A group of hackers has claimed that it has stolen the source code to Symantec’s flagship antivirus product, according to a Pastebin post.
This may just be an antivirus company’s worst nightmare come true.
The group, named Lords of Dharmaraja, claimed to have breached an Indian military server and stolen several documents and files, according to the post, which appeared on the text-sharing site on Jan. 5. Pastebin has since removed the page, but a copy is still available on Google Cache.
To prove their claims, the group posted excerpts of various documents they’d obtained, including an internal document from April 1999 that discussed the application programming interface for the company’s Definition Generation Service.
“As of now we start sharing with all our brothers and followers information from the Indian military intelligence servers,” according to the post. The group has discovered “source codes of a dozen software companies,” they added.
The leaked document merely explains how the software is designed to work, such as what inputs are accepted and what outputs are generated, Cris Paden, senior manager of corporate communications at Symantec, told eWEEK. While the document contains function names, no actual source code was present in that document, according to Paden.
The fact that the hackers claimed to have discovered source code for several types of software on the breached military server is not a surprise, as many governments require companies to supply source code to prove the software isn’t spyware, Rob Rachwald, director of security strategy at Imperva, told eWEEK. He said it wasn’t unusual, especially when working with the military.
The group breaching military servers should be of bigger concern than the possibility of leaked source code, Stephen Cobb, a security evangelist for ESET, told eWEEK. A security breach on such sensitive servers could “prove harmful to cooperation between public and private sectors,” Cobb said.
Lords of Dharmaraja promised to post actual source code for Norton Antivirus online once they lined up some mirror sites. “We are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies,” the group wrote.
Symantec is still investigating the incident, according to Paden. “As for the second claim of additional code, we cannot confirm or deny those claims as we are still analyzing the information,” Paden said.
While it “clearly is undesirable” for any antivirus vendor or software vendor to have their source code made public, it does not necessarily mean the protection the software provides has been compromised, Chester Wisniewski, a senior security adviser at Sophos, told eWEEK. It could provide attackers with the knowledge needed to exploit undiscovered or unpatched vulnerabilities, but shouldn’t provide “any miracle insights” needed to defeat the product, according to Wisniewski.
Imperva’s Rachwald also noted that the only people to benefit from looking at the source code are likely to be Symantec competitors who would be able to look at how the company built its antivirus engine. There isn’t “much” malware writers can learn from the source code, since they don’t need to know how the engine works to defeat it, according to Rachwald. Antivirus software runs on signatures, and developers have been effectively creating malware that can evade detection for quite some time now, Rachwald said. Antivirus software tends to have a poor rate of detection, as low as 20 percent to 30 percent, because criminals are testing their code against security products and using encryption and other methods to ensure they slip through, he said.
If the source code also dates back to 1999, then the information is likely to be of interest to only “software historians” interested in how software was created a decade ago, Aryeh Goretsky, a researcher for ESET, told eWEEK. It takes roughly two years to create a new antivirus engine, and although there may be certain elements that still stay the same, there’s enough of a generational gap that attackers won’t be able to find vulnerabilities in the source code that can be used to exploit modern versions of the software, he said.
While an actual source code leak could turn out to be embarrassing for Symantec, it won’t impact Symantec that much in the market, either, according to Goretsky. “It happened to both Kaspersky a year ago and Microsoft in 2004, and neither seemed to suffer any ill effects, economically,” Goretsky said.
If all the attackers have is a 12-year-old API document, the contents of which can be reverse-engineered from publicly available information, then Symantec and their customers can have “some confidence that the sky is not falling,” Wisniewski said.