Microsoft Corp. on Sunday changed its story concerning the hacker who broke into its corporate network using a Trojan horse virus known as QAZ. The software giant is now saying that it was aware of the intrusion for two weeks and was monitoring the hacker’s movements during that time.
“Our ongoing investigation has continued to narrow the scope of this situation,” Microsoft announced Sunday. “Microsoft security became aware of the illegal activity shortly after it first occurred and tracked the hacker’s attempts to expand his unauthorized access to our network over a 12 day period from Oct. 14 to Oct. 25.”
But Stephen K. Gielda, owner of Cotse.com, a security information Web site, said he finds that explanation hard to believe.
“If that were true, I find it highly curious why they had to rapidly shut down 39,000 machines’ access to the Internet and basically stopped business,” Gielda told InternetNews.com. “If they were monitoring the machine, it should never have gotten live to the rest of the company, causing them to interrupt business. It sounds highly implausible that they were monitoring it from the get-go.”
Additionally, Gielda said the epicenter of the infection was probably a Microsoft server at the address http://egg.Microsoft.com. Gielda said that the Australian 2600 mailing list reported on Oct. 17 that the egg.Microsoft.com server had not been patched for a Unicode IIS exploit even though Microsoft Product Security had warned that the exploit could be used to remotely execute files. That same day, Cotse.com lambasted Microsoft for the security lapse in an editorial.
“It strikes me as extreme coincidence that hackers were running around and playing egg.Microsoft.com on the 17th of October and before,” Gielda said. “Then, shortly, within a couple of weeks after, Microsoft gets hacked completely, the trojan’s spread around the company and they’re playing spin control. And as they play spin control, the time frame keeps narrowing to the exact time frame of this hacked machine. And the fact that it had gone around hacker lists and people were playing with it just leads me to believe that that was the machine that was the injection point.”
However, Microsoft spokesman Adam Sohn said the egg.Microsoft.com server was not the injection point, adding that he hadn’t heard of that particular machine. He also said the Unicode IIS exploit was not the entry vehicle.
“What happened in this particular incident was not the result of a product vulnerability,” he said. “The Unicode IIS exploit I doubt would allow what was allowed.”
Sohn also denied that Microsoft shut down its network in response to the hack.
“We never shut down the network,” he said. “I think we disabled some remote access services. We took the appropriate steps at the appropriate times to ensure that no unauthorized access was happening.”
He added, “The network was never down. People were working at Microsoft all the way through.”
A source close to the situation said that allowing a hacker access and monitoring his or her movements is a by-the-book scenario.
“Everybody does it because you want to catch these people so they can’t do it again,” the source said. “You want to catch the guy whether or not it’s going to be Microsoft or the local police department or the FBI that does it.”
The source said Microsoft allowed the hacker access but not to any sensitive files.
“Often somebody will get to play in a network for a little while even though they can’t really do anything but look around,” he said. “That’s really what was going on.”
Reports of the hack first surfaced last Friday, and the Federal Bureau of Investigation is looking into the incident. At the time Microsoft said its employees discovered the break-in on Wednesday, Oct. 25. Early reports suggested the hackers may have stolen the source code for valuable products like Office and the latest version of the Windows OS, but Microsoft has since said that only the source code for a future product may have been seen.
“…there is no evidence that the intruder gained access to the source code for Office or any Windows products,” the company said Sunday. “There is no evidence to suggest that any of Microsoft’s online services have or will be affected by the incident, and we have no reason to believe that any customers have been or will be affected in any way. The security breach did not involve a security vulnerability in any Microsoft product.
“Also as stated earlier, the hacker may have viewed some source code under development for a future product. We remain confident based on all the evidence that no code has been modified or corrupted in any way.”
InternetNews Radio host Brian McWilliams contributed to this story.