RealTime IT News

Does Microsoft Have Egg On Its Face?

Microsoft Corp. Sunday changed its story concerning the hacker who broke into its corporate network using a Trojan horse virus known as QAZ. The software giant is now saying that it was aware of the intrusion for two weeks and was monitoring the hacker's movements during that time.

"Our ongoing investigation has continued to narrow the scope of this situation," Microsoft announced Sunday. "Microsoft security became aware of the illegal activity shortly after it first occurred and tracked the hacker's attempts to expand his unauthorized access to our network over a 12 day period from Oct. 14 to Oct. 25."

But Stephen K. Gielda, owner of Cotse.com, a security information Web site, said he finds that explanation hard to believe.

"If that were true, I find it highly curious why they had to rapidly shut down 39,000 machines' access to the Internet and basically stopped business," Gielda told InternetNews.com. "If they were monitoring the machine, it should never have gotten live to the rest of the company, causing them to interrupt business. It sounds highly implausible that they were monitoring it from the get-go."

Additionally, Gielda said the epicenter of the infection was probably a Microsoft server at the address http://egg.Microsoft.com. Gielda said that the Australian 2600 mailing list reported on Oct. 17 that the egg.Microsoft.com server had not been patched for a Unicode IIS exploit even though Microsoft Product Security had warned that the exploit could be used to remotely execute files. That same day, Cotse.com lambasted Microsoft for the security lapse in an editorial.
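The "Unicode IIS exploit" Gielda refers to belongs to a class of web-server flaws in which percent-encoded, overlong two-byte UTF-8 sequences for "/" and "\" pass the server's directory-traversal checks and are only decoded afterwards. The following is an added example, not code from the article or from Microsoft or Cotse.com: a small detector that replays that lenient decoding over IIS-style request log lines and flags traversal attempts, so an administrator can tell whether a server such as the one named above was being probed. The log layout, field names, sample lines and addresses are all constructed for the example, and the decoder's behaviour is an assumption about how the flawed decoder treated such sequences, not a description of any specific IIS build.

```python
import re

# Constructed W3C-extended-style IIS log lines (not real traffic):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2000-10-17 03:12:44 10.0.0.5 GET /default.htm - 200
2000-10-17 03:12:51 10.0.0.5 GET /scripts/..%c0%af../example.txt - 200
2000-10-17 03:13:02 10.0.0.5 GET /scripts/..%c1%9c../example.txt - 200
2000-10-17 03:13:10 10.0.0.9 GET /images/logo.gif - 200
2000-10-17 03:13:15 10.0.0.5 GET /scripts/../../example.txt - 404
2000-10-17 03:13:20 10.0.0.7 GET /caf%c3%a9.htm - 200
"""

LOG_FIELDS = ("date", "time", "c_ip", "cs_method",
              "cs_uri_stem", "cs_uri_query", "sc_status")

# ".." immediately followed by either path separator, checked AFTER decoding
TRAVERSAL = re.compile(r"\.\.[/\\]")

HEX = set("0123456789abcdefABCDEF")


def percent_decode(s: str) -> bytes:
    """Decode %XX escapes to raw bytes; everything else is passed through as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and i + 2 < len(s) and s[i + 1] in HEX and s[i + 2] in HEX:
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes):
    """Assumed behaviour of the flawed decoder: a lead byte 0xC0..0xDF plus the
    next byte are combined into one code point without checking that the next
    byte is a valid continuation byte or that the result needed two bytes.
    Returns (decoded_text, saw_overlong). A result below 0x80 means an ASCII
    character was smuggled in as a two-byte sequence (an 'overlong' encoding)."""
    chars = []
    overlong = False
    i = 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if cp < 0x80:
                overlong = True
            chars.append(chr(cp))
            i += 2
        else:
            # ASCII, longer sequences and stray bytes are not what the check is
            # about; keep them one byte per char so path structure is preserved.
            chars.append(chr(b))
            i += 1
    return "".join(chars), overlong


def inspect_request(uri_stem: str):
    """Classify one request path. Returns (reason_or_None, decoded_path)."""
    decoded, overlong = lenient_utf8_decode(percent_decode(uri_stem))
    traversal = bool(TRAVERSAL.search(decoded))
    if overlong and traversal:
        return "overlong-encoded traversal", decoded
    if traversal:
        return "plain traversal", decoded
    if overlong:
        return "overlong UTF-8 in path", decoded
    return None, decoded


def parse_log_line(line: str):
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def scan_log(text: str):
    """Return the suspicious records. A 200 status on a traversal request is the
    strongest signal: the server served a file outside the web root."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        reason, decoded = inspect_request(rec["cs_uri_stem"])
        if reason:
            findings.append({**rec, "reason": reason, "decoded_path": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["c_ip"], f["sc_status"], f["reason"], f["decoded_path"])
```

The plain `../../` request is flagged too but returned 404 in the constructed sample, which is the patched behaviour; the two overlong variants decode to the same path yet were answered with 200, and that combination (traversal after lenient decoding plus a success status) is the line an analyst would want an alert on.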

"It strikes me as extreme coincidence that hackers were running around and playing egg.Microsoft.com on the 17th of October and before," Gielda said. "Then, shortly, within a couple of weeks after, Microsoft gets hacked completely, the trojan's spread around the company and they're playing spin control. And as they play spin control, the time frame keeps narrowing to the exact time frame of this hacked machine. And the fact that it had gone around hacker lists and people were playing with it just leads me to believe that that was the machine that was the injection point."

However, Microsoft spokesman Adam Sohn said the egg.Microsoft.com server was not the injection point, adding that he hadn't heard of that particular machine. He also said the Unicode IIS exploit was not the entry vehicle.

"What happened in this particular incident was not the result of a product vulnerability," he said. "The Unicode IIS exploit I doubt would allow what was allowed."

Sohn also denied that Microsoft shut down its network in response to the hack.

"We never shut down the network," he said. "I think we disabled some remote access services. We took the appropriate steps at the appropriate times to ensure that no unauthorized access was happening."

He added, "The network was never down. People were working at Microsoft all the way through."

A source close to the situation said that allowing a hacker access and monitoring his or her movements is a by-the-book scenario.

"Everybody does it because you want to catch these people so they can't do it again," the source said. "You want to catch the guy whether or not it's going to be Microsoft or the local police department or the FBI that does it."

The source said Microsoft allowed the hacker access but not to any sensitive files.

"Often somebody will get to play in a network for a little while even though they can't really do anything but look around," he said. "That's really what was going on."

Reports of the hack first surfaced last Friday, and the Federal Bureau of Investigation is looking into the incident. At the time Microsoft said its employees discovered the break-in on Wedne