Information Security News mailing list archives

How MS Helped With Own Hack


From: William Knowles <wk () C4I ORG>
Date: Sat, 28 Oct 2000 20:42:25 -0500

http://www.wired.com/news/culture/0,1284,39805,00.html

by Michelle Delio
12:00 p.m. Oct. 27, 2000 PDT

The Qaz worm used to hack into Microsoft's servers on Thursday was not
a particularly elegant piece of coding, but Shakespeare would have
loved it.

As in, Bill Gates was hoisted with his own petard.

Qaz, as it turns out, was written in the company's own programming
language: Microsoft Visual C++.

Security experts say an equally efficient worm could have been written
in another programming language, but Visual C++ is rapidly becoming
the hacking program of choice.

It's relatively easy to learn Visual C programming, and rogue programs
created with C++ are compatible with the majority of applications used
by corporations.

So, it's more ironic than anything that Qaz was used for the latest
Microsoft hack.

"Do I think it was written in C++ specifically to mock Microsoft? No,"
said David Anderson, of Anderson Consulting (a small, freelance
consulting firm not to be confused with the much larger Andersen
Consulting).

"But do I think it's amusing that their own application was indirectly
used to attack them? Yes. God, I hate to admit it, but it made me
smile," Anderson added.

"It is interesting in a kind of cruel way that Microsoft has been
eaten by the monsters it created," said Andrew Antipass, a security
consultant.

But Antipass said he finds it more interesting that Microsoft
obviously stored valuable source code on a very accessible server.

"I tell my clients to isolate all valuable information off the
network. There's something about this whole Microsoft hack that
doesn't make sense. Either they thought they were invincible, or they
left a door very open for reasons I can't even begin to guess at."

Jonathan Addams, a freelance security consultant, says that virtually
any firewall can be bypassed if the organization behind that firewall
has "the Outlook e-mail program, a Windows NT box as the server and
just one dim employee."

He wasn't surprised to learn that the worm was written in Visual C++.

"Microsoft products are in wide use," Addams said. "The cracks that
are directed at Microsoft products are partly because they are so
popular. Why crack something that's obscure?"

Addams said that this crack is more about people "being stupid" and
opening e-mail attachments -- and systems administrators "being too
lazy" to apply fixes for known problems -- than it is an issue with
the security levels of Microsoft's products.

The Qaz worm was identified in August. It is a network worm with
backdoor capabilities, which allows an attacker entry into an infected
computer system. Once a system has been breached by the worm, it is
possible to grab passwords off the server logs and use those passwords
to enter into other sections of the server.

The worm was considered to be of moderate risk, since it wasn't
spreading quickly and there was a fix for it available at security
sites such as F-Secure.

Addams said he was troubled by the fact that the crackers had access
to the MS network for three months.

"You'd think someone would have looked at the log, seen unusual
activity and caught it in a day or two," Addams said. "There would
have been significant and odd activity on their servers when this was
happening."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com