This story was printed from ZDNet Australia.

New account of Microsoft hack-in

By ZDNet News
November 01, 2000
URL: http://www.zdnet.com.au/news/security/soa/New-account-of-Microsoft-hack-in/0,130061744,120106623,00.htm


The intrepid intruder may have gained access through an employee's home machine, Microsoft says in a report just released.

The intruder who broke into Microsoft's internal network may have done so through an employee's home machine connected to the network, Microsoft officials told the New York Times. In a report published Sunday, the software company's corporate security officer also told the Times that the break-in was first noticed when irregular new accounts began appearing more than a week ago.

Microsoft acknowledged on Friday that its security had been breached and that outsiders using a "Trojan horse" virus had gotten a look at -- but did not corrupt -- a valuable software blueprint, or "source code," for a computer program under development. (MSNBC is a Microsoft-NBC joint venture.)

Contrary to earlier reports and information that Microsoft itself had provided, the episode spanned only one week, not six, the Times reported. Howard Schmidt, the company's corporate security officer, told the Times on Saturday that the confusion stemmed from initial uncertainty over whether routine virus incidents in September were related. They had now "definitively" ruled out any connection, he said.

Microsoft security staff monitored the intruder for two days as he or she created new network accounts. It was during that time that the intruder came across the source code for the computer program under development.

Microsoft officials declined to discuss in detail with the Times the method used, but said the intruder did not directly attack the software company's computer networks. But in describing one possible chain of events, they said the intruder entered through an employee's home machine, which was connected to the company's network.

Schmidt told the Times his staff first noticed the problem on October 17, when they noticed new accounts "being created that did not match our normal audit logs." Schmidt and his staff then monitored the intruder for two days as he or she created new accounts with varying degrees of access to the network. It was during that time, Microsoft said, that the intruder came across the source code for the computer program under development. Microsoft said it was not part of the company's core products.

At first Microsoft decided simply to deny access to the trespasser, and shut down the new accounts on Oct. 20, a Friday, Schmidt said. But the intruder returned on Monday through the same route and created more accounts. On Tuesday, Schmidt told the Times, the company shut down all the new accounts and alerted law enforcement officials on Wednesday. The attack is currently being investigated by the FBI.

The Wall Street Journal, which first reported the attack on Friday, said Microsoft security personnel discovered the break-ins after detecting passwords being sent to an e-mail account in St. Petersburg, Russia. Russia is known as a haven for criminal hackers who, among other exploits, have been fingered for stealing millions of dollars from banking networks. There was no mention of a Russian connection in the Times' story Sunday.

The Journal also reported that electronic logs showed that the internal passwords had been used to transfer source code outside Microsoft's Redmond headquarters. Schmidt denied that in his account to the Times, saying there was no such record of a transfer and that it was highly unlikely the intruder did more than get a brief look at the code.

Well-traveled worm

A person familiar with the break-in told The Journal that it appeared the hackers accessed Microsoft's system by e-mailing software, called QAZ.trojan, to the company's network and then opening a so-called back door through the infected computer. The account given by Microsoft officials to the Times also cited the use of QAZ.trojan.

Computer security experts said QAZ was a well-known worm virus that first surfaced in China several months ago. Major anti-virus software makers updated their programs to identify QAZ by mid-July, raising the question of whether a Microsoft employee disabled the anti-virus software and then inadvertently let the Trojan horse get through.

"This is very worrying (that Microsoft has been hit), because we have had detection for it for three months, and we regard it only a medium threat" rather than a new, high-risk virus, said Raimond Genes of the Japan-based computer security company Trend Micro.

Microsoft spokesman Rick Miller said the company was investigating how the hackers were able to gain access to its computer network, an act he termed "a deplorable act of industrial espionage."

Another company spokesman, Matt Pilla, said the company was "taking some very aggressive steps" to secure its network in light of the intrusion.
