A break-in into Microsoft's internal network was detected on Wednesday by Microsoft's security department. The intrusion was detected when Microsoft's security employees saw internal network passwords being sent to a Russian e-mail address. Apparently, the source code for Windows and Office was compromised as well.
Credit:
For more information about the QAZ Trojan, see:
Qaz.trojan Infects Networks
Microsoft has confirmed that attackers managed to breach Microsoft's security system and gain access to the internal network.
It seems that the source code for the Windows operating system was stolen, along with the source code for MS Office.
Possible Attack Scenario
This is the attack scenario as it appears from various reports and Microsoft's own description:
The attackers apparently used the QAZ Trojan to get access to Microsoft's internal network (a description of the QAZ Trojan is available below). The Trojan was sent by e-mail to one of Microsoft's employees, disguised as a file called 'notepad.exe'. Upon execution, it renamed the existing notepad.exe file to note.com and created a new, infected, notepad.exe in its place.
After that, the Trojan sent a notification to a remote server in Asia, and started listening on TCP port 7597 for further commands from the attacker.
The attacker then used this backdoor channel to download several attack tools (for example, packet sniffers) and retrieved sensitive information such as passwords, directory locations, file names, etc. This information was sent by e-mail to a Russian e-mail address in Petersburg.
At this point, the attacker had gained full control over the infected computer and the network (using the backdoor and the discovered passwords), allowing him to send back valuable source code via e-mail.
About the QAZ Trojan
The QAZ Trojan infects via an e-mail attachment, or spreads through IRC chat rooms. Upon infection, the file notepad.exe is renamed to note.com, an infected version of notepad.exe is planted in its place, and the registry is updated to execute the Trojan when the system boots.
While it runs, the Trojan listens for incoming connections on TCP port 7597, and gives the attacker remote control over the infected computer.
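The two host-observable traces described above (a note.com file sitting beside a replaced notepad.exe, and a process listening on TCP port 7597) can be checked for across a fleet from ordinary inventory data. The following is an added example, not code from the original article or from any vendor tool; the connection-listing format and the file inventory are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

QAZ_PORT = 7597  # port the Trojan listens on, as described in the article


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str


# Constructed sample connection listing: "host proto local:port remote:port state"
SAMPLE_CONNECTIONS = """\
ws-012 TCP 10.0.5.12:7597 0.0.0.0:0 LISTENING
ws-012 TCP 10.0.5.12:1043 203.0.113.7:25 ESTABLISHED
ws-013 TCP 10.0.5.13:139 0.0.0.0:0 LISTENING
""".splitlines()

# Constructed sample file inventory: (host, path)
SAMPLE_FILES = [
    ("ws-012", r"C:\WINDOWS\note.com"),
    ("ws-012", r"C:\WINDOWS\notepad.exe"),
    ("ws-013", r"C:\WINDOWS\notepad.exe"),
]

CONN_RE = re.compile(r"^(\S+)\s+(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def scan_connections(lines):
    """Flag hosts with a TCP listener on the QAZ backdoor port."""
    findings = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue  # skip header or malformed lines
        host, proto, _laddr, lport, _raddr, _rport, state = m.groups()
        if proto == "TCP" and int(lport) == QAZ_PORT and state == "LISTENING":
            findings.append(Finding(host, f"listener on TCP {QAZ_PORT}"))
    return findings


def scan_files(inventory):
    """Flag hosts where note.com sits next to notepad.exe (the QAZ rename pattern)."""
    by_host = {}
    for host, path in inventory:
        by_host.setdefault(host, set()).add(path.lower())
    findings = []
    for host, paths in by_host.items():
        for p in paths:
            if p.endswith("\\note.com") and p[: -len("note.com")] + "notepad.exe" in paths:
                findings.append(Finding(host, "note.com beside notepad.exe"))
    return findings


def scan(conn_lines, file_inventory):
    """Combine both checks; a host hit by both is a strong indicator."""
    return sorted(scan_connections(conn_lines) + scan_files(file_inventory),
                  key=lambda f: (f.host, f.reason))
```

A host that appears in both result sets matches the full behaviour the article describes and should be isolated and examined for the registry autostart entry as well.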
How do I remove the QAZ Trojan?
To learn more about how to remove the QAZ Trojan once you have been infected, see the following website:
http://www.pchell.com/virus/qaz.shtml
The FBI is in the picture
Microsoft was regarded as having a very high-security system, being a high-profile target for many attackers. This security breach compromised the source code of the Windows operating systems (including the newly released Windows ME), but according to Microsoft, the source code was not tampered with.
While this enables attackers to view the source code and possibly develop advanced attack methods against Windows, since they did not have the ability to modify the source code, they were probably not able to plant malicious code in the Windows source code.
Microsoft has contacted the FBI and asked for their help in investigating this issue.