Slashdot Mirror


Symantec Admits Its Networks Were Hacked in 2006

Orome1 writes "After having first claimed that the source code leaked by Indian hacking group Dharmaraja was not stolen through a breach of its networks, but possibly by compromising the networks of a third-party entity, Symantec backpedalled and announced that the code seems to have been exfiltrated during a 2006 breach of its systems. Symantec spokesman Cris Paden has confirmed that unknown hackers have managed to get their hands on the source code to the following Symantec solutions: Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere."

113 comments

  1. Thanks a bunch by John+Napkintosh · · Score: 4, Interesting

    As this includes a Corporate version, I'm sure enterprises just LOVE to hear that the company to whom they entrust a certain amount of their data security completely lied to them about the effectiveness of that security, and covered up the fact that future use of their product might be for naught.

    --

    Long signatures suck.
    1. Re:Thanks a bunch by LostCluster · · Score: 2

      Source code in this case is mostly a list of things the software does to attack viruses... they gave away a copy of their secret sauce recipe. Doesn't make the burgers taste worse, it just opens them up to being subject to competition.

    2. Re:Thanks a bunch by hedwards · · Score: 4, Informative

      Anybody that still uses Symantec software more or less deserves what they get. I can't imagine that the enterprise version is any less crappy than the home version is.

    3. Re:Thanks a bunch by SJHillman · · Score: 2

      We have the Enterprise version where I work - one of my more recent responsibilities is monitoring it. Overall, it's pretty good at detecting most infections but doesn't always remove the infection. Personally, I'll keep using MS Security Essentials on all of my PCs.

    4. Re:Thanks a bunch by mrclisdue · · Score: 1

      Whew (wipes brow),

      For a moment there, I saw your thread title, and thought you were thanking bonch; I was about to skip right to the next thread.

      But now, since the source is open, maybe we can all work together to fix it....

      Come to think of it, they made more money with it broken than they would ever make with it fixed.

      cheers,

    5. Re:Thanks a bunch by Synerg1y · · Score: 4, Insightful

      Realize that no piece of security software will keep you safe indefinitely from a determined hacker. That applies to security companies as well.

    6. Re:Thanks a bunch by mlts · · Score: 1

      Realistically, it probably wouldn't affect a single sale. The reason is that companies buy SEP not because of its virus stomping capability. They buy it because it has good audit logging, works with Cisco's NAC, and checks that all-important little box off about "do these machines have antivirus on them?".

      If SEP wasn't able to report that machines were up to date, didn't lock out "hack tools", and didn't work with the healthcheck features, then Symantec would be in a world of hurt.

      As for security, even with source code out, it might hurt some things, but zero day exploits are still zero days, and few AV products actually protect against the primary source of infection these days, which would be infections through compromised ad servers that serve up attacks against Web browsers or browser add-ons. The only thing that comes close is Malwarebytes IP address blocking.

    7. Re:Thanks a bunch by MightyMartian · · Score: 2

      The only reason for any of the enterprise-level apps is centralized updating and control. Security Essentials works with WSUS now, so you get the updating, but still, you have no good way to monitor which workstations are well protected or which ones have a problem. At the end of the day, my shop is small enough that I can manage the slightly extra load of checking things out. I haven't actually had a problem with MS Security Essentials, though back in the day when I was using Norton, it was always screwing up on some machine or another.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:Thanks a bunch by Bert64 · · Score: 2

      If the software is decently written, then exposure of the source code won't matter anyway.

      Exposure of the source code is only going to be a problem if it's full of easily noticeable exploitable holes. Such a situation would be unforgivable, since you'd have expected them to fix such holes internally anyway.

      The source code for Linux, OpenBSD, Apache and many other widely used pieces of software is already available to the public, and it doesn't result in mass hacks against these systems. On the contrary, many security oriented devices such as firewalls are actually based on this publicly available code.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Thanks a bunch by Tim4444 · · Score: 1

      Hmm. 5-6 years. I'm guessing that's enough time, given the corporate turnover rate, for anyone who could be held responsible for entrusting such data to Symantec to pack their bags and pass the buck. For anyone who's left, how's it go again? Something like, "nobody ever got fired for buying IBM equipment." I wonder if there's an equivalent today regarding security and trusting your data to third parties. Clearly, having management learn something other than "VPN equals security" and "large corporations are trustworthy" would be asking too much.

    10. Re:Thanks a bunch by Dishevel · · Score: 2, Insightful

      You are saying (with a straight face) that having the source code that describes in detail how the software goes about removing viruses is of no use to the people who write them? Go to a doctor immediately and get checked out for massive brain tumors.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    11. Re:Thanks a bunch by Anonymous Coward · · Score: 1

      FYI, the license on Security Essentials is for up to 10 machines at small business. Anything past that (and since you've got WSUS setup, you're probably bigger than that), and you need to move up to MS Forefront Endpoint Protection.

    12. Re:Thanks a bunch by Dishevel · · Score: 1

      So you are saying that now that the code is out there Symantec is going to use the community to fix the massive problems that will be revealed?
      I think that you are giving them too much credit.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?
    13. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      Except that now hackers can find bugs in the code and exploit them to cause the anti-virus to execute malicious code at the system level.

    14. Re:Thanks a bunch by DarkOx · · Score: 3, Insightful

      Other than perhaps finding sploits in Symantec itself, no, I don't expect looking at virus removal code to be terribly useful to those developing malicious code.

      Look, yes, the AV stuff gets its hooks in pretty deep, but until they start implementing their own filesystem drivers and stuff like that (they don't, not on desktops anyway) there is a finite set of APIs and syscalls they can use. They are mostly documented, or otherwise known. Reading the source to Symantec's AV scanner is not going to give you a lot of insight into how to write something it can't clean up.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    15. Re:Thanks a bunch by cbass377 · · Score: 1

      "completely lied to them" Lied to them for 6 years! Is probably still lying.

    16. Re:Thanks a bunch by rickb928 · · Score: 5, Insightful

      How they use their signatures and heuristics to detect threats is of great use to attackers. Thinking otherwise is naive.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    17. Re:Thanks a bunch by forkfail · · Score: 3, Insightful

      Horrible analogy, because the scenario is adversarial in nature.

      A far better one would be that the other team just stole your playbook. Your QB still throws the same, your receivers run just as fast, your linebackers still do their thing, but now the other team can anticipate all your plays and outwit you far more often.

      --
      Check your premises.
    18. Re:Thanks a bunch by timeOday · · Score: 3, Interesting
      I have to use it at work under OSX and in a lot of ways it's worse than the virii it protects against.

      I am looking right now at a computer with 2 fully-loaded cores that has been virus scanning for 25 solid hours. This is typical. It starts up after EVERY login, then just sits and churns forever with no visible progress. Or sometimes it finishes after a few seconds.

      Sometimes you go to run some other program and it will just freeze up until/unless you kill navx (if you're lucky enough to have admin rights).

      Or you're sitting on a plane, and it decides now would be a fine time to fire up and drain your battery in 40 minutes.

      I can't leave my email box open because it pops up every few seconds and says THREAT DETECTED! (probably in some old email in mail spool already marked as deleted), but you press OK to fix, and after a few seconds it says it failed to repair it, no other explanation, so it pops up a modal dialog box in front of whatever you're trying to do. This occurs a couple times per minute, forever.

      I hate it.

    19. Re:Thanks a bunch by Adriax · · Score: 2

      I've got a computer on my bench that has a virus symantec corp edition is currently protecting. Attempts to remove the file run afoul of symantec, and I can't kill symantec because it refuses to disable or uninstall (can't manually stop services either).

      Little bastard has hooks all over the place and is a variant of the "Your harddrive is failing, pay us monies to fix it!" that actually deletes all the start menu shortcuts instead of just moving them.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    20. Re:Thanks a bunch by forkfail · · Score: 1

      Paden said that the 2006 attack presented no threat to customers using the most recent versions of Symantec's software.

      Hmm... this too rather begs the question of why they didn't tell people.

      Either they wanted to mitigate possible security threats by not letting the bad guys know they were vulnerable, or it was a marketing ploy that put customers in danger. Either way, maybe not so good...

      --
      Check your premises.
    21. Re:Thanks a bunch by LostCluster · · Score: 1

      Yes I am. If you know of an exploit the source code doesn't cover, you know of a 0-day. That used to happen all the time but Microsoft has gotten better at it.

    22. Re:Thanks a bunch by doesnothingwell · · Score: 1

      I can't imagine that the enterprise version is any less crappy than the home version is.

      The enterprise edition of Symantec has one redeeming quality, it doesn't expire. Some of my computers have been running it over 10 years with NO ransom fees, but without software support.

      I made grandma an enterprise user years ago, it's better than nothing as it keeps well known pests away. Grandma won't run Linux she likes her Juno mail client.

      --
      They can have my command prompt when they pry it from my cold dead fingers.
    23. Re:Thanks a bunch by gstoddart · · Score: 4, Interesting

      I have to use it at work under OSX and in a lot of ways it's worse than the virii it protects against.
      I am looking right now at a computer with 2 fully-loaded cores that has been virus scanning for 25 solid hours.

      Some years ago at a previous job, IT decided that 10:30 am would be the perfect time to schedule a full scan of the computers. The rationale being that the computers wouldn't be hibernating or powered off.

      So, promptly at 10:30 am, my machine would lock up and be 100% CPU and memory bound for about 2 hours or more. I asked IT to reschedule it, as it was interfering with my work .. they said no. I told them that I was going to bill them 2 hours/day for the time lost ... they said I can't do that (at the time, they billed customers $1500/day for me).

      Then I finally told them that since I had local admin privileges, and unless they were willing to change it, I was simply going to uninstall the AV software ... which I ended up doing. And, when people started to uninstall it, they found they had no choice but to change the schedule ... because it was making it impossible for people to do their jobs and HR didn't like the fact that everyone was in the break room bitching about the fact that their computers were unavailable to them.

      In my experience, most enterprise AV solutions cause more lost productivity than the things they're meant to prevent.

      so it pops up a modal dialog box in front of whatever you're trying to do

      I'm about one upgrade of AVG away from finding an alternative ... because it suddenly decides that it wants to update, and that I need to reboot right now, or postpone as much as 60 minutes. The problem is that I'm using the computer for my job, and I will tell it when it can reboot or update ... but when it pops up a modal dialog while you're typing, with "OK" selected by default, you can get a case where you've clicked "sure, go ahead and reboot" before you even realize the dialog has been presented. So all of a sudden your machine starts shutting down out from under you.

      AVG didn't always suck, but over the last few versions it has become nag-ware which wants to install crap toolbars in my browser and otherwise do shit that I've not asked it to do.

      The use of a modal dialog box that grabs focus should lead to someone being staked to an ant-hill in the hot sun -- I'm running more than your program, and just because you want to do something doesn't mean I don't get a vote.

      Unfortunately, I find that AV in general is far more pushy and annoying about deciding it's in charge.

      --
      Lost at C:>. Found at C.
    24. Re:Thanks a bunch by nigelo · · Score: 3, Funny

      > Little bastard has hooks all over the place

      This was my experience with Symantec software, too.

      --
      *Still* negative function...
    25. Re:Thanks a bunch by VortexCortex · · Score: 4, Informative

      Aaaand, you believe that's not one of the hundreds of variants, or a new variant that also installs other malware, because? I hope you're not the kind of person that "removes" viruses for a fee, and after my Aunt has paid you, she comes home and looks through her image library and gets re-infected...

      Just to be perfectly clear: WIPE the drive, FLASH the mobo BIOS, REINSTALL the OS. There is NO SUCH THING as removing malware. Unless you watched that sucker get installed while stepping through it with a debugger, you don't really know WTF is going on or what else it has done.

      Perhaps you're just playing with the viruses, cultivating them and studying them before they're released into the wild; Either this, or you don't realize that you are...

    26. Re:Thanks a bunch by fwarren · · Score: 2

      We used to run the Norton Corporate product and we loved it. It is much lighter on system resources than the retail product. Corp 9, then Corp 10 then Corp 11.

      Once we hit version 11 we had a problem. Every time it did a download and update, it would keep a copy of the older downloads and updates. Every 3 months our hard drive would run out of room. The solution a) wait for the patch to fix this for customers with this issue and b) uninstall the software from the server, reinstall it, and then manually every client back in. We would lose a full day every 3 months doing this. After more than a year of this and no patch forthcoming we switched products.

      As it turns out there are other products that are even lighter on resources, as easy to administer and cost less as well. A 3 year license came to $18 a system. At the cost of $6 a year for a professional antivirus product, it was easy to make the switch.

      --
      vi + /etc over regedit any day of the week.
    27. Re:Thanks a bunch by TheLink · · Score: 1

      The enterprise edition of Symantec has one redeeming quality, it doesn't expire. Some of my computers have been running it over 10 years with NO ransom fees, but without software support.

      And it actually still gets virus signature/engine updates that can detect new viruses?

    28. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      Symantec corporate is completely different than any home version of norton. Symantec corporate is actually quite good.

    29. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      Hmm... this too rather begs the question of why they didn't tell people.

      No it doesn't.

    30. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      There are only two items that might be an issue if source code is out:

      1: Scanning for rootkits already present.
      2: Heuristic scanning in hopes of catching a 0-day.

      However, the bad guys will always be good at reverse engineering, and likely have this stuff quickly decoded anyway.

    31. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      Older versions of SAV don't protect against some browser borne viruses. You probably want to try and get grandma upgraded.

      IMO, for home use, the corporate edition works better than the retail edition. It is clean and to the point, no bells and whistles that tend to clutter and hide things in the home version.

    32. Re:Thanks a bunch by skogula · · Score: 1

      Yes I am. If you know of an exploit the source code doesn't cover, you know of a 0-day. That used to happen all the time but Microsoft has gotten better at it.

      So you're saying Microsoft products are a 0-day virus?

    33. Re:Thanks a bunch by Anonymous Coward · · Score: 1

      Oh fuck, you obviously have no clue. I do this for a living and you're one of the idiots that give me more business. Because people don't like getting WIPED. They like getting fixed.

    34. Re:Thanks a bunch by Sir_Sri · · Score: 2

      Comodo antivirus is very good, but really invasive. As a corporate user it's worth having a licence around, and if you get a machine that you really aren't sure what's up with it, try comodo. Then uninstall it once it is done working. It's the only English AV I've found that will reliably detect Chinese virii, or other languages, but Chinese is particularly troublesome.

      Failing that, there's always MSE and avast which are generally 'good enough' for day to day use.

      The idea that the anti virus should update when you tell it to, and not when it needs to is an odd one. On one hand, being a bit of an HCI guy I understand the problem, but as a practical matter if they're patching in stuff for 0 day exploits, if it needs to reboot, it really needs to reboot right now, and not rebooting is as good as not having an AV at all. Oh but you don't go to sketchy websites at work? Well that's sort of the point of '0 day exploit' isn't it? Someone got hacked, and whether that file lands in your inbox from a coworker, gets injected via MSDN, or wikipedia, or youtube or whatever (all of which could be in use for perfectly legitimate reasons) you are basically undoing the work that is done to try and deal with these problems. Sure, there's some general routine patching going on, and yes AVG could handle its dialog boxes better, but saying 'well tough I'm working right now I don't want this update' is the same as saying 'I'm not really concerned about the security of my machine while I'm using it for work'. It would be nice if there was a better solution there, and certainly there's a productivity boost from having an SSD so you can resume your work very quickly for a reboot, but alas, MS does not offer a 'save state of running programs and reboot' option, which I don't imagine would be trivial anyway.

    35. Re:Thanks a bunch by operagost · · Score: 1

      It may actually just be setting their "hidden" file attribute. I've seen that one. Kill that process if possible, roll back with System Restore, then run "attrib -h c:\users /s" (or "c:\documents and settings"). You might have to actually "-s" also for it to allow you to -h; I don't remember.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    36. Re:Thanks a bunch by operagost · · Score: 5, Funny

      I'm glad you aren't a physician.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    37. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      Yessssss, AVG went to the dogs quite a while back. I hate it as much as Norton or McAfee. I either use MSE or nothing at all.

    38. Re:Thanks a bunch by DMUTPeregrine · · Score: 1

      I've had good luck with Comodo so far. Their "internet security" suite is a lot like AVG+Kerio firewall a few years back. Application behavior blocking is good to have, half of SELinux-style protection (and easier to configure) is better than none at all.

      --
      Not a sentence!
    39. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      What they like and what's best for them are not always the same thing. - My doc tells me I have to exercise and eat fins & feathers. - The hell with him, I'll sit on my butt and eat Whoppers because I'm lazy and they taste WAY better.

      Get real. - I do this for a living too and have for ages. Matter of fact, the kids I first had when I started are now working in the field as well. They don't always approach things from the wisest stance either.....

    40. Re:Thanks a bunch by DeathFromSomewhere · · Score: 1

      It would have been useful 5 years ago. Thinking the source is unchanged since then is naive.

      --
      -1 overrated isn't the same thing as "I disagree".
    41. Re:Thanks a bunch by eldorel · · Score: 1

      Perhaps you should consider bringing the system to an experienced shop that knows how to properly deal with rootkits and viruses.

      Symantec has a removal tool available on their web site which will remove the software, but you should absolutely not do this until the virus has been removed.

      As for removing the virus itself, good luck.
      My experience is that you can not effectively remove a virus from inside the infected operating system.
      Pull the drive, scan from a different system running a different OS, scan again 2 times with alternate AV software.

      Then go through and double check the normal start up locations by hand, and scan again with a 4th AV from inside the OS.


      (Note: The GOOD shops have all of the scans automated, along with a full forensic-style backup before anything gets modified on the drive)

    42. Re:Thanks a bunch by eldorel · · Score: 1

      Just because you've been doing this for a few decades doesn't mean you should assume that you still know what you're doing.
      I suggest you go do some research on the current state of virus removal.

      90% of the viruses you will deal with on a daily basis are based on the same kits.
      This means that they follow the same basic methods for infection, self-preservation, and spreading.

      Most of the time, with tools like Process Monitor, you can identify a few of the payload files and upload them to virustotal.
      This gives you a nice long rundown of EXACTLY which AV tools already detect the virus, and what the virus name is.

      15 minutes on google, and you have a full list of every known trace the virus leaves, and what other viruses it is usually bundled with.
      Once you know what the virus does, then you can double check for proper removal and test for reinfection.

      Nuke and Pave is NOT the optimal solution. (unless you are more concerned with finishing the job fast than doing it right.)
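
The "double check the normal start up locations by hand" step from the earlier post and the "identify payload files and look them up on VirusTotal" step from this one, as one added example that is not code from the page or from any vendor mentioned. It reads the Run/RunOnce keys from a regedit export taken off the pulled drive (or from a clean boot), extracts the executable each entry launches, flags the ones living where malware likes to live, and hashes any payload that is reachable so the hash can be looked up on VirusTotal without uploading anything. The sample export is constructed, the environment-variable values are assumed stand-ins, and the flags are heuristics: OneDrive legitimately runs from AppData, so read them with judgment rather than as verdicts.

```python
"""Triage Run/RunOnce autostart entries from a regedit export, offline. Added
example for this thread (not from the page or Symantec). Assumes a regedit /
`reg export` file (real ones are UTF-16LE; the sample is a constructed, decoded
string) and made-up environment values for the victim profile."""
import hashlib
import re

# Constructed sample: a system-binary name in a profile dir, and a payload in %TEMP%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\grandma\\AppData\\Roaming\\svchost.exe\" -s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\grandma\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"HDFix"="C:\\Users\\grandma\\AppData\\Local\\Temp\\hdfix.exe"
'''
DEFAULT_ENV = {  # assumed stand-ins, not read from a host
    'windir': 'C:\\Windows', 'systemroot': 'C:\\Windows', 'programdata': 'C:\\ProgramData',
    'userprofile': 'C:\\Users\\grandma', 'appdata': 'C:\\Users\\grandma\\AppData\\Roaming',
    'localappdata': 'C:\\Users\\grandma\\AppData\\Local', 'temp': 'C:\\Users\\grandma\\AppData\\Local\\Temp',
}
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'}
USER_WRITABLE = ('\\appdata\\', '\\users\\public\\', '\\programdata\\', '\\downloads\\')
EXE_EXTS = ('.exe', '.com', '.scr', '.bat', '.cmd', '.vbs', '.js', '.ps1')
_ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=<value>

def _unescape(s): return re.sub(r'\\(.)', r'\1', s)  # \\ -> \  and  \" -> "

def _decode_hex2(blob):  # REG_EXPAND_SZ exports as hex(2): comma-separated UTF-16LE bytes
    return bytes(int(b, 16) for b in blob.split(',') if b.strip()).decode('utf-16-le').rstrip('\x00')

def parse_run_entries(text):
    """Return (key, value_name, command_line) for every Run/RunOnce value."""
    entries, key, pending = [], None, ''
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ''
        if line.endswith('\\'):          # hex values wrap lines with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith('['):
            key = line.strip('[]')
            continue
        m = _ENTRY.match(line)
        if not m or key is None or key.lower().rsplit('\\', 1)[-1] not in ('run', 'runonce'):
            continue
        name, rhs = _unescape(m.group(1)), m.group(2)
        if rhs.startswith('"') and rhs.endswith('"'):
            entries.append((key, name, _unescape(rhs[1:-1])))
        elif rhs.lower().startswith('hex(2):'):
            entries.append((key, name, _decode_hex2(rhs[7:])))
        # DWORD/binary values launch nothing and are skipped
    return entries

def executable_of(cmdline):
    """Program path: the quoted token, else the shortest prefix ending in a known extension."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    hits = [(s.lower().find(e), e) for e in EXE_EXTS if s.lower().find(e) != -1]
    return s[:min(hits)[0] + len(min(hits)[1])] if hits else s.split(' ', 1)[0]

def expand(path, env=DEFAULT_ENV):
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1).lower(), m.group(0)), path)

def reasons_for(exe_path):
    low = exe_path.lower().replace('/', '\\')
    reasons = []
    if low.rsplit('\\', 1)[-1] in SYSTEM_NAMES and not low.startswith('c:\\windows\\'):
        reasons.append('system binary name outside C:\\Windows')
    if '\\temp\\' in low:
        reasons.append('launches from a Temp directory')
    elif any(mark in low for mark in USER_WRITABLE):
        reasons.append('launches from a user-writable directory')
    elif not low.startswith(TRUSTED_ROOTS):
        reasons.append('launches from outside Windows/Program Files')
    return reasons

def sha256_of(path):  # None when the payload is not reachable from this box
    try:
        with open(path, 'rb') as f:
            return hashlib.sha256(f.read()).hexdigest()
    except OSError:
        return None

def virustotal_url(sha256_hex): return 'https://www.virustotal.com/gui/file/' + sha256_hex

def triage(text, env=DEFAULT_ENV):
    report = []
    for key, name, cmd in parse_run_entries(text):
        exe = expand(executable_of(cmd), env)
        digest = sha256_of(exe)
        report.append({'key': key, 'name': name, 'exe': exe, 'reasons': reasons_for(exe),
                       'sha256': digest, 'vt': virustotal_url(digest) if digest else None})
    return report

if __name__ == '__main__':
    for r in triage(SAMPLE_REG):
        print(f"{r['name']:15} {r['exe']}  ->  {'; '.join(r['reasons']) or 'unremarkable'}")
```

When the drive is mounted on the rescue system, point expand() at the real profile paths (a mapping such as 'userprofile': 'D:\\Users\\grandma') so sha256_of() can hash the payloads; the resulting VirusTotal URLs give the detection names to search for, and the 'vt' field stays None for anything already deleted or unreachable.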

    43. Re:Thanks a bunch by Unka · · Score: 1

      To me it sounds like the problem is the paranoid configuration set by your systems administrator. I work at a company that has more than 100 OSX computers running SEP 11 and I never heard anyone having issues like that, apart from the annoyance of the LiveUpdate application popping up once a day.

    44. Re:Thanks a bunch by Anonymous Coward · · Score: 0

      In my experience, you should have been fired for uninstalling the AV software.

    45. Re:Thanks a bunch by rickb928 · · Score: 1

      Always good to lift the skirt. Some things never change. And the damage was done back then. Today the bad guys are doing what works today.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    46. Re:Thanks a bunch by DeathFromSomewhere · · Score: 1

      In the fast moving arms race between malware and anti-malware writers, you can bet that anything important and exploitable will have changed in such a long time span.

      --
      -1 overrated isn't the same thing as "I disagree".
    47. Re:Thanks a bunch by Luckyo · · Score: 1

      "Nuke and Pave" is an optimal solution if you have backup of all necessary data and installers and prioritize having a clean machine over speed of cleaning. It's not if you do not.

      Sadly, most home users do not have such a backup, and most "computer shop" people find it faster to try to go after infection with surgeon's approach than to simply backup data and nuke the machine. Problem is, regardless of how accurate your searches are, you may still miss something. So you have to choose between being certain that machine is clean and being faster with cleaning.

      Personally I'd rather have more certainty that machine is clean, but I can understand your point of view as well.

    48. Re:Thanks a bunch by Luckyo · · Score: 1

      I think your case is more of an IT failure than an anti-virus failure. If they properly configured the scan times as well as make them happen less often (why daily scans?), it would work much better for everyone involved. Instead, it seems like you got a dick in IT who figured his needs eclipsed everyone else, while not even properly knowing what his needs are.

    49. Re:Thanks a bunch by Luckyo · · Score: 1

      Yes. I still have a copy running on my old machine (my old university had a license for all students and teachers to use corporate version). I believe I installed the AV around 2006 or so when I bought the machine and installed XP.

      It still gets signature and engine updates for both AV and FW.

    50. Re:Thanks a bunch by dudpixel · · Score: 1

      um, sorry but this is just wrong.

      If Symantec is able to disable itself, then the source code definitely allows a virus-writer to disable it too.

      Having insight into how the AV works, gives them greater ability to disable it, if not work around it.

      --
      This seemed like a reasonable sig at the time.
    51. Re:Thanks a bunch by dudpixel · · Score: 1

      In the fast moving arms race between malware and anti-malware writers, you can bet that anything important and exploitable will have changed in such a long time span.

      but a virus writer will try it anyway...so then you'd want to make really sure it actually has changed...rather than just making assumptions.

      --
      This seemed like a reasonable sig at the time.
    52. Re:Thanks a bunch by dudpixel · · Score: 1

      If all you have is a virus, that can delete files and make a nuisance of itself, then a wipe/reinstall is really just doing a better job than the virus would have. I mean, isn't losing all your data what you were afraid the virus would do anyway?

      On the other hand, if its malware you're worried about, then a wipe/reinstall is really the best option.

      You have to weigh up the cost of reinstalling and restoring backups, against the potential cost of having your bank accounts, email accounts, or even your identity stolen.

      I'm not sure if the people who get viruses realise that this is a far worse problem than some mysterious program that deletes the odd file here and there.
      And I'm not sure if the people who remove viruses for money are doing a good job of informing their customers of this either...

      --
      This seemed like a reasonable sig at the time.
    53. Re:Thanks a bunch by hitmark · · Score: 1

      Funny thing is, i read recently of a botnet that used boot sector infections as part of its distribution strategy. And it works, because it seems that various security companies have stepped down their boot checks because nobody used those kinds of attacks any more...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    54. Re:Thanks a bunch by hitmark · · Score: 1

      Never mind the chance that a backup actually houses a copy of the malware in the first place, and so restoring from backups may well bring the nasty right back...

      --
      comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm
    55. Re:Thanks a bunch by RockDoctor · · Score: 1

      Because people don't like getting WIPED. They like getting fixed.

      ... and people are wrong.

      But don't let that stop you from abusing the retards of the world. They're there to be used, after all.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    56. Re:Thanks a bunch by Adriax · · Score: 1

      Wow, did a shady repair shop tech kill your family or something?
      Just wondering because holy crap, you make some huge assumptions as to who and what I am, what's going on, and what I'm capable of.

      I've been an IT admin overseeing ~120 state employees for almost 5 years now. When one of my users screws their computer up I fix it, and due to state laws and regulations I'm not allowed to force any changes to our systems that would prevent this from happening on a weekly basis.
      I'm also really good at dissecting these pieces of crap as they come in and have successfully removed previous variants with 2-3 years clean running since.

      But please, continue to tell me how to do my job. I can learn so much from a wannabe indie game developer with a pre-canned website and a basic "Look, I gots a grid textured flat plane to stand on and a cool rotating sky to looks at!" demo video.
      Though I will give you this, it did turn out to be a wipe job. Thankfully I know how to use the basic tools of the trade and had it cloned and ready really quickly.

      --
      I don't suffer from insanity, I enjoy every minute of it!
    57. Re:Thanks a bunch by eldorel · · Score: 1

      That's actually the whole point of a forensic level backup prior to working on it.

      You restore from backup, then start the cleanup over again if any important data is damaged or lost.

      Or

      You restore the backup to a separate drive and manually recover and clean the files that were determined to be vital.

      Where I work, losing customer data is NEVER an option. If it can be prevented in any way, we do so.

    58. Re:Thanks a bunch by eldorel · · Score: 1

      Honestly, I agree with you for the most part, but you are correct.
      Most home users don't have any type of backup.
      Unfortunately, neither do most small businesses.

      A residential user who has to reinstall new software can either purchase it or go download a free alternative. It's an annoyance, but not world-ending.

      A LARGE number of small businesses have custom software/databases/configuration that was installed for them by a vendor at some point.
      Often, this vendor is unreachable/shut down/dead or wants to charge to reinstall the software and link it to the old database. The worst ones have grown into a large development house and refuse to help unless the customer buys the newest version for $20,000.

      While a Nuke-and-Pave can guarantee the virus is gone, it's up to the customer to decide if the risk is worth the savings.
      Usually, it is.

      However, we do NOT want the customer to have to deal with a reinfection, so we offer to store our backups of the customer's data for 30 days.
      We also offer a 30-day warranty on all cleanups (as long as the customer follows a set of basic guidelines).

      Our backup server re-scans the archived data automatically every weekend (with current AV) while the office is closed, and provides us with a report of what new infections were found. This way we can decide who needs to be contacted for a follow-up clean.

      This gives us 4 more chances to catch anything that may have been missed.
      In my experience, even the slowest antivirus vendors can detect a virus that has been on ice for 4 weeks.

      In the 4 years since we implemented this, we have recalled Most of the time the only files missed are simply inert and get removed automatically by the AV software we install.
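Eldorel's workflow in the two posts above (a forensic-level copy taken before cleanup, held for 30 days and re-scanned every weekend with the newest signatures, with a report of what the previous pass missed) is straightforward to script. The following is an added example and is not code from the thread or from any Symantec product. The scanner is a stand-in byte-pattern matcher so the example runs offline; the customer directories, file contents and the `CONSTRUCTED-TEST-PATTERN` marker are made up for the demo, and a real deployment would replace `toy_scanner` with a call to an actual AV engine.

```python
"""Weekend re-scan of retained customer backups with a newer signature set.

Added example, not code from the thread or from any Symantec product. The
scanner is a stand-in; a real deployment would call an AV engine instead.
"""
import hashlib
import tempfile
from datetime import date, timedelta
from pathlib import Path
from typing import Callable, Dict, List, Set

# Constructed marker standing in for a malware signature (assumption: not a real IoC).
TEST_PATTERN = b"CONSTRUCTED-TEST-PATTERN-NOT-MALWARE"

Scanner = Callable[[bytes], List[str]]   # file contents -> names of detections


def toy_scanner(signatures: Dict[str, bytes]) -> Scanner:
    """Byte-pattern matcher standing in for a real AV engine."""
    def scan(data: bytes) -> List[str]:
        return [name for name, pattern in signatures.items() if pattern in data]
    return scan


def make_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256, recorded when the archive is taken (the forensic copy)."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: Dict[str, str]) -> List[str]:
    """Archived files that changed or vanished since the manifest was taken.
    Must be empty before a restore from this archive is trusted."""
    current = make_manifest(root)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def rescan(root: Path, scanner: Scanner, previous: Set[str]) -> Dict[str, object]:
    """Scan every archived file. 'new' lists detections absent from the previous run
    (a signature arrived since), 'follow_up' the customers (top-level directory) to call."""
    found: Dict[str, List[str]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            hits = scanner(p.read_bytes())
            if hits:
                found[p.relative_to(root).as_posix()] = hits
    new = sorted(set(found) - previous)
    return {"found": found, "new": new,
            "follow_up": sorted({rel.split("/", 1)[0] for rel in new})}


def weekend_rescans(taken: date, retention_days: int = 30) -> List[date]:
    """Saturdays on which an archive taken on `taken` is still retained and re-scanned."""
    first_sat = taken + timedelta(days=(5 - taken.weekday()) % 7 or 7)
    expiry = taken + timedelta(days=retention_days)
    return [d for d in (first_sat + timedelta(weeks=i) for i in range(6)) if d <= expiry]


def build_demo_archive(root: Path) -> None:
    """Constructed sample archive: two customers, one file carrying the test pattern."""
    (root / "acme" / "docs").mkdir(parents=True)
    (root / "acme" / "docs" / "report.txt").write_bytes(b"quarterly numbers, nothing odd\n")
    (root / "acme" / "docs" / "invoice.xls").write_bytes(b"\xd0\xcf\x11\xe0 macro " + TEST_PATTERN)
    (root / "bobs-bakery").mkdir()
    (root / "bobs-bakery" / "orders.csv").write_bytes(b"date,item,qty\n2012-01-20,rye,12\n")


def run_demo() -> Dict[str, object]:
    """Week 1 scans with signatures that miss the sample; week 2 has the new signature."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_archive(root)
        manifest = make_manifest(root)                  # recorded at backup time
        week1 = rescan(root, toy_scanner({}), set())    # old signatures: nothing found
        week2 = rescan(root, toy_scanner({"Test-Pattern": TEST_PATTERN}), set(week1["found"]))
        return {
            "intact": verify_manifest(root, manifest) == [],
            "week1_new": week1["new"],
            "week2_new": week2["new"],
            "follow_up": week2["follow_up"],
            "rescans": len(weekend_rescans(date(2012, 1, 23))),
        }


if __name__ == "__main__":
    print(run_demo())
```

The manifest check is what makes the copy "forensic level": a restore is only attempted from an archive whose hashes still match. The difference between two weekly `rescan` results is the follow-up report; for an archive taken on a Monday the 30-day retention yields four Saturday passes, matching the "4 more chances" in the post (a Friday archive gets five).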

  2. Obscure CNBC reference by LostCluster · · Score: 0

    We have yet another winner of the Late Lameo award. You're such a lameo,

  3. Surely this is a good thing... by el3mentary · · Score: 5, Insightful

    Surely this is a good thing, the hackers might release an anti-virus for Norton

    --
    I reject your reality and substitute my own.
    1. Re:Surely this is a good thing... by Krneki · · Score: 5, Funny

      They tried, but apparently removing norton proved to be too difficult.

      --
      Love many, trust a few, do harm to none.
    2. Re:Surely this is a good thing... by el3mentary · · Score: 1

      I love the fact that comment got a +5 Insightful mod...only on Slashdot...

      In all seriousness though that program is evil, I would be glad to see it lose market share by any measure, I never completely managed to remove it from an old desktop of mine (came pre-packaged) and that's despite removing all the program files, using their own uninstaller and purging the registries. I've since given the box away to a friend but I wiped all the drives before doing so and apparently it still comes up with popups occasionally.

      --
      I reject your reality and substitute my own.
    3. Re:Surely this is a good thing... by pinkushun · · Score: 1

      Indeed they have, it's endearingly called "applying the Linux patch"

      *grins*

    4. Re:Surely this is a good thing... by ArundelCastle · · Score: 1

      *crosses arms*

  4. Obviously, I'm going to have to switch to McAfee by elrous0 · · Score: 5, Funny

    That'll be a lot better, right?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  5. You're five years late.... by LostCluster · · Score: 2

    We have to take ten points a day off your score for releasing your findings five years late. Good luck keeping your GPA up.

  6. In their defence... by nick357 · · Score: 4, Funny

    ...they were running McAfee at the time!

  7. "exfiltrated" by Baloroth · · Score: 5, Funny

    the code seems to have exfiltrated

    Wow, must be bad working at Symantec. Even the code wants to escape.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    1. Re:"exfiltrated" by forkfail · · Score: 1

      I still don't understand how code can have baby smooth skin...

      --
      Check your premises.
  8. Re:Obviously, I'm going to have to switch to McAfe by hedwards · · Score: 1

    Better, switch to PC-Cillin and you'll be sure that nobody's exploiting your system. Because when it takes up 99% of your system resources you're sure as hell not going to bother turning it on anytime soon.

  9. GoBack... by omganton · · Score: 1

    Maybe they'll use the source code for Norton GoBack to rebuild the program into less of a headache.

  10. They aint got Norton? by Anonymous Coward · · Score: 1

    Why didn't they use Norton?

    1. Re:They aint got Norton? by FranktehReaver · · Score: 2

      You kidding? They have to write code all day; they can't put that kind of a system load on their machines!

  11. I KNEW IT! by SoTerrified · · Score: 5, Interesting

    Was working with a company that was dealing with some security issues in late 2008, and we found out that the source of the breach was going right through Norton like a hot knife through butter. However, just about any other security solution would stop it. At that time, we theorized that whoever had created the problem had some intimate/inside knowledge of Norton systems and we even joked that "Symantec better check who has their source code".

  12. Good, maybe now we'll have GoBack etc file formats by Anonymous Coward · · Score: 4, Interesting

    If someone with illegally-obtained source code anonymously posts the Ghost and other file formats AND posts a credible "here's how I reverse engineered the file formats" document, and others use it to create open-source software to read the software, will Symantec have any recourse against those who write, host, or use the resulting software?

  13. You're all missing the big picture by Provocateur · · Score: 2

    Who the hell outsourced the hacking to India, and have they really sunk so low?

    --
    WARNING: Smartphones have side effects--most of them undocumented.
    1. Re:You're all missing the big picture by Anonymous Coward · · Score: 0

      it was a mechanical turk job listing

  14. Re:Obviously, I'm going to have to switch to McAfe by Anonymous Coward · · Score: 0

    ...or not.

  15. I think we're all missing the big opportunity here by TheSpoom · · Score: 1

    Norton Antivirus: De-Crappified, Open Source, Slightly Illegal Edition

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  16. we all ditched nis/nas/nav back in 04! by Anonymous Coward · · Score: 0

    why would we re-adopt that memory leakin shiznit?

  17. Re:I think we're all missing the big opportunity h by LostCluster · · Score: 2

    The pay-for antivirus industry makes most of its money in valuing the updates that they send out. Open source at this point can write an antivirus heuristics program but can't get the staff to write good enough updates for known trouble programs.

  18. Open Source by Anonymous Coward · · Score: 1

    If they had just open-sourced their programs they wouldn't have lost face.

    Their programs are just mechanisms. It's the filter data where the value is at.

  19. Re:I think we're all missing the big opportunity h by Anonymous Coward · · Score: 0

    Midnight AV ?

  20. 2006? So... 6 year old code? by lumenistan · · Score: 1

    Realistically, the codebase has to have changed somewhat since then, right?

  21. Surprised? by InsertCleverUsername · · Score: 1

    Considering my low esteem for their anti-virus products, I'm not surprised security is also of low caliber.

    The breach makes me wonder if Symantec is even dogfooding their own security products. Wouldn't the drag on their systems from Norton cause such slow response times that hackers would lose interest and move on? Security through performance degradation!

    --
    Ask me about my sig!
    1. Re:Surprised? by TheDarkMaster · · Score: 1

      "The breach makes me wonder if Symantec is even dogfooding their own security products."

      They are not crazy enough to do this

      --
      Religion: The greatest weapon of mass destruction of all time
  22. Code injection, not theft by Anonymous Coward · · Score: 0

    I wondered how it could go from good (meh... mediocre) to bad so quickly. They didn't steal anything - they left bloat!

  23. Re:Good, maybe now we'll have GoBack etc file form by dotancohen · · Score: 2

    If someone with illegally-obtained source code anonymously posts the Ghost and other file formats AND posts a credible "here's how I reverse engineered the file formats" document, and others use it to create open-source software to read the software, will Symantec have any recourse against those who write, host, or use the resulting software?

    If the cracker posts a document with a clear specification without any code examples, then users of that specification will likely be safe. If there is a single line of code in the spec, then it would be a big no no.

    --
    It is dangerous to be right when the government is wrong.
  24. Support by gregsmac · · Score: 1

    I called their customer support to inquire. They opened a Ticket and said someone who I couldn't understand would get back to me within 3 days or maybe not at all. I think they then called me "assface".

  25. Re:I think we're all missing the big opportunity h by dotancohen · · Score: 1

    The pay-for antivirus industry makes most of its money in valuing the updates that they send out. Open source at this point can write an antivirus heuristics program but can't get the staff to write good enough updates for known trouble programs.

    So implement the code that downloads the updates.

    --
    It is dangerous to be right when the government is wrong.
  26. Even Bigger point being missed.... lawsuits by realsilly · · Score: 1

    .... for each and every paying customer whose PCs were being compromised and having both their identity stolen as well as their PCs being used to help share and harbor malware. In 2006 I was still foolishly paying for that service. I should be receiving a refund for years of purchases, for failure to notify me that my security software was breached. By withholding this information they were willingly complicit in any illegal activities that happened on any of their customers' PCs. They continue to push / shove their product down the throats of the non-technical user community with the grand notion of "your system is secure with us". How is this any different than the cigarette companies saying it's perfectly safe to smoke, knowing all the while of the harmful effects?

    They knew their product was breached, but failed to disclose, and continued to sell it.

    --
    Life takes interesting turns, but the most interest is when you're off the beaten path.
  27. Why are we assuming by Belial6 · · Score: 1

    Why are we assuming that the breach only stole code, and did not hide malicious code in the source?

  28. Security Software and Foreign Nationals by Anonymous Coward · · Score: 1

    In the 4Q of 2005, Symantec purchased Sygate, which was largely a company of Chinese foreign nationals and Chinese ex-patriots in the US. They then proceeded to give that team access to Symantec source code so that they could integrate the firewall into the Corporate product. Surprise, somehow the source code is "hacked" in 2006. Bullshit. It is even worse now. Ask Symantec how much source code is developed and maintained in China. I always enjoy a good hand-waving.

    1. Re:Security Software and Foreign Nationals by Anonymous Coward · · Score: 0

      Chinese ex-patriots

      How is giving access to ex-patriots a bad thing?..After all, their patriotism is a thing of a past.

      Giving access to expatriates is a whole different issue.

    2. Re:Security Software and Foreign Nationals by netwarerip · · Score: 1

      So they gave access to Steve Grogan, Willie McGinest, and Tony Bruschi?
      Yeah, like those guys will know what to do with it. The Symantec guys really are losers!

  29. Why bother... Symantec's code is already malicious by SockPuppetOfTheWeek · · Score: 1

    Yo dawg, we herd u liek malicious code, so we put some malicious code in your malicious code so you can ruin your computer while you ruin your computer by installing Symantec's software.

  30. ladeda by Osgeld · · Score: 1

    I had an MBR virus in 97, you may be asking what the point of that was, well ... neither I (back then) or Symantec (today) are doing anything meaningful. One major difference was I had a job and brought in money ... Symantec just extorts it from people who don't know better, all the while it bogs your machine down and is effectively useless at its one and only task.

  31. Re:I think we're all missing the big opportunity h by TheSpoom · · Score: 1

    If it's illegal (and it would be) they'd find a way to use Symantec's updates.

    --
    It's better to vote for what you want and not get it than to vote for what you don't want and get it.
    - E. Debs
  32. Re:2006? So... 6 year old code? by jesseck · · Score: 1

    Today the code is 6 years old, but it was new when it was stolen in 2006. It has taken 6 years for Symantec to admit to the breach.

  33. Re:2006? So... 6 year old code? by Anonymous Coward · · Score: 0

    It's probably worse. They didn't realize the breach included source code until now (assuming they didn't realize the breach happened because of the recently leaked code).

    And with the SW writing attitude of the last decade, the inner workings of the antivirus engine might not have changed that much. Too much software seems to have stalled, and focuses on cosmetic changes to justify/sell yearly upgrades. There is a need for improvement, but real new features require more investment than they're willing to commit, so they tend to skirt the issues and implement useless features.

  34. Do you work for Best Buy, HP or Dell? by Anonymous Coward · · Score: 0

    Because this sounds exactly what we hear from support from these clowns daily - Virus? Wipe and reinstall. Drive with bad sectors or a dead RAID array member? Wipe and reinstall. Dead motherboard or power supply? Wipe and reinstall....

  35. Re:I think we're all missing the big opportunity h by LostCluster · · Score: 2

    In other words, you want to break the paywall.... these guys know security so that ain't happening.

  36. re: virus removal by King_TJ · · Score: 1

    As one of those guys who DOES get paid to remove viruses, I have to disagree with you....

    Yes, a complete wipe of everything and a fresh reinstall is the only way to be 100% sure you eliminated whatever malware or virus was on a given machine. BUT, that's like telling the exterminator he should just burn your entire house down to get rid of the ants or spiders you called about, because simply spraying some poison down doesn't guarantee they're all gone.

    I've actually gone through the whole "backup data, wipe drive, reload OS, reinstall all needed apps from the original CDs, restore data" process for people on many occasions, when they had a computer that was so obviously screwed up, I didn't feel like I was making headway with anything else.

    That's really a losing proposition for everyone involved when you've reached that point, though. Inevitably, there's SOMETHING that doesn't get put back the way the user wants it, because he/she can no longer find an installation disc for some program or lost a license key for some downloadable product. It takes so much time, you can't really bill your normal labor rate for such a project, or the customer will go ballistic (and probably refuse to pay!). It's really not what they WANTED to pay you to do in the first place when they called you.

    In most cases (maybe 80% of the ones I've encountered?), I see pretty readily identifiable infections (like those fake "AntiVirus 2011" programs that would pop up on startup and do a fake scan), or I have a system that's still fairly usable, except for symptoms like random pop-ups in the browser, telling me it's not quite right. Most of these issues are pretty well documented all over the net, with people offering known good solutions for removing them. If I boot from a CD and scan the system while its own OS isn't running, I stand a good chance of finding and removing the most stubborn pieces of the malware with that. A full scan with a couple other good tools like Malware Bytes as a follow-up, and if nothing else is detected at that point AND the PC seems to be working right? That's good enough for most people.

  37. Those in the know... by Anonymous Coward · · Score: 0

    know that hackers have been using the presence of NORTON (most any of it) to hack their way into users' systems. Best advice? Get some serious anti-virus and firewall, that does NOT include anything with 'NORTON' on the cover.

  38. OK, I'll say it... by Anonymous Coward · · Score: 0

    ...as nobody else has as yet:

    JUL. (Just Use Linux)

    And BEFORE you all start bleating about market share blah blah command line blah blah not my software blah blah drivers blah blah, just this: in 10 years I have NEVER EVER been inconvenienced by malware. So my productivity has never been impacted by the malware circus a.k.a. Windows.

  39. Symantec's Free Public Service by neurosine · · Score: 1

    I like to think that Symantec provides a self maintaining honeypot for those of us who use more obscure, less intrusive, and less expensive solutions which aren't so highly exploited. Thanks Symantec. I also like Backup Exec, somewhat.

  40. Wonderful... by Anonymous Coward · · Score: 0

    Now my business insurance is invalid. Thanks to me reading this article, I now know that my corporate anti-virus solution in my office is potentially flawed. Knowing this, I must now choose another solution. If I don't then my insurance company, in the event that one of my clients gets a virus from some of our software distributions, will not cover those damages. Even if I claim I did not know, my insurance provider now has an excuse to be held unaccountable, which is all they usually need.

    Great. I thought I had my day planned too. Let's flip a coin to find an alternative.

    Note: I have Norton Antivirus Corporate Edition installed on my office machines _purely_ because it is mandated by my public and product insurance / professional indemnity insurance policies. I practice a far more effective method of virus prevention as my primary defence: common sense.

  41. Re:Why bother... Symantec's code is already malici by Anonymous Coward · · Score: 0

    Sorry. Not funny.

  42. I just want a copy... by Anonymous Coward · · Score: 0

    because I'm curious about the comments