Rumor has it that hackers have obtained the source code for Symantec’s Norton AV. A posting on pastebin presented the file list and hackers are claiming that they also have the code itself. While the code is not yet out, hackers are saying that it is just a matter of time as they are considering how to best publish this information.
As a major DLP vendor, this is quite embarrassing on Symantec’s part. It’s reasonable to assume that the retrieval of such a list could be a result of the files residing on a test server which was mistakenly exposed, or a posting to FTP which unintentionally became public. It also seems, if you trust the hackers' boasting, that the code was obtained from the Indian military. Many governments do require source code from vendors to prove the software isn't spyware.
If the rumors turn out to be true, the implications of the anti-virus code leakage will not keep the Symantec folks awake too late at night, and certainly not their customers. After all, there isn’t much hackers can learn from the code which they hadn’t known before. Why? Most of the anti-virus product is based on attack signatures. By basing defenses on signatures, malware authors continuously write malware to evade signature detection (in 2007, antivirus could only detect between 20-30% of malware). We noted in our blog on the Black Hole Exploit that only 30% of AV would have been effective. Further, malware versions continuously evolve in such a rate where signatures cannot keep up with them in the first place. The workings of most of the anti-virus’ algorithms have also been studied already by hackers in order to write the malware that defeats them. A key benefit of having the source code could be in the hands of the competitors.
If the source code is recent and hackers find serious vulnerabilities, it could be possible to exploit the actual anti-virus program itself. But that is a big if and no one but Symantec knows what types of weaknesses hackers could find.
Posted by Imperva Blogger at 04:34:08 PM