Symantec's Code Red: The Law Enforcement/Anonymous E-Mail Exchange

Closer Look At Anonymous' Attempted Symantec Extortion

Symantec disclosed this week that a person claiming to be from the Anonymous group Lords of Dharmaraja in India tried to extort $50,000 from the company in exchange for not releasing on the Internet product code stolen from the company in 2006. Negotiations between the extortionist, who went by the moniker Yama Tough, and law enforcement posing as Symantec executive Sam Thomas started in mid-January and broke down Feb. 6. Negotiations started shortly after the group released source code for 2006 versions of Norton Utilities and pcAnywhere and threatened to release more code from other products.

What follows is the piecing together of the e-mail thread of the negotiations that appeared on the Internet, apparently from Anonymous.

Early Negotiations

From the start, law enforcement officials from an unidentified agency appeared to stall for time, presumably working behind the scenes to trace the whereabouts of the Anonymous group's negotiator. Following the group's request for money, law enforcement officials posing as Sam Thomas said: "Have to check with finance people. We will contact you tomorrow."

Transferring Code Files

Negotiations later turned to discussions on how Yama Tough and his group could send files containing the code to Symantec. Law enforcement officials suggested the files go to a Google Gmail account, since Symantec's network wouldn't take such large files. Yama Tough later said the Gmail account also rejected the attachments.

Law Enforcement: The Gmail account and the internal account are deleting the attachments. Working on another way to get these from you. Hopefully will have a solution over the weekend or on Monday (Jan. 23).

Two days later.

Yama Tough: It's Monday...

The FTP Trick

Law enforcement officials then claimed to be setting up a secure FTP site that would be ready in a couple of days to accept the files. The plan brought a warning from Yama Tough.

Yama Tough: If you are trying to trace with the ftp trick, it's just worthless. If we detect any malevolent tracing action, we cancel the deal. Is that clear?

You Have 30 Minutes

The exact timeline is difficult to piece together, but at some point law enforcement officials complain of network problems in setting up a stand-alone computer for the FTP file transfer. Yama Tough's patience appears to be wearing thin.

Yama Tough: If we don't hear from you in 30 minutes, we make an official announcement and put your code on sale at auction terms. We have many people who are willing to get your code. Don't f--- with us.

The Anonymous Rule

The deadline led to complaints from law enforcement officials that they weren't trying to trick anyone. They just needed more time.

Yama Tough: We have a rule -- and we always follow it: If you are the owner, you have the right to be the first one asked. That is why we kept silent at the time of negotiating with you. We stick to the word given and nothing is going to happen to the code, if we complete the deal. Were we not that way, we would have already sold your code to that willing many.

Name The Price

The conversation soon turned to how much Symantec was willing to pay for the code.

Yama Tough: So, you told us a week ago that you've being requesting a response from Fin dprtmnt. We got no answer for the below question: How much do you consider enough to pay us in order to work all the issues out? Name the price. Clock's tikin.

Liberty Reserve

Discussions eventually turn to the use of the payment processor Liberty Reserve to send the money. Law enforcement asks for the offshore account where the money should be sent. Yama Tough responds that the money will be transferred from one Liberty Reserve account to another. Yama Tough also says that a bank account in Lithuania or Latvia is an option.

Yama Tough: We are afraid if you can not comply we proceed with the release.

No Guarantees

At one point in the talks, law enforcement asks what assurances the group can provide that once paid, it will destroy the code and not ask for more money.

Yama Tough: What are the guarantees that we won't come back for more? None of course. You have to trust us on this one, if we were really bad guys we would have already released or sold your code at the time of exchanging emails with you which is almost a month and we kept silent all that time and stuck to our word given to you. So no guarantees. Trust us. We won't come back and won't manipulate the code. At least it is worth a try and we assure you we are man of honor. We keep our promise.

The $50,000 Promise

A day or two later, officials say they would like to send $1,000 through Liberty Reserve but it's complicated. They suggest PayPal.

Law Enforcement: We will pay you $50,000 USD total. However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain. You know how the corporate environment works and we have to treat this like a business transaction.

The deal is eventually rejected.

Yama Tough: I am afraid we have to cancel the whole deal because our offshore people won't let us securely get the money because they won't process amounts less than 50k a shot. Therefore we are afraid we cannot proceed with you on the conditions offered.

Time Runs Out

The e-mail thread ends several days later with Yama Tough setting a 10-minute deadline. It's not clear exactly why, but the deadline appears to be for deciding how the money will be transferred.

Yama Tough: We give you 10 minutes to decide which way you go. After that, two of your codes fly to the moon pcAnywhere and Norton Antivirus total 2350MB in size. 10 minutes. If no reply from you, we consider it a start. This time we've made mirrors, so it will be hard for you to get rid of it.

Law Enforcement: We can't make a decision in 10 minutes. We need more time.