Hacker Posts Symantec Source Code After Ransom Talks Fail
A detail of a 17th-century Tibetan painting depicting Yama, the Hindu/Buddhist lord of death.
CREDIT: Public domain
Proudly waving the AntiSec hacktivist flag, a hacker known as "YamaTough" has leaked an email exchange that took place between himself and a supposed representative of the security-software maker Symantec before YamaTough released the source code to pcAnywhere, one of Symantec's flagship consumer products.
The Symantec employee was actually a law-enforcement agent, and offered YamaTough $50,000 not to publish the source code for pcAnywhere and an older version of Norton Anti-Virus.
In the email conversation, which began Jan. 18 and was leaked to Pastebin yesterday (Feb. 6), YamaTough repeatedly pressures "Sam Thomas," the purported Symantec representative, to wire $50,000 to an offshore account in exchange for destroying the source code to Norton Anti-Virus and pcAnywhere.
Extortion turns into sting
"We will pay you $50,000.00 USD total," Thomas told YamaTough on Feb. 1. "However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain."
Thomas, despite the Symantec email address that he began the conversation with (he later switched to a Gmail account), was not a Symantec employee, and the $50,000 was bait to reel in YamaTough and any accomplices, according to a Symantec spokesman.
"The email string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement," Cris Paden, Symantec's senior corporate communications manager, told SecurityNewsDaily.
(Paden consistently refers to YamaTough as "Anonymous." While the hacker has been getting encouragement on Twitter from prominent Anonymous members, there is no independent evidence that he has been actively working with them.)
"Anonymous actually reached out to us first, saying that if we provided them with money, they would not post any more source code," Paden said. "At that point, given that it was a clear-cut case of extortion, we contacted law enforcement and turned the investigation over to them."
"All subsequent communications were actually between Anonymous and law enforcement agents — not Symantec," Paden added.
YamaTough gets frustrated
Those heated emails show YamaTough, using a Venezuelan email address, becoming increasingly frustrated with Symantec's excuses for why the company couldn't immediately honor his deadlines.
"If we don't hear from you in 30m we make an official announcement and put your code on sale at auction terms," YamaTough wrote on Jan. 25. "We have many people who are willing to get your code. Don't [mess] with us."
On Jan. 30, Thomas asked YamaTough to "be patient" and said, "We are really trying to work with you but we can't meet all the deadlines that you keep throwing at us." YamaTough replied, "You have 24 hours for a definite answer."
Late last night (Feb. 6), the law-enforcement sting ran into a wall. YamaTough wrote, "There is no time, yes or no, pcAnywhere is ready to be distributed, 10 min."
Shortly afterwards, a link to the pcAnywhere source code appeared on the file-sharing site The Pirate Bay. Paden confirmed that it is, in fact, the actual code.
Source code hits the Web, Symantec is ready
"We can confirm that the source code is legitimate," Paden said. "It is part of the original cache of code for 2006 versions of the products that Anonymous has claimed to have been in possession during the last few weeks."
Symantec, Paden added, had a contingency plan ready.
"Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since Jan. 23rd to protect our users against attacks that might transpire as a result of the anti-virus code being made public," Paden told SecurityNewsDaily.
He said Symantec has reached out to its customers in the past few weeks, urging them to install version 12.5 of pcAnywhere to reduce the risk of their systems becoming compromised in the wake of the leak.
The pcAnywhere leak may just be the first drop in a coming flood, Paden said.
"We also anticipate Anonymous to post the rest of the code they have claimed [they] have in their possession," he said. "So far, they have posted code for the 2006 version of Norton Internet Security and pcAnywhere. We also anticipate that at some point, they will post the code for Norton AntivirusCorporate Edition and Norton Systemworks. Both products no longer exist."