Microsoft network stung by hack attack

Microsoft Corp. late last month confirmed that its internal computer network was hacked by malicious attackers who were able to view portions of the source code for key software products such as Windows and Office.

The incident, which security experts said could potentially have serious repercussions for Microsoft, was discovered by the company Oct. 25 and reported to the FBI the next day, according to a spokeswoman. The attack, which is now being investigated by the FBI, is believed to have been initiated in St. Petersburg, Russia.

The company, in a statement, said the incident was “narrower” in scope than it had earlier stated.

“This situation appears to be much narrower than originally reported. Our investigation shows no evidence that the intruder gained access to the source code for our major products, such as Windows Me, Windows 2000 or Office. Although the hacker apparently was able to view some source code under development for a future product, the investigation confirmed that there was no modification or corruption of any source code. We are confident that the integrity of Microsoft’s intellectual property remains secure. We have no reason to believe that any of our customers are affected,” the company said.

“We are working with law enforcement to address this deplorable act of industrial espionage. There are regular attempts at unauthorized entry into Microsoft’s network – as well as most large corporations and government agencies around the world. We actively address these issues, and we are working aggressively to isolate this problem and ensure the security of our internal network.”

The Microsoft spokeswoman said the company was “very confident” that none of its source code had been changed or manipulated by the attackers. Microsoft officials couldn’t be reached for additional comment, and an FBI spokesman said only that the agency’s investigators “are aware of the matter and are looking into it.”

Graham Cluley, a security expert at U.K.-based security software vendor Sophos PLC, said it appears that the attackers used a worm known as QAZ to break into Microsoft’s network, although he noted that reports vary about whether Microsoft has confirmed that fact.

“That’s what it looks like it would most likely be,” Cluley said. “[But] there’s really a garbled message coming out now [from Microsoft].” But an attack with a worm such as QAZ “shouldn’t have been possible” if Microsoft had properly configured its firewall and antivirus software and kept them updated, he said.

Cluley said QAZ – also known variously as Troj.QAZ, Worm.QAZ or QAZ.Trojan – is the fifth-most reported worm to the Sophos help desk and has been in circulation for several months. Trend Micro Inc., another antivirus software vendor, rates QAZ ninth on the list of the top 10 viruses and worm programs it’s tracking, with a medium-level risk to users.

But companies such as Sophos, Trend Micro Inc. and Finland-based F-Secure Corp. previously updated their antivirus packages to detect QAZ. And the descriptions of the worm that are posted on their Web sites include steps users can take to protect themselves from QAZ.

According to Trend Micro’s description, the QAZ worm functions as a backdoor tool that gives remote users control of an infected PC. The worm then disguises itself as a NOTEPAD.EXE file and can be spread through a LAN’s shared resources, Trend Micro said. In addition, attackers can use QAZ to upload and execute other malicious programs.
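The behaviour Trend Micro describes, a backdoor that keeps the name of a system utility but cannot keep its contents, suggests a simple hunt: hash every file called NOTEPAD.EXE seen on local disks and on network shares and compare it with the hash of the genuine utility. The script below is an added example written for this article, not code from Trend Micro, Sophos or F-Secure; the hostnames, paths, file bytes and baseline hash in it are constructed stand-ins, and a real hunt would hash the actual binaries and keep one baseline per Windows version and service pack.

```python
"""Hunt for NOTEPAD.EXE impostors across a fleet inventory (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class FileRecord:
    """One NOTEPAD.EXE sighting collected from a host or a network share."""
    host: str        # host the file lives on (hostnames are constructed)
    path: str        # local or UNC path where it was found
    content: bytes   # bytes as collected (stand-in bytes here, real PE files in practice)
    on_share: bool   # True if the path was reached through a network share


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents. A real hunt hashes the actual binaries.
GENUINE_NOTEPAD = b"MZ\x90\x00 constructed stand-in for the genuine notepad.exe"
DROPPED_BACKDOOR = b"MZ\x90\x00 constructed stand-in for a backdoor renamed to notepad.exe"

# Baseline taken from trusted install media: the only hash a file named
# notepad.exe is allowed to have on this (constructed) fleet.
BASELINE: Dict[str, str] = {"notepad.exe": sha256_hex(GENUINE_NOTEPAD)}


def basename_lower(path: str) -> str:
    """Return the final path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def find_impostors(inventory: List[FileRecord], baseline: Dict[str, str]) -> List[dict]:
    """Flag every file named notepad.exe whose hash is not the baseline hash.

    A backdoor that disguises itself under a system-utility name keeps the
    name but cannot keep the hash, so the name/hash mismatch is the signal.
    """
    findings = []
    for rec in inventory:
        expected = baseline.get(basename_lower(rec.path))
        if expected is None:
            continue                      # not a name we hold a baseline for
        actual = sha256_hex(rec.content)
        if actual != expected:
            findings.append({
                "host": rec.host,
                "path": rec.path,
                "on_share": rec.on_share,
                "sha256": actual,
            })
    return findings


def hosts_with_share_exposure(findings: List[dict]) -> Set[str]:
    """Hosts where an impostor sits on a reachable share, i.e. a likely spread point."""
    return {f["host"] for f in findings if f["on_share"]}


# Constructed inventory: one clean host, one infected locally, one infected via a share.
INVENTORY = [
    FileRecord("ws-01", r"C:\WINNT\notepad.exe", GENUINE_NOTEPAD, False),
    FileRecord("ws-09", r"C:\WINNT\notepad.exe", DROPPED_BACKDOOR, False),
    FileRecord("ws-17", r"\\ws-17\C$\WINNT\notepad.exe", DROPPED_BACKDOOR, True),
    FileRecord("ws-17", r"\\ws-17\C$\WINNT\system32\calc.exe", b"unrelated", True),
]


if __name__ == "__main__":
    hits = find_impostors(INVENTORY, BASELINE)
    for f in hits:
        print(f"{f['host']}: {f['path']} (on share: {f['on_share']}) sha256={f['sha256'][:16]}...")
    print("spread points:", sorted(hosts_with_share_exposure(hits)))
```

Because the check keys on the file name and nothing else, it also catches a copy planted under a second path on the same host, and the share flag separates a host that is merely infected from one that is offering the impostor to the rest of the LAN.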

Cluley said an attacker wouldn’t “have to be a genius” to use the worm. But Ira Winkler, a security analyst at Internet Security Advisors Group in Severna Park, Md., said the Microsoft hack “appears to be a very complicated and successful attack.” The attackers “did a lot of work to do this without getting detected” for a period of several months, Winkler added.

To protect themselves from the same kind of attacks, Winkler said, companies should make sure they have a firewall installed, do regular updates of their antivirus software and have a security administrator in place to review system logs to determine if any machines have been penetrated by unauthorized outsiders.

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, said the attack against Microsoft is ironic because so many of the vendor’s applications have included unintentional security holes that have been exploited by virus writers. The tables “appear to have been turned on Microsoft here,” Hemmendinger said.

Mikko Hypponen, antivirus research manager at F-Secure, said in a statement that QAZ makes it relatively easy for an outsider to gain access to confidential data. “We’ve been forecasting that worm-based industrial espionage would happen for quite some time, and it looks like now it has happened big time,” Hypponen said.