Hackers operating under the banner of Anonymous and another related Indian hacker group on Monday night dumped the source code of a program made by Symantec, one of the world’s largest antivirus software firms and the maker of the popular “Norton” brand of anitvirus programs.
Intriguingly, the dump, which was claimed by the hacker group Lords of Dharamaja, contained several weeks of email correspondence between a purported hacker and someone who said they were a Symantec employee, revealing what appears to be a pretty clear-cut case of extortion on the part of the hacker, but also a stated willingness by the supposed Symantec employee to pay $50,000 to the hacker in exchange for destroying their copy of the code.
Except now that the emails are out, both sides are saying that they were bluffing all along: Symantec claims there was no such employee and that it was a decoy account set up by a law enforcement agency to snare Anonymous, and the hacker claims he or she was attempting to expose Symantec’s shady practices all along.
First, to the emails:
“How much do you consider ENOUGH to pay us in order to work all the issues out?” asked the alleged hacker “Yamatough,” in an email to Symantec dated January 25, 2012, “Name the price, Clock’s tikin.”
“We will pay you $50,000.00 USD total,” reads a subsequent response from the supposed Symantec employee, “Sam Thomas,” who added, “However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.”
Yamatough responded by canceling the deal, writing “our offshore people wont let us securely get the money because they wont process amounts less than 50k a shot,” later voicing suspicions that the Sam Thomas account was disingenuous, writing: “Say hi to FBI agents.”
Thomas responded with an email saying, “We are not in contact with the FBI,” and again offering to pay the $50,000 in installments, but the hacker refused to bite.
Instead, “Yamatough” gave Symantec 10 minutes to pay them on the evening of February 6, threatening to release the source codes to PCAnywhere and Norton Antivirus.
As it turned out, the hacker wasn’t bluffing on that account, and the source code to PCAnywhere was posted online on The Pirate Bay and Pastebin with the accompanying text: “‘Symantec has been lying to its customers. We exposed this point thus spreading the world that ppl need’ - #AntiSec #Anonymous.”
Symantec confirmed the apparent extortion attempt to CNET on Monday night.
Symantec spokesman Chris Paden earlier told Reuters on January 17 that hackers had indeed compromised the antivirus company’s security in a 2006 attack and obtained the source codes to “Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack and PCAnywhere.” Symantec has been patching PCAnywhere in response to the hacks since January 27 and says it is safe, if all the recommended patches have been installed.
Syamtec’s Paden did further damage control early Tuesday morning, explaining to Forbes that the “Sam Thomas” account was, in the words of Forbes, “the false name created by law enforcement agents who pretended to pursue the negotiations only to attempt to trace the hackers. The entire conversation had been a ruse.”
As Paden continued:
“Anonymous has been talking to law enforcement, not to us,” Paden says. “No money was exchanged, and there was never going to be any money exchanged. It was all an effort to gather information for the investigation.”
“Paden wouldn’t say which law enforcement agency was involved,” pointed out Sean Gallagher at Ars, while Computerworld’s Darlene Storm tracked the staggering number of times Symantec had changed its story about the hacking since January.
Symantec, though told the UK Inquirer that “Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.”
Yamatough later took to Twitter on Tuesday to voice suspicions that the “Sam Thomas” account was operated by Paden himself: “The real sting sends money and bust the crooks at the cash pickup =) it wasn’t feds - it was slimey Paden UNEMPLOYED =),” tweeted Yamatough. Yamatough also promised to release the Norton Antivirus sourcecode later in the day.
Indeed, Paden also expects as much, telling Network World that the source code for the other products will likely be posted soon, but that Symantec doesn’t foresee any security risks, given that two of the products — Norton Antivirus Corporate Edition and Norton Systemworks — no longer exist.