Symantec: parts of antivirus source code exposed
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: Symantec: parts of antivirus source code exposed

  1. #1
    Junior Member nerva's Avatar
    Join Date
    Jan 2012
    Location
    Moscow, Russia
    Posts
    3

    Arrow Symantec: parts of antivirus source code exposed

    Source: http://www.rawstory.com/rs/2012/01/0...-code-exposed/

    The story itself is not a news. Understandible that there is no 100% solution against data leak. Many enterprises faced such things from time to time. The question is what to do when a data (in this matter source code) alredy leaked away? My thoughts is to prtect source code itself to harden itsreversing and analysis. It could give some time to conduct preventive measures.

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi nerva, and welcome to AO

    The best protection for your intellectual property (source code) is to employ a team of good Patent Lawyers. Then a competitor can gain no advantage from the knowledge.

    As for criminals, I doubt if they would be that interested. They know how security software works in principle, and design their malware to avoid it in general, rather than for a specific vendor. If they worked on the source code, they would fall into the trap of designing and writing for a specific product.

    You write your malware then test it against security software. You then look at how any that detected your application found it, and amend your code accordingly.

    Otherwise you would need the source code for all security products and you would automatically be behind in the race rather than in front.

    Remember that AV vendors talk to each other, and it only takes one of them to identify your malware and the game is over.

    If you have to hand out source code to third parties, I would recommend two fundamental precautions you should take:

    1. Only give them that part that is relevant to them, and as up to date as is relevant.

    2. Uniquely "watermark" it so that you can immediately trace the source of any leak.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Junior Member nerva's Avatar
    Join Date
    Jan 2012
    Location
    Moscow, Russia
    Posts
    3
    So, nihil, you think that the fact of code leaking in this circumstances is not a problem for Symantec?

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hi there nerva,

    I think that there are two aspects to your question.

    1. It is embarassing for Symantec, in that they are sellers of security products and have been seen to have a leak in their own security.

    IT professionals will not pay much attention to this, as the problem happened at a third party, and was a matter of physical security, rather than the effectiveness of Symantec's products.

    We all know that once data leaves your premises it is out of your control and at risk. This is why we encrypt data in transit.

    2. From a technical viewpoint it should not be a problem either, as the code was old, and of no real interest to competitors anyway.

    3. If Symantec's competitors are truly in competition, they have their own way of doing things, and don't really care about anybody else's detailed solutions. What the competitors claim to be able to achieve is far more important than how they actually do it.

    It is really all about marketing these days, as traditional security products are pretty much obsolete other than in the private user sector.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    HYBR|D
    Guest
    **** may just start to get interesting come Tuesday.

    A hacker who goes by the name of 'Yama Tough' threatened Saturday to release next week the full source code for Symantec Corp's flagship Norton Antivirus software.
    "This coming Tuesday behold the full Norton Antivirus 1,7Gb src, the rest will follow," Yama Tough posted via Twitter.
    In the past week Yama Tough has released fragments of source code from Symantec products along with a cache of emails. The hacker says all the data was taken from Indian government servers.


    I'm sitting on the fence on this, i think the kid is trying to gain more of the spotlight, as the 1st mention of there intrusion was forgotten about pretty darn quickly.

    But another part of me thinks maybe just maybe he did get lucky.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Yeah, it sounds rather like the work of a disgruntled ex-employee trying to embarass the Indian government or parts of it?

    If I were a malware author I don't think I would be interested in AV source code as much as I would be in the signature files.

    Most AV still relies very much on signature or pattern matching, so knowing what they are looking for would be of more use in obfuscating your code than knowing how it looks for it.

    Similarly, which files are being monitored for on the fly changes, which Registry entries and so on. You already know what it does so how it does it isn't that interesting, compared to what it will and won't detect?

    A lakh of rupees for ze man who breengs me ze 'ead of Alfredo Singh.......................................
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    Junior Member nerva's Avatar
    Join Date
    Jan 2012
    Location
    Moscow, Russia
    Posts
    3
    Ok guys. I undesrstood that i definately need to rise my knowladge in the foeld of information security. Can you advise me couple of events in Europe and USA like InfoSecurity London, but more conference based style? To attend, listen and discover what's going on around?

  8. #8
    Senior Member Wazz's Avatar
    Join Date
    Apr 2003
    Posts
    288
    Kinda scary......Zero Days are already in the wild.....Glad I stayed away from these fools years ago.......just sayin'! Then again, code is being Reversed, Sourced, and Bypassed every minute....quite frankly, this won't matter much....but it will matter....IMHO
    "It is a shame that stupidity is not painful" - Anton LaVey

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Well, if you look at security products, they have two basic elements:

    1. The static part, core, or "engine". This is defined in the source code and changes very infrequently, typically every year, or no more frequently than 6 months.

    2. The dynamic part. This comprises current detection routines and the traditional patterns or code strings. Patterns can change hourly, and are invariably updated at least daily. The detection processes change less frequently but would typically be several times a month.

    The source code is irrelevant to a malware author, it is the dynamic part that determines whether his product will be detected or not, and that is assuming that he hasn't disabled or totally circumvented it.

    The days of hard coding variables, and monolithic architectures have long gone, so the source code is pretty much irrelevant. The source code will not contain the source of dynamic executables, only the calls to them.
    Last edited by nihil; January 21st, 2012 at 11:38 AM.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    AO BOFH: Luser Abuser BModeratorFH gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    You know there may be some good coming from this!

    Maybe someone can read the Source Code and find a way to actually un-install that ****.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween.The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

Similar Threads

  1. router udp logs
    By morganlefay in forum General Computer Discussions
    Replies: 35
    Last Post: September 12th, 2010, 12:25 PM
  2. Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability
    By SDK in forum Miscellaneous Security Discussions
    Replies: 0
    Last Post: May 25th, 2004, 03:06 PM
  3. How can you compete with open source?
    By SDK in forum AntiOnline's General Chit Chat
    Replies: 0
    Last Post: February 12th, 2004, 02:18 PM
  4. Savce 8.0
    By DjM in forum AntiVirus Discussions
    Replies: 4
    Last Post: May 30th, 2003, 12:13 AM
  5. Source code as free speech?
    By tekfrost in forum Non-Security Archives
    Replies: 14
    Last Post: January 6th, 2002, 12:17 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides