Hackers have claimed to have lifted the source code for Symantec's Norton anti-virus with a view to post it publicly.
A post on Pastebin by a gang calling itself ‘The Lords of Dharmaraja' promised to release the entire source code, but subsequently removed it. A cached version is available here.
It said "now we release confidential documentation we encountered of Symantec corporation and its Norton anti-virus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies".
It then included the fourth draft of the ‘Definition Generation Service API specifications' with IBM user details. It states: “This document describes the application programming interface specifications required for generating virus definitions automatically from the Immune System analysis center.”
The group said it stole the data by infiltrating servers belonging to an Indian military intelligence agency; however, Symantec said the document did not include any proprietary programming language.
Speaking to SC Magazine US, Symantec's Cris Paden said that it was not source code, but a document from 28 April 1999 defining the application programming interface for Symantec's virus definition generation service.
“This document explains how the software is designed to work and contains function names, but there is no actual source code present,” he said. However, he did say that Symantec is reviewing this information to determine what impact its exposure may have.
Paden said it could not speculate on exactly what the group has and does not have, nor on how it got the information, but he said he did not think that Symantec's systems were breached to obtain the data.
Writing at infosecisland.com, Anthony M. Freed said he had been provided with a file that, after preliminary analysis, appears to contain source code for the 2006 version of Symantec's Norton anti-virus product. He said this had been sent to Symantec and was awaiting its analysis.
Paden told Freed that it had investigated the original claim that NAV source code had been exposed and found it to be false, as the information posted was a document from 1999 explaining how the software worked, but did not include any source code.
Symantec said it had no further details to disclose but that it would provide updates in time. In a statement, it said: “Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is four and five years old. This does not affect Symantec's Norton products for our consumer customers.
“Symantec's own network was not breached, but rather that of a third party entity. We are still gathering information on the details and are not in a position to provide specifics on the third party involved.
“Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec's solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time.
“However, Symantec is working to develop remediation process to ensure long-term protection for our customers' information. We will communicate that process once the steps have been finalised. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”
Graham Cluley, senior technology consultant at Sophos, said: “It's important to underline that there is presently not reason to believe that Symantec's own servers have been breached. Instead, it appears that the data leak may have occurred on Indian government servers and the implication is that Symantec, and perhaps other software companies, may have been required to supply their source code to the Indian authorities.
“Furthermore, it is not clear if the source code which was accessed is relevant to up-to-date installations of Symantec's anti-virus products and thus customers may not be at risk. Even if it was up-to-date source code, it may be of limited use to hackers and be used more as a 'trophy scalp' for a hacking group attending to generate publicity for its grievances with the Indian authorities.”