Microsoft Can't Spin This Worm

October, 2000
By Steven J. Vaughan-Nichols, Sm@rt Partner

There's no ignoring the huge security holes the Microsoft crack reveals.

Common lies: This won't hurt a bit. I'll respect you in the morning. The Microsoft security break-in was "not very" damaging.

Come on, Ballmer! That's beyond spin; that ranks right down there with Clinton's "I never had sex with that woman." Cracking Microsoft's internal network is the biggest computer break-in ever.

OK, let's say you were born yesterday and you buy Microsoft President and CEO Steve Ballmer's story that no secrets were laid bare and no real harm was done. So what?

Microsoft wants you to entrust everything on your network to its operating systems, its applications -- and oh yes, its security measures. After all, the ultimate goal of .Net is to replace the existing Internet's infrastructure programs with Microsoft's own software. And now we find that this giant of software companies, the self-proclaimed and de facto leader of desktop software, is vulnerable to a garden-variety worm?

Oh yeah, this really makes me want to put all my business eggs into a Microsoft basket.

Child's play

You see, while it looks like there was a well-organized conspiracy attempting to exploit Microsoft vulnerabilities, the actual attack wasn't anything special. A script kiddie working off a recipe could have done it. Heck, I could have done it in my sleep.

The smoking gun appears to have been a simple Windows-only worm named W32.HLLW.Qaz.A, or the QAZ Worm to friends. It works by -- scream if you've heard this before -- someone opening an e-mail attachment.

Once in place, it replaces the Notepad application, but it keeps Notepad's functionality around by renaming the real Notepad program note.com and running it whenever you bring up Notepad.

The result? Every time you write a quick note, you get Notepad on your screen while the Trojan tries to infect other machines on the network. Now this is annoying but relatively harmless. The nasty part is that QAZ also creates a backdoor to your system using TCP port 7597, and it then e-mails your computer's IP address to the cracker.
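
A triage check for the two QAZ traits described above (a TCP socket on port 7597 and a note.com sitting beside Notepad), as an added example that is not part of the original column. The netstat text and file listing are constructed samples, and the function names and the notepad.exe file name are assumptions of this example.

```python
QAZ_PORT = 7597  # backdoor port named in the article

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7597           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          10.0.0.9:75970         ESTABLISHED
  TCP    10.0.0.5:7597          192.0.2.44:3311        ESTABLISHED
  UDP    0.0.0.0:7597           *:*
"""

# Constructed listing of the Windows directory (file names only).
SAMPLE_FILES = ["EXPLORER.EXE", "Notepad.exe", "NOTE.COM", "win.ini"]


def backdoor_sockets(netstat_text, port=QAZ_PORT):
    """Return (state, local, remote) for TCP sockets whose LOCAL port is `port`."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header, blank lines and UDP rows (UDP has no State column).
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        local, remote, state = fields[1], fields[2], fields[3]
        # Compare the whole port string so 75970 or 17597 never match 7597.
        if local.rpartition(":")[2] == str(port):
            hits.append((state, local, remote))
    return hits


def notepad_swapped(filenames):
    """True when note.com sits next to notepad.exe (names compared case-insensitively)."""
    names = {name.lower() for name in filenames}
    return "note.com" in names and "notepad.exe" in names


def triage(netstat_text, filenames):
    """Summarise both indicators; a hit is a reason to investigate, not a verdict."""
    socks = backdoor_sockets(netstat_text)
    return {
        "listening": any(state == "LISTENING" for state, _, _ in socks),
        "remote_peers": sorted(remote.rpartition(":")[0]
                               for state, _, remote in socks
                               if state == "ESTABLISHED"),
        "note_com_present": notepad_swapped(filenames),
    }
```
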

Once in, the cracker can take over your computer and (as appears to be the case at Microsoft) start chasing passwords for bigger and better targets -- say, servers containing the source code for Office 10 or your payroll files.

Oh, QAZ is a baddie, but there's nothing new about its approach. And it's pretty easy to detect and fix. After all, it first showed up in early July, and by July 18, Symantec's Norton AntiVirus programs for both e-mail gateways and PCs could find it, fry it or fix it. So could everyone's anti-viral programs.

So what's Microsoft's excuse?

Answer: Microsoft doesn't have one. First, it's clear that Microsoft doesn't have adequate internal or e-mail gateway anti-viral protection. Second, Microsoft wasn't protecting its network with basic firewall security. There is absolutely no sane reason why port 7597, or any unused TCP port, should have been open in the first place.

A bad trade

And now a point I have beaten to death but that people still don't get: Microsoft's own fundamental operating system principle of enabling data and programs to interoperate at a low level does provide unparalleled ability for programs to interoperate with each other, but it also offers crackers unparalleled access to break into your systems.

To me, it's not a trade worth making. Microsoft's inter-application communication (IAC) leads to Outlook Transmitted Diseases (OTDs) such as Melissa and makes it possible to build Trojans such as QAZ.

Lest we forget, this also makes it easier -- in systems that aren't properly guarded against viruses -- for a worm like QAZ to work for months without being detected. In Microsoft's own case, it took the company three months to find that crackers were raiding Microsoft's data vaults using swiped user IDs and passwords. Worse still, from early descriptions, it seems Microsoft didn't actually spot the infection itself; its security staff only woke up to what was happening when they saw user logs that didn't make sense.

It's bottom-line time: I don't care if not a single Microsoft secret was stolen. The real point is that Microsoft -- Microsoft, of all companies! -- with a combination of bad security practice and its own software, can't protect its own internal machines from crackers.

Not only is it time for Microsoft to take security seriously. It's time for everyone who uses Microsoft products to rethink exactly what they're doing to shield their own crown jewels.
