Information Security News mailing list archives

Worm thought to have been used against Microsoft had links to Chinese system


From: InfoSec News <isn () C4I ORG>
Date: Thu, 18 Jan 2001 02:57:15 -0600

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO56474,00.html

By DAN VERTON
January 17, 2001

Some security analysts now say that a worm thought to have been used
by malicious hackers who broke into Microsoft Corp.'s internal
computer network last fall was set up to transmit passwords and other
sensitive data to an e-mail account in China. But they add that it's
uncertain whether the attackers were actually based in that country.
Microsoft hasn't confirmed that the QAZ worm was even involved in the
network intrusion, which was discovered in October and reported to the
FBI. But a report issued last month by security consulting firm
LogiKeep Inc. in Dublin, Ohio, said QAZ communicated with an e-mail
account located in the Chinese capital of Beijing.

LogiKeep, which was founded by two former Navy intelligence officers,
included analysis of the worm as part of an overall assessment of the
network security threats facing companies that do business in China.
Brad Johnson, a LogiKeep spokesman, said the IP address linked to QAZ
was owned by Chinanet, one of the country's four primary gateways to
the Internet.

Motoaki Yamamura, group development manager at Symantec Corp.'s
AntiVirus Research Center, confirmed the China link and said QAZ first
appeared in that country last July. According to Yamamura, QAZ was
configured to steal passwords and e-mail them to an account in China.

But, he added, that account has since been taken out of service. And
an advisory that's posted on Symantec's Web site said the company's
antivirus unit downgraded its threat rating on QAZ last month "due to
a decrease in submissions" about attacks involving the worm.

A former U.S. intelligence official who spoke on condition of
anonymity said there's an "abiding Chinese interest in infiltrating
business computer networks and using software code development to
install trapdoors, worms, data sniffers and other such techniques"
that can help intruders steal data or gain clandestine access to
corporate systems.

However, Yamamura said there's no way to tell if the attackers
responsible for the Microsoft intrusion were located in China or
remotely compromised the Chinese system in order to use it as part of
the break-in. Many analysts have previously said that the intrusion
appeared to have been initiated from St. Petersburg, Russia.

John Pescatore, a security analyst at Gartner Group Inc. in Stamford,
Conn., also said QAZ seems to have come out of China. But like
Yamamura, he noted that the IP addresses embedded in viruses usually
aren't reliable indicators of who created them. "Most viruses have
multiple versions," Pescatore said. "So I just don't see this as a
smoking gun."

A Microsoft spokesman declined to comment on the link between QAZ and
systems in China, while also continuing the company's policy of not
discussing whether the worm played a role in the intrusion. "We have
never confirmed that QAZ is responsible for this," he said. "What we
know is that somebody was able to obtain a set of valid network
credentials."

After discovering the intrusion last fall, Microsoft said the
attackers were able to view some source code that was "under
development for a future product." But the company added that there
was no evidence that the code had been modified or corrupted. The FBI
is still investigating the incident.

ISN is hosted by SecurityFocus.com