4:30pm ET, 4/16
Worm possibly used against Microsoft had links to China


(IDG) -- Some security analysts now say that a worm thought to have been used by malicious hackers who broke into Microsoft's internal computer network last fall was set up to transmit passwords and other sensitive data to an e-mail account in China. But they add that it's uncertain whether the attackers were actually based in that country.

Microsoft hasn't confirmed that the QAZ worm was even involved in the network intrusion, which was discovered in October and reported to the FBI. But a report issued last month by security consulting firm LogiKeep Inc. in Dublin, Ohio, said QAZ communicated with an e-mail account located in the Chinese capital of Beijing.


LogiKeep, which was founded by two former Navy intelligence officers, included analysis of the worm as part of an overall assessment of the network security threats facing companies that do business in China. Brad Johnson, a LogiKeep spokesman, said the IP address linked to QAZ was owned by Chinanet, one of the country's four primary gateways to the Internet.

Motoaki Yamamura, group development manager at Symantec Corp.'s AntiVirus Research Center, confirmed the China link and said QAZ first appeared in that country last July. According to Yamamura, QAZ was configured to steal passwords and e-mail them to an account in China.

But, he added, that account has since been taken out of service. And an advisory that's posted on Symantec's Web site said the company's antivirus unit downgraded its threat rating on QAZ last month "due to a decrease in submissions" about attacks involving the worm.

A former U.S. intelligence official who spoke on condition of anonymity said there's an "abiding Chinese interest in infiltrating business computer networks and using software code development to install trapdoors, worms, data sniffers and other such techniques" that can help intruders steal data or gain clandestine access to corporate systems.

However, Yamamura said there's no way to tell if the attackers responsible for the Microsoft intrusion were located in China or remotely compromised the Chinese system in order to use it as part of the break-in. Many analysts have previously said that the intrusion appeared to have been initiated from St. Petersburg, Russia.

John Pescatore, a security analyst at Gartner Group in Stamford, Conn., also said QAZ seems to have come out of China. But like Yamamura, he noted that the IP addresses embedded in viruses usually aren't reliable indicators of who created them. "Most viruses have multiple versions," Pescatore said. "So I just don't see this as a smoking gun."

A Microsoft spokesman declined to comment on the link between QAZ and systems in China, while also continuing the company's policy of not discussing whether the worm played a role in the intrusion. "We have never confirmed that QAZ is responsible for this," he said. "What we know is that somebody was able to obtain a set of valid network credentials."

After discovering the intrusion last fall, Microsoft said the attackers were able to view some source code that was "under development for a future product." But the company added that there was no evidence that the code had been modified or corrupted. The FBI is still investigating the incident.



© 2001 Cable News Network. All Rights Reserved.