Symantec code posted despite attempt to trap suspect

The Anonymous hacking group said Tuesday that it always intended to release the source code for Symantec's Norton AntiVirus and pcAnywhere remote access software -- despite publishing emails Monday in which a supposed member of the group negotiates to sell the code back to the security company.

The emails, released Monday night EST to Pastebin, chronicle communications between a hacker using the alias "Yamatough" -- who is part of the Anonymous-affiliated group The Lords of Dharmaraja -- and a supposed Symantec employee, Sam Thomas, who turned out to be a law enforcement official.

The conversations begin around Jan. 18 with Thomas, communicating from a Symantec email account, trying to confirm that Yamatough was in possession of proprietary code, which Symantec has confirmed on a number of occasions was stolen by hackers.

For several days after, the pair go back and forth on how Yamatough can best deliver the files so Symantec can confirm their validity. On Jan. 24, after Thomas fails to send credentials to access an FTP server, the hacker writes: "If you are trying to trace with the FTP trick, it's just worthless. If we detect any malevolent tracing action, we cancel the deal."

After not hearing back on where to send the proof, on Jan. 25, Yamatough threatens to put the code up for sale if Thomas doesn't respond. A day later, the money discussion begins, with Yamatough asking how much Symantec is willing to pay. Thomas responds on Jan. 26 that he needs two to three days to come up with an answer.

On Jan. 30, Thomas changes the subject: "Before we can discuss a dollar amount, we need to figure out how the payment is going to be made." The hacker suggests depositing the money into an account with Liberty Reserve, a Costa Rica-based payment processor. A day later, Thomas says it would be "complicated" to get money into the account, so he suggests depositing $1,000 into a PayPal account as a gesture of good faith.

The hacker declines, saying he will wait "till we agree on a final amount." On Wednesday, Thomas offers to pay $50,000.

"However, we need assurances that you are not going to release the code after payment," he writes. "We will pay you $2,500 a month for the first three months. Payment starts next week. After the first three months, you have to convince us you have destroyed the code before we pay the balance."

On Thursday, Yamatough responds, saying the deal has to be nixed because "our offshore people won't let us securely get the money because they won't process amounts less than 50k (thousand) a shot." Yamatough then accuses Thomas of coordinating with the FBI, which Thomas denies.

The negotiations reach a stalemate, and on Monday night EST, Anonymous posted a 1.2GB file, titled "Symantec's pcAnywhere Leaked Source Code," on torrent website The Pirate Bay.

In a statement Tuesday, Symantec spokesman Cris Paden confirmed the sting operation.

"The email string posted by Anonymous was actually between them and a fake email address set up by law enforcement," the statement said. "Anonymous actually reached out to us first, saying that if we provided them with money, they would not post any more source code. At that point, given that it was a clear cut case of extortion, we contacted law enforcement and turned the investigation over to them. All subsequent communication was actually between Anonymous and law enforcement agents -- not Symantec. This was all part of their investigative techniques for these types of incidents."
