Hackers: $50,000 to keep Symantec source code private

Summary: As part of a sting operation, Symantec told a hacker group that it would pay $50,000 to keep the source code off the Internet.

As part of a sting operation, Symantec told a hacker group that it would pay $50,000 to keep the source code for some of its flagship security products off the Internet, the company confirmed to CNET this evening.

An e-mail exchange revealing the extortion attempt posted to Pastebin (see below) today shows a purported Symantec employee named Sam Thomas negotiating payment with an individual named "Yamatough" to prevent the release of PCAnywhere and Norton Antivirus code. Yamatough is the Twitter identity of an individual or group that had previously threatened to release the source code for Norton Antivirus.

"We will pay you $50,000.00 USD total," Thomas said in an e-mail dated Thursday. "However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain."

A Symantec representative confirmed for CNET the extortion attempt in this statement:

In January an individual claiming to be part of the 'Anonymous' group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.

However, after weeks of discussions regarding proof of code and how to transfer payment, talks broke down and the deal was never completed. A group called AnonymousIRC tweeted this evening that it would soon release the data. "#Symantec software source codes to be released soon. stay tuned folks!!! #Anonymous #AntiSec #CockCrashed #NortonAV."

Apparently after weeks of discussions, Yamatough's patience was wearing thin, leading to an ultimatum:

"If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Dont f*** with us."

The exchange gets contentious at times, with Yamatough suggesting that Symantec was trying to track the source of the e-mails.

"If you are trying to trace with the ftp trick it's just worthless. If we detect any malevolent tracing action we cancel the deal. Is that clear? You've got the doc files and pathes [sic] to the files. what's the problem? Explain."

Another e-mail, with the subject line "say hi to FBI," accuses the company of being in contact with the federal law enforcement agency, a charge Thomas denied. "We are not in contact with the FBI," he wrote, falsely. "We are using this email account to protect our network from you. Protecting our company and property are our top priorities."

Yamatough demanded that Symantec transfer the money via Liberty Reserve, a payment processor based in San Jose, Costa Rica. But Thomas appears reluctant, calling it "more complicated than we expected." Thomas instead suggests using PayPal to transmit a $1,000 test as "a sign of good faith." Yamatough rejects that offer, saying, "Do not send us any money (we do not use paypal period) do not send us any 1k etc. We can wait till we agree on final amount."

Liberty Reserve did not immediately respond to a request for comment.

The posted thread ends with an exchange today with the subject line "10 minutes" that threatens to release the code immediately if Symantec doesn't agree to use the payment processor to transfer the funds.

"Since no code yet being released and our email communication wasnt also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we've made mirrors so it will be hard for you to get rid of it."

Thomas' response, apparently the last of the discussion, is brief: "We can't make a decision in ten minutes. We need more time."

Symantec admitted in mid-January that a 2006 security breach of its networks led to the theft of the source code, backtracking on earlier statements that its network had not been hacked. The security software maker initially said a third party was responsible for allowing the theft of 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere.

Symantec said that most of its customers were not in any increased danger of cyberattacks as a result of the code's theft but that users of its remote-access suite PCAnywhere may face a "slightly increased security risk."

Symantec instructed its PCAnywhere users in late January to disable the product until the company could issue a software update to protect them against attacks that could result from the theft of the product's source code.

The theft came to light in early January when hackers claimed that they had accessed the source code for certain Symantec products, which Symantec identified as Symantec Endpoint Protection (SEP) 11.0 and Symantec Antivirus 10.2. Evidence at the time suggested that hackers found the code after breaking into servers run by Indian military intelligence.

A hacker group calling itself Yama Tough and employing the mask of hacktivist group Anonymous in its Twitter avatar said in a tweet last month that it would release 1.7GB of source code for Norton Antivirus, but the group said in a later tweet that it had decided to delay the release.

About Steven Musil
Steven Musil is the night news editor at CNET News. Before joining CNET News in 2000, Steven spent 10 years at various Bay Area newspapers.

  • RE: Hackers: $50,000 to keep Symantec source code private

    ummm... Actually it was released last night. Please check your facts before posting nonsense like this. Here is my post from last night releasing it: " This is the reason why you were asked to uninstall your Norton tonight. The Symantec Source code leak http://pastebin.com/UmJy7Bb1 #Anonymous "
    • RE: Hackers: $50,000 to keep Symantec source code private

      IF this is genuinely being done by people associated with Anonymous, they have probably done more to harm the image of the group than any other action. Whether or not you agree with the aims of Anonymous, I do not believe that the group has sunk to outright commercial blackmail before.
      • RE: Hackers: $50,000 to keep Symantec source code private

        @keithc I see your point. There wouldn't have been an issue if they didn't try to bribe us to say we lied about the code. This was stolen in 2006. Anonymous has grown and matured since then. The only reason why we released it last night is because Symantec had no intentions of paying and was trying to apprehend the person/people who originally stole the code. Anonymous is more than just a group of people. We are a family. We are an idea. We are one, we are many. Sometimes we just do things for the "lulz". It wasn't my decision for them to release the code, it was just my decision to spread the torrent. It was actually Symantec that came to Anonymous offering the money. We never threatened them to give us money or we will release the code. I have read all the email correspondences. The officer that they used to contact us was only trying to stall to get more info to prosecute.
    • RE: Hackers: $50,000 to keep Symantec source code private


      Perhaps I'm naive, but I just don't understand why people of your obvious skill would bother with this at all. If it's money you are after, you could quite obviously use your talents for legitimate purposes and make far more than $50,000, so I can't believe money is your end goal. What are you trying to accomplish?
      Michael Kelly
      • RE: Hackers: $50,000 to keep Symantec source code private

        @Michael Kelly Contrary to what the media says, this wasn't about the money. There were no intentions at ALL to release the code. A couple of our hackers in 2006 decided to just do it for fun. As I stated above, Anonymous has matured since then and has grown as a whole. The only reason for the leak is because of their blatant attempt of having a cop try to stall to get as much info as possible. They deny the use of the cop but we know better. We know how they negotiate. There are key terms we look for. And for the record, it's not like that source code is of much use anymore. That was another reason why it grew to our suspicion that NOW they want to try to get us to lie about the code being in our possession. The thing about Anonymous, well members of Anonymous, we tend to do things for the "lulz". Sometimes there is no motive behind what we do. Lately, however, we have been doing very positive stuff. We are fighting to protect human rights, gain global unity, and helping the Occupy movement by protesting on the streets or just by bringing food and water to the protesters. This Symantec thing shouldn't have even made news because it's not really relevant to anything.
      • RE: Hackers: $50,000 to keep Symantec source code private

        @Michael Kelly: "If it's money you are after, you could quite obviously use your talents for legitimate purposes and make far more than $50,000"

        That is true, Only in America, Michael!!
    • RE: Hackers: $50,000 to keep Symantec source code private

      @AnonymousFlorida Well excuse us, if it was stolen then all involved should be in jail and not residing in the comforts of their mommy's basement.
    • RE: Hackers: $50,000 to keep Symantec source code private

      @AnonymousFlorida I don't know how much of this is speculation vs rumor vs fact but one thing I do know is that the people of this country have far more to fear from the law enforcement and the various intelligence branches of this out of control US Federal government.

      I understand that anonymous is not one person, group of persons or entity but is instead an idea that many get behind. That said the media, primarily the corporate owned presstitutes and faux so called patriot talk show hosts (both radio and TV) paint Anonymous as being a group united behind a cause whatever that cause is at the time. When anonymous does things like strike back at a deserving corporate villain like Monsanto, the globally renowned maker of quality frankenfood, or that little prick at HBG who so perfectly represents the arrogant persona of the modern day corporate executive villain, it causes the rest of us out here to cheer and say take that you corporate thug.

      Unfortunately this same presentation of anonymous as a single group can also be problematic when some person or persons decide to act in the name of anonymous who have no interests in the ideology of anonymous but instead want to tarnish the name and image by engaging in illegal acts under the name of anonymous. It may be that nothing like this has happened but if it has I would not be surprised knowing how corrupt our government has gotten especially since it was bought out by big corporate decades ago.

      I don't know if discussions amongst anonymous members about government hacks posing as you guys has even come up. In any event whatever anonymous does, do not let those hacks tarnish the name or image no matter how insignificant the act they are engaging in may seem. You can bet your let you know what (and your right one too) that if it can the government will use the anonymous name and image to further its own agenda of a police like state.

      As an average joe I'm asking you to not let them do that.

      Thanks
    • RE: Hackers: $50,000 to keep Symantec source code private

      software renewal can be $50,000-$300,000 per year per customer for symantec. $50k is NOTHING to Symantec

      Been supporting Altiris for 8years wish it was still Altiris
  • RE: Hackers: $50,000 to keep Symantec source code private

    it seems odd that after someone broke in and stole from you that you would try to appeal to their virtues such as trust and faith; "We are trusting you to keep your end of the bargain" and "a sign of good faith."
  • RE: Hackers: $50,000 to keep Symantec source code private

    Symantec should have offered way more than that. $50,000 = is that a joke? or an insult? 50k is often just to license a Symantec product for a year. What was Symantec using to protect their Intellectual property? Symantec Endpoint Protection? LOL
    • RE: Hackers: $50,000 to keep Symantec source code private

      @johndow1 LOL
  • RE: Hackers: $50,000 to keep Symantec source code private

    I'm not sure I understand the value of Symantec AV source code. Unless there is something in there that is questionable or proves Symantec is doing something with the code that they shouldn't. I don't even use Symantec anything, it's slow, full of bloat, bogs down the machine and is next to useless. I mainly use linux anyway.

    What I want to know is, what are the reasons for Symantec not wanting people to see their code besides the fact that it is proprietary. Granted that Symantec has supposedly been into shady stuff in the past. I have a hard time believing this is an act of "anonymous". Just because someone is anonymous, and supports the group "anonymous", and has good hacking skills doesn't make them part of "anonymous". If I claimed to be part of congress, would you believe me? No, you would still investigate the issue at hand. Claims mean nothing by a single individual. Although the government wouldn't mind lumping them together to take down anyone who opposes them. "anonymous" has never asked for or even blackmailed for money to date. Why would they start now? This isn't even a hacktivist movement, just a blatant form of blackmail. "Anonymous" works the way it does because it runs on the concept of "checks and balances" in the form of making sure the people aren't being outweighed or fooled by their government or other facilities/people. If this wasn't so, "Anonymous" wouldn't be able to orchestrate such complex tasks among so many different people with different beliefs around the world.

    What all people have in common is the wish for freedom, and less oppression from their government which has turned crooked as milk goes sour. Civilians go to prison or jail, politicians and congressmen get a slap on the wrist or worse... get away with everything. The world has a very large double standard and it's sick.

    Government should be afraid of its People, People should never be afraid of their government.

    I wish everyone would quit lumping every hacking crime in with the group "anonymous" and actually start investigating. #lulzsec is not #anonymous different groups, similar goals, different methods, but support each other! My brother is not me, and I am not my brother! Don't make me viable for a crime he commits and vice versa!
    • RE: Hackers: $50,000 to keep Symantec source code private

      @Darksurf Here are the facts... the code was taken in 2006. Anonymous is much different now. Anonymous NEVER asked for money from Symantec. and lulzsec is technically a "branch" of Anonymous. Anonymous claims this attack. Go look into any Anonymous source. We are all posting about this. The leak from last night was even originated from an Anon member. Anonymous isn't a "group". Anonymous is an idea. Anyone can be Anonymous if they stand for what Anonymous believes in. You don't have to be a hacker to be in Anonymous. Some Anonymous members still do bad things. Most don't. You can't really generalize Anonymous based on what you read online in news articles. There is a whole other world that you should look into.
  • RE: Hackers: $50,000 to keep Symantec source code private

    I'd pay Anonymous to keep Symantec's code off the interwebz, too. Their products are horrible!
    • RE: Hackers: $50,000 to keep Symantec source code private

      @KevinFairchild How much are you willing to pay? lol Just kidding.
  • RE: Hackers: $50,000 to keep Symantec source code private

    Good thing I don't use Symantec Products. LOL.
  • RE: Hackers: $50,000 to keep Symantec source code private

    Honestly, Symantec products are so poorly written anyway (almost as bad as McAfee), I fail to see why anyone would continue to use it, even before the source code was released.

    This is now just another reason not to use their products, after all, if they can't protect their own source code, how can I trust them to protect my data?
    • The Source Code

      @cmwade1977 If I remember this issue correctly, the leaked source was not on Symantec's hand when it leaked, but in India where the Symantec's source was being audited.

      We can't question the security practices of Symantec in U.S. when it is a third party who leaked Symantec's source.

      The reason why I'm always posting here regarding third party breaches and why be paranoid with the word "third party". Yes, even third party software to keep your passwords, third party to fill up your online forms, third party to protect you from malwares yet opens up some network ports in your machine, and the list goes on and on.
    • Not all poorly written

      @cmwade1977 ... there are many talented people at Symantec. But the leadership of the company is all salesmen. The company is totally deadline driven and deadlines are decided for sales purposes. So crap is being rearchitected as it goes out the door.

      I am astonished that they don't have more problems than they do.

      As far as getting paid not to do something - you have to have professional representation for that, otherwise it looks like (and you get arrested for) extortion.

      Remember Rachel Uchitel? That b*tch got PAID. Gloria Allred announced a press conference for 1PM the following day, and shortly before 1PM the press conference was called off, and it was then all over the tabloids that a ten million dollar check had been written. Allred is the pro because she knows how to do something like that and have it be all nice and legal, and can facilitate it, and has a long track record of doing that kind of deal. Non-pros meet somebody in a parking lot to collect a check, they try to deposit the check (doesn't work) and then they get arrested.