30 October 2000

The QAZ Trojan Program
Microsoft Internal Network Hacked; Source Code Stolen
------------------------------------------------------------------------

SUMMARY

A break-in into Microsoft's internal network was detected on Wednesday by Microsoft's security department. The intrusion was detected when Microsoft's security employees saw internal network passwords being sent to a Russian e-mail address. Apparently, the source code for Windows and Office was compromised as well.

DETAILS

Microsoft has confirmed that attackers managed to breach Microsoft's security system and gain access to the internal network. It seems that the source code for the Windows operating system was stolen, along with the source code for MS Office.

Possible Attack Scenario

This is the attack scenario as it appears from various reports and Microsoft's own description:

The attackers apparently used the QAZ Trojan to get access to Microsoft's internal network (a description of the QAZ Trojan is available below). The Trojan was sent by e-mail to one of Microsoft's employees, disguised as a file called 'notepad.exe'. Upon execution, it renamed the notepad.exe file to note.com and created a new, infected notepad.exe. After that, the Trojan sent a notification to a remote server in Asia and started listening on TCP port 7597 for further commands from the attacker.

The attacker then used this backdoor channel to download several attack tools (for example, packet sniffers) and retrieved sensitive information such as passwords, directory locations, file names, etc. This information was sent by e-mail to a Russian e-mail address in Petersburg.

At this point, the attacker had gained full control over the infected computer and the network (using the backdoor and the discovered passwords), allowing him to send back valuable source code via e-mail.

About the QAZ Trojan

The QAZ Trojan infects via an e-mail attachment, or spreads through IRC chat rooms. Upon infection, the file notepad.exe is renamed to note.com, an infected version of notepad.exe is planted, and the registry is updated to execute the Trojan when the system boots. While it runs, the Trojan listens for incoming connections on TCP port 7597, and enables the attacker to have remote control over the infected computer.

The FBI is in the picture

Microsoft was regarded as having a very high-security system, being a high-profile target for many attackers. This security breach compromised the source code of the Windows operating systems (including the newly released Windows ME), but according to Microsoft, the source code was not tampered with. While this enables attackers to view the source code and possibly develop advanced attack methods against Windows, since they did not have the ability to modify the source code, they were probably not able to plant malicious code in the Windows source code. Microsoft has contacted the FBI and asked for their help in investigating this issue.

This backdoor Trojan allows hackers to access and control an infected system. TROJ_QAZ was initially distributed as "Notepad.exe" but might also appear with different filenames. Once an infected file is executed, TROJ_QAZ modifies the Windows registry so that it becomes active every time Windows is started. TROJ_QAZ also renames the original "notepad.exe" file to "note.com" and then copies itself as "notepad.exe" to the Windows folder. This way, the Trojan is also launched every time a user runs Notepad. TROJ_QAZ also attempts to spread itself to other shared drives on local networks. This Trojan does not, however, mass-mail itself to the addresses in the user's address book.

How to Clean/Delete the QAZ Trojan?

The registry needs to be edited to delete this Trojan:

1. Click START, RUN. Type REGEDIT and hit the ENTER key.
2. In the left panel, click the "+" to the left of each of the following, in turn:
   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, search for any registry value that contains the data value startIE=XXXX\Notepad.exe.
4. In the right window, highlight the registry value that loads the file and press the DELETE key. Answer YES to delete the entry. Exit the registry. Click START, SHUTDOWN. Choose "Restart" and click OK.
5. Use the Find Tool under the Start Menu to find and rename Note.com to Notepad.exe.
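The same three indicators the cleanup procedure walks through (the startIE Run value, the renamed note.com next to a planted notepad.exe, and the TCP 7597 listener) can be checked by script on a modern Windows host. This is an added example written for this page, not a tool from the original advisory; it assumes PowerShell 5 or later, administrative rights, and that Get-NetTCPConnection is available (Windows 8 / Server 2012 and newer). Run it without switches to report only; add -Remediate to delete the Run value, after which the host still needs the restart and the note.com rename from steps 4 and 5.

```powershell
# Check a host for the QAZ Trojan indicators described in the advisory.
# Added example, not part of the original advisory. Assumes PowerShell 5+, admin rights.
param([switch]$Remediate)

$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sysRoot  = $env:SystemRoot
$findings = @()

# 1. Run-key value whose data looks like "startIE=<path>\Notepad.exe" (step 3 of the cleanup).
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not Run values
$run  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        if ("$($p.Value)" -like 'startIE=*notepad.exe') {       # -like is case-insensitive
            $findings += "Run value '$($p.Name)' = $($p.Value)"
            if ($Remediate) {
                Remove-ItemProperty -Path $runKey -Name $p.Name    # step 4; restart afterwards
                $findings += "  -> removed Run value '$($p.Name)'; restart and rename note.com (step 5)"
            }
        }
    }
}

# 2. Original Notepad renamed to note.com beside the planted notepad.exe (step 5).
$noteCom = Join-Path $sysRoot 'note.com'
$notepad = Join-Path $sysRoot 'notepad.exe'
if (Test-Path $noteCom) {
    $size = (Get-Item $notepad -ErrorAction SilentlyContinue).Length
    $findings += "Found $noteCom; current $notepad is $size bytes and is suspect"
}

# 3. Backdoor listener on TCP 7597, with the owning process for triage.
$listeners = Get-NetTCPConnection -LocalPort 7597 -State Listen -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP 7597 listening, PID $($l.OwningProcess) ($($proc.ProcessName))"
}

if ($findings.Count -eq 0) { 'No QAZ indicators found.' } else { $findings }
```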