Symantec confirmed that hackers have obtained source code to two enterprise security products, but third-party experts said the impact on users will be minimal to none.
Symantec has confirmed that a group of hackers has stolen source code to two Symantec products, but downplayed the possible impact on users as a result of the theft.
The attackers stole source code for two older Symantec products for enterprise customers, and not for the consumer-focused Norton product line as had been previously reported, according to Cris Paden, senior manager of corporate communications at Symantec.
The code segments are from Symantec Endpoint Protection 11 and Symantec Antivirus 10.2. SAV 10.2 has already been discontinued, and SEP 11 came out four to five years ago. Symantec currently offers SEP 12 and 12.1 to enterprises.
A group of hackers, named Lords of Dharmaraja, claimed to have breached an Indian military server and stolen several documents and files, according to a Jan. 5 post on Pastebin. The post is no longer available on the text-sharing site, but a copy can be accessed via Google Cache.
"Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time," according to Paden.
Several security experts have told eWEEK they didn't think criminals would examine the leaked code to find vulnerabilities that could be used to exploit the security products directly. While it "clearly is undesirable" for any antivirus vendor or software vendor to have their source code made public, attackers are not likely to gain "any miracle insights" needed to defeat the product, Chester Wisniewski, security adviser at Sophos, told eWEEK.
Malware writers don't need to learn from the source code, since they don't need to know how the engine works in order to defeat it, Rob Rachwald, director of security strategy at Imperva, told eWEEK.
Antivirus software relies on signatures, and developers have been effectively creating malware that can evade detection for quite some time, Rachwald said. Antivirus software tends to have a poor rate of detection, as low as 20 percent to 30 percent, because criminals are testing their code against security products and using encryption and other methods to ensure they slip through, he said.
While they could theoretically find a vulnerability that would allow them to disable the software, it seems unnecessary when they are already creating malware that can't be detected, according to Rachwald.
Nor do criminals trying to create a fake antivirus need access to the source code to create convincing-looking scareware, David Harley, senior research fellow at ESET, told eWEEK. "Fake AV doesn't have to have the core functionality of the real thing. It just has to look genuine to a potential victim," Harley said.
Symantec distributed 10 million updates to its products in 2010 alone, according to a Symantec spokesperson. Extrapolating to four and five years shows how much the code has evolved over that period of time. "It doesn't minimize the situation, but it helps as far as a perspective on how old this code is," the spokesperson said.
While it's possible Symantec competitors would be able to look at how the company built its antivirus engine, that seems unlikely, considering the age of the stolen code. The information is likely to be of interest only to "software historians" such as computer science students looking at legacy code, Aryeh Goretsky, a researcher for ESET, told eWEEK. It takes roughly two years to create a new antivirus engine, and although certain elements may still stay the same, there will be enough changes to make the software outdated, he said.
"AV scanning software and modules tend to change fairly rapidly compared to some other security products," Harley said.
While an actual source code leak could turn out to be embarrassing for Symantec, it won't impact Symantec that much in the market, according to Goretsky. "It happened to both Kaspersky a year ago and Microsoft in 2004, and neither seemed to suffer any ill effects, economically," Goretsky said.
Symantec confirmed that the breach occurred on a third-party network and not on Symantec servers. The Pastebin post claimed to have compromised servers belonging to Indian intelligence agencies.
The fact that the group managed to breach military servers should be of bigger concern than the possibility of leaked source code, Stephen Cobb, a security evangelist for ESET, told eWEEK. A breach on sensitive servers could "prove harmful to cooperation between public and private sectors," Cobb said.
This incident highlights that corporations that follow best practices to secure their infrastructure and data can still be impacted because someone else did not, Mike Lloyd, CTO of RedSeal Networks, told eWEEK. As enterprises lose control over their own assets, regulatory requirements and compliance standards become more important in order to create a baseline that allows organizations to verify their partners are taking necessary steps to be secure, according to Lloyd.
"Business partners and strategic customers may be friendly, but they are not going to expose specifics to you about how well they protect themselves," Lloyd said.
The group Lords of Dharmaraja has not yet posted the code, claiming it needs time to set up some mirror sites. "We are working out mirrors as of now since we experience extreme pressure and censorship from U.S. and India government agencies," the group wrote.