Windows Error Reporting used to discover new attacks

Posted by   Virus Bulletin on   Feb 19, 2014

No excuse for sending error reports in cleartext.

All happy programs are the same. But each unhappy program crashes in its own way.

In a report published yesterday, security firm Websense has shown how Windows Error Reporting can be used to detect hitherto unknown attacks.

Windows Error Reporting was introduced by Microsoft with Windows XP. It sends information on program crashes, and the system on which they occurred, to Microsoft's servers. This information is then used to identify and prioritise bug fixes.

Exploits tend to work by forcing applications to run in unintended ways and, unsurprisingly, many exploits merely cause the targeted application to crash. Reports on such crashes carry unique fingerprints and these can be used to discover new attacks, Websense says.

The report shows how the company used reports on failed CVE-2013-3893 (a use-after-free vulnerability in Internet Explorer 6 through 11, discovered last year) exploit attempts to find a number of new targeted attacks, including one on a mobile network operator. The same technique was also used to discover how a variant of the Zeus trojan with RAM-scraping capability was used to target point-of-sale devices.

The use of error reports to detect attacks is only one half of the story, though. Websense writes: "Unfortunately, hackers can access these reports because they usually are sent in unencrypted, cleartext format."

This isn't merely a theoretical possibility. In December, we learned that the NSA uses such information "to gather detailed information and better exploit your system," as it wrote in a mock-up of a Windows error message. It is well possible that other agencies use the same technique.

There really is no good reason why such information should be sent out in cleartext. It is great when error reports, sent with the explicit permission of the system's administrator, are used to harden systems and discover attacks. But it isn't anyone else's business how and why your system crashes.

Have you discovered new attacks by using Windows error reports? Or have you found how information sent by such reports can use used against the system? Why not submit an abstract for VB2014, which takes place 24-26 September 2014 in Seattle. 'Malware & botnets' and 'Hacking & vulnerabilities' are two of the six themed sessions for this conference. The deadline for submissions is 7 March 2014.

Posted on 19 February 2014 by Martijn Grooten

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

VB2019 call for papers closes this weekend

The call for papers for VB2019 closes on 17 March, and while we've already received many great submissions, we still want more!

Registration open for VB2019 ─ book your ticket now!

Registration for VB2019, the 29th Virus Bulletin International Conference, is now open, with an early bird rate available until 1 July.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.