Symantec pcAnywhere Code Leaked After $50,000 Payoff Deal Collapses

A series of emails on Pastebin show Yamatough negotiating with Symantec for the return of the stolen source code in exchange for a $50,000 payoff. However, the company claims the exchange was part of the investigation into the theft.

Symantec offered $50,000 to Yamatough in exchange for returning the source code related to the company€™s pcAnywhere product, according to an email chain posted on Pastebin. When negotiations fell apart, a copy of the code was leaked and posted on Pirate Bay.

According to the emails posted Feb.6, Sam Thomas, a Symantec employee, reached out to Yamatough in mid-January to begin negotiations. Thomas asked for proof that Yamatough actually had the code, asking for the path where the file was, as well as seeing samples of the stolen loot.

Symantec has a different version of the story. The individual "actually reached out to us, first, saying that if we provided them with money, they would not post any more source code," Cris Paden, senior manager of Symantec Corporate Communications, wrote in an email. After an internal investigation verified that source code was missing, Symantec contacted law enforcement. "Given that it was a clear-cut case of extortion, we contacted law enforcement and turned the investigation over to them," said Paden.

"The email string posted by Anonymous was actually between them and a fake email address set up by law enforcement," said Paden.

The email chain does not include the initial message sent by "Sam Thomas."

Yamatough, an individual associated with an Indian hacker group, had claimed in early January to have obtained the source code for several Symantec products in a network breach that happened in 2006. Symantec downplayed the claim, initially claiming it was for old products and that the breach had happened on a third-party server. A few days later, Symantec admitted the 2006 versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks and pcAnywhere had been stolen. Symantec warned users to stop using pcAnywhere while it patched the software, and on Jan. 30, said it was safe to use the software again.

It appears from the email chain that Yamatough was talking with Thomas for the entire month. "The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation," Paden said.

Thomas used a Gmail account to communicate with Yamatough, who appears to have a Venezuelan address. Yamatough was also asked to send samples of the code and documents to a secure FTP site. "We don't want these docs posted on a public site," according to the email.

Yamatough was suspicious about the FTP site. "If you are trying to trace with the ftp trick, it's just worthless," Yamatough wrote. "If we detect any malevolent tracing action, we cancel the deal."

"We are trying to set up a stand-alone computer so this doesn't affect our network," was the reply.

On Jan. 30, Yamatough wrote, "Time's up," and demanded Symantec name the price it would pay to get the code back. The Feb. 1 offer was $50,000, with three payments of $2,500 over three months. The company would then pay the remaining balance to Yamatough after he was able to convince the Symantec that the code had been destroyed.

Yamatough rejected the offer on Feb. 1. "I am afraid we have to cancel the whole deal because our offshore people won't let us securely get the money because they won't process amounts less than 50k a shot," the email said.

"Money never exchanged hands and was never going to," according to Paden. The chain was just an example of the investigative techniques employed by law enforcement authorities for these types of incidents.

Right after calling the deal off, Yamatough wrote, "Say hi to FBI agents."

After denying being in touch with the FBI, the Symantec email amended the offer with the same initial three-month payment schedule, but asked Yamatough to make a public statement€”in exchange for the rest of the money€”that the 2006 attack was a lie.

The email chains were published later on Feb. 6, and links to a Pirate Bay page appeared on Twitter. The title of the page was "Symantec's pcAnywhere Leaked Source Code," and in the description, the user "samthomas" had written, "Symantec has been lying to its customers. We exposed this point thus spreading the word that ppl need."

When asked about the legitimacy of the code on Pirate Bay, Paden said Symantec was looking into it and had no additional comments. Paden also said there had been exploit code released earlier in the day attacking pcAnywhere, but Symantec had patched that vulnerability two weeks ago.