Symantec Looks Into Claims of Stolen Source Code
wiredmikey writes "A group of hackers claim to have stolen source code for Symantec's Norton Antivirus software. The group is operating under the name Dharmaraja, and claims it found the data after compromising Indian military intelligence servers. So far it's unclear if the claims are a significant threat, as the information posted thus far by the hackers includes a document dated April 28, 1999, that Symantec describes as defining the application programming interface (API) for the virus Definition Generation Service. However, a second post entitled 'Norton AV source code file list' includes a list of file names reputedly contained within the Norton AntiVirus source code package. Symantec said it is still in the process of analyzing the data in the second post."
Update: 01/06 07:05 GMT by S: In a post to their Facebook page, Symantec has now said some of their source code was indeed accessed, but it was four or five years old.
Nope.. (Score:5, Insightful)
Who would want anything they make?
Re: (Score:1)
Who would want anything they buy?
FTFY
Re:Nope.. (Score:5, Funny)
Re: (Score:1)
Re: (Score:1)
How is it that people that have not used a product for YEARS make the most stupid of comments? Norton is one of the fastest and best products at protecting users' systems. Check the countless independent reviews. Or better yet, try it for yourself. This is not your grandfather's AV.
Re: (Score:2)
Update says 4 or 5 years ago, which one is it!? Don't you people timestamp your version trees?
Besides, other than virus updates I'd suspect not a hell of a lot of the core would have changed; shrugging it off with "oh it was old code, who cares" isn't fooling me ... j00r b4s3 belongs too ...someone I guess ... heh :)
Re: (Score:3)
I'm working with an iPad here!! It's hard enough to type comments alone rather than having to check my grammar as well!
Re: (Score:2)
The source code is from two different products, one four years old, one five years old. One of them is discontinued.
https://www.facebook.com/Symantec/posts/10150465997682876
Re:Nope.. (Score:5, Funny)
Imagine the poor black hat who only got this turd as loot. It's like breaking into a bank vault and finding out that it only had some smelly bath mats inside.
Re: (Score:3)
Re: (Score:3)
Norton has long outclassed virus makers in terms of the damage it does to a computer system; now the virus makers know how to cause as much damage too!
Re: (Score:2)
To find ways of disabling or otherwise breaking it, to make their viruses immune to one of the most popular AV products.
Or instead of making fake AV software just make real AV software using the stolen code and sell that. The fake AV software scams only work because the likes of Norton are just as bad when it comes to scary warning messages and demands for payment, so they probably only need to change the logo and card processing URL.
Re: (Score:2)
Who would want anything they make?
I don't know about the actual product, but I hear The Daily WTF [thedailywtf.com] wanted to look at the code.
Re: (Score:2)
Who would want anything they make?
This is not the stolen source code you are looking for, move along.
Huh, and this does...? (Score:1)
Re:Huh, and this does...? (Score:4, Interesting)
They don't.
1. Write virus code
2. Load up a machine with the top 10 virus scanners.
3. Load your virus code
4. Let them scan.
5. If they detect it, modify code and go to 3 else 6
6. Release the hounds.
--
BMO
Re: (Score:1)
Symantec released a more up to date statement... (Score:5, Informative)
...on Facebook (yeah, I dunno). http://www.facebook.com/Symantec/posts/10150465997682876
Why does the Indian military have the source???? (Score:4, Interesting)
Wow, so the Indian military works with major US vendors like Norton to spy on their own people (and I assume other countries' people, since it will be the same source????)
I assume they have the source code so they can insert extra bits and dispatch spyware the next time Norton auto-updates?
You get an auto-update, they get a spyware app into your PC. Is that it?
I don't think the scandal here is that the source code was stolen; it is a scandal that Norton cooperates with military spyware!!
Re:Why does the Indian military have the source??? (Score:5, Insightful)
Indeed, a lot of people seem to be missing the bombshell here.
Re: (Score:1)
Re: (Score:2)
Re:Why does the Indian military have the source??? (Score:5, Informative)
Wow, so the Indian military works with major US vendors like Norton to spy on their own people (and I assume other countries' people, since it will be the same source????)
I assume they have the source code so they can insert extra bits and dispatch spyware the next time Norton auto-updates?
You get an auto-update, they get a spyware app into your PC. Is that it?
I don't think the scandal here is that the source code was stolen; it is a scandal that Norton cooperates with military spyware!!
Wow, +4 already? The tinfoils must be up and about today.
Believe it or not, most major software vendors have licenses and policies in place (e.g., Microsoft [microsoft.com]) to allow sensitive institutions (governments, defense contractors, etc.) access to their source code. The primary reason is actually the opposite of what you say. Customers such as the Indian government want to be able to see what's actually in the code before they agree to buy and install it on their own systems and network.
Think of it as the 1% always getting to run open-source software because they have the clout to demand it (and under a strict NDA).
Occupy Microsoft!
Re: (Score:2, Interesting)
Re: (Score:2)
Hopefully, all anti-malware updates are digitally signed. Even for Symantec, which I generally don't have much respect for, I'd be surprised if they didn't have crypto signing for their updates.
Giving access to source code to "important enough" customers isn't really suspicious, but I doubt they'd be including any crypto keys along with that. If somebody finds any private keys in the source dumps, that would be a smoking gun - if not, nothing interesting to see here, move along - only the usual bad security
Re: (Score:2)
They also ask for the source code of the compiler, which compiles itself, which compiles the AV source...
Re: (Score:1)
Believe it or not, most major software vendors have licenses and policies in place (e.g., Microsoft [microsoft.com]) to allow sensitive institutions (governments, defense contractors, etc.) access to their source code. The primary reason is actually the opposite of what you say. Customers such as the Indian government want to be able to see what's actually in the code before they agree to buy and install it on their own systems and network.
Yes, this explanation is valid and almost certainly the main reason why this happens. But the fact that any institution can then exploit any bugs they do find is hardly something that can be ignored.
Re:Why does the Indian military have the source??? (Score:5, Informative)
Wow... so many assumptions in one post.
Don't you think the Indian military needs anti-virus software? Don't you think they would need to examine the source code before running software from an American company on potentially sensitive systems? And don't you think Symantec would give it to them to secure the contract?
Cyberwarfare, Indian Army Gears Up (Score:1)
http://articles.timesofindia.indiatimes.com/2010-07-19/internet/28273582_1_cyber-security-cyber-warfare-cryptographic-controls
You can claim "trust us, we're the military and we don't do this", but in the next breath they are declaring cyber-war.
So no, I would have to be an idiot not to see the connection, and the original story of the hack was very careful to point out that the hack had revealed several US corporations had provided the source code to their products to the Indian military.
You can say they ne
Re: (Score:2)
They said they are gearing up to defend themselves against the undeclared cyber-war that is being waged against them. Namely Pakistani/Chinese hacker groups.
Defending yourself against attacks is declaring cyber-war now? Wow! You are an idiot, regardless of whatever "connections" you see.
It is interesting that you think that India is an enemy for you. Last I checked, the only few countries which actually con
Re: (Score:2)
Yes, no, and no, in that order. Truly sensitive data should be on air-gapped machines protected from careless media insertion, and you don't need AV there.
Re: (Score:2)
There's a wide range of sensitive data.
What about a General's laptop he uses to answer (work) emails? Maybe he doesn't read sensitive reports on the laptop, but would it be OK for a foreign power to read those emails? Absolutely not.
You can't expect the Indian government to run software from an American company without checking. An American company that has contracts with the US government BTW.
If they followed your advice, everything except the most highly classified data would be open to a foreign governmen
Re:Why does the Indian military have the source??? (Score:5, Informative)
Actually, they probably want to audit the code for backdoors and other security vulnerabilities before deploying the software on their systems. A whole bunch of governments got snookered when Crypto AG [wikipedia.org] sold closed-source encryption software with a backdoor that allowed the US government to easily break their communications. In particular, the NSA was rumored to have backdoored Crypto AG systems since the fifties, allowing the US government to spy on communications from such warm and fuzzy countries as Iran.
Re: (Score:2)
Ok, so they can audit the source code. Do they actually build the whole thing from this code themselves? With what compiler? I don't think having the code helps them much in this regard...If a hidden compiler trojan were to truly exist, THIS is where I'd expect to find it. It would be simple for MS to include a trojan in the compiler they give, or give binaries that don't match the source code...
Re: (Score:2)
Source sharing is essentially public knowledge, it has been around for a long time. Long enough to assume that's why they have the code.
What the recipients do with the source has not been disclosed to my knowledge.
I would assume it's up to the recipient to figure out what to do with it, and make sure that is allowed in their contract (Microsoft allegedly tries to negotiate a "come and read it yourself" kind of access so you can't build or copy it, or leak it, after Mainsoft's reported partial leak). Hopef
Re: (Score:2)
i.e. keystroke logging software that was safe from some anti-virus companies.
probably true, with Symantec unaware (Score:1)
Bleh! (Score:5, Funny)
Stealing source code from Symantec is like stealing your neighbor's garbage.
Re: (Score:2)
Not Merely Bloat (Score:1)
Bloat would merely mean an inconvenience, possibly the need to install a larger and faster hard-drive. However, my favorite independent computer shop informed me that Norton Anti-Virus was the cause of overall performance degrading on my Windows XP along with too-frequent "blue screens of death".
The computer shop advised me to obtain the freeware versions of AVG Anti-Virus and Malwarebytes. They install both on all new PCs they sell. They assert that no one anti-virus package can detect all threats.
The f
Re: (Score:1)
Re:Bleh! (Score:4, Interesting)
Ghost was a decent product. I stopped using it years ago in favor of Clonezilla.
Re:Bleh! (Score:5, Interesting)
Re: (Score:2)
I would so mod you up if I could. Out of all the open source software that I have used and all the non open source stuff, Clonezilla has got to win the cake for the most ghastly interface. Not only is it confusing and long-winded, but the fonts they have chosen have got to be the most awful, topped only if someone picked the disn3y font.
Re: (Score:2)
The old DOS Norton Utilities was an awesome product, with the Norton disk editor and other cool features; their products now are just bloat and nothing else. Using common sense on the Internet can keep you safer than this product.
Re: (Score:3)
Ghost was a decent product. I stopped using it years ago in favor of Clonezilla.
Seconded. Clonezilla is an excellent Ghost replacement, and I even started getting the Windows-only admins I work with turned on to it!
If anyone is looking for an open source "corporate back-end Ghost", check out the FOG project [fogproject.org]. I've just begun deploying the infrastructure needed for it, but it lets one back up and reimage a computer remotely using an awesome network boot method.
They both take a little bit to get used to, but it's no worse than getting used to or working around the problems and quirks of Gho
Re: (Score:3)
Stealing source code from Symantec is like stealing your neighbor's garbage.
Hey, maybe if the source is published publicly, some bright person(s) can improve it and issue a "fork" of Symantec's code :)
All they probably have to do is remove a few speed up loops [thedailywtf.com]!
Re: (Score:2)
Don't insult my neighbors. Some of their garbage is decent.
It's for Norton 2006, which is significantly old. (Score:1)
Unless their newer antivirus programs are nothing more than updated virus definitions, it shouldn't really bother Symantec.
Re: (Score:2)
It may still be the same code base that makes Norton run real slow.
Re: (Score:1)
Recent versions allow quarantining on behaviors, like flashxxx.ocx tries to write to c:\windows\.... Figure out the function hook, and you can bypass these actions before they occur.
In addition, any encryption keys embedded would be fair game, possibly allowing one to impersonate a live update server.
Reasons it's not relevant:
Any decent virus writer has disassembled it more than a Jetta in your average chop shop.
Corporate IT departments rarely read Vendor best practices and miss the boat on writing to system dir
A sane point of view (Score:1)
At least we will get some great versions of Norton Total Internet Security 2013 floating about now.
Security by Obfuscation (Score:1, Insightful)
Re: (Score:2)
Re: (Score:2)
The only open-source AV I am aware of-- ClamAV-- lacks real time scanning, and is generally awful. The version that supports real time scanning-- MoonSecure-- is apparently very much alpha, and has a high risk of ruining your machine.
I'll take the closed-source Security Essentials, thanks.
Heck even the best virus removal tools out there-- Kaspersky's tools, Combofix, GMER-- are closed source.
Re: (Score:2)
There's MoonSecure for Windows, a FOSS virus scanner with real-time scanning. It uses the ClamAV virus definition database which is unfortunately not that great...
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
that's what happens when you outsource your programmers to India.
The Indian military outsources to India? Impressive.
It's not stealing! (Score:1, Interesting)
Since the original source code wasn't destroyed and is still in the hands of Symantec, and the hackers merely made an identical copy without permission...
then it's not theft, it's copyright infringement.
I don't understand the implied risk (Score:3)
Does the code include the keys that would be needed to inject bad/malware virus definitions, causing users' machines to delete files that weren't viruses? Does this open up some sort of command-and-control channel over users' machines aside from that risk?
Re: (Score:2)
Or are the crackers just counting coup for filching the source code?
And yes, I'm one of those pedantic buggers who insist that they're crackers, not hackers. Crackers steal and do damage; hackers study out of curiosity.
Re: (Score:2)
The implied risk is that the Indian military is conducting industrial espionage against the US, and then storing their bounty on internet connected computers for all the world to crack and steal.
Offshoring (Score:5, Insightful)
>>The group is operating under the name Dharmaraja
>>...compromising Indian military intelligence servers.
Dear Corporations, "Investors", and CEOs,
Please do not hesitate to keep offshoring every bit of information and technology to the third world. The things you've seen so far are mosquito bites compared to the crap that will hit the fan if you keep "enhancing profits" for another decade or even less.
Respectfully,
Software Developer, a.k.a. the guy who actually has to work for a living.
Re: (Score:3, Interesting)
The fun is in considering what recourse Symantec has. If they didn't have some really expensive penalty clause in the non-disclosure agreement that will have been involved here they'l
Re: (Score:2)
To be fair though, Symantec does do quite a bit of offshoring, with development offices in Beijing and Chengdu, amongst other places in Asia.
Why steal snake oil from Symantec? (Score:1)
Just like watching ads for "My Clean PC", the whole computer virus industry is a scam in the first place. It all originates from the fact that someone tried to sue the pants off Microsoft about file system maintenance utilities... and in return for not going all the way and taking Microsoft to the cleaners, the folks just shook hands and made a deal to leave some security crumbs for the offended corporation.
The end result was the scam about operating system security, when in reality the solution was to lock do
Re: (Score:2)
Re: (Score:2)
Just like how System Restore works SOOOO well to protect you from infected...
Give it 6 months, and there will be a whole group of malware that can break through to those "clean" files, so when you reset your computer, you stay infected.
Re: (Score:2)
Update: Symantec Confirms Hackers Accessed Code (Score:2)
Update: It wasn't Norton, it was older versions of their Enterprise protection:
http://www.securityweek.com/symantec-confirms-hackers-accessed-source-code-two-enterprise-security-products [securityweek.com]
Re: (Score:1)
Great.
So they stole source code from the older version, which is probably the last time it was useful? (unlikely.)
This is what the Mayans predicted! (Score:2)
Computers all over the world will be infected with Norton by December and human civilization as we know it will cease to exist!
Hunh? (Score:4, Funny)
Re: (Score:3, Funny)
# This part slows down the computer if the license is not renewed
Re: (Score:2)
It would be interesting to run grep through the source code. Bet you would find lines like:
# This part slows down the computer if the license is not renewed
... and being written in a scripting language probably doesn't help either!
Re: (Score:1)
Re: (Score:1)
# This part slows down the computer if the license is not renewed
Nah. That would indicate they wrote it in Perl, and perl is fast at finding things. Oh wait, it could also mean TCL.....
Re: (Score:1)
I think that's a "feature" of the AV whether or not your license is renewed...
Awesome (Score:5, Funny)
Re: (Score:2)
Here's to a brighter future! (Score:3, Funny)
Hope these hackers can turn the source code into something useful.
A little perspective (Score:2, Informative)
A lot of Symantec haters out there. Funny.
Let's put some things into perspective here.
1. Norton is a consumer product. SEP is the enterprise product - Two very different products with very different code and both have been re-written a couple of years ago. (Works a lot better than before and is less "bloated")
2. I would very much doubt that a government defense organization would be purchasing a consumer product like Norton.
3. The segments of code found are from SAV (last rolled out approximately 5 years ago
Re:A little perspective (Score:5, Interesting)
And both STILL are garbage. We saw a 200% speed increase on ALL our corporate Windows machines when we switched from SEP to the enterprise offering from ESET. The change was so dramatic that most of us did not believe that the ESET software was running.
Honestly, SEP and Norton both need to have even more rewrites, because they're the joke of the Enterprise world in regards to performance and reliability.
Re: (Score:2)
Pisses me the fuck off.
Oh Norton, how things have changed (Score:3)
I've never told anyone this before, because it's horrifically, tragically sad, but I had a picture of Peter Norton torn out of a magazine pinned up near my PC when I was a kid 20 years ago. Yeah, I was a complete nerd / geek, especially for performance and hardware.
Back then Norton Utilities 6 was the absolute bee's knees. Speedisk for DOS is still the most thorough defragger I know of: "full with file reorder" was the option, it ensured 0 files were fragmented, and this was in the days that exceedingly few files on the disk were set as read only / system. It genuinely improved performance significantly.
Their tools were good for maybe 3 or 4 years more; possibly the first one or two Windows tools for 95 had some useful features lacking in the core OS, but after that, what a shambles. To me, any machine with Norton Utilities (Norton Utilities, NOT "Nortons Utilities", while I'm at it) should pretty much be wiped clean :/
A "Group of hackers". Sure... (Score:2)