Information Security News mailing list archives

New account of Microsoft attack


From: William Knowles <wk () C4I ORG>
Date: Sat, 28 Oct 2000 20:24:24 -0500

http://www.msnbc.com/msn/482011.asp

Oct. 29, 2000

[Spin control from the same folks who have in the past let the
marketing department discuss security problems? -WK]

The intruder who broke into Microsoft's internal network may have done
so through an employee's home machine connected to the network,
Microsoft officials told the New York Times. In a report published
Sunday, the software company's corporate security officer also told
the Times that the break-in was first noticed when irregular new
accounts began appearing more than a week ago.

MICROSOFT ACKNOWLEDGED on Friday that its security had been breached
and that outsiders using a "Trojan horse" virus had gotten a look at
but did not corrupt a valuable software blueprint, or "source code,"
for a computer program under development.

(MSNBC is a Microsoft-NBC joint venture.)

In hacking terms, a trojan is quite similar to the Trojan Horse of
Greek mythology. It looks like a normal e-mail attachment, such as a
Word document or picture, but it contains hidden code that can, in
effect, take limited control of the recipient's computer. Once inside,
the virus can be used to deliver passwords from one computer to
another or even destroy files.

The Washington Post, citing a source close to the investigation,
reported Saturday that the targeted material was related to
Microsoft's .NET strategy, a sweeping plan to build the Internet into
all its software.

Contrary to earlier reports and information that Microsoft itself had
provided, the episode spanned only one week, not six, the Times
reported Sunday. Howard Schmidt, the company's corporate security
officer, told the Times on Saturday that the confusion stemmed from
initial uncertainty over whether routine virus incidents in September
were related. They had now "definitively" ruled out any connection, he
said.

Microsoft officials declined to discuss in detail with the Times the
method used, but said the intruder did not directly attack the
software company's computer networks. But in describing one possible
chain of events, they said the intruder entered through an employee's
home machine, which was connected to the company's network.

Schmidt told the Times his staff first noticed the problem on Oct. 17,
when they saw new accounts "being created that did not match our
normal audit logs." Schmidt and his staff then monitored the intruder
for two days as he or she created new accounts with varying degrees of
access to the network. It was during that time, Microsoft said, that
the intruder came across the source code for the computer program
under development. Microsoft said it was not part of the company's
core products.

At first Microsoft decided simply to deny access to the trespasser,
and shut down the new accounts on Oct. 20, a Friday, Schmidt said. But
the intruder returned on Monday through the same route and created
more accounts. On Tuesday, Schmidt told the Times, the company shut
down all the new accounts and alerted law enforcement officials on
Wednesday. The attack is currently being investigated by the FBI.
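The check that surfaced this intrusion, reconciling account-creation events against the approved provisioning record and flagging accounts created by other unapproved accounts, as an added example that is not part of the article or of Microsoft's own tooling. The event format, account names, ticket numbers and the three-day approval window are all constructed.

```python
from datetime import datetime, timedelta

# Constructed account-creation events, as a directory service might audit them.
CREATION_EVENTS = [
    {"ts": "2000-10-17T02:14:00", "actor": "svc-backup", "new_account": "tmpadm1"},
    {"ts": "2000-10-17T09:30:00", "actor": "helpdesk02", "new_account": "jsmith"},
    {"ts": "2000-10-18T03:05:00", "actor": "tmpadm1", "new_account": "tmpadm2"},
    {"ts": "2000-10-18T14:10:00", "actor": "helpdesk02", "new_account": "rlee"},
]

# Constructed provisioning record: which accounts were approved, for which
# creating account, under which ticket, and when the approval was granted.
APPROVED_PROVISIONING = [
    {"new_account": "jsmith", "actor": "helpdesk02", "ticket": "HD-1041", "approved": "2000-10-16T17:00:00"},
    {"new_account": "rlee", "actor": "helpdesk02", "ticket": "HD-1052", "approved": "2000-10-18T13:00:00"},
]

PROVISIONING_ACTORS = {"helpdesk02"}  # accounts allowed to create accounts (constructed)
APPROVAL_WINDOW = timedelta(days=3)    # creation must follow approval within this window

def audit_account_creations(events, approvals, allowed_actors, window=APPROVAL_WINDOW):
    """Return one finding per creation event that the provisioning record does not explain."""
    by_account = {a["new_account"]: a for a in approvals}
    findings = []
    for ev in events:
        created = datetime.fromisoformat(ev["ts"])
        reasons = []
        if ev["actor"] not in allowed_actors:
            reasons.append(f"actor {ev['actor']!r} is not a provisioning account")
        approval = by_account.get(ev["new_account"])
        if approval is None:
            reasons.append("no approval ticket for this account")
        else:
            if approval["actor"] != ev["actor"]:
                reasons.append(f"approved for {approval['actor']!r}, created by {ev['actor']!r}")
            approved_at = datetime.fromisoformat(approval["approved"])
            if not (approved_at <= created <= approved_at + window):
                reasons.append("created outside the approval window")
        if reasons:
            findings.append({"new_account": ev["new_account"], "actor": ev["actor"], "reasons": reasons})
    return findings

def creation_chain(findings):
    """Accounts created by an account that is itself a finding: an intruder
    bootstrapping further access from earlier unauthorised accounts."""
    suspect = {f["new_account"] for f in findings}
    return [f["new_account"] for f in findings if f["actor"] in suspect]
```

Run over a real directory audit trail, the chain output is the first thing to hand to incident response, since every account in it was created by one that should not exist.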

The Wall Street Journal, which first reported the attack on Friday,
said Microsoft security personnel discovered the break-ins after
detecting passwords being sent to an e-mail account in St. Petersburg,
Russia. Russia is known as a haven for criminal hackers who, among
other exploits, have been fingered for stealing millions of dollars
from banking networks. There was no mention of a Russian connection in
the Times' story Sunday.

The Journal also reported that electronic logs showed that the
internal passwords had been used to transfer source code outside
Microsoft's Redmond headquarters. That was denied by Schmidt in his
account to the Times, who said there was no such record of a transfer,
and that it was highly unlikely the intruder did more than get a brief
look at the code.

WELL-KNOWN WORM VIRUS

A person familiar with the break-in told The Journal that it appeared
the hackers accessed Microsoft's system by e-mailing software, called
QAZ Trojan, to the company's network and then opening a so-called back
door through the infected computer. The account given by Microsoft
officials to the Times also cited the use of QAZ Trojan.

Computer security experts said QAZ was a well-known worm virus that
first surfaced in China several months ago. Major anti-virus software
makers updated their programs to identify QAZ by mid-July, raising the
question of whether a Microsoft employee disabled the antivirus
software and then inadvertently let the Trojan horse get through.

"This is very worrying [that Microsoft has been hit], because we have
had detection for it for three months, and we regard it only a medium
threat" rather than a new, high-risk virus, said Raimond Genes of the
Japan-based computer security company Trend Micro.

Microsoft spokesman Rick Miller said the company was investigating how
the hackers were able to gain access to its computer network, an act
he termed "a deplorable act of industrial espionage."

Another company spokesman, Matt Pilla, said the company was "taking
some very aggressive steps" to secure its network in light of the
intrusion.

ANALYSTS: DAMAGE COULD BE SERIOUS

While Microsoft officials downplayed the long-term significance of the
attack, some analysts said that if the code was copied and
disseminated the long-term impact could be significant.

"For Microsoft, that's a significant loss of intellectual property and
a significant loss of a competitive edge," said Simon Perry, a
computer security expert with Computer Associates of Islandia, N.Y.
"What we would expect is that code now either will appear on the
Internet or it will be sold off to the highest bidder, probably
overseas."

Microsoft's source codes are the most coveted in the
multibillion-dollar industry. With access to them, competitors could
write programs and challenge Microsoft's products. Hackers also could
use the codes to identify software flaws, making break-ins and
virus-writing easier. Microsoft has shared parts of its source code
with partners, but it has kept the vast majority of the data secret.

But company officials said the program affected won't be finished for
years and will go through many changes before then. "This situation
appears to be much narrower than originally reported" Friday by The
Wall Street Journal, the company said in a statement Friday. "Our
investigation shows no evidence that the intruder gained access to the
source code for our major products, such as Windows Me, Windows 2000
or Office."

FBI INVESTIGATING

While no motive for the break-in has been disclosed, hackers in the
past have tried to hold companies for ransom after accessing
information from their computers and threatening to publish it on the
Internet.

Others have cracked computer systems just for the notoriety of
defeating complex security barriers.

Hacking experts with the FBI's National Infrastructure Protection
Center are taking the lead on the investigation. Prosecutors with the
Justice Department's computer crimes section will help determine what
crimes may have been committed.

The FBI is now poring over log files and tracking leads, but no firm
suspects or motive have been identified yet, sources familiar with the
investigation said.

The Post, citing a source close to the investigation, reported Saturday
that there was no evidence that a competitor was involved or that
Microsoft had received a ransom note or other contact regarding stolen
code.

The world has become increasingly familiar with destructive viruses
over the past two years as Melissa in 1999 and the Love Bug this year
infected millions of computers, bringing some business communications
to a grinding halt.

While the Melissa attack immediately made itself known by propagating
itself into huge volumes of outgoing e-mail messages, computer
security experts long have feared a more stealthy virus, or "worm,"
that could lurk in the background, doing its damage invisibly.

Microsoft's software has long been a favorite target of hackers, many
of whom criticize its security features as being inadequate. But this
breach of the company's network is the first time intruders have been
known to overcome the company's corporate defenses, which are believed
to be state of the art.

"We've been forecasting worm-based industrial espionage to happen for
quite some time," said Mikko Hyppönen, anti-virus researcher for
F-Secure Corp. "It has finally happened. I'm just surprised it
happened at the top."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com