Norton Gets A Bit Less Secure

Hacker attacks on its antivirus software could hurt Symantec's premium brand

What's the newest security threat lurking on your PC? It's not the spam sitting in your inbox luring you to fake Web sites. Or the keystroke-logging malware recording your passwords. It's holes in the software designed to protect you from all that. It's true: Hackers, bored with attacking Microsoft (MSFT ), are going after Symantec Corp. (SYMC ), whose Norton products are the first line of defense on 50 million PCs worldwide. Says Ralph R. Echemendia, an info-tech security instructor at Vigilar's Intense School, a Ft. Lauderdale security training institute: "They've become a new target."

That's bad news for a company trying to differentiate itself from rivals -- including Microsoft Corp., which rolled out two security products on Nov. 29 -- by positioning itself as a premium brand that charges top dollar. "The danger is you turn off consumers," says Andrew Jaquith of market researcher Yankee Group.

How big is the threat to Symantec and its customers? Already, hackers are bypassing or disabling Symantec software in their efforts to access personal information or spread viruses and worms. And there's mounting evidence that hackers are trying to use Symantec software as an actual gateway into corporate servers and PCs. A Nov. 22 report by the SANS Institute, a computer-security watchdog, showed a tenfold increase in attempts to exploit a flaw in a Symantec data-protection program after it was disclosed in May.

Symantec's ubiquity -- a 64% share of the consumer antivirus market -- has made it a prime target. By contrast, rival McAfee Inc., with just 15.7% of the market, according to IDC Research Inc., is experiencing fewer attacks. At the same time, hackers are becoming increasingly sophisticated. Exhibit A: Golden Hacker Defender Forever, Web-based software that promises to cloak any malicious code so that it won't be found by leading antivirus packages. For an extra $125, hackers can even buy "antivirus support," regular updates to the cloaking code designed to stay one step ahead of similar hacker-fighting updates put out by Symantec and others.

Symantec contends it has the wherewithal to take on the hackers. The company has more than 100 researchers combing cyberspace to figure out where hackers are going next and how to protect its customers. "The issue is, when a vulnerability [is found], how quickly do you respond?" says Symantec Chairman and CEO John W. Thompson. "If by some quirk of fate we discover a problem, like firefighters we move quickly to address it." Symantec sends out patches within 28 hours of a vulnerability being exposed, which compares favorably with an average of 51 days for most software firms.


But in a world of industrial-scale hacking, that might not be fast enough. According to, a German virus tracker, Symantec's average response time for the 12 major virus outbreaks during the first half of 2005 was 10 hours, 48 minutes. McAfee scored slightly better with 9 hours, 29 minutes. F-Secure Corp., a Finnish security firm, took 2 hours, 37 minutes. "[A few hours] make a world of difference," says F-Secure President and Chief Executive Risto Siilasmaa. "Viruses infect PCs exponentially."

The threat arrives at a time when Symantec is under unprecedented pressure. While the company continues to sell most of its consumer products through computer stores, late last year McAfee and other rivals began distributing their software through Internet service providers, which give it to subscribers for free. Microsoft's entry into the market is sure to up the price pressure. In an attempt to diversify beyond the increasingly competitive security business, Symantec a year ago bought storage-software maker Veritas. But many investors viewed the $10 billion acquisition as an awkward fit. That perception, and the company's warning on Nov. 1 that revenues in fiscal '06 would be lower than expected, have battered the stock, which, at about $18, is 47% off its 52-week high.

CEO Thompson vows not to be drawn into a price war. Let McAfee target customers lacking even the most basic antivirus software, he says. Symantec is focusing on a more sophisticated suite of security products with fatter margins. But customers will only keep paying up if Symantec is seen as the premier brand. If hackers continue their onslaught, security vulnerabilities could be the least of Thompson's problems.

By Sarah Lacy, with Brian Grow in Atlanta

    Before it's here, it's on the Bloomberg Terminal.