
Microsoft Israel R&D Center is one of the biggest Microsoft sites outside Redmond. It hosts a lot of projects; for example, the Forefront Threat Management Gateway and the Zune media player were developed there.
I was working on a project that was initially developed under Microsoft Forefront Threat Management Gateway and was later transferred to become part of Windows Defender. It was included in the Windows 7 networking stack.
Work Experience
- Started in 2009, finished in 2010.
- Position: Student Software Engineer.
My accomplishments
I was working in the group that was implementing the Generic Application-Level Protocol Analyzer. Essentially, we were analyzing all the incoming and outgoing traffic, parsing the packets, checking the data inside, applying a template, and in case of a positive match the code was performing the task associated with the template. The task could be anything: dropping the packet altogether, altering the header (e.g. redirecting it to the security team), altering the payload (e.g. replacing some words in the text message), dumping the packet into a file for sending it later for antivirus analysis, sampling the following packets in order to capture the full conversation, etc. We could change the QoS of the packets, allowing the web to be surfed at full speed, but making audio or video calls unstable due to low connection quality. We could prevent downloads of specific files, or disable any file transfers. We could parse IM text messages and, if the words "manager" and "idiot" were encountered in the same message, we could forward the whole conversation to the mentioned manager. There are no limits to what can be done when you're working inside the OS at the networking subsystem level.
The main task, of course, was malware prevention. We could stop Blaster before it had any chance to infect the OS. Actually, my team stopped the SMB2 packet of death on the second day after it was discovered. (Propagation of the fix through Windows Update took some time, though.)
One of the things I created was a tool to compare two Windows Defender Definitions files. The Windows Defender Definitions file is encrypted, and the encryption algorithm is kept secret, because otherwise a hacker could pose their server as a Windows Update server, upload an altered Windows Defender Definitions file there, and with the abilities of the GAPA tool that I outlined above the hacker could basically access all traffic of the unsuspecting victim and use it to harm the victim. (Imagine getting access to nude photos of an employee being sent in a private chat and then blackmailing this employee.) Therefore, I didn't have access to the encryption algorithm. Nevertheless, I succeeded in capturing the list of items included in the Definitions file, and provided a nice table that shows which items are present in both files and which items are present in only one of them.
I parsed the DNS protocol and created a rule that prevented the abuse of DNS packets for circumventing security restrictions. DNS packets are used for determining the IP address of a server according to its name. But it is possible to add comments to DNS packets and DNS responses. By adding a payload to the comment field of the DNS packets and specifying a DNS server that supports parsing this payload, and adding another payload to the DNS responses, someone could send and receive any data they would like to, including browsing forbidden sites and transferring forbidden information into and out of a protected network. Of course, that requires the DNS server to be located outside of the protected network, but the protected networks' firewalls rarely check DNS packets, because it's assumed they carry no comments.
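A detection-side illustration of the tunnelling pattern described above, added here as an example and not the original rule or any Microsoft code: it scans a constructed DNS log for three signs that data is being smuggled through query names and answers. It assumes the "comments" above correspond to TXT records, and the log format, host names and thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic): time, client, record type, queried name, answer bytes
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com 4
10:00:02 10.0.0.5 TXT _dmarc.example.com 60
10:00:03 10.0.0.7 TXT 4a6f686e2e6b6579.zxq9.tunnel.example 250
10:00:04 10.0.0.7 TXT 9f8e7d6c5b4a3210.k1m2.tunnel.example 255
10:00:05 10.0.0.7 TXT aab3cc4dd5ee6ff7.p8q9.tunnel.example 248
10:00:06 10.0.0.5 AAAA www.example.com 16
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score high, ordinary host names score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Approximate the registered domain as the last two labels; the rest is sender-controlled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_log(text, min_sub_len=20, min_entropy=3.0, max_txt_bytes=200, max_names=3):
    """Return the names and (client, domain) pairs that match three tunnelling heuristics."""
    encoded, large_txt = [], []
    names_seen = defaultdict(set)
    for line in text.splitlines():
        _, client, qtype, qname, answer_bytes = line.split()
        sub, domain = split_name(qname)
        # 1. long, high-entropy subdomain: data carried outbound in the query name
        if len(sub) >= min_sub_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            encoded.append(qname)
        # 2. oversized TXT answer: data carried inbound in the response
        if qtype == "TXT" and int(answer_bytes) > max_txt_bytes:
            large_txt.append(qname)
        names_seen[(client, domain)].add(qname)
    # 3. one client resolving many unique names under a single domain
    many = [(c, d, len(n)) for (c, d), n in sorted(names_seen.items()) if len(n) >= max_names]
    return {"encoded_subdomain": encoded, "large_txt_answer": large_txt, "many_subdomains": many}

if __name__ == "__main__":
    for rule, hits in analyze_dns_log(SAMPLE_LOG).items():
        print(rule, hits)
```

The thresholds are deliberately loose; a production rule would tune them per domain and whitelist legitimate TXT users such as DMARC and SPF lookups.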
I also documented the legacy code, using nice UML diagrams.
After a year of my work at Microsoft, this project was finally transferred from the Forefront TMG server department to the Windows Defender department, and all of our work was transferred to Redmond. The group in the Israel R&D Center was disbanded. Some of my coworkers relocated to the USA to work on Office for Windows Mobile, some joined other projects, and I decided to leave.