
Symantec Admits Its Networks Were Hacked in 2006

Orome1 writes "After having first claimed that the source code leaked by Indian hacking group Dharmaraja was not stolen through a breach of its networks, but possibly by compromising the networks of a third-party entity, Symantec backpedalled and announced that the code seems to have exfiltrated during a 2006 breach of its systems. Symantec spokesman Cris Paden has confirmed that unknown hackers have managed to get their hands on the source code to the following Symantec solutions: Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and pcAnywhere."

32 of 113 comments

  1. Thanks a bunch by John+Napkintosh · · Score: 4, Interesting

    As this includes a Corporate version, I'm sure enterprises just LOVE to hear that the company to whom they entrust a certain amount of their data security completely lied to them about the effectiveness of that security, and covered up the fact that future use of their product might be for naught.

    --
    Long signatures suck.

    1. Re:Thanks a bunch by LostCluster · · Score: 2

      Source code in this case is mostly a list of things the software does to attack viruses... they gave away a copy of their secret sauce recipe. Doesn't make the burgers taste worse, it just opens them up to being subject to competition.

    2. Re:Thanks a bunch by hedwards · · Score: 4, Informative

      Anybody that still uses Symantec software more or less deserves what they get. I can't imagine that the enterprise version is any less crappy than the home version is.

    3. Re:Thanks a bunch by SJHillman · · Score: 2

      We have the Enterprise version where I work - one of my more recent responsibilities is monitoring it. Overall, it's pretty good at detecting most infections but doesn't always remove the infection. Personally, I'll keep using MS Security Essentials on all of my PCs.

    4. Re:Thanks a bunch by Synerg1y · · Score: 4, Insightful

      Realize that no piece of security software will keep you safe indefinitely from a determined hacker. That applies to security companies as well.

    5. Re:Thanks a bunch by MightyMartian · · Score: 2

      The only reason for any of the enterprise-level apps is centralized updating and control. Security Essentials works with WSUS now, so you get the updating, but still, you have no good way to monitor which workstations are well protected or which ones have a problem. At the end of the day, my shop is small enough that I can manage the slightly extra load of checking things out. I haven't actually had a problem with MS Security Essentials, though back in the day when I was using Norton, it was always screwing up on some machine or another.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

    6. Re:Thanks a bunch by Bert64 · · Score: 2

      If the software is decently written, then exposure of the source code won't matter anyway.

      Exposure of the source code is only going to be a problem if it's full of easily noticeable exploitable holes. Such a situation would be unforgivable, since you'd have expected them to fix such holes internally anyway.

      The source code for Linux, OpenBSD, Apache and many other widely used pieces of software is already available to the public, and it doesn't result in mass hacks against these systems. On the contrary, many security oriented devices such as firewalls are actually based on this publicly available code.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    7. Re:Thanks a bunch by Dishevel · · Score: 2, Insightful

      You are saying (with a straight face) that having the source code that describes in detail how the software goes about removing viruses is of no use to the people who write them? Go to a doctor immediately and get checked out for massive brain tumors.

      --
      Why is it so hard to only have politicians for a few years, then have them go away?

    8. Re:Thanks a bunch by DarkOx · · Score: 3, Insightful

      Other than perhaps finding sploits in Symantec itself, no, I don't expect looking at virus removal code to be terribly useful to those developing malicious code.

      Look yes the AV stuff gets its hooks in pretty deep but until they start implementing their own filesystem drivers and stuff like that (they don't, not on desktops anyway) then there is a finite set of APIs and syscalls they can use. They are mostly documented, or otherwise known. Reading the source to Symantec's AV scanner is not going to give you a lot of insight into how to write something it can't clean up.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

    9. Re:Thanks a bunch by rickb928 · · Score: 5, Insightful

      How they use their signatures and heuristics to detect threats is of great use to attackers. Thinking otherwise is naive.

      --
      deleting the extra space after periods so i can stay relevant, yeah.

    10. Re:Thanks a bunch by forkfail · · Score: 3, Insightful

      Horrible analogy, because the scenario is adversarial in nature.

      A far better one would be that the other team just stole your playbook. Your QB still throws the same, your receivers run just as fast, your linebackers still do their thing, but now the other team can anticipate all your plays and outwit you far more often.

      --
      Check your premises.

    11. Re:Thanks a bunch by timeOday · · Score: 3, Interesting

      I have to use it at work under OSX and in a lot of ways it's worse than the virii it protects against.

      I am looking right now at a computer with 2 fully-loaded cores that has been virus scanning for 25 solid hours. This is typical. It starts up after EVERY login, then just sits and churns forever with no visible progress. Or sometimes it finishes after a few seconds.

      Sometimes you go to run some other program and it will just freeze up until/unless you kill navx (if you're lucky enough to have admin rights).

      Or you're sitting on a plane, and it decides now would be a fine time to fire up and drain your battery in 40 minutes.

      I can't leave my email box open because it pops up every few seconds and says THREAT DETECTED! (probably in some old email in mail spool already marked as deleted), but you press OK to fix, and after a few seconds it says it failed to repair it, no other explanation, so it pops up a modal dialog box in front of whatever you're trying to do. This occurs a couple times per minute, forever.

      I hate it.

    12. Re:Thanks a bunch by Adriax · · Score: 2

      I've got a computer on my bench that has a virus Symantec Corp Edition is currently protecting. Attempts to remove the file run afoul of Symantec, and I can't kill Symantec because it refuses to disable or uninstall (can't manually stop services either).

      Little bastard has hooks all over the place and is a variant of the "Your harddrive is failing, pay us monies to fix it!" that actually deletes all the start menu shortcuts instead of just moving them.

      --
      I don't suffer from insanity, I enjoy every minute of it!

    13. Re:Thanks a bunch by gstoddart · · Score: 4, Interesting

      > I have to use it at work under OSX and in a lot of ways it's worse than the virii it protects against.
      > I am looking right now at a computer with 2 fully-loaded cores that has been virus scanning for 25 solid hours.

      Some years ago at a previous job, IT decided that 10:30 am would be the perfect time to schedule a full scan of the computers. The rationale being that the computers wouldn't be hibernating or powered off.

      So, promptly at 10:30 am, my machine would lock up and be 100% CPU and memory bound for about 2 hours or more. I asked IT to reschedule it, as it was interfering with my work .. they said no. I told them that I was going to bill them 2 hours/day for the time lost ... they said I can't do that (at the time, they billed customers $1500/day for me).

      Then I finally told them that since I had local admin privileges, and unless they were willing to change it, I was simply going to uninstall the AV software ... which I ended up doing. And, when people started to uninstall it, they found they had no choice but to change the schedule ... because it was making it impossible for people to do their jobs and HR didn't like the fact that everyone was in the break room bitching about the fact that their computers were unavailable to them.

      In my experience, most enterprise AV solutions cause more lost productivity than the things they're meant to prevent.

      > so it pops up a modal dialog box in front of whatever you're trying to do

      I'm about one upgrade of AVG away from finding an alternative ... because it suddenly decides that it wants to update, and that I need to reboot right now, or postpone as much as 60 minutes. The problem is that I'm using the computer for my job, and I will tell it when it can reboot or update ... but when it pops up a modal dialog while you're typing, with "OK" selected by default, you can get a case where you've clicked "sure, go ahead and reboot" before you even realize the dialog has been presented. So all of a sudden your machine starts shutting down out from under you.

      AVG didn't always suck, but over the last few versions it has become nag-ware which wants to install crap toolbars in my browser and otherwise do shit that I've not asked it to do.

      The use of a modal dialog box that grabs focus should lead to someone being staked to an ant-hill in the hot sun -- I'm running more than your program, and just because you want to do something doesn't mean I don't get a vote.

      Unfortunately, I find that AV in general is far more pushy and annoying about deciding it's in charge.

      --
      Lost at C:>. Found at C.

    14. Re:Thanks a bunch by nigelo · · Score: 3, Funny

      > Little bastard has hooks all over the place

      This was my experience with Symantec software, too.

      --
      *Still* negative function...

    15. Re:Thanks a bunch by VortexCortex · · Score: 4, Informative

      Aaaand, you believe that's not one of the hundreds of variants, or a new variant that also installs other malware, because? I hope you're not the kind of person that "removes" viruses for a fee, and after my Aunt has paid you, she comes home and looks through her image library and gets re-infected...

      Just to be perfectly clear: WIPE the drive, FLASH the mobo BIOS, REINSTALL the OS. There is NO SUCH THING as removing malware. Unless you watched that sucker get installed while stepping through it with a debugger, you don't really know WTF is going on or what else it has done.

      Perhaps you're just playing with the viruses, cultivating them and studying them before they're released into the wild; either this, or you don't realize that you are...

    16. Re:Thanks a bunch by fwarren · · Score: 2

      We used to run the Norton Corporate product and we loved it. It is much lighter on system resources than the retail product. Corp 9, then Corp 10 then Corp 11.

      Once we hit version 11 we had a problem. Every time it did a download and update, it would keep a copy of the older downloads and updates. Every 3 months our hard drive would run out of room. The solution: a) wait for the patch to fix this for customers with this issue and b) uninstall the software from the server, reinstall it, and then manually every client back in. We would lose a full day every 3 months doing this. After more than a year of this and no patch forthcoming we switched products.

      As it turns out there are other products that are even lighter on resources, as easy to administer and cost less as well. A 3 year license came to $18 a system. At the cost of $6 a year for a professional antivirus product, it was easy to make the switch.

      --
      vi + /etc over regedit any day of the week.

    17. Re:Thanks a bunch by Sir_Sri · · Score: 2

      Comodo antivirus is very good, but really invasive. As a corporate user it's worth having a licence around, and if you get a machine that you really aren't sure what's up with it, try Comodo. Then uninstall it once it is done working. It's the only English AV I've found that will reliably detect Chinese virii, or other languages, but Chinese is particularly troublesome.

      Failing that, there's always MSE and avast which are generally 'good enough' for day to day use.

      The idea that the anti virus should update when you tell it to, and not when it needs to is an odd one. On one hand, being a bit of an HCI guy I understand the problem, but as a practical matter if they're patching in stuff for 0 day exploits, if it needs to reboot, it really needs to reboot right now, and not rebooting is as good as not having an AV at all. Oh but you don't go to sketchy websites at work? Well that's sort of the point of '0 day exploit' isn't it? Someone got hacked, and whether that file lands in your inbox from a coworker, gets injected via MSDN, or wikipedia, or youtube or whatever (all of which could be in use for perfectly legitimate reasons) you are basically undoing the work that is done to try and deal with these problems. Sure, there's some general routine patching going on, and yes AVG could handle its dialog boxes better, but saying 'well tough I'm working right now I don't want this update' is the same as saying 'I'm not really concerned about the security of my machine while I'm using it for work'. It would be nice if there was a better solution there, and certainly there's a productivity boost from having an SSD so you can resume your work very quickly for a reboot, but alas, MS does not offer a 'save state of running programs and reboot' option, which I don't imagine would be trivial anyway.

    18. Re:Thanks a bunch by operagost · · Score: 5, Funny

      I'm glad you aren't a physician.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.

  2. Surely this is a good thing... by el3mentary · · Score: 5, Insightful

    Surely this is a good thing, the hackers might release an anti-virus for Norton

    --
    I reject your reality and substitute my own.

    1. Re:Surely this is a good thing... by Krneki · · Score: 5, Funny

      They tried, but apparently removing Norton proved to be too difficult.

      --
      Love many, trust a few, do harm to none.

  3. Obviously, I'm going to have to switch to McAfee by elrous0 · · Score: 5, Funny

    That'll be a lot better, right?

    --
    SJW: Someone who has run out of real oppression, and has to fake it.

  4. You're five years late.... by LostCluster · · Score: 2

    We have to take ten points a day off your score for releasing your findings five years late. Good luck keeping your GPA up.

  5. In their defence... by nick357 · · Score: 4, Funny

    ...they were running McAfee at the time!

  6. "exfiltrated" by Baloroth · · Score: 5, Funny

    > the code seems to have exfiltrated

    Wow, must be bad working at Symantec. Even the code wants to escape.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton

  7. I KNEW IT! by SoTerrified · · Score: 5, Interesting

    Was working with a company that was dealing with some security issues in late 2008, and we found out that the source of the breach was going right through Norton like a hot knife through butter. However, just about any other security solution would stop it. At that time, we theorized that whoever had created the problem had some intimate/inside knowledge of Norton systems and we even joked that "Symantec better check who has their source code".

  8. Good, maybe now we'll have GoBack etc file formats by Anonymous Coward · · Score: 4, Interesting

    If someone with illegally-obtained source code anonymously posts the Ghost and other file formats AND posts a credible "here's how I reverse engineered the file formats" document, and others use it to create open-source software to read the software, will Symantec have any recourse against those who write, host, or use the resulting software?

  9. You're all missing the big picture by Provocateur · · Score: 2

    Who the hell outsourced the hacking to India, and have they really sunk so low?

    --
    WARNING: Smartphones have side effects--most of them undocumented.

  10. Re:They aint got Norton? by FranktehReaver · · Score: 2

    You kidding? They have to write code all day they can't put that kind of a system load on their machines!

  11. Re:I think we're all missing the big opportunity h by LostCluster · · Score: 2

    The pay-for antivirus industry makes most of its money in valuing the updates that they send out. Open source at this point can write an antivirus heuristics program but can't get the staff to write good enough updates for known trouble programs.

  12. Re:Good, maybe now we'll have GoBack etc file form by dotancohen · · Score: 2

    > If someone with illegally-obtained source code anonymously posts the Ghost and other file formats AND posts a credible "here's how I reverse engineered the file formats" document, and others use it to create open-source software to read the software, will Symantec have any recourse against those who write, host, or use the resulting software?

    If the cracker posts a document with a clear specification without any code examples, then users of that specification will likely be safe. If there is a single line of code in the spec, then it would be a big no-no.

    --
    It is dangerous to be right when the government is wrong.

  13. Re:I think we're all missing the big opportunity h by LostCluster · · Score: 2

    In other words, you want to break the paywall.... these guys know security so that ain't happening.