
Global Information Assurance Certification Paper

Copyright SANS Institute. Author Retains Full Rights. This paper is taken from the GIAC directory of certified professionals. Reposting is not permitted without express written permission.


The Hacking of Microsoft


Ernest E. Quaglieri

In October 2000, the unthinkable occurred when Microsoft Corporation was hacked. While we all realize deep down that no one is invincible, I doubt that any sizable wagers were placed indicating that the mighty Microsoft would be a victim.


The irony of it all is that Microsoft was hacked not by some new undetectable technology, but by a Trojan written in a language developed by Microsoft itself (MS Visual C++). It also appears that the Trojan was spread not by some covert undetectable means, but by carelessness on the part of a Microsoft employee (or employees).


As large companies go, Microsoft is prime material for hacking attempts. The corporation is hated by many because of the alleged monopoly and poor software design. Many underground groups exist solely due to a mutual dislike of the software giant. In light of this, one would think that security for this corporation would be in a constant state of "Red Alert." Initially, this was reported as a very sophisticated break-in. After examining the facts, however, it appears that this incident could be accomplished using readily available programs from the web and a bit of social engineering.


Microsoft has not released a great deal of information about the attack, but several points are well known. It appears that the QAZ Trojan was used, and it appears that a Microsoft employee working remotely introduced the Trojan into the system.


The QAZ Trojan was discovered in China in July of 2000. This is how the QAZ Trojan operates. It is distributed via Email or over the network. If distributed by Email, the social engineering phase is important: it has to arrive in a message that someone wants to open rather than delete as spam. The Trojan does not need mapped drives to infect other computers. It tries to locate other systems using NetBIOS browsing, looking for computers where the WINDOWS folder is available over the network.


Once activated, the Trojan searches for notepad.exe and copies itself in place of this file, renaming the original to note.com. This is important because when the victim launches the Trojanized notepad.exe, the note.com program is executed, making it appear that all is well. It also modifies the following system registry entry to execute itself every time the system is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
StartIE = C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq

© SANS Institute 2000 - 2002

As part of GIAC practical repository.

Author retains full rights.

The backdoor routine is quite simple, as it supports only a few commands: Run, Upload and Quit.


The Trojan searches the entire Local Area Network for additional copies of notepad.exe to infect. Once a computer on the LAN is infected, it will mail the IP address to the author of the Trojan (one address obtained was 202.106.185.107, listed somewhere in China), activate Winsock and listen on TCP port 7597. The existence of "note.com" and a newly created "notepad.exe" of 120,320 bytes, along with data traffic on TCP port 7597, are indications of infection.
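As an added example that is not part of the original paper, the following Python script checks a host inventory for the three indicators just listed: the StartIE Run-key value launching NOTEPAD.EXE with qazwsx.hsq, note.com sitting beside a 120,320-byte notepad.exe, and a listener on TCP 7597. The registry values, file listing and netstat text are constructed sample inputs; on a real host they would come from a registry export, a directory scan and "netstat -an".

```python
import re

QAZ_RUN_VALUE = "StartIE"        # Run-key value name the Trojan creates
QAZ_ARGUMENT = "qazwsx.hsq"      # argument it passes to the Trojanized notepad.exe
QAZ_NOTEPAD_SIZE = 120320        # bytes, size of the Trojanized notepad.exe
QAZ_PORT = 7597                  # TCP port the backdoor listens on
# Matches a LISTENING line of 'netstat -an'; group 1 = local socket, group 2 = port
LISTENER = re.compile(r"^\s*TCP\s+(\S+:(\d+))\s+\S+\s+LISTENING", re.I)

def check_run_key(run_values):
    """run_values: {value name: command line} read from the CurrentVersion\\Run key."""
    return [f"Run\\{name} = {cmd}" for name, cmd in run_values.items()
            if QAZ_ARGUMENT in cmd.lower()
            or (name.lower() == QAZ_RUN_VALUE.lower() and "notepad" in cmd.lower())]

def check_files(listing):
    """listing: {full path: size}; flags a directory holding note.com and a 120,320-byte notepad.exe."""
    by_dir = {}
    for path, size in listing.items():
        directory, _, name = path.rpartition("\\")
        by_dir.setdefault(directory, {})[name.lower()] = size
    return [f"{d}\\notepad.exe is {QAZ_NOTEPAD_SIZE} bytes and note.com is present"
            for d, files in by_dir.items()
            if "note.com" in files and files.get("notepad.exe") == QAZ_NOTEPAD_SIZE]

def check_listeners(netstat_output):
    """netstat_output: text of 'netstat -an'; returns local sockets listening on port 7597."""
    hits = []
    for line in netstat_output.splitlines():
        m = LISTENER.match(line)
        if m and int(m.group(2)) == QAZ_PORT:
            hits.append(m.group(1))
    return hits

def scan_host(run_values, listing, netstat_output):
    return check_run_key(run_values) + check_files(listing) + check_listeners(netstat_output)

# Constructed sample data for an infected host (not captured from a real system).
SAMPLE_RUN = {"StartIE": r"C:\WINDOWS\NOTEPAD.EXE qazwsx.hsq", "SystemTray": "SysTray.Exe"}
SAMPLE_FILES = {r"C:\WINDOWS\notepad.exe": 120320,   # size the paper reports
                r"C:\WINDOWS\note.com": 53248,       # renamed original; size constructed
                r"C:\WINDOWS\win.ini": 1024}
SAMPLE_NETSTAT = """  Proto  Local Address      Foreign Address    State
  TCP    0.0.0.0:139        0.0.0.0:0          LISTENING
  TCP    0.0.0.0:7597       0.0.0.0:0          LISTENING
  TCP    192.168.1.5:1032   10.0.0.2:80        ESTABLISHED"""

if __name__ == "__main__":
    for finding in scan_host(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_NETSTAT):
        print("QAZ indicator:", finding)
```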


Here is some code from the worm:


2E 68-73 71 00 00    qazwsx.hsq
74 65-2E 63 6F 6D    %s %s note.com
52 45-5C 4D 69 63    Software\Mic
64 6F-6E 5C 52 75    rosoft\Windows\C
69 6F-6E 5C 52 75    urrentVersion\Ru
45 00-4E 55 4C 4C    n startIE NULL
00 00-72 00 00 00    roc * r
65 00-72 00 00 00    notepad.exe r
00 00-6E 6F 74 65    note.com note
00 00-25 64 2E 25    .com %d.%
25 64-2E 25 64 2E    d.%d.%d \\%d.%d.
00 00-5C 5C 00 00    %d.%d %s \\
64 2E-65 78 65 00    %s\ notepad.exe
6F 74-65 70 61 64    SOFTWARE\notepad


As the Trojan spreads and more machines from the LAN send their IP addresses, the chance of getting in to a machine that is trusted by an important server grows.


Now that we know how it works and how it spreads, the next logical question is, “How did it happen to Microsoft?”


It is apparent that an unidentified Microsoft employee received an Email carrying the QAZ Trojan. The Trojan executed on that user's computer, and when that user connected to the network, the sender of the Trojan had a list of IPs of all the compromised computers on the LAN. The Trojan apparently could not get any useful information from the Developer's network to which the initially infected machine connected. However, as the Trojan spread, it eventually infected a computer trusted by a network containing other machines with valuable information. It has also been speculated that some mutated form of the Trojan allowed the bad guy to download additional tools to the compromised computers. This would appear logical, since Microsoft Security detected that passwords were sent to a Russian Email drop.


It was simple. So simple that anyone with a little Internet knowledge who visits hacker sites and reads of their conquests could do it. Of course, a little criminal intent is required. So what are the results of such a hack?


It depends on the perspective. For Microsoft, it undoubtedly caused a severe case of embarrassment as well as fears of compromised source code. It probably also caused some resumes to be updated and sent out to on-line job sites. The latest estimates are that the hackers had access to this particular network for 12 days, from October 14 to 25, 2000. It is unknown why Microsoft Security people did not notice any suspicious activity in their logs for such a lengthy period. Since passwords were "sniffed" leaving the network bound for Russia, the hacker(s) may have set up their own accounts, even administrator accounts, on the compromised servers.

Microsoft has been understandably quiet and evasive as to what was seen or taken, but many have speculated that source code for present and future products was either seen or stolen. One obvious concern is that somewhere within the millions of lines of code for a future operating system, the hackers placed a little code of their own, namely a back door into the product to be exploited after release. If the code was simply downloaded and examined, the hackers would have a head start on finding exploits for the product long before it is even released. Microsoft claims that the company was examining every computer file on the compromised system that was modified for any reason during the preceding three months. They were also examining recently shipped computer code for Windows ME, Windows 2000, Outlook, Outlook Express and the Microsoft Office suite of business applications.


Another thought on the matter is that Microsoft may later claim that code in a competitor product is actually code stolen from Microsoft. Although this would certainly be an uphill battle for Microsoft, it has to be an issue that open source developers are concerned with.


Kevin Mitnick, an infamous hacker recently released from prison, gave the keynote address at the Software Development Conference and Expo 2000. He gave it via satellite link because the terms of his release prohibit him from travelling, owning or using a computer, or providing computer-consulting services. According to Mitnick, this incident will temporarily raise awareness about computer security, but will not generate the kind of long-term security focus needed to stem the tide of computer attacks. Mitnick says in part that the attack "will raise the awareness for two, three, four months, but then people will relax." He also states, "You think people would learn, but they don't."


What can we do to prevent it?


There is some debate as to what can be done to prevent such attacks. The answer seems to be that there IS no one answer. Anti-Virus software is somewhat effective provided the vendor has supplied the correct signatures, or the heuristics feature of the program detects the bug. After researching some hacker methods of subverting anti-virus systems, I compressed a popular Trojan using a shareware tool called Neolite. I then Emailed myself the virus and it came through undetected, although my anti-virus program is set up to scan Email attachments. The signatures did not recognize the Trojan now that it was compressed. (Neolite creates a compressed executable version of the program.) Once activated (on a now closed system, of course) the anti-virus software caught it. If we add a slightly different twist to the scenario, however, the results may not have a happy ending.


If the victim takes a corporate laptop home and the virus program is out of date or nonexistent, then upon return to the corporate network other computers are in danger. This is especially true when virus signature updates are left to the user. Another issue is the danger of the Trojan passing the Email gateway anti-virus protection, because the anti-virus program does not recognize the signature once a program like Neolite has compressed it. Again, the corporate network is at the mercy of the workers' attention to detail in keeping virus signatures up to date. While common sense in opening attachments should apply, "sneakier" viruses and Trojans are appearing all the time that require no user intervention to launch.


The lesson.

• Protection must occur at all levels of the network. Users must constantly update Anti-Virus programs on client machines. A product that can push new signatures to clients can offer an advantage.
• Every machine on the network should have an Anti-Virus program with current updates installed, no exceptions.
• Computers connected to the network should not have modems or be dual homed to an ISP or untrusted network.
• Virus protection should be installed on the mail gateway as well as the server.
• Trained security personnel should inspect laptops that are used for off-site work and then returned to the network, before they are allowed back on the network.
• If physical user policies are not available, be aware of users installing AIM Instant Messenger and other types of software that create a security risk.
• Have a strong and enforceable written policy concerning computer usage.
• Review firewall, proxy server and event logs frequently.
• Obtain the training that you need to become proficient in protecting your network.
• Close all ports that are not needed.
• If your system provides notification services, set it up to dial your pager if an event occurs. The sooner you know, the faster you can act.


Keep in mind that power users are just as likely to breach security policy as general users. In fact, they may be more likely since their knowledge of computer systems is greater and with that may come a certain sense of invincibility. In addition, their accounts may carry more privileges than the average user account.


Set a good example for your users. Take the time to explain why all of these annoying procedures are necessary. If you make everyone part of the security "team," you will have a much better chance of protecting your company's resources, and keeping out of the employment line.


Sources:


Ryder, Josh. "Microsoft Gets Hacked - What Can We Learn?" 30 Oct 2000. URL: http://www.securityportal.com/articles/mshacked20001029.html (5 Jan 2001)


Symantec. "W32HLLW.Qaz.A." 16 Jul 2000. URL: http://www.symantec.com/avcenter/venc/data/qaz.trojan.html (5 Jan 2001)


Bridis, Ted and Buckman, Rebecca. "Microsoft Hacked! Code Stolen?" 27 Oct 2000. URL: http://zdnet.com/zdnn/stories/news/0,4586,2645850,00.html (6 Jan 2001)


Pournelle, Jerry. "QAZ Notepad Trojan Hacks Into Microsoft." 20 Nov 2000. URL: http://www.byte.com/column/BYT20001113S0001 (6 Jan 2001)


McGuire, David. "Mitnick: Microsoft Hack Won't Raise Awareness." 31 Oct 2000. URL: http://www.washtech.com/news/software/4769-1.html (7 Jan 2001)

