Microsoft Gets Hacked – What Can We Learn?

As many of you have heard by now, the software giant Microsoft recently admitted to having one of their internal developers’ networks compromised by an attacker. According to the most recent information released by Microsoft, they are currently undergoing an intensive review of all systems affected by this attack, examining each and every file that has been modified for whatever reason since the system breach was detected.

Even if no data was stolen or modified, the cost of verifying this could be rather high, and the affected project will most likely need to be delayed as the investigation progresses. In the end, not only does Microsoft suffer, but so will consumers, as the delays and the increased cost of development will inevitably be passed on to them. We should take this event at face value, and learn from it, because if it can happen to a high profile company like Microsoft that spends millions of dollars each year on security, it can certainly happen to you.

How Did It Happen?

What mighty force of nature allowed the crackers to corrupt the nigh-impenetrable shield of Microsoft’s security system? The answer, as many of you know, is a fairly simple and elegant program called Troj.Qaz.A (QAZ). QAZ is a Trojan application, meaning that it gains access to a system by passing itself off as something that it is not. In this case, it enters a system by renaming Notepad.exe to note.com, then copying itself into the system as Notepad.exe. When the Trojan is launched on the victim computer, it scans the Windows network (this scan is not restricted to mapped drives) looking for all instances of Notepad.exe on remote computers. Once found, it copies itself onto the new victims and proliferates at an incredible rate. You need only launch Notepad once for this program to do its damage, as it will create a registry entry to force execution of the Trojan every time the system boots.

To hide its nefarious activities, this Trojan will launch itself and then note.com (the real Notepad program), thus giving no external signs to the user that anything is amiss on their system. Once a computer is infected, not only will the Trojan proliferate across the network to other victims; in addition, the computer’s IP address will be emailed to the rogue application’s author automatically. The backdoor portion of the Trojan then uses WinSock to open a port (7597) and awaits incoming connections, allowing anyone with knowledge of this open port to access the system. Further information on detecting and removing QAZ can be found here.

But how did such an application manage to find its way onto the normally restricted developers’ network? It is now generally agreed that some as yet unknown Microsoft employee received an email carrying the Trojan in some form, and inadvertently installed it on their home system (which was connected to the Microsoft network). Once QAZ had worked its network magic with the internal network, the Trojan authors had a full list of the IP addresses of all machines on the compromised portion of the developers’ network. Some experts say that it is possible that this mutated version of QAZ may have even downloaded additional tools to the victim systems to aid the culprits in gathering data from the compromised systems. One such program was designed to collect employee logins and passwords, which were automatically sent to a Russian email drop. From here it would be relatively simple for the attackers to gain virtually unlimited access to the network. They may have created accounts for themselves to add to their credibility. (It is conceivable that they acquired an administrator’s password, thus granting them total control of the network). With "legitimate" accounts in place, it would’ve been easier for the attackers to pass themselves off as Microsoft employees who were simply working off-campus. Having this level of trust with the development team, the attackers could go about their business without so much as an eyebrow being raised.

How Does It Affect You?

While reading this, you may be asking yourself: "Well, what about antivirus software? Why wasn’t the Trojan, which is detectable by every major AV program out there, not found?" More often than not, developers take system security for granted. Since it is not their job to keep their machines secure, they generally disregard it. Simple precautions like installing antivirus software or even protecting their home network with a firewall are often disregarded – which leads us to an interesting point. In a distributed development environment where coders and designers are able to work away from the office by remotely accessing their work machines, how do we go about ensuring that all machines authorized to connect to the developers’ net are compliant with our security policies?

Just because the QAZ Trojan couldn’t get any IP information out of the developers’ network (because of a firewall blocking port 7597) does not mean that those machines were not vulnerable. A compromised trusted machine was still allowed in, thus bypassing many of the security measures in place. And because the developers felt that they were protected from the outside world by the security group’s shroud, they did not take the simple precaution of installing and running antivirus software. You can think of it as, once the hard outer shell was penetrated, the soft innards were completely exposed to whoever knew how to break or bypass the shell.

This break-in will affect various groups differently. For the average desktop user, the code leak will most likely have no effect at all, as the code that was stolen is for an application that won’t see the light of day for at least a year. The possibility certainly exists that code from other programs’ codebases is reused in this stolen application. From this, code analysis may be possible. Theoretically, if the code reuse was significant enough, holes in existing released applications could be found and exploited. However, I wouldn’t lose any sleep over this if I were you.

Open source developers are a completely different matter. If any code that Microsoft claims to own shows up in an open source or free software application, the ramifications are downright scary. In some ways, this break-in gives Microsoft carte blanche to go in and claim that code appearing in independently developed applications was stolen from them. If a judge believes this claim, the project could be pulled completely with the developers held responsible for unauthorized use of proprietary information.

Microsoft officials claim that during the compromise of their systems, no source code was modified. However, if we view this in less optimistic eyes, isn’t that exactly what they would say? I for one wouldn’t go around telling my customers that software to be purchased from us in the future may have been tampered with by someone outside of our sphere of influence. Doing so would destroy any confidence the consumer had in my products, and in all likelihood cause them to go elsewhere for their software. If the cracker was sophisticated enough to gain access to the Microsoft network, do you think they would have been happy just to view the source code for the next generation of Microsoft software? Wouldn’t it be tempting to modify the source in such a way as to allow access to all computers running this software? The recognition that they would gain in the eyes of their peers (other crackers) might be enough motivation for someone to pull a stunt just like that. And since we as consumers do not have access to the source code of any Microsoft applications, we cannot review the code to see if it is doing anything malicious. We must simply trust that there are no undesirable backdoors implanted in the software.

What Can We Learn from This?

1. Keep your antivirus software up to date. There is a reason why these applications are updated at least once a week. Every machine on your network should have at least one good package installed. If you do not already have one of these packages installed, I would recommend Symantec’s Norton AntiVirus or the Antiviral Toolkit from Advanced Virus
   Protection.

2. This sort of attack from a trusted source can happen to anyone. Security is something that necessarily must involve everyone with access to the company’s data and system. If even one machine is left without the proper level of security chances, are it will eventually be targeted as the weak link in your network.

3. Power users are just as likely as inexperienced users (if not more so) to breach the security policies of an office. Advanced computer users often look upon the computer illiterate with a good deal of disdain, regarding those with lesser computer skills as somehow inferior to those who are more knowledgeable. However, the reality of the matter is that the more experienced a user becomes with a computer, the more cocky and arrogant they become about their systems knowledge.

   By mastering one specific area of computers, they can lull themselves into the false sense that they know all there is to know about their machines. This arrogance eventually leads to disregard for company-mandated computer usage policies, something that an inexperienced user is most likely incapable of. In many ways an inexperienced user’s machine that has been properly set up by security-conscious people will remain far more secure than the systems of a power user who modifies their environment without regard.

   Once, when setting up a customer’s machine, I told them that they should make sure that they update their virus software at least twice a month. About 14 months later, they phoned with a question. The first comment I heard was that "We’ve been updating that virus software every week! I hope it isn’t a virus." How many power users are that diligent about keeping their computer security current?

References

A full description of the original Troj.QAZ application http://securityportal.com/research/virus/profiles/trojqaza.html