An analysis of Symantec's leaked source code for PCAnywhere has revealed that the code has remained largely unchanged for the past 10 years, and that it could be turned into a back-door application.
Hackers previously stole the security company's source code for PCAnywhere during a 2006 raid on the company, and, after attempts to extort Symantec for money, released the code on the internet.
It wasn't long before Symantec admitted that the release of the source code would allow hackers to exploit the then-latest version of PCAnywhere. It released a fix shortly afterward, but the source code continues to reveal more about the company's practices.
In a submission to the InfoSec Institute, an anonymous analyst reveals that PCAnywhere, although heavily documented with comments throughout its code, is relatively unchanged from 10 years ago. Most changes, according to the analyst, were made to accommodate changes in Windows versions.
Although the leaked code is believed to be from 2006, it provides information on the development and design plans for subsequent versions of PCAnywhere. They include the plans for the current version of the software, 12.5. This documentation revealed that an estimated 4448 hours were planned to be spent across eight developers, four of which were outsourced, to develop PCAnywhere 12.5. It also reveals that there was never a plan for the complete rewrite of the source code.
Along with the source code, the analyst noted that the company developed separate code to install versions of PCAnywhere, "including a 'silent' installer that is completely undetectable by the end user".
The analyst worried that this could then be used to make a silently installable, modified version of PCAnywhere to be used as a back-door application, and that other flaws could be found in the software's source code and be exploited.
"Any exploits in the code are now visible by all. The only hope for Symantec and PCAnywhere is that these days, users typically do not run their home or office computers with the ports required for this product open to the internet. So attacks for this particular product across the internet are minimal. However, hackers always seem to find a way."
ZDNet Australia contacted Symantec, but the company was unable to respond at the time of writing.
However, statements provided by the company indicate that it expects more trouble from hackers.
"So far, they have posted code for the 2006 versions of Norton Utilities and PCAnywhere. We also anticipate that at some point, they will post the code for the 2006 versions of Norton AntiVirus Corporate Edition and Norton Internet Security. As we have already stated publicly, this is old code, and Symantec and Norton customers will not be at an increased risk as a result of any further disclosure related to these 2006 products."