01:09 PM
Connect Directly

Hackers Post Symantec Source Code After Failed Extortion Attempt

Symantec is warning customers to upgrade pcAnywhere and apply available patches to stay safe after source code for the product was posted online

Hackers have posted source code for Symantec’s pcAnywhere software online after an attempt to extort money from the company fell through.

The extortion try is chronicled in a chain of emails that began in January and culminated with a $50,000 offer to hacker YamaTough in exchange for the code. Everything was not as it seemed, however, according to the company: The hacker was actually communicating with law enforcement.

“The e-mail string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement,” a Symantec spokesman said. “Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear-cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.”

When negotiations failed to produce profit, the hacker posted the source code for pcAnywhere on The Pirate Bay. The incident is the latest twist in a story that began when YamaTough, part of Anonymous-affiliated hacking group Lords of Dharmaraja, made the news earlier this year when he claimed to be in possession of source code for numerous Symantec products.

The company subsequently revealed that source code had been stolen for 2006-era versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere back in 2006.

In the case of pcAnywhere, this revelation prompted a warning from the company to use the most up-to-date version of the product.

“We can confirm that the source code has been posted and is legitimate,” the Symantec spokesman said. “It is part of the original cache of code for 2006 versions of the products that Anonymous has claimed to been in possession [of] during the last few weeks.

“Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since Jan. 23rd to protect our users against attacks that might transpire as a result of the code being made public. “We have been conducting direct outreach to our customers since Jan. 23rd to reiterate that, in addition to applying all relevant patches that have been released, we’ve also counseled customers to ensure that pcAnywhere version 12.5 is installed, and follow general security best practices.”

[Symantec issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now in the wake of the theft of its source code. See Six-Year-Old Breach Comes Back To Haunt Symantec.]

Eric Ogren, principal analyst at the Ogren Group, said he was surprised by the extortion attempt, as the hacker was potentially setting up a trackable money trail as well as evidence of communication.

“This is difficult for security vendors to spin,” he said. "Much like with RSA, Symantec has to tell their base about the security risk of the breach. There are some that believe a vulnerability should not be announced until there is an actionable correction, but in this case [Symantec] cannot let customers proceed without knowing the risk ... It truly speaks to how difficult cyber security is if leading vendors RSA and Symantec cannot protect their own intellectual property.”

Paden said the company expects the hackers to post the rest of the code in their possession. However, both products -- Norton SymantecWorks and Norton Antivirus Corporate Edition -- no longer exist.

YamaTough promised on Twitter that the source code for Norton Antivirus was forthcoming.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Cross-site scripting (XSS) vulnerability in share/pnp/application/views/kohana_error_page.php in PNP4Nagios before 0.6.22 allows remote attackers to inject arbitrary web script or HTML via a parameter that is not properly handled in an error message.

Published: 2014-07-11
Multiple cross-site scripting (XSS) vulnerabilities in PNP4Nagios through 0.6.22 allow remote attackers to inject arbitrary web script or HTML via the URI used for reaching (1) share/pnp/application/views/kohana_error_page.php or (2) share/pnp/application/views/template.php, leading to improper hand...

Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.