Microsoft - burned by anti-virus tools?

Security software makers Symantec, Trend Micro and Computer Associates may have missed the QAZ Trojan horse that struck the Redmond giant, but the anti-virus firms say no.
Written by Robert Lemos, Contributor

Did anti-virus software makers fail Microsoft?

On Friday, analysts questioned whether Symantec Corp., Trend Micro or Computer Associates had left the gate open to the so-called QAZ Trojan horse.

All three companies provide some level of anti-virus protection to the Redmond, Wash., giant, whose corporate network was infiltrated by hackers in an attack reported Friday.

While the recent push in the anti-virus industry has been to research ways to update users' virus-definition files more quickly, software makers may have missed the forest for the trees, said Rob Rosenberger, editor for Virus Myths, a Web site following the anti-virus industry.

"If your anti-virus vendor doesn't have its act together, then instant updates don't matter," he said.

Roaming around for months
On Friday, the Wall Street Journal reported that Microsoft had found evidence that an intruder had been roaming around its networks for as long as three months.

The report cited unnamed sources who fingered the QAZ Trojan horse as the method of entry for the intruder.

Identified in mid-July, the QAZ Trojan - also referred to as a worm, because once inside it spreads across network shares on its own - infects a computer system when a user opens an e-mail attachment containing the program.

The Trojan horse then overwrites the Notepad text editor on the system with its own code, searches for other shared hard drives it can copy itself to, sends the IP address of the infected machine to a - reportedly - Russian e-mail address, and listens for the attacker to connect back.

It was first found in China, but the worm's full name - QAZWSX.HSQ - comes from the two left-most columns of letter keys on an English QWERTY keyboard (Q-A-Z and W-S-X).

Precautions taken in August
All the major anti-virus software makers had added detection signatures for the Trojan horse to their scanners by early August of this year, but somehow it still got through.

Problems with virus definitions are nothing new for the anti-virus industry.

Early this month, Symantec released a set of virus definitions that misidentified Network ICE's BlackICE firewall as a Trojan horse. The result: The anti-virus software disabled the firewall and left many home users' PCs vulnerable.

But anti-virus vendors said their software is not to blame for the Microsoft hack.

Instead, a Microsoft employee, consultant, or outside developer with internal network access had not been running a scanner, said Vincent Weafer, director of Symantec's AntiVirus Research Center.

Anti-virus firms: Not our fault
"Literally, it only takes a single machine," said Weafer. "After that, unless you have a really tightly managed network, it's difficult to eradicate."

That's one reason why the QAZ Trojan has stayed in the top four of Symantec's virus-prevalence charts for the past three months, he said.

QAZ jumps from hard drive to hard drive around a company's network, cropping up in many places at once. Such "network infectors" are hard to completely quash and can easily come back, said Piers McMahon, Computer Associates' senior business manager for security.

"Security is only as strong as the weakest link," he said. "You have to have comprehensive coverage to stop this one."
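The check an administrator would want after reading the description of QAZ above (it overwrites Notepad and copies itself across shared drives) and the point about network infectors: a sweep that compares every reachable copy of notepad.exe against a known-good hash, treating an unreachable share as a finding in its own right rather than silently skipping it. This is an added example, not code from the article or from any vendor named in it. It assumes hypothetical host directories standing in for network shares and a constructed clean/trojaned file pair; in practice the baseline hash comes from a clean install, and the roots would be the local Windows directory plus each mounted share.

```python
"""Added example (not from the article): baseline-hash sweep for a replaced
system binary across local disk and mounted shares. Filename, size and
timestamp are not trusted; only a hash match against a known-good build
counts as clean."""
import hashlib
import os
import tempfile
from pathlib import Path

TARGET = "notepad.exe"   # the binary QAZ overwrote, per the article


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries on slow shares do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(roots, known_good: str, target: str = TARGET):
    """Walk every root (local disk or mounted share) and return a dict of
    path -> verdict: 'ok', 'REPLACED', or 'unreadable'. A root that cannot
    be reached is reported as unreadable instead of being skipped, because
    an unscanned share is exactly where a network infector survives."""
    verdicts = {}
    for root in roots:
        root = Path(root)
        if not root.exists():
            verdicts[str(root)] = "unreadable"   # share offline / no access
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() != target:
                    continue
                p = Path(dirpath) / name
                try:
                    verdicts[str(p)] = "ok" if sha256_of(p) == known_good else "REPLACED"
                except OSError:
                    verdicts[str(p)] = "unreadable"   # locked or permission denied
    return verdicts


def summarize(verdicts):
    """Group paths by verdict. Anything not 'ok' needs a human: a replaced
    binary is an infection, an unreadable share is a blind spot."""
    return {v: sorted(p for p, vv in verdicts.items() if vv == v)
            for v in ("ok", "REPLACED", "unreadable")}


def build_lab():
    """Constructed test data (hypothetical hosts, not real systems): three
    directories standing in for hosts. host-a is clean, host-b carries a
    replaced notepad.exe, host-c is never created so it reads as offline."""
    lab = Path(tempfile.mkdtemp(prefix="qaz_lab_"))
    clean = b"MZ-clean-notepad-stub"          # stand-in for the real binary
    (lab / "host-a" / "Windows").mkdir(parents=True)
    (lab / "host-a" / "Windows" / "notepad.exe").write_bytes(clean)
    (lab / "host-b" / "Windows").mkdir(parents=True)
    (lab / "host-b" / "Windows" / "notepad.exe").write_bytes(b"MZ-trojan-body")
    baseline = hashlib.sha256(clean).hexdigest()
    roots = [lab / "host-a", lab / "host-b", lab / "host-c"]
    return roots, baseline


if __name__ == "__main__":
    roots, baseline = build_lab()
    for verdict, paths in summarize(sweep(roots, baseline)).items():
        for p in paths:
            print(f"{verdict:10} {p}")
```

Because a share infector re-copies itself from any host that was missed, the sweep is only useful if it is run over every root at once and repeated after cleanup; a single "unreadable" entry means the result cannot be called clean.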
