Information Security News mailing list archives
New account of Microsoft attack
From: William Knowles <wk () C4I ORG>
Date: Sat, 28 Oct 2000 20:24:24 -0500
http://www.msnbc.com/msn/482011.asp
Oct. 29, 2000

[Spin control from the same folks that have in the past let the marketing department discuss security problems? -WK]

The intruder who broke into Microsoft's internal network may have done so through an employee's home machine connected to the network, Microsoft officials told the New York Times. In a report published Sunday, the software company's corporate security officer also told the Times that the break-in was first noticed when irregular new accounts began appearing more than a week ago.

MICROSOFT ACKNOWLEDGED on Friday that its security had been breached and that outsiders using a "Trojan horse" virus had gotten a look at but did not corrupt a valuable software blueprint, or "source code," for a computer program under development. (MSNBC is a Microsoft-NBC joint venture.)

In hacking terms, a trojan is quite similar to the Trojan Horse of Greek mythology. It looks like a normal attachment in an e-mail, such as a Word document or picture, but it contains hidden code that can, in effect, take limited control of the recipient's computer. Once inside, the virus can be used to deliver passwords from one computer to another or even destroy files.

The Washington Post, citing a source close to the investigation, reported Saturday that the targeted material was related to Microsoft's .NET strategy, a sweeping plan to build the Internet into all its software.

Contrary to earlier reports and information that Microsoft itself had provided, the episode spanned only one week, not six, the Times reported Sunday. Howard Schmidt, the company's corporate security officer, told the Times on Saturday that the confusion stemmed from initial uncertainty over whether routine virus incidents in September were related. They had now "definitively" ruled out any connection, he said.

Microsoft officials declined to discuss in detail with the Times the method used, but said the intruder did not directly attack the software company's computer networks. But in describing one possible chain of events, they said the intruder entered through an employee's home machine, which was connected to the company's network.

Schmidt told the Times his staff first noticed the problem on Oct. 17, when they noticed new accounts "being created that did not match our normal audit logs." Schmidt and his staff then monitored the intruder for two days as he or she created new accounts with varying degrees of access to the network. It was during that time, Microsoft said, that the intruder came across the source code for the computer program under development. Microsoft said it was not part of the company's core products.

At first Microsoft decided simply to deny access to the trespasser, and shut down the new accounts on Oct. 20, a Friday, Schmidt said. But the intruder returned on Monday through the same route and created more accounts. On Tuesday, Schmidt told the Times, the company shut down all the new accounts and alerted law enforcement officials on Wednesday. The attack is currently being investigated by the FBI.

The Wall Street Journal, which first reported the attack on Friday, said Microsoft security personnel discovered the break-ins after detecting passwords being sent to an e-mail account in St. Petersburg, Russia. Russia is known as a haven for criminal hackers who, among other exploits, have been fingered for stealing millions of dollars from banking networks. There was no mention of a Russian connection in the Times' story Sunday. The Journal also reported that electronic logs showed that the internal passwords had been used to transfer source code outside Microsoft's Redmond headquarters.

That was denied by Schmidt in his account to the Times, who said there was no such record of a transfer, and that it was highly unlikely the intruder did more than get a brief look at the code.

WELL-KNOWN WORM VIRUS

A person familiar with the break-in told The Journal that it appeared the hackers accessed Microsoft's system by e-mailing software, called QAZ Trojan, to the company's network and then opening a so-called back door through the infected computer. The account given by Microsoft officials to the Times also cited the use of QAZ Trojan.

Computer security experts said QAZ was a well-known worm virus that first surfaced in China several months ago. Major anti-virus software makers updated their programs to identify QAZ by mid-July, raising the question of whether a Microsoft employee disabled the antivirus software and then inadvertently let the Trojan horse get through.

"This is very worrying [that Microsoft has been hit], because we have had detection for it for three months, and we regard it only as a medium threat" rather than a new, high-risk virus, said Raimond Genes of the Japan-based computer security company Trend Micro.

Microsoft spokesman Rick Miller said the company was investigating how the hackers were able to gain access to its computer network, an act he termed "a deplorable act of industrial espionage." Another company spokesman, Matt Pilla, said the company was "taking some very aggressive steps" to secure its network in light of the intrusion.

ANALYSTS: DAMAGE COULD BE SERIOUS

While Microsoft officials downplayed the long-term significance of the attack, some analysts said that if the code was copied and disseminated the long-term impact could be significant.

"For Microsoft, that's a significant loss of intellectual property and a significant loss of a competitive edge," said Simon Perry, a computer security expert with Computer Associates of Islandia, N.Y. "What we would expect is that code now either will appear on the Internet or it will be sold off to the highest bidder, probably overseas."

Microsoft's source codes are the most coveted in the multibillion-dollar industry. With access to them, competitors could write programs and challenge Microsoft's products. Hackers also could use the codes to identify software flaws, making break-ins and virus-writing easier. Microsoft has shared parts of its source code with partners, but it has kept the vast majority of the data secret.

But company officials said the program affected won't be finished for years and will go through many changes before then. "This situation appears to be much narrower than originally reported" Friday by The Wall Street Journal, the company said in a statement Friday. "Our investigation shows no evidence that the intruder gained access to the source code for our major products, such as Windows Me, Windows 2000 or Office."

FBI INVESTIGATING

While no motive for the break-in has been disclosed, hackers in the past have tried to hold companies for ransom after accessing information from their computers and threatening to publish it on the Internet. Others have cracked computer systems just for the notoriety of defeating complex security barriers.

Hacking experts with the FBI's National Infrastructure Protection Center are taking the lead on the investigation. Prosecutors with the Justice Department's computer crimes section will help determine what crimes may have been committed. The FBI is now poring over log files and tracking leads, but no firm suspects or motive have been identified yet, sources familiar with the investigation said. The Post, citing a source close to the investigation, reported Saturday that there was no evidence that a competitor was involved or that Microsoft had received a ransom note or other contact regarding stolen code.

The world has become increasingly familiar with destructive viruses over the past two years as Melissa in 1999 and the Love Bug this year infected millions of computers, bringing some business communications to a grinding halt. While the Melissa attack immediately made itself known by propagating itself into huge volumes of outgoing e-mail messages, computer security experts long have feared a more stealthy virus, or "worm," that could lurk in the background, doing its damage invisibly.

Microsoft's software has long been a favorite target of hackers, many of whom criticize its security features as being inadequate. But this breach of the company's network is the first time intruders have been known to overcome the company's corporate defenses, which are believed to be state of the art.

"We've been forecasting worm-based industrial espionage to happen for quite some time," said Mikko Hyppönen, anti-virus researcher for F-Secure Corp. "It has finally happened. I'm just surprised it happened at the top."

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen. Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
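The detection Schmidt describes, new accounts "being created that did not match our normal audit logs" and the intruder later returning "through the same route", written as a small Python review over audit events. This is an added illustration, not code from the article or from Microsoft; the event format, host names and the approved-source list are constructed assumptions.

```python
"""Flag account creations that fall outside an approved provisioning baseline.

Constructed example: the audit events and the set of hosts allowed to create
accounts are assumptions, not data from the article.
"""
from collections import defaultdict

# Constructed audit events: (timestamp, event, account, source_host).
AUDIT_LOG = [
    ("2000-10-16 09:02", "account_created", "svc-build02", "hr-provisioning"),
    ("2000-10-17 02:41", "account_created", "tmp_admin1", "home-pc-17"),
    ("2000-10-17 02:55", "account_created", "tmp_admin2", "home-pc-17"),
    ("2000-10-20 17:10", "account_disabled", "tmp_admin1", "secops-console"),
    ("2000-10-20 17:10", "account_disabled", "tmp_admin2", "secops-console"),
    ("2000-10-23 03:12", "account_created", "tmp_admin3", "home-pc-17"),
]

# Hosts allowed to create accounts under the normal process (assumed baseline).
APPROVED_SOURCES = {"hr-provisioning", "secops-console"}


def review_account_events(events, approved=APPROVED_SOURCES):
    """Return (severity, source_host, account, timestamp) findings.

    'unexpected': an account created from a host outside the baseline.
    'returned':   that same unapproved host creates accounts again after
                  accounts it created were disabled, the pattern in the story.
    """
    findings = []
    created_by = defaultdict(set)   # source_host -> accounts it created
    disabled = set()
    for ts, event, account, src in sorted(events):
        if event == "account_disabled":
            disabled.add(account)
        elif event == "account_created" and src not in approved:
            sev = "returned" if created_by[src] & disabled else "unexpected"
            findings.append((sev, src, account, ts))
            created_by[src].add(account)
    return findings


if __name__ == "__main__":
    for finding in review_account_events(AUDIT_LOG):
        print("%-10s source=%s account=%s at %s" % finding)
```

Disabling the accounts alone, as the article notes, did not close the route they came in by; the "returned" severity is there to make that second wave stand out rather than look like a fresh anomaly.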
Current thread:
- New account of Microsoft attack William Knowles (Oct 30)