'

Experts ponder the Microsoft attack

The recent attack on Microsoft appears to many security professionals to have been perpetrated by an amateur. However security experts debate the question of how the QAZ trojan got into Microsoft's systems in the first place.

The recent attack on Microsoft appears to many security professionals to have been perpetrated by an amateur who happened to get inside the company's defensive perimeter.

And in cases of amateur attack, there is often a fairly clear trail leading back to its launch point. The trail of the Microsoft attack leads to St. Petersberg, Russia, and will probably end there, said Bill Spernow, an analyst at Gartner Group, who has been active in training Secret Service, Federal Bureau of Investigation and Customs Service agents in cybercrime investigation.

A server in St. Petersberg "could have been a reflector site," forwarding an attack that arrived under an alias that prevents further tracking of the perpetrator. Even when a trail can be followed, it has to lead to persuasive evidence - as it did in the Philippines in the case of the LoveBug virus - that can be used against an intruder.

Finding a network trail and "executing a warrant at the front door" remain two different things, he said. In the case of the LoveBug author, no charges could be lodged because there was no law on the books in the Philippines against creating a computer virus.

Investigators from the U.S. often find authorities in other countries reluctant to assist them because they do not have the same stake in catching an intruder. But one factor in Microsoft's favor, he said, is that if Russian authorities cooperate, investigators will have complete access to telephone records, which are under control of the state.

The intruder may not himself be Russian, several security experts emphasized. A knowledgeable hacker will make use of a server in a difficult-to-track region, such as Russia or Algeria or Iraq, and launch an attack. It is also possible to simply purchase anonymity on the Web by subscribing to an offshore service, such as Freedom.net, which guarantees its customers that their activities will not be monitored or opened up to law enforcement agencies, Spernow said.

"We only catch the dumb ones," he noted.

The most likely avenue into Microsoft, company officials have said, was through an employee's unprotected home computer. The possibility that Microsoft was the target of an industrial espionage attempt can't be ruled out, given its position in the industry, with the at-home employee playing an unwitting role. If the home system lacked virus protection and was both logged in to the Microsoft network and active on the Web, an attack could have come from many sources, Spernow noted.

And there are other possibilities. "It may have been a disgruntled employee inside the company," he said.

Gary McGraw, co-author of the book, Securing Java, and senior research scientist at Cigital, a security software vendor, said the QAZ Trojan found at Microsoft is a form of remote execution software that is planted on a computer through an e-mail attachment, a Word document.

Once the document is opened, an underlying Word Macro or application script is activated and sends a malicious hacker a message that it has infected a given machine. The QAZ Trojan then sits in hiding on the machine, awaiting one of three instructions: to upload a program, to run a program or to quit a program.

"The QAZ Trojan is a well-know piece of malicious code. It leaves a recognizable signature" and can be detected by all leading firewalls and anti-virus products on the market, said G. Mark Hardy, managing director at Guardent, an online security service.

The QAZ Trojan also tends to reserve a specific port on an Internet-attached server that it claims as its own, port 7597, which makes it possible for intrusion-detection systems, such as Intruder Alert from Axent Technologies or RealSecure 5.0 from Internet Security Systems. The systems monitor activity on a network, looking for patterns, such as password-guessing or snooping for vulnerabilities on servers, that indicate a malicious hacker, also called a cracker.

The discovery of a QAZ Trojan inside Microsoft has lead the security community to question how it got there. Microsoft officials have said it is likely that it came in through an infected machine in an employee's home.

McGraw said another possibility is an employee who took his laptop on the road and worked on it with the virus protection shut off. The machine became infected through an e-mail exchange and then was carried back inside Microsoft, past the firewall perimeter guards, and replugged into the network.

Once inside, the QAZ Trojan would have sent a message to the St. Petersburg server that it had infected a computer, and allowed a malicious hacker to gain access to that server and take control of it as a system administrator. A QAZ Trojan could activate a password-sniffing program and capture user IDs and passwords, sending them out to the cracker and giving him or her multiple means of entry, noted McGraw. But the shipment of passwords out of Microsoft's defensive perimeter could have been one of the things that set off the intrusion detection alarms, he said.

Microsoft said at first it had been experiencing an intrusion for six weeks, then shortened the time period to a little over a week, according to an Oct. 28 story in The New York Times citing its chief security officer, Howard Schmidt.

McGraw said during an attack Microsoft security professionals would immediately begin combing server logs looking for the first evidence of the Trojan's activity and "try to triangulate" from various logs on where the infection first entered its network. The location would provide clues as to how the Trojan horse appeared and what employee might have been inadvertently responsible.

If the cracker succeeded in stealing passwords as a first step, the trail will be harder to uncover, because she or "he could change credentials frequently," entering the system as legitimate users, said Jim Magych, manager of the Computer Vulnerability Response Team at Network Associates; his team offers a rapid-response service to customers experiencing security threats. If the intruder is skilled, Magych said, he or she covers up his or her trail and sanitizes server logs that have captured evidence of password sniffing or back-door entry.

"It's quite possible the hacker is right next door to Microsoft" but used a St. Petersburg server to cover his or her tracks, said Hardy.

In order to unravel that trail, said Rob Clyde, vice president of Axent, Microsoft needed to observe the intruder over a period of time, gaining the cooperation of network administrators along the intruder's route, to follow the trail backward. "It's a lot like tracing a telephone call," he noted.

"Chances are, he [or she] made all kinds of hops," in hopes of covering his or her tracks, Clyde said. The fact that the Wall Street Journal and The New York Times published stories on the incident early in the investigation indicates that Microsoft wasn't ready to announce the break-in to the world, but word leaked out, he said.

"Their first story indicated [the cracker] got some source code. Then they said he [or she] didn't really have time to download source code. The inconsistency tells me this wasn't a planned announcement," he said.

"If Microsoft can be penetrated, any one can be," said Network Associates' Magych.