Windows error reporting helps researchers uncover attacks

Windows Error Reporting, the program that sends details to Microsoft Corp. each time an application crashes or fails to update, helped researchers find evidence of attacks leveled against an unnamed government agency and a major cellular network provider. That’s according to a report from security solutions provider Websense Inc., released earlier today.

In December 2013, Websense released a white paper explaining how researchers found that Windows Error Reporting (WER) sends details about application crashes in clear text, meaning hackers could intercept that unencrypted data and find weak systems to exploit.

By gaining access to a Microsoft report, a hacker would be able to see specific information about the PC’s installed applications, services, and hardware, as well as all browsers, and USB device and smartphone insertions into the PC. The hacker could then use the information to stage a targeted attack against a victim. That discovery was also linked to the National Security Agency (NSA), with former employee Edward Snowden hinting the NSA was using these reports to reach into its targets’ systems.

While none of that sounds positive, to build on that research, Websense researchers decided to try to see if they could take advantage of what they knew about the error reports to try to find zero-day exploits.

Often, an attacker will try to to trigger an application to perform in an unexpected manner. The application then goes to a section in its memory, which contains code that allows the attacker to gain access to the computer. However, when the attacker fails to do this successfully, the application will crash.

By watching for this pattern, the researchers at Websense recreated their own “crash fingerprint” with a zero-day called CVE-2013-3893, launched against a Windows XP machine. They compared the crash fingerprint to 160 million other Windows Error reports and found some places where attacks might have occurred, as well as new anomalies that suggest there are new zero-day vulnerabilities out there that organizations’ security systems have been unable to block.

For example, there was an exploit attempt on a global telecommunications firm – Websense did not reveal its name – in December 2013. There was also a possible command-and-control attack on a government agency.

“One of the biggest challenges in security today is the persistence of targeted attacks. How many highly publicized attacks were detected quickly? The fact is that most stay on a system for a long time before detection,” wrote Alex Watson, Websense’s director of security research, in a blog post. He was also one of the authors of the white paper.

The other big discovery in Websense’s new white paper was the news there may be a new piece of malware in the wild, one that attacks point-of-sales (POS) systems.

In the last few months, retail giants like Target and Niemen Marcus made headlines, as they suffered data breaches. Those breaches were due to a new kind of malware that specifically attacks POS systems to steal credit card numbers – and something similar may be attacking an unnamed major clothing retailer in the eastern U.S., Websense’s report says.

Websense researchers used application error reports to see if this retailer’s crash logs matched up with a possible code injection of malware into their POS application. They concluded the retailer likely has a new variant of Zeus malware installed, which tried to contact command-and-control servers around the same time as when the POS application reported it was crashing. This is just another example of a targeted attack, Websense researchers said in their paper.

While the attacks against the government agency, cellular network, and retailer have gone unreported until now, Websense wanted to use these examples as a way to warn organizations to be vigilant.

“We wanted to take our research a step further to see if we could create a new method of identifying previously unknown threats,” Watson said in his blog post.

“We hope this research encourages the industry to continue looking beyond analytic and signature-based defenses that are based on expert knowledge of known attacks, and begin integrating advanced anomaly and threat intelligence capabilities.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Candice So
Candice So
Candice is a graduate of Carleton University and has worked in several newsrooms as a freelance reporter and intern, including the Edmonton Journal, the Ottawa Citizen, the Globe and Mail, and the Windsor Star. Candice is a dog lover and a coffee drinker.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs