Last night Imperva sent along an email stating that hacker group Lords of Dharmaraja is threatening to release the source code of Symantec's flagship product, Norton Antivirus. The group's original threat posted on Pastebin is now gone, but a Google cached version claims that the source code was retrieved during a hack of India's military and intelligence servers.
"As of now we start sharing with all our brothers and followers information from the Indian Military Intelligence servers, so far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI," the group states.
"Now we release confidential documentation we encountered of Symantec corporation and its Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies," the group adds.
Security firm Imperva indicated that there's a good chance the group actually did retrieve the source code from the Indian military, as many governments require source code from vendors to prove that the software isn't really spyware. But the company also points out that the hackers could just as easily have retrieved the code by gaining access to a test server that was mistakenly exposed, or through an FTP link that was unintentionally made public.
"If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers," Imperva said. "After all, there isn’t much hackers can learn from the code which they hadn’t known before."
That's because most of the antivirus product is based on attack signatures. Because the defenses rest on signatures, malware authors continuously modify their malware to evade signature detection. Even more, malware versions continuously evolve, making it hard for firms like Symantec to stay one step ahead.
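The signature-based detection described above, as an added illustration that is not part of the original article and is not code from Symantec or any antivirus vendor: a toy scanner over constructed byte strings. It shows why an exact file hash or a fixed byte-pattern signature misses a sample that differs by a single byte, while a wildcard pattern of the kind vendors use to cover a whole family still catches the variant. The sample "binaries", signature names and patterns are all constructed for this example.

```python
import hashlib
import re

# Constructed sample "binaries" (not real malware). VARIANT differs from
# ORIGINAL by a single byte (0x00 -> 0x01 after the marker bytes).
ORIGINAL = b"\x4d\x5a\x90\x00PAYLOAD:\xde\xad\xbe\xef\x00drop-files\x00"
VARIANT = b"\x4d\x5a\x90\x00PAYLOAD:\xde\xad\xbe\xef\x01drop-files\x00"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash, the most brittle kind of signature."""
    return hashlib.sha256(data).hexdigest()


# 1. Hash signatures: one entry per known file (constructed names).
HASH_SIGNATURES = {sha256_hex(ORIGINAL): "Constructed.Sample.A"}

# 2. Fixed byte-pattern signatures: a contiguous substring of the file.
BYTE_SIGNATURES = {"Constructed.Sample.A": b"PAYLOAD:\xde\xad\xbe\xef\x00"}

# 3. Wildcard signatures: literal parts joined by "any single byte".
#    Built with re.escape so the \xde\xad\xbe\xef bytes are matched literally.
WILDCARD_SIGNATURES = {
    "Constructed.Sample.A.gen": re.compile(
        re.escape(b"PAYLOAD:\xde\xad\xbe\xef") + b"." + re.escape(b"drop-files"),
        re.DOTALL,  # let "." match any byte, including newline bytes
    )
}


def scan_hash(data: bytes):
    """Return the signature name if the whole file is known, else None."""
    return HASH_SIGNATURES.get(sha256_hex(data))


def scan_bytes(data: bytes) -> list:
    """Return names of fixed byte patterns found anywhere in the file."""
    return sorted(name for name, pat in BYTE_SIGNATURES.items() if pat in data)


def scan_wildcard(data: bytes) -> list:
    """Return names of wildcard (family) patterns that match the file."""
    return sorted(name for name, rx in WILDCARD_SIGNATURES.items() if rx.search(data))


def scan(data: bytes) -> dict:
    """Run all three signature tiers and report what each one caught."""
    return {
        "hash": scan_hash(data),
        "bytes": scan_bytes(data),
        "wildcard": scan_wildcard(data),
    }


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT)):
        print(label, scan(sample))
```

Run stand-alone, the original sample is caught by all three tiers, while the one-byte variant slips past the hash and the fixed byte pattern and is caught only by the wildcard signature. This is the trade-off the article alludes to: exact signatures are cheap and precise but must be reissued for every variant, so vendors lean on generic patterns and, beyond that, on heuristics and behavior, none of which depends on the scanner's source code being secret.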
"The workings of most of the anti-virus' algorithms have also been studied already by hackers in order to write the malware that defeats them," the blog explained. "A key benefit of having the source code could be in the hands of the competitors. If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself. But that is a big if and no one but Symantec knows what types of weaknesses hackers could find."
After word began to spread about the source code leak, Symantec released a statement confirming that a segment of Norton source code used in two of its older enterprise products had been accessed, one of which has since been discontinued.
"The code involved is four and five years old," the company said. "This does not affect Symantec’s Norton products for our consumer customers. Symantec’s own network was not breached, but rather that of a third party entity. We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time."
Symantec said that it is working to develop a remediation process to ensure long-term protection for its customers’ information. "We will communicate that process once the steps have been finalized," Symantec said. "Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts."