Linux Today: Linux News On Internet Time.

Hackers Saw Microsoft Source Code

Oct 30, 2000, 13:56 (18 Talkback[s])
(Other stories by Andrew Craig, Ian Lynch)

By Ian Lynch and Andrew Craig, VNU Net

Microsoft has admitted that source code for some of its products under development was seen by hackers who gained access to its corporate network.

The FBI last week began an investigation into the computer break-in at the Redmond giant, which Microsoft said gave intruders access to its corporate network for 12 days. However, it said it was aware of the incident for much of this time.

Microsoft initially said "the integrity of our source code remains intact," but late Friday admitted that the hacker "was able to view some source code under development". However, Microsoft said source code for its existing Windows and Office software was not seen.

The break-in, as well as damaging Microsoft's reputation, raised fears that the hacker could have modified products, making them damaging to end users. Microsoft claims "no modifications or corruptions" were made and "no source code was downloaded".

Speaking to the Associated Press newswire on Sunday, Microsoft spokesman Rick Miller said: "We start[ed] seeing these new accounts being created, but that could be an anomaly of the system. After a day or two, we realised it was someone hacking into the system."

According to the Wall Street Journal, the break-in was discovered on Wednesday after Microsoft security staff detected passwords being remotely sent to an email account in St Petersburg, Russia.

A Microsoft spokeswoman said of the hackers, who could have had undetected access since July: "This has been a deplorable act of industrial espionage and we are working with law enforcement agencies to protect our intellectual properties."

Access to the network was gained by emailing a program, called the QAZ Trojan, into Microsoft's network that created a 'back door' for the intruders, according to the paper's sources.

These internal passwords may have been used to transfer source code outside of the Microsoft campus. By yesterday, the software giant had begun to check every file on the compromised areas of its network that had been modified for any reason in the past three months.

Microsoft said: "We are implementing an aggressive plan to protect our corporate network from unauthorised attempts to gain access, and are working on both immediate and long-term solutions."

Paul Rogers, network security analyst at MIS Corporate Defence Solutions, said the QAZ Trojan theory is "certainly one of the three most likely scenarios in this case and seems perfectly plausible".

Another involves scanning the network for weaknesses, while a third cause could be a disgruntled employee disabling security protection methods such as firewalls.

Rogers expressed surprise that the hack could possibly have gone undetected for so long. "Large organisations such as Microsoft should be more proactive in their security. The QAZ Trojan hasn't had much publicity but is well known within the security industry," he said.

Graham Cluley, senior technology consultant at antivirus software firm Sophos, told vnunet.com: "The QAZ surfaced in July but we didn't issue our first alert until 29 August as it was only then reports of the virus began to filter through.

"If it is the QAZ Trojan, then it becomes a question of how many computers were affected and exactly what the users had access to. Microsoft should be able to identify what hasn't been affected easily enough, but it will be harder for them to identify what may have been altered.

"But really, a decent firewall or updated antivirus software should have stopped this happening."

Related Stories: