logic directly, rather than reverse-engineering compiled binaries.
Paden implied that the current versions had substantially changed.
"In 2010 alone, we distributed 10 million updates to our products in response to new cyber threats," he told SecurityNewsDaily. "If you extrapolate to four and five years, you can get an idea of how much our products/solutions/and code has evolved over the following years."
However, most of those 10 million updates last year would have been virus definitions, which Symantec releases several times per day, thousands of signatures at a time. Definition updates change what the product detects, not the engine code a source leak would expose, so the figure says little about how much the underlying code has actually changed.
Infosec Island's Keith Mendoza, who examined the source code his colleague Anthony Freed had received from Yama Tough, said it seemed to be from "an antique version of NAV running on an antique Windows version," and that it did not contain any virus-scanning components.
Mendoza did say, however, that the code might still contain enough information to interfere with current versions of Symantec products.
Security researcher Kevin McAleavey also had a look at the code. He concluded that it was for a 2005-era product built for Windows XP, and would not run on Windows Vista or Windows 7 at all.
"It's absolutely safe to believe that none of the key kernel code by which current versions of Symantec antivirus could be hacked or compromised from this code would still be in use at all," McAleavey wrote.
In March of last year, security-token manufacturer RSA suffered a devastating data breach, but initially refused to say whether its corporate and government customers could be affected. It turned out that they were, and the breach led directly to another network intrusion at defense contractor Lockheed Martin.
And if it's true that Symantec provided a foreign intelligence agency with source code to its products, presumably for espionage purposes, it raises the question of how many other governments might have similar information.
Paden dismissed the link to the government of India claimed by the Lords of Dharmaraja, which he identified as a subset of the hacktivist movement Anonymous.
"With regards to the government of India, that is speculation based on what Anonymous has claimed online and the media has picked up on that," he said. "But it is not something we ourselves have confirmed."
Mountain View, Calif.-based Symantec bought Peter Norton's PC-utility software company in 1990. It is one of the largest makers of computer security software for the business and consumer markets, with roughly $6 billion in revenue per year.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.