Symantec Confirms Source Code Stolen in 2006 Breach It Didn't Know About

Symantec servers were breached six years ago, and source code to several of its security products was stolen. What's more, the company is just now discovering the fact.

Symantec has admitted that unknown perpetrators had breached its servers and stolen source code to a number of its security products despite previous claims to the contrary.

Earlier this month, a group called Lords of Dharmaraja claimed to have broken into military intelligence servers belonging to the Indian government and obtained source code to Symantec products. After an investigation, Symantec said the group may have obtained the source code to Symantec Endpoint Protection 11 and Symantec Antivirus 10.2 and assured customers there was no risk because the software had either been discontinued or was too old to be relevant.

At the time, the security company declined to say which servers had been breached, but claimed it was the computer systems of a "third party" that had been compromised and that company systems remained secure.

That appears to be incorrect, as Symantec admitted Jan. 17 that source code was stolen during an attack against its own servers back in 2006. Source code for "2006-era versions" of Norton Antivirus Corporate Edition, Norton Internet Security, pcAnywhere and Norton SystemWorks, which include Norton Utilities and Norton GoBack, a Symantec spokesperson told eWEEK. The revelation came after a Twitter user Yama Tough, a member of Lord of Dharmaraja, who identifies with Anonymous, threatened on Jan. 13 to leak the source code for Norton Utilities to "accompany" a class-action lawsuit that was filed recently against Symantec in California.

The lawsuit accused Symantec of using scareware tactics to bully users into buying its products. The lawsuit claimed Symantec allegedly distributed a trial version of its security products, which used a separate software scanner to alert users to nonexistent problems, according to the lawsuit. These tactics are used by fake antivirus and other scareware programs to trick users into buying products that don't work.

Even though it appears more code has been stolen than previously disclosed, Symantec reiterated its claim that customers "should not be in any increased danger of cyber-attacks resulting from this incident." The six-year-old code was too old to be relevant, the company said.

There appears to be a "slightly increased risk" for pcAnywhere customers, but only if they aren't following "general best practices," the company said. It is not clear what those best practices or risks are for this remote-access application, but it's possible attackers would be able to take over computers using the software, Melih Abdulhayoglu, president and CEO of Comodo, told eWEEK.

"Symantec is currently in the process of reaching out to our pcAnywhere customers to make them aware of the situation and to provide remediation steps to maintain the protection of their devices and information," the company said.

Since Symantec has admitted to a risk, Abdulhayoglu recommended finding an alternative remote-access product.

The fact that Symantec did not know about the theft was also a matter of concern. "We really had to dig way back to find out that this was actually part of a source-code theft," Cris Paden, director of corporate communications at Symantec told Reuters, adding, "We are still investigating exactly how it was stolen."

Companies need to invest in network forensics and related technology in order to be able to collect information about what happened, how the attackers got in and what was compromised, Jay Botelho, director of product management at WildPackets, told experts told eWEEK. "Network forensics is like having an insurance policy," Botelho said, as it would allow administrators to "piece together exactly what happened in the breach."

Abdulhayoglu also questioned Symantec's certainty that other products were not compromised. "If they didn't know they were hacked for over five years, how can they know and assure their customers that these were the only things that were stolen? How do they know these are the only things?" he asked.

Whether or not the fact that source code for Symantec security products are now in malicious hands poses a risk to customers appears to be a source of confusion. Several security companies have told eWEEK that it is highly unlikely that the older incarnations of the software and the current versions have that much code in common to pose a security risk. "There's enough of a generational gap here that even having the source code available is not likely to allow potential attackers to do anything potentially damaging," Aryeh Goretsky, an ESET researcher, told eWEEK earlier this month.

Others noted that attackers are regularly reverse-engineering antivirus software to figure out how to evade detection. So seeing old versions would probably not be that useful. AV software and associated modules tend to change more rapidly than other types of security products, according to ESET's David Harley.

However, a former McAfee executive felt Symantec was just trying to avoid responsibility. "It's highly unlikely that Symantec completely rebuilt its AV product in six years and deployed a new, ground-up version to all its customers," John Viega, an application security expert at Perimeter E-Security and former McAfee CTO and head of McAfee's anti-virus product development team, told eWEEK. Security flaws can stay in products for decades without detection, and it is still possible for attackers to find vulnerabilities within current versions based on what they know in the older software, Viega said.

Symantec needs to "provide far more evidence" that its customers are safe, Viega said.

It was unlikely the company had made a "focused effort" to re-write the code as it hadn't been aware of the breach, Abdulhayoglu said, adding that the "basis for virus detection" hasn't changed in many years. Symantec's assurances make sense only if they had made sure within the last few years to change the code entirely, he said.

Despite numerous "promises" from the group that claims to have stolen the source code, the Lords of Dharmaraja, that it would publicly reveal the source code, the software hasn't been leaked anywhere online.