Feb 19 2008
I spent the weekend in DC at the annual Shmoocon hacker conference. It was a lot of fun and a great learning opportunity. Simple Nomad made a historical reference to a Chinese trojan that a lot of people probably aren’t aware of or don’t remember. In October of 2000, Microsoft’s internal security staff detected account passwords being sent to a Russian email address. The investigation later revealed that an internal machine had been compromised by a Chinese trojan called QAZ. The trojan gave remote access to the attacker, who may have been able to retrieve the source code for some Microsoft products. Network forensic information also indicated that the infected machine sent a notification to a remote server in Asia.

Most of the articles indicate that an internal Microsoft computer received the QAZ trojan as an email attachment. Later reports indicated that Microsoft thought a remote attacker may have used a Microsoft employee’s home computer. The latter makes much more sense.

Simple Nomad suggested that someone just scanned home computer networks located in the Redmond area and compromised one or more until he was able to get access to a user with VPN access to Microsoft. This makes a lot of sense because the QAZ trojan listens on a high-numbered TCP port, which wouldn’t have been permitted through Microsoft’s perimeter. Also, if PAT/NAT was used, another firewall rule would have been required to redirect the traffic from a public address to the private address. An attacker could have routed through a home user’s VPN connection if the VPN permitted split-tunneling. The attacker could have just as easily spammed Redmond-specific email lists rather than scanning for vulnerabilities directly.

If anyone has any details that were not widely covered in the media, let me know.