FEATURES AND COMMENTARY
Dan Verton reported: Some security analysts now say that a worm thought to have been used by malicious hackers who broke into Microsoft’s internal computer network last fall was set up to transmit passwords and other sensitive data to an e-mail account in China. But they add that it’s uncertain whether the attackers were actually based in that country.
Microsoft hasn’t confirmed that the QAZ worm was even involved in the network intrusion, which was discovered in October and reported to the FBI. But a report issued last month by security consulting firm LogiKeep Inc. in Dublin, Ohio, said QAZ communicated with an e-mail account located in the Chinese capital of Beijing.
LogiKeep, which was founded by two former Navy intelligence officers, included analysis of the worm as part of an overall assessment of the network security threats facing companies that do business in China. Brad Johnson, a LogiKeep spokesman, said the IP address linked to QAZ was owned by Chinanet, one of the country’s four primary gateways to the Internet.
Motoaki Yamamura, group development manager at Symantec Corp.’s AntiVirus Research Center, confirmed the China link and said QAZ first appeared in that country last July. According to Yamamura, QAZ was configured to steal passwords and e-mail them to an account in China.
But, he added, that account has since been taken out of service. And an advisory that’s posted on Symantec’s Web site said the company’s antivirus unit downgraded its threat rating on QAZ last month “due to a decrease in submissions” about attacks involving the worm.
A former U.S. intelligence official who spoke on condition of anonymity said there’s an “abiding Chinese interest in infiltrating business computer networks and using software code development to install trapdoors, worms, data sniffers and other such techniques” that can help intruders steal data or gain clandestine access to corporate systems.
However, Yamamura said there’s no way to tell if the attackers responsible for the Microsoft intrusion were located in China or remotely compromised the Chinese system in order to use it as part of the break-in. Many analysts have previously said that the intrusion appeared to have been initiated from St. Petersburg, Russia.
John Pescatore, a security analyst at Gartner Group in Stamford, Conn., also said QAZ seems to have come out of China. But like Yamamura, he noted that the IP addresses embedded in viruses usually aren’t reliable indicators of who created them. “Most viruses have multiple versions,” Pescatore said. “So I just don’t see this as a smoking gun.”
A Microsoft spokesman declined to comment on the link between QAZ and systems in China, while also continuing the company’s policy of not discussing whether the worm played a role in the intrusion. “We have never confirmed that QAZ is responsible for this,” he said. “What we know is that somebody was able to obtain a set of valid network credentials.”
After discovering the intrusion last fall, Microsoft said the attackers were able to view some source code that was “under development for a future product.” But the company added that there was no evidence that the code had been modified or corrupted. The FBI is still investigating the incident.