Attacks/Breaches
2/19/2014 04:46 PM

Microsoft Windows Crash Reports Reveal New APT, POS Attacks

Researchers discover zero-day attacks after studying the contents of various "Dr. Watson" error reports

You never know what you'll glean from a Windows crash report: security researchers recently unearthed a previously unknown advanced persistent threat campaign as well as a new point-of-sale system attack by perusing and analyzing those crash reports, also known as Dr. Watson reports.


Researchers at Websense -- who recently exposed weaknesses in Microsoft's Windows crash reports that could be abused by attackers or spies -- today released free source code online for enterprises to employ the crash reports for catching potential security breaches in their organizations. The researchers next week at the RSA Conference in San Francisco will release indicators of compromise for the two attack campaigns that can be incorporated into intrusion prevention systems.

Alex Watson, director of security research for Websense, says his team spotted a targeted attack waged against a mobile network provider and a government agency, both outside the U.S., as well as a Zeus-based attack aimed at the point-of-sale system of wholesale retailers. In both cases, the attacks have been suspended and the command-and-control infrastructures disrupted.

"We wanted to prove that we can detect zero-day or unknown [attacks] by a little information in crash reports," Watson says. So he and his team created crash "fingerprints" to filter and search for real-world attack intelligence in Dr. Watson reports.

Watson says the team scoured some 16 million Microsoft Windows Error Report logs over a four-month period, searching for a crash fingerprint that mimics the behavior of the Internet Explorer zero-day exploit used in attacks last year against Taiwanese high-tech equipment makers and Japanese financial institutions, the CVE-2013-3893 memory corruption vulnerability patched by Microsoft in October of last year.

Websense found five crash reports from four different organizations that appeared to indicate exploit attempts – one of which was the mobile network provider, which it would not name. Websense also spotted traffic going to a remote access Trojan typically associated with targeted attacks called Houdini H-Worm. The government agency target was spotted with a machine communicating to the RAT command-and-control during the same period, according to Websense.

The researchers then found crash reports akin to the POS malware used against Target and other retailers, mostly from a large clothing retailer in the Eastern U.S. "This was massively different from a normal Zeus infection. It appears to be a very targeted Zeus just going after the wholesale industry," Watson says. The Windows crashes appear to indicate code injection attempts, he says, and there's no evidence thus far that the attacks are related to Target or Neiman Marcus.

"As far as we can tell, no information was stolen. The command and control was blocked on outbound," he says. "This Zeus-based malware was able to steal credit cards using RAM-scraping."

Good News, Bad News

The bad news is that Microsoft's automated Windows error report feature mostly transmits crash log data unencrypted and in the clear, leaving organizations that use the function vulnerable to targeted attacks, according to Websense Security Labs. The team studied risks posed by some popular applications and services that use Microsoft Windows Error Reporting, which automatically sends to the software giant details of a system crash. The sensitive information in these reports, which includes the make and model of the machine, BIOS version, ID, and applications, can help bad guys and even the National Security Agency profile potential targeted machines and networks.

Wolfgang Kandek, CTO at Qualys, says it's not so simple for bad guys to glean intel from Windows crash reports, however. "I'm not quite sure bad guys can easily get to that information. That would mean intercepting the communication of your machine to Microsoft. Maybe they would be monitoring your router or your firewall," he says. "I'm not sure it would be that easy unless they are already in your network ... and you would have bigger problems" then, he says.

But the good news is that the reports can also be used for good, as Websense found with its fingerprinting method that exposed the previously unknown targeted attack and POS campaign.

[The NSA is reportedly using crash dumps to collect feedback on its attempts to exploit flaws in targeted companies and networks, but crash dumps still remain a successful defensive technology. See How Windows 'Crash Dumps' Aid Defenders.]

The reports absolutely can provide good information to enterprises, as well as to Microsoft, Kandek says. "A certain number of crashes may be normal across your organization ... but if it spikes up, it's worth investigating," Kandek says.
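As an added example (not Websense's released code, and not the real Windows Error Reporting format), the following sketch combines the two ideas from the article: fingerprinting crash reports to match shapes an analyst has tied to exploit attempts, and flagging fingerprints whose daily count spikes above the organization's normal baseline. Record fields, watchlist values and sample crashes are all constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Crash:
    day: str       # report date, YYYY-MM-DD
    host: str      # reporting machine
    app: str       # faulting application
    module: str    # faulting module
    exc_code: int  # NTSTATUS exception code; 0xC0000005 is an access violation
    offset: int    # fault offset inside the faulting module

def fingerprint(c: Crash) -> str:
    """Crash 'shape' independent of host and time: image, module, exception, offset."""
    return f"{c.app.lower()}|{c.module.lower()}|{c.exc_code:08x}|{c.offset:x}"

# Constructed watchlist: a fingerprint an analyst has already tied to an
# exploit attempt. Hypothetical values, not any real exploit's signature.
WATCHLIST = {"iexplore.exe|mshtml.dll|c0000005|1a2b30": "browser memory-corruption exploit attempt"}

def match_watchlist(crashes, watchlist=WATCHLIST):
    """(host, label) pairs for crashes matching a known-bad fingerprint."""
    return sorted({(c.host, watchlist[fingerprint(c)])
                   for c in crashes if fingerprint(c) in watchlist})

def spikes(crashes, day, factor=3.0, min_count=3):
    """Fingerprints whose count on `day` exceeds `factor` x their average daily count before `day`."""
    today, history = Counter(), Counter()
    earlier_days = {c.day for c in crashes if c.day < day}
    for c in crashes:
        if c.day == day:
            today[fingerprint(c)] += 1
        elif c.day < day:
            history[fingerprint(c)] += 1
    flagged = []
    for fp, n in today.items():
        baseline = history[fp] / max(1, len(earlier_days))  # 0 if never seen before
        if n >= min_count and n > factor * baseline:
            flagged.append(fp)
    return sorted(flagged)

# Constructed sample: three quiet days of one routine Word crash each, then a day
# with a burst of crashes in a point-of-sale process plus one watchlisted crash.
SAMPLE = [Crash(f"2014-01-1{d}", "ws-01", "WINWORD.EXE", "wwlib.dll", 0xC0000005, 0x4f0c2)
          for d in (0, 1, 2, 3)]
SAMPLE += [Crash("2014-01-13", f"pos-{i:02d}", "pos.exe", "pos.exe", 0xC0000005, 0x12e4)
           for i in range(4)]
SAMPLE.append(Crash("2014-01-13", "ws-17", "iexplore.exe", "mshtml.dll", 0xC0000005, 0x1a2b30))
```

Running `match_watchlist(SAMPLE)` reports the single watchlisted host, and `spikes(SAMPLE, "2014-01-13")` flags only the point-of-sale fingerprint, since the Word crash stays at its one-per-day baseline.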

The full Websense report is available here (PDF) for download.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
shjacks55, User Rank: Apprentice
3/7/2014 | 9:42:21 AM
re: Microsoft Windows Crash Reports Reveal New APT, POS Attacks
Win7/8 not XP.
kjhiggins, User Rank: Strategist
2/20/2014 | 4:56:46 PM
re: Microsoft Windows Crash Reports Reveal New APT, POS Attacks
Good point, dritchie. I'll add that to the piece. In the meantime, here's the link:

https://github.com/zredlined/d...
dritchie, User Rank: Strategist
2/20/2014 | 3:26:20 PM
re: Microsoft Windows Crash Reports Reveal New APT, POS Attacks
Why is there no link to the "today released free source code online"?