pcAnywhere Compromised: Disable Immediately!

    January 25, 2012
    Mike Tuttle

On January 4, Anonymous tweeted that an Indian hacker group had posted Symantec source code to Pastebin.

In response to this warning, Symantec has issued a security white paper (pdf) recommending that all users of pcAnyhwere disable the software until further notice.

“Upon investigation of the claims made by Anonymous regarding source code disclosure, Symantec believes that the disclosure was the result of a theft of source code that occurred in 2006. We believe that source code for the 2006-era versions of the following products was exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere.”

pcAnywhere is a Norton product that allows for direct PC to PC communication.If the ctolen source code is actually released, the damage to networks that use pcAnywhere could be considerable.

More detailed information from the white paper:

Our current analysis shows that all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk, as well as customers with prior, unsupported versions of the product. pcAnywhere is also bundled in three Symantec products, Altiris Client Management Suite and Altiris IT Management Suite versions 7.0 or later, and Altiris Deployment Solution with Remote v7.1. In addition, customers with earlier versions of Altiris suites may have opted to leverage pcAnywhere. The increased risk is isolated to the pcAnywhere components only. There are no known impacts to the rest of the components in the Altiris products or the pcAnywhere Solution component that provides integration between pcAnywhere and the Symantec Management Console. Customers should validate the remote control tools currently in use.

There are also secondary risks associated with this situation. If the malicious user obtains the cryptographic key they have the capability to launch unauthorized remote control sessions. This in turn allows them access to systems and sensitive data. If the cryptographic key itself is using Active Directory credentials, it is also possible for them to perpetrate other malicious activities on the network.

In an internal pcAnywhere environment, if a network sniffer was in place on a customer’s internal network and the attacker had access to the encryption details, the pcAnywhere traffic could be intercepted and decoded. This implies that a customer either has a malicious insider who planted the network sniffer or has an unknown Botnet operating in their environment. As always, security best practices are encouraged to mitigate this risk.

Since pcAnywhere exchanges user login credentials, the risk exists that a network sniffer or Botnet could intercept this exchange of information but even then it would be a difficult task to actually interpret the data even if the pcAnywhere source code is actually released. For environments with remote users, this credential exchange introduces an additional level of exposure to external attacks.