Security software makers Symantec, Trend Micro and Computer Associates may have missed the QAZ Trojan horse that
struck the Redmond giant.
Did anti-virus software makers fail Microsoft?
On Friday, analysts questioned whether Symantec Corp., Trend Micro, or Computer Associates may have left open
the gate to the so-called QAZ Trojan horse.
All three companies provide some level of anti-virus protection to the Redmond, Wash., giant, whose corporate
network was infiltrated by hackers in an attack reported Friday.
While the recent push in the anti-virus industry has been to research ways to update users' virus-definition
files more quickly, software makers may have missed the forest for the trees, said Rob Rosenberger, editor for
Virus Myths, a Web site following the anti-virus industry.
"If your anti-virus vendor doesn't have its act together, then instant updates don't matter," he said.
Roaming around for months
On Friday, the Wall Street Journal reported that Microsoft had found evidence that an intruder had been roaming
around its networks for as long as three months.
The report cited unnamed sources who fingered the QAZ Trojan horse as the method of entry for the intruder.
Identified in mid-July, the QAZ Trojan - also referred to as a worm - infects a computer system when a user
opens an e-mail attachment containing the program.
The Trojan horse then replaces the NotePad text editor on the system with its own code, searches the network for
other shared drives to infect, sends the IP address of the infected machine to an e-mail address reportedly in
Russia, and listens for a response.
Although it was first found in China, the worm's full name - QAZWSX.HSQ - comes from the six left-most letter keys
on an English QWERTY keyboard (the Q-A-Z and W-S-X columns).
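The behaviour described above (a replaced Notepad that holds a listening socket, spreading over shared drives, with one unscanned machine enough to seed the network) is what a hunt script would look for across a fleet. The example below is added here and is not code from the article or from any of the vendors it names; it assumes a hypothetical inventory feed (constructed inline) that reports, per host, the SHA-256 of notepad.exe on disk, whether an anti-virus agent is running, and which processes own listening sockets. The host names, hashes and port number are constructed stand-ins.

```python
"""Fleet hunt for a QAZ-style replaced-Notepad network infector.

Added example, not from the article or any vendor. Assumes a hypothetical
per-host inventory (constructed below) rather than a real EDR feed.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-in for the vendor's clean notepad.exe. A real hunt hashes a
# copy taken from a known-clean reference machine or the install media.
CLEAN_NOTEPAD_BYTES = b"MZ constructed clean notepad.exe build"
KNOWN_GOOD_NOTEPAD_SHA256 = hashlib.sha256(CLEAN_NOTEPAD_BYTES).hexdigest()


@dataclass
class Host:
    name: str
    notepad_sha256: str                   # hash of notepad.exe as found on disk
    av_running: bool                      # scanner agent installed and alive
    listeners: List[Tuple[str, int]] = field(default_factory=list)  # (process, port)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_host(host: Host) -> List[str]:
    """Return the findings for one host; an empty list means nothing looked wrong."""
    findings = []
    # The trojan overwrites Notepad with its own code: the on-disk hash no longer matches.
    if host.notepad_sha256 != KNOWN_GOOD_NOTEPAD_SHA256:
        findings.append("notepad_replaced")
    # The trojan listens for a response; a genuine Notepad never owns a listening socket.
    if any(proc.lower() == "notepad.exe" for proc, _port in host.listeners):
        findings.append("notepad_listening")
    # A single machine without a scanner is enough to seed a network infector.
    if not host.av_running:
        findings.append("no_scanner")
    return findings


def hunt(inventory: List[Host]) -> Dict[str, List[str]]:
    """Map each host with at least one finding to its findings."""
    results = {}
    for host in inventory:
        findings = classify_host(host)
        if findings:
            results[host.name] = findings
    return results


def infected_hosts(results: Dict[str, List[str]]) -> List[str]:
    """Hosts showing direct evidence of the trojan (replaced or listening Notepad)."""
    return sorted(h for h, f in results.items()
                  if "notepad_replaced" in f or "notepad_listening" in f)


def weakest_links(results: Dict[str, List[str]]) -> List[str]:
    """Hosts with no scanner: the gap through which the trojan can re-enter."""
    return sorted(h for h, f in results.items() if "no_scanner" in f)


# Constructed inventory: hypothetical host names, a constructed payload hash, and a
# made-up port. A clean host, a fully compromised unscanned host, an unscanned clean
# host, and a scanned file server whose Notepad was overwritten across a share.
TROJANISED_NOTEPAD_BYTES = b"MZ constructed payload written over notepad.exe"
SAMPLE_INVENTORY = [
    Host("ws-dev-01", sha256_hex(CLEAN_NOTEPAD_BYTES), True, [("svchost.exe", 445)]),
    Host("ws-contractor-02", sha256_hex(TROJANISED_NOTEPAD_BYTES), False, [("notepad.exe", 1234)]),
    Host("ws-dev-03", sha256_hex(CLEAN_NOTEPAD_BYTES), False, []),
    Host("fileserv-01", sha256_hex(TROJANISED_NOTEPAD_BYTES), True, []),
]

if __name__ == "__main__":
    for name, findings in hunt(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

The hash check catches the overwritten binary even on a host whose scanner is running but whose definitions did not fire; the listener check catches a running copy regardless of how the file was renamed; and the scanner check surfaces the unmanaged machines that let the infection come back.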
Precautions taken in August
All major anti-virus software makers included patterns in their scanners to identify the Trojan horse by early
August of this year, but somehow it still got through.
Problems with virus definitions are nothing new for the anti-virus industry.
Early this month, Symantec released a set of virus definitions that misidentified Network ICE's BlackICE firewall
as a Trojan horse. The result: The anti-virus software disabled the firewall and left many home users' PCs vulnerable.
But anti-virus vendors said their software is not to blame for the Microsoft hack.
Instead, a Microsoft employee, consultant, or outside developer with internal network access had not been running
a scanner, said Vincent Weafer, director of Symantec's AntiVirus Research Center.
Anti-virus firms: Not our fault
"Literally, it only takes a single machine," said Weafer. "After that, unless you have a really
tightly managed network, it's difficult to eradicate."
That's one reason why the QAZ Trojan has stayed in the top four of Symantec's virus-prevalence charts for the
past three months, he said.
QAZ jumps from hard drive to hard drive around a company's network, cropping up in many places at once. Such
"network infectors" are hard to completely quash and can easily come back, said Piers McMahon, Computer
Associates' senior business manager for security.
"Security is only as strong as the weakest link," he said. "You have to have comprehensive coverage
to stop this one."