Someone broke into Microsoft’s network and accessed the basic codes for the company’s latest software, Microsoft president Steve Ballmer said today.
“They did in fact access the source codes,” Ballmer said from Stockholm, Sweden. “You bet this is an issue of great importance. I can also assure you that we know that there has been no compromise of the integrity of the source codes, that it has not been tampered with in any way.”
But malicious hackers don’t need to tamper with the source codes to use them to create destructive software, experts said. (The source code is the basic blueprint of a piece of software, allowing programmers to disassemble it and use its parts elsewhere.)
Owners of current Microsoft products have nothing to worry about, according to the company, but the break-in may make future products more vulnerable to attacks.
“The hacker appears to have obtained some source code for the development of future products,” Microsoft spokesman Rick Miller said.
The circumstances of the break-in are, right now, mysterious. Microsoft is working with the FBI to track down the culprits and said none of their currently on-the-market software has been corrupted.
The incursion was discovered on Wednesday, Miller said, but the attackers may have had access to Microsoft systems for a considerable period of time — something under three months.
“We consistently monitor our networks looking for any irregularities on the network, and this was discovered as something that struck us as odd,” he said.
Oliver Roll, senior director of Microsoft in the United Kingdom, said he didn’t know who had broken in, or why.
Microsoft wouldn’t comment on which future products were affected. Competitors could theoretically use the code to steal features from the new products, and malicious hackers could use it to design viruses or other programs that exploit unpublicized security flaws.
“Industrial espionage takes many forms. It could be someone with a big ego; it could also be someone that wants to copy our software; it could also be someone that wants to use our software in their own software,” Roll said.
The Wall Street Journal reported in today’s editions that Microsoft passwords had been sent to St. Petersburg, Russia. Microsoft declined to comment on that report.
Attackers, Not Competitors
Computer experts said the code wouldn’t be of much use to competitors. It’s just too high-profile. Anyone trying to blackmail Microsoft, to sell illegal copies or to use parts of the code in their own products would probably get run to ground by Microsoft and the FBI, said Graham Cluley of British antivirus company Sophos.
“You could try and write a competing product, but even that is very risky,” he said.
But the code could be of use to computer attackers. A top security consultant with the firm @Stake, known by the hacker name Weld Pond, said it wasn’t uncommon for hackers to steal and circulate source code.
“Source code circulates in the underground all the time. I have heard of source code for [Sun’s] Solaris and some of those other [operating systems] circulating,” he said.
The danger is that malicious hackers could write new viruses or other programs based on unpublicized flaws in the code. They could even build components that look exactly like Microsoft programs — like the Windows calculator or Notepad, say — but secretly do damage or open up back doors in computers.
That’s one point raised by advocates of “open source” software like the Linux operating system, where everyone can have access to the source code. With a world’s worth of programmers looking at the code, few weaknesses go unnoticed and unfixed, Linux partisans say.
Right now, nobody’s quite clear on how the hackers got into the network.
Knowledgeable sources in the computer security industry said the QAZ Trojan was involved. A well-known threat that anti-virus companies have been tracking since August, QAZ appears as an attachment to an e-mail. When a user opens the attachment, QAZ replaces the Windows Notepad with a copy of itself and opens a “back door” into the computer that hackers can access.
The problem is, all popular recent antiviral software protects against QAZ, Cluley said. Microsoft says that they update their antiviral software every day. QAZ also can’t get through a properly configured firewall, which would block the back door.
Microsoft refused to comment on whether employees could turn off antiviral software, but said it’s against company policy to do so. Miller said he didn’t know whether the company’s firewall blocks port 7597, the back door QAZ uses.
Ironically, QAZ was written with Microsoft’s own Visual C++ development program, antiviral company F-Secure said.
How’d They Do It?
Weld Pond said a modified form of QAZ may have been used, or the program may have been lurking in Microsoft’s system since before August. Other experts have speculated that a Microsoft employee may have turned off antivirus software on an office PC.
Perhaps QAZ was on an unsecured laptop computer outside Microsoft’s physical network, and that’s how the hackers got the passwords, Cluley speculated. Microsoft officials, for their part, aren’t saying.
“If it was just one laptop of one guy on the road, maybe his anti-virus wasn’t up to date, naughty him,” Cluley said.
Microsoft does allow access to its internal network from “off-campus” laptops, Miller said, but he added that the company considered that access to be secure.
Microsoft is a common target for malicious hackers and virus writers. Their products are used by more than 90 percent of U.S. PC users, so anyone seeking notoriety goes after their software. And they’re widely hated by the hacker community for what hackers say are secretive, unfriendly and monopolistic business practices.
Microsoft officials said they’re stepping up security efforts.
“We are implementing an aggressive plan to protect our internal corporate network from unauthorized attempts to gain access,” the company said in a statement. The Associated Press contributed to this story.