Kaspersky Labs Int. comments on the recent virus incident
Cambridge, UK, October 28, 2000 - As disclosed on Friday, the corporate network of Microsoft, the world's largest software developer, was attacked by unknown hackers. The hackers used the QAZ network worm to penetrate into the network. As a result, the hackers gained access to the resources in which Microsoft stores the source code of its products, and may have copied some of them illegally.
Kaspersky Labs Int. presumes that at the moment there is little evidence to support the claim that Russian hackers from St.Petersburg performed the hacking. This scenario was introduced because the data from Microsoft's internal network was transferred to an e-mail address in Russia's northern capital. However, it is a well-known fact that the location of an e-mail box is not necessarily the same as the location of its owner. The e-mail address in St.Petersburg could be owned by anyone, from any country around the world. This email address could have been used in order to mislead the official investigation and the crime's actual origin, has yet to be discovered.
More important is the fact that the hacking was performed using the QAZ network worm. This worm was originally discovered earlier this year in July and Kaspersky Lab has received several reports of examples of this worm in-the-wild. Protection against the QAZ worm was immediately added to AntiViral Toolkit Pro (AVP) and other major anti-virus products' anti-virus databases. This raises the question: how did Microsoft's security systems miss the worm and make penetration possible? An enterprise's security policy should ensure that anti-virus protection is under the full control of highly qualified network administrators. It is therefore hard to believe that a workstation had no anti-virus software installed or that it had not been updated for a long time. It is more likely that a user had intentionally or accidentally disabled the anti-virus protection and allowed the worm to infect the computer.
More amazing still, even if the worm had penetrated into the Microsoft network it should not have been able to gain access to the worm's backdoor-component from the outside. Attempts to achieve this should have been squashed immediately by a firewall, that blocks data transfer from using certain communication ports, including the port used by the QAZ worm. In other words, hackers should not be able to control the malicious code from outside the network. Hence it appears that it is impossible to steal anything (including source code) from Microsoft's internal network using the QAZ worm, even if the hackers know passwords and login information.
Kaspersky Lab has no reason to question the competence of Microsoft's network administrators; it is easy to accidentally overlook a port that is commonly used by malicious programs.
Despite the recent incident, Kaspersky Lab does not agree with the sharp criticism aimed at Microsoft's security systems. It should not be forgotten that Microsoft has one of the largest internal networks in the world. The fact that this is its first serious incident of hacking over recent years only proves that Microsoft is actually doing very well. In fact, many other big corporations have been hacked successfully more often than Microsoft.
Besides, there is still no evidence that the hacking was done not from outside, but, rather, perhaps from within the company. In other words it may not be a problem of Microsoft's security systems, but Microsoft's security in general.
"Once again, we would like to draw users' attention to the fact that the installation of anti-virus software cannot be considered the only requirement for comprehensive anti-virus protection. The problem is complex and far reaching, it comes in direct contact with other security aspects and is an essential part of enterprise security in general," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.
The technical description of the QAZ worm is available at Kaspersky's Virus Encyclopedia.