Hackers Post Symantec Source Code After Failed Extortion Attempt

Hackers have posted source code for Symantec’s pcAnywhere software online after an attempt to extort money from the company fell through.

The extortion try is chronicled in a chain of emails that began in January and culminated with a $50,000 offer to hacker YamaTough in exchange for the code. Everything was not as it seemed, however, according to the company: The hacker was actually communicating with law enforcement.

“The e-mail string posted by Anonymous was actually between them and a fake e-mail address set up by law enforcement,” a Symantec spokesman said. “Anonymous actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear-cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.”

When negotiations failed to produce profit, the hacker posted the source code for pcAnywhere on The Pirate Bay. The incident is the latest twist in a story that began when YamaTough, part of Anonymous-affiliated hacking group Lords of Dharmaraja, made the news earlier this year when he claimed to be in possession of source code for numerous Symantec products.

The company subsequently revealed that source code had been stolen for 2006-era versions of Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and pcAnywhere back in 2006.

In the case of pcAnywhere, this revelation prompted a warning from the company to use the most up-to-date version of the product.

“We can confirm that the source code has been posted and is legitimate,” the Symantec spokesman said. “It is part of the original cache of code for 2006 versions of the products that Anonymous has claimed to been in possession [of] during the last few weeks.

“Symantec was prepared for the code to be posted at some point, and has developed and distributed a series of patches since Jan. 23rd to protect our users against attacks that might transpire as a result of the code being made public. “We have been conducting direct outreach to our customers since Jan. 23rd to reiterate that, in addition to applying all relevant patches that have been released, we’ve also counseled customers to ensure that pcAnywhere version 12.5 is installed, and follow general security best practices.”

[Symantec issued an advisory and released a white paper warning its customers to stop running its pcAnywhere software altogether for now in the wake of the theft of its source code. See Six-Year-Old Breach Comes Back To Haunt Symantec.]

Eric Ogren, principal analyst at the Ogren Group, said he was surprised by the extortion attempt, as the hacker was potentially setting up a trackable money trail as well as evidence of communication.

“This is difficult for security vendors to spin,” he said. "Much like with RSA, Symantec has to tell their base about the security risk of the breach. There are some that believe a vulnerability should not be announced until there is an actionable correction, but in this case [Symantec] cannot let customers proceed without knowing the risk ... It truly speaks to how difficult cyber security is if leading vendors RSA and Symantec cannot protect their own intellectual property.”

Paden said the company expects the hackers to post the rest of the code in their possession. However, both products -- Norton SymantecWorks and Norton Antivirus Corporate Edition -- no longer exist.

YamaTough promised on Twitter that the source code for Norton Antivirus was forthcoming.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.