Symantec told a hacker group that it would pay $50,000

As part of a sting operation, Symantec told a hacker group that it would pay $50,000 to keep the source code for some of its flagship security products off the Internet, the company confirmed to CNET this evening.

An e-mail exchange revealing the extortion attempt posted to Pastebin (see below) today shows a purported Symantec employee named Sam Thomas negotiating payment with an individual named “Yamatough” to prevent the release of PCAnywhere and Norton Antivirus code. Yamatough is the Twitter identity of an individual or group that had previously threatened to release the source code for Norton Antivirus.

“We will pay you $50,000.00 USD total,” Thomas said in an e-mail dated last Thursday. “However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.”
A Symantec representative confirmed the extortion attempt to CNET in this statement:

In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.

However, after weeks of discussions regarding proof of code and how to transfer payment, talks broke down and the deal was never completed. A group called AnonymousIRC tweeted this evening that it would soon release the data. “#Symantec software source codes to be released soon. stay tuned folks!!! #Anonymous #AntiSec #CockCrashed #NortonAV.”
Apparently after weeks of discussions, Yamatough’s patience was wearing thin, leading to an ultimatum:

“If we dont hear from you in 30m we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Dont f*** with us.”

The exchange gets contentious at times, with Yamatough suggesting that Symantec was trying to track the source of the e-mails:

“If you are trying to trace with the ftp trick it’s just worthless. If we detect any malevolent tracing action we cancel the deal. Is that clear? You’ve got the doc files and pathes [sic] to the files. what’s the problem? Explain.”

Another e-mail, with the subject line “say hi to FBI,” accuses the company of being in contact with the federal law enforcement agency, a charge Thomas denied. “We are not in contact with the FBI,” he wrote, falsely. “We are using this email account to protect our network from you. Protecting our company and property are our top priorities.”
Yamatough demanded that Symantec transfer the money via Liberty Reserve, a payment processor based in San Jose, Costa Rica. But Thomas appears reluctant, calling it “more complicated than we expected.” Thomas instead suggests using PayPal to transmit a $1,000 test as “a sign of good faith.” Yamatough rejects that offer, saying, “Do not send us any money (we do not use paypal period) do not send us any 1k etc. We can wait till we agree on final amount.”
Liberty Reserve did not immediately respond to a request for comment.
The posted thread ends with an exchange today with the subject line “10 minutes” that threatens to release the code immediately if Symantec doesn’t agree to use the payment processor to transfer the funds:

“Since no code yet being released and our email communication wasnt also released we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus totaling 2350MB in size (rar) 10 minutes if no reply from you we consider it a START this time we’ve made mirrors so it will be hard for you to get rid of it.”

Thomas’ response, apparently the last of the discussion, is brief: “We can’t make a decision in ten minutes. We need more time.”
Symantec admitted in mid-January that a 2006 security breach of its networks led to the theft of the source code, backtracking on earlier statements that its network had not been hacked. The security software maker initially said a third party was responsible for allowing the theft of 2006-era source code for Norton Antivirus Corporate Edition, Norton Internet Security, Norton SystemWorks (Norton Utilities and Norton GoBack), and PCAnywhere.

Symantec said that most of its customers were not in any increased danger of cyberattacks as a result of the code’s theft but that users of its remote-access suite PCAnywhere may face a “slightly increased security risk.”
Symantec instructed its PCAnywhere users in late January to disable the product until the company could issue a software update to protect them against attacks that could result from the theft of the product’s source code.
The theft came to light in early January when hackers claimed that they had accessed the source code for certain Symantec products, which Symantec identified as Symantec Endpoint Protection (SEP) 11.0 and Symantec Antivirus 10.2. Evidence at the time suggested that hackers found the code after breaking into servers run by Indian military intelligence.
A hacker group calling itself Yama Tough and employing the mask of hacktivist group Anonymous in its Twitter avatar said in a tweet last month that it would release 1.7GB of source code for Norton Antivirus, but the group said in a later tweet that it had decided to delay the release.

Update at 9:15 p.m.: A 1.2GB file labeled “Symantec’s pcAnywhere Leaked Source Code” has been posted to The Pirate Bay. CNET has asked Symantec whether the code is authentic. The story will be updated when Symantec responds.