Symantec Investigating Possible Theft of Norton AV Source Code

A group of hackers claim to have stolen source code for Symantec’s Norton Antivirus software.

Update: 01/06/12 12:20AM EST – Symantec has confirmed with SecurityWeek that hackers have accessed source code related to Symantec Endpoint Protection 11.0 and Symantec Antivirus 10.2.

The group is operating under the name Dharmaraja, and claims it found the data after compromising Indian military intelligence servers.

“So far we have discovered within the Indian Spy Programme source codes of a dozen software companies which have signed agreements with Indian TANCS programme and CBI,” according to a post on Pastebin that has since been deleted. “Now we release confidential documentation we encountered of Symantec Corporation and it’s [sic] Norton AntiVirus source code which we are going to publish later on, we are working out mirrors as of now since we experience extreme pressure and censorship from US and India government agencies.”

Thus far, the information posted by the hackers includes a document dated April 28, 1999, that Symantec describes as defining the application programming interface (API) for the virus Definition Generation Service.

“This document explains how the software is designed to work (what inputs are accepted and what outputs are generated) and contains function names, but there is no actual source code present,” Cris Paden, senior manager of corporate communication for Symantec told SecurityWeek.

A second post entitled ‘Norton AV source code file list’ includes a list of file names reputedly contained within Norton AntiVirus source code package.

Symantec said it is still in the process of analyzing the data in the second post, Paden said.

What if the Norton Source Code has Been Stolen?

“If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers,” noted Rob Rachwald, Director of Security Strategy at Imperva. “After all, there isn’t much hackers can learn from the code which they hadn’t known before.” Why? “Most of the anti-virus product is based on attack signatures,” he said. “By basing defenses on signatures, malware authors continuously write malware to evade signature detection.”

“The workings of most of the anti-virus’ algorithms have also been studied already by hackers in order to write the malware that defeats them. A key benefit of having the source code could be in the hands of the competitors.”

But hackers could use the source code to search out and exploit vulnerabilities in the software itself. “If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself. But that is a big if and no one but Symantec knows what types of weaknesses hackers could find,” Rachwald concluded.

Norton is one of the most widely used anti-virus products, being used by millions of users around the world.