January 11th, 2012, 08:06 AM
Symantec: parts of antivirus source code exposed
The story itself is not a news. Understandible that there is no 100% solution against data leak. Many enterprises faced such things from time to time. The question is what to do when a data (in this matter source code) alredy leaked away? My thoughts is to prtect source code itself to harden itsreversing and analysis. It could give some time to conduct preventive measures.
January 13th, 2012, 01:16 AM
Hi nerva, and welcome to AO
The best protection for your intellectual property (source code) is to employ a team of good Patent Lawyers. Then a competitor can gain no advantage from the knowledge.
As for criminals, I doubt if they would be that interested. They know how security software works in principle, and design their malware to avoid it in general, rather than for a specific vendor. If they worked on the source code, they would fall into the trap of designing and writing for a specific product.
You write your malware then test it against security software. You then look at how any that detected your application found it, and amend your code accordingly.
Otherwise you would need the source code for all security products and you would automatically be behind in the race rather than in front.
Remember that AV vendors talk to each other, and it only takes one of them to identify your malware and the game is over.
If you have to hand out source code to third parties, I would recommend two fundamental precautions you should take:
1. Only give them that part that is relevant to them, and as up to date as is relevant.
2. Uniquely "watermark" it so that you can immediately trace the source of any leak.
January 13th, 2012, 10:24 AM
So, nihil, you think that the fact of code leaking in this circumstances is not a problem for Symantec?
January 13th, 2012, 01:31 PM
Hi there nerva,
I think that there are two aspects to your question.
1. It is embarassing for Symantec, in that they are sellers of security products and have been seen to have a leak in their own security.
IT professionals will not pay much attention to this, as the problem happened at a third party, and was a matter of physical security, rather than the effectiveness of Symantec's products.
We all know that once data leaves your premises it is out of your control and at risk. This is why we encrypt data in transit.
2. From a technical viewpoint it should not be a problem either, as the code was old, and of no real interest to competitors anyway.
3. If Symantec's competitors are truly in competition, they have their own way of doing things, and don't really care about anybody else's detailed solutions. What the competitors claim to be able to achieve is far more important than how they actually do it.
It is really all about marketing these days, as traditional security products are pretty much obsolete other than in the private user sector.
January 15th, 2012, 02:23 AM
**** may just start to get interesting come Tuesday.
A hacker who goes by the name of 'Yama Tough' threatened Saturday to release next week the full source code for Symantec Corp's flagship Norton Antivirus software.
"This coming Tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow," Yama Tough posted via Twitter.
In the past week Yama Tough has released fragments of source code from Symantec products along with a cache of emails. The hacker says all the data was taken from Indian government servers.
I'm sitting on the fence on this, i think the kid is trying to gain more of the spotlight, as the 1st mention of there intrusion was forgotten about pretty darn quickly.
But another part of me thinks maybe just maybe he did get lucky.
January 15th, 2012, 03:44 AM
Yeah, it sounds rather like the work of a disgruntled ex-employee trying to embarass the Indian government or parts of it?
If I were a malware author I don't think I would be interested in AV source code as much as I would be in the signature files.
Most AV still relies very much on signature or pattern matching, so knowing what they are looking for would be of more use in obfuscating your code than knowing how it looks for it.
Similarly, which files are being monitored for on the fly changes, which Registry entries and so on. You already know what it does so how it does it isn't that interesting, compared to what it will and won't detect?
A lakh of rupees for ze man who breengs me ze 'ead of Alfredo Singh.......................................
January 20th, 2012, 01:06 PM
Ok guys. I undesrstood that i definately need to rise my knowladge in the foeld of information security. Can you advise me couple of events in Europe and USA like InfoSecurity London, but more conference based style? To attend, listen and discover what's going on around?
January 20th, 2012, 11:59 PM
Kinda scary......Zero Days are already in the wild.....Glad I stayed away from these fools years ago.......just sayin'! Then again, code is being Reversed, Sourced, and Bypassed every minute....quite frankly, this won't matter much....but it will matter....IMHO
"It is a shame that stupidity is not painful" - Anton LaVey
January 21st, 2012, 11:35 AM
Well, if you look at security products, they have two basic elements:
1. The static part, core, or "engine". This is defined in the source code and changes very infrequently, typically every year, or no more frequently than 6 months.
2. The dynamic part. This comprises current detection routines and the traditional patterns or code strings. Patterns can change hourly, and are invariably updated at least daily. The detection processes change less frequently but would typically be several times a month.
The source code is irrelevant to a malware author, it is the dynamic part that determines whether his product will be detected or not, and that is assuming that he hasn't disabled or totally circumvented it.
The days of hard coding variables, and monolithic architectures have long gone, so the source code is pretty much irrelevant. The source code will not contain the source of dynamic executables, only the calls to them.
Last edited by nihil; January 21st, 2012 at 11:38 AM.
January 23rd, 2012, 11:27 PM
You know there may be some good coming from this!
Maybe someone can read the Source Code and find a way to actually un-install that ****.
By morganlefay in forum General Computer Discussions
Last Post: September 12th, 2010, 12:25 PM
By SDK in forum Miscellaneous Security Discussions
Last Post: May 25th, 2004, 03:06 PM
By SDK in forum AntiOnline's General Chit Chat
Last Post: February 12th, 2004, 02:18 PM
By DjM in forum AntiVirus Discussions
Last Post: May 30th, 2003, 12:13 AM
By tekfrost in forum Non-Security Archives
Last Post: January 6th, 2002, 12:17 AM