Is It Really the Norton AV Source Code?

Friday, January 06, 2012

Keith Mendoza


As stated in this article Symantec has confirmed that the source code that Yama Tough provided to Infosec Island what is indeed a portion of Norton Anti-virus source code.

Yama Tough also posted on Google+ a link to what they claim to be a portion of NAV source code (since I didn't see the contents of the file(s) provided to Infosec Island I cannot confirm whether the code I have is identical to what Symatec confirmed to be the code).

I have done some analysis of that code and it would appear to be from Symantec based on the copyright information posted at the top of the files.

Due to the sensitivity of this nature, I will not provide detailed information to back up my observation of the floated code. Please note that this is not a detailed analysis of the source code.

First, the code appears to be from an antique version of NAV running on an antique Windows version. If this OS is running in your organization you deserve to get your servers broken into.

Second, and this is the best part, the archive file that Yama Tough floated does not contain any code that does the actual scanning for viruses. That's the good news, now for the part that would keep me awake tonight if I were a developer in the Norton Anti-virus team.

The archive file contains enough code that would make certain parts of Norton Anti-virus, not necessarily downright not work, but send it into a "fat, dumb, and happy" state of operation.

What I mean is NAV could be put in a state where it believes that it did certain actions; but, in reality it was either looking at something else or things not really happening as it thought it should.

This would be like a parent trying to divert their child's attention so they don't start doing things you don't want them to (like my oldest son insisting that he sits on my lap while I was reading the NAV source code).

There's a rather interesting behavior that I'm seeing Yama Tough exhibiting. They seem to be going out of their way to gain publicity. Anonymous may have started this whole trend, but they pretty much did a dump and run.

They never really went out of their way to offer "right of primma notte" or go on publicly posting to sites like Infosec Island. I have two questions about Yama Tough:

First, did they stumble on a honeypot and have realized their mistake, so now they are making lots of noise in the hope that the Indian military intelligence will be careful not to harm them? Or, is this really an Indian government operation in retaliation to US companies slowly moving to China and leaving India?

Cross-posted from Home+Power

Possibly Related Articles:
Information Security
Antivirus Symantec Hacktivist hackers Norton Source Code The Lords of Dharmaraja YamaTough NAV
Post Rating I Like this!
Anthony M. Freed Keith - depends on which sample of code you are referring to. The first one YamaTough provided was from an installer called WhiteSmoke. The second sample provided was enough that someone clever could compile a working version of NAV 2006 in a matter of hours. The question remains as to whether Symantec redesigned the entire NAV product between 2006 and today - as it is clear that they had not between 1998 and 2006 from the leaked materials.
Keith Mendoza I'm looking at all of this from a software engineer's perspective. Unless they chose to basically throw out all code, replaced the NAV development team, and then didn't allow the new group to see any of the old code, then I would say that--at the minimum--the concepts behind this code version could still be in the latest version of NAV. In my experience as a software engineer, code rewrite cannot be practically a complete rewrite unless it's decided that it'll be a complete product from the ground up. I think the reality is that--at the very least--many of the design/architecture concepts may still be in the current version of NAV. Considering NAV's history I doubt that they would have done a complete rewrite of NAV without keeping the foundational concepts that I have seen in the 2 archive packages that I got a hold of. That is what worries me most. If you have an idea of how things are done--even though you don't know the current architecture--you have a good idea of what to look for and can always go from there.

As I said in my post, even if they don't release the complete source package there's enough in there to use as a starting point to do lots of nasty things to NAV. I feel that's what makes this dangerous all together. If the full source code is released, then we can hope for some tunnel vision on the part of anyone willing to take advantage.
Anthony M. Freed I agree with your analysis - I doubt Symantec 'reinvented the wheel' after 2006 - and they have not stated as much either. So then the question (one of many) is how compromised is the NAV product?
Bobby Mann Please, lets keep this in perspective. more details will be released shortly.
Fact: (from insider)
1) Code was 90% rewritten in the consumer product circa 2007/2008 for enhanced performance, update resiliency and protection. It is NOT the same codebase. The enterprise products were also rewritten around that time to start using many of the consumer technologies. Update system was rewriten. Finally, the core backend definition generation system code is secure. That is the secret sauce and as many security experts have already stated, even with the source code you are just looking for vulnerabilities and that is a big job and one that does not need the sourcecode - ever hear of decompilers? Risk to end users is extremely low.
Anthony M. Freed Mr. Mann - I hope what you state about the 90% rewritten code is true, I really do. As you were previously adamant about YamaTough having to "put up or shut up" by producing some evidence, I would like to ask you to do the same regarding the factoid you have offered. It seems that if this were the case, in all likelihood Symantec would have said as much in their statements to Infosec Island and the rest of the press. Just sayin...
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.