Symantec source code that was recently lifted by hackers is from two
old enterprise products unrelated to the company's current consumer
software, according to the antivirus vendor.
On Thursday, several reports surfaced that hackers had managed to
access source code from
certain Symantec products. But the exact products and their version numbers were initially unknown.
In an e-mail to CNET today, Symantec spokesman Cris Paden said that
the two products in question are Symantec Endpoint Protection (SEP) 11.0
and Symantec Antivirus 10.2. SEP is currently at version 12; SEP 11 is 4 years
old but is still supported, while Symantec Antivirus 10.2 has been
discontinued.
Though the company is taking the hack seriously for any enterprise
businesses still using either product, Paden stressed that the attack
did not affect any Norton consumer products. Further, the hackers didn't
breach Symantec's own security but rather that of a third party.
The hackers, who dub themselves The Lords of Dharmaraja, said they
found the code after breaking into servers run by Indian military
intelligence. They've threatened to publicly release the code, but have
yet to follow through. The group's post on the Pastebin site has since
been removed, though a Google cached version still exists, as noted by CNET sister site ZDNet.
Explaining the background, Paden said that on Wednesday, a local
chapter of Anonymous from India claimed in an online forum that they had
the source code for Symantec's Norton Antivirus solutions. A Symantec
investigation found instead that they simply had documentation from 1999
describing how Norton Antivirus worked, but no source code. On
Thursday, the same group said they had access to additional code from a
third-party site, Paden said. Symantec's investigation confirmed this
but found that the code was for the two older enterprise products.
"We are still gathering information on the details and are not in a
position to provide specifics on the third party involved," Symantec
said in a statement. "Presently, we have no indication that the code
disclosure impacts the functionality or security of Symantec's
solutions. Furthermore, there are no indications that customer
information has been impacted or exposed at this time."
So, for now anyway, users of current Norton products can rest easy, although the
attack at the very least raises the question of just how hackers were able
to grab Symantec source code from a third-party server.
Offering his take on the incident, Rob Rachwald, director of security strategy at Imperva, called it "embarrassing on Symantec's part" but not likely to "keep the Symantec folks awake too late at night, and certainly not their customers."
If the source code had been recent and the hackers were able to poke
enough holes in it, then exploiting the software could be possible,
noted Rachwald. But there's not much they can learn from old code.
"Most of the antivirus product is based on attack signatures,"
explained Rachwald. "By basing defenses on signatures, malware authors
continuously write malware to evade signature detection... Further,
malware versions continuously evolve in such a rate where signatures
cannot keep up with them in the first place. The workings of most of the
antivirus' algorithms have also been studied already by hackers in
order to write the malware that defeats them."
Symantec added in its statement that it has already launched an
investigation to learn what happened and take steps against further
incidents.
"Symantec is working to develop [a] remediation
process to ensure long-term protection for our customers' information.
We will communicate that process once the steps have been finalized.
Given the early stages of the investigation, we have no further details
to disclose at this time but will provide updates as we confirm
additional facts."