The virus and security story of the week has to be the announcement last Friday that the security of Microsoft's internal network had been breached. Early reports of the seriousness of the attack and what may have been accessed by the attackers varied significantly.
The spin-doctors were rapidly on the scene trying to downplay any concerns that the source code of any major products or related trade secrets may have been copied offsite, but those damage control efforts did not prevent the "escape" of many contradictory reports from Microsoft officials, press releases and the like. For example, Microsoft CEO Steve Ballmer, was reported from the same meeting near Stockholm to have "said nothing", to have denied that any of the company's source code had been accessed and to have said "[t]hey did in fact access the source codes".
Careful reading of the swathe of press reports suggests that the attackers may have been "inside" Microsoft's network for some time (periods of up to three months have been mentioned) and may have been detected and monitored recently (perhaps just a day or two before the story broke). One thing is clear though -- according to Microsoft's own "official" statements there is sufficient confusion over what really happened to suggest that Microsoft has either not told the whole story or, more worryingly, that it does not know what the whole story is. Given the official Microsoft spin is "it is all under control and we
knew what they were doing", either possibility raises serious concerns over the security of Microsoft's Redmond campus network.
Microsoft hacked with Qaz Trojan
The Qaz Trojan, first reported in the newsletter two months ago, was reputedly used to allow hackers to gain access to Microsoft's internal networks. Once installed, Qaz allows attackers to transfer any other programs to the compromised machine and run them. This feature of Qaz may have been used by Microsoft's attckers to install password sniffing programs and Microsoft admitted that it did detect usercodes and passwords being sent via e-mail from inside its network to Russian (and, according to some reports Chinese) locations. There has been much speculation about what other possible "damage" may have been done by the hackers, but at the least, Microsoft's reputation has probably been besmirched by this incident.
Following initial speculation as to how the Qaz Trojan may have got into Microsoft's internal network, some reports suggest that it was via infection of an employee's home machine. Still, the fact that machine could then attack the Microsoft campus network does not play well for the network security profile of the Redmond network. A good, albeit cynical, summary of the best part of a week's media coverage of this story, can be found at The Register (linked below).
Detailed descriptions of the Qaz Trojan can be found at the antivirus developer links below.
Antivirus developer's descriptions of Qaz:
Sonic worm not so friendly
Although few infections have been reported, this worm seems to be beginning to spread. Aside from the obvious dangers of allowing unknown code to run on one's machine, Sonic opens up the spectre of much worse. Like a small umber of its predecessors, but as part of an increasing trend, Sonic is designed to "update itself". It does this by checking for new portions of code from a web site and downloading and running these updates. Aside from this nasty trick, which means Sonic can do things in future that we are unaware of now, it sends itself to all addresses in its victims' Outlook address lists.
The worm will normally arrive at a potential victim's machine as an e- mail message with an attachment. The Subject: line of the message will be "Choose Your Poison" or "I'm your poison" and the attachment will be named girls.exe or lovers.exe. The message itself will be blank. As observed previously, although that should sound loud warning bells to any slightly security-conscious user, it does not seem to be warning enough for many...
Users can protect themselves by not running executables that arrive unexpectedly via e-mail. Managers of corporate e-mail systems that do not already strip excutable content from all incoming e-mail should be reconsidering this weakness in their current system design.
Antivirus developer's descriptions of Sonic:
Update released for Exchange Server 5.5
Microsoft has released a patch for the "Malformed MIME Header" vulnerability in Exchange Server 5.5. Although the details of this security flaw have not been divulged, it is recommended that anyone
running Exchange Server 5.5 in environments where the server has to process e-mail from potentially untrustworthy sources should apply the patch or the soon to be released SP4 for Exchange Server 5.5. This would include all servers on, or processing messages relayed from, Internet e-mail sources.
The vulnerability is said to arise from mishandling of a particular form of invalid MIME message header. Exchange Server processes some MIME headers when moving a message from their queues. The nature of this vulnerability is such that if an unpatched server started processing a
message that had been specially made to exploit this issue, the service handling the message would crash. This provices a form of "denial of service" (DoS) attack against the server. To correct this situation, the server administrator would have to restart the affected service and delete the message at the head of its queue so that message does not cause the service to crash again when it next processes that queue.
The update must be applied to Exchange Server 5.5 SP3 -- if SP3 has not been applied to a server, it will have to be brought up to that SP-level before applying this patch. Also note that the hot-fix number of this patch matches one that was first released in December 1999. If you already have applied that hot-fix, do not be deceived by this as the hot-fix has been updated several times since its release.
The message from the bugtraq mailing list archive, linked below, suggests that this problem may be due to MIME "Content-Type:" headers that have their "boundary=" fields set to a null string.
This vulnerability does not affect Exchange Server 2000.
Possible explanation in bugtraq archive
Patch for MS Network Monitor released
Several unchecked buffers in the Network Monitor (Netmon) component could allow an attacker to crash Netmon or run arbitrary code on the machine using Netmon. As Netmon must be run by an administrator equivalent user, the latter is a serious concern. However, the nature of any possible attack based on this vulnerability means that it is not a high risk. The problem is actually in some of the protocol parsers and exploitation of the problem would require an attacker be able to inject specially malformed network frames into a network that was being monitored by a vulnerable copy of Netmon.
Users of all NT 4.0 Server versions (including Terminal Server and Enterprise) and all Windows 2000 Server versions, and all users of SMS v1.2 or v2.0 who use the Netmon component shipped in those products should consider installing the patch. As this is unlikely to be an urgent issue for many administrators, waiting for the next service pack for each affcted product may be the better option, as service packs are given more thorough regression testing before they are released and Microsoft is assuring its customers that this update will be in the ext service pack for all affected products.
Note that this does not affect NT 4.0 Workstation nor Windows 2000 Professional users unless they use the Netmon component of SMS.