That stolen Symantec source code? It's for older enterprise products
Antivirus vendor says the hacked source code was for the outdated Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2. Rest easy, Norton consumers--for now, anyway.
Symantec source code that was recently lifted by hackers is from two old enterprise products unrelated to the company's current consumer software, according to the antivirus vendor.
On Thursday, several reports surfaced that hackers had managed to access source code from certain Symantec products. But the exact products and their version numbers were initially unknown.
In an e-mail to CNET today, Symantec spokesman Cris Paden said that the two products in question are Symantec Endpoint Protection (SEP) 11.0 and Symantec Antivirus 10.2. SEP is currently at version 12; SEP 11 is 4 years old but is still supported, while Symantec Antivirus 10.2 has been discontinued.
Though the company is taking the hack seriously for any enterprise businesses still using either product, Paden stressed that the attack did not affect any Norton consumer products. Further, the hackers didn't breach Symantec's own security but rather that of a third party.
The hackers, who dub themselves The Lords of Dharmaraja, said they found the code after breaking into servers run by Indian military intelligence. They've threatened to publicly release the code, but have yet to follow through. The group's post on the Pastebin site has since been removed, though a Google cached version still exists, as noted by CNET sister site ZDNet.
Explaining the background, Paden said that on Wednesday, a local chapter of Anonymous from India claimed in an online forum that they had the source code for Symantec's Norton Antivirus solutions. A Symantec investigation found instead that they simply had documentation from 1999 describing how Norton Antivirus worked, but no source code. On Thursday, the same group said they had access to additional code from a third-party site, Paden said. Symantec's investigation confirmed this but found that the code was for the two older enterprise products.
"We are still gathering information on the details and are not in a position to provide specifics on the third party involved," Symantec said in a statement. "Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."
So, for now anyway, users of current Norton products can rest easy, although the attack at the very least calls into question just how hackers were able to grab Symantec source code from a server run by a third party.
Offering his take on the incident, Rob Rachwald, director of security strategy at Imperva, called it "embarrassing on Symantec's part" but not likely to "keep the Symantec folks awake too late at night, and certainly not their customers."
If the source code had been recent and the hackers were able to poke enough holes in it, then exploiting the software could be possible, noted Rachwald. But there's not much they can learn from old code.
"Most of the antivirus product is based on attack signatures," explained Rachwald. "By basing defenses on signatures, malware authors continuously write malware to evade signature detection...Further, malware versions continuously evolve at such a rate that signatures cannot keep up with them in the first place. The workings of most of the antivirus' algorithms have also been studied already by hackers in order to write the malware that defeats them."
Symantec added in its statement that it has already launched an investigation to learn what happened and take steps against further incidents.
"Symantec is working to develop [a] remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."
Updated 9 a.m. PT with details from Symantec.