Tuesday, June 19, 2012

Researcher: CIA, NSA may have infiltrated Microsoft to write malware
ITWorld, by Kevin Fogarty. Did spies posing as Microsofties write malware in Redmond?
A leading security researcher has suggested Microsoft's core Windows and application development programming teams have been infiltrated by covert programmer/operatives from U.S. intelligence agencies. If it were true it would be another exciting twist to the stories of international espionage, sabotage and murder that surround Stuxnet, Duqu and Flame, the most successful cyberwar weapons deployed so far, with the possible exception of Windows itself.
Nevertheless, according to Mikko Hypponen, chief research officer of antivirus and security software vendor F-Secure, the scenario that would make it simplest for programmers employed by U.S. intelligence agencies to create the Stuxnet, Duqu and Flame viruses and compromise Microsoft protocols to the extent they could disguise downloads to Flame as patches through Windows Update is that Microsoft has been infiltrated by members of the U.S. intelligence community. 
After studying the code for Duqu, security researchers at Kaspersky Labs said the malware was most similar to the kind of work done by old-school programmers able to write code for more than one platform at a time, do good quality control to make sure the modules were able to install themselves and update in real time, and that the command-and-control components had been re-used from previous editions.
Having programmers, spies and spy-supervisors from the NSA, CIA or other secret government agencies infiltrate Microsoft in order to turn its technology to their own evil uses (rather than Microsoft's) is the kind of premise that would get any writer thrown out of a movie producer's office for pitching an idea that would put the audience to sleep halfway through the first act.
Not only is it unlikely, the "action" most likely to take place on the Microsoft campus would be the kind with lots of tense, acronymically dense debates in beige conference rooms and bland corporate offices.
Earlier this month the NYT ran a story detailing two years' worth of investigations during which a range of U.S. officials, including, eventually, President Obama, confirmed the U.S. had been involved in writing the Stuxnet and Flame malware and siccing them on Iran.
That's far from conclusive proof that the NSA has moved its nonexistent offices to Redmond, Wash. It doesn't rule it out either, however.
Very few malware writers are able to write such clean code that can install on a variety of hardware systems, assess their new environments and download the modules they need to successfully compromise a new network, Kaspersky researchers said.
Stuxnet and Flame are able to do all these things and to get their own updates through Windows Update using a faked Windows Update security certificate. No other malware writer, hacker or end user has been able to do that before.
Knowing it happened this time makes it more apparent that the malware writers know what they are doing and know Microsoft code inside and out.
Even in his own blog, Hypponen makes fun of those who make fun of Flame as ineffective and unremarkable, but doesn't actually suggest moles at Microsoft are to

In the end it doesn't really matter. The faked certificates and ride-along on Windows Update demonstrate the malware writers have compromised the core software development operations at Microsoft.

They don't have to live there to do it; virtual compromise on the code itself would do the job more effectively than putting warm-bodied programmers in the middle of highly competitive, highly intelligent, socially awkward Microsofties with a habit of asking the wrong question and insisting on an answer. The risk of having any such infiltration discovered is far too high to expose the cyberwar version of Seal Team Six to the perils of Redmond. Still, the assumption seems to be true metaphorically, if not physically, so it's safer to assume Microsoft and its software have both been compromised. Given the track record of Stuxnet, Duqu and Flame for compromising everything they're aimed at, that assumption isn't even much of a stretch.

Read the full story here.
