Windows Crash Reports Used to Find Zero-Day Attacks

Windows Error Reporting, or Dr. Watson, can be used to detect advanced exploits targeting organizations by fingerprinting exploit behaviors and correlating those with system or application crashes.

Windows Error Reporting reports, also known as Dr. Watson reports, are Windows crash reports sent by default, unencrypted, to Microsoft, which uses them to fix bugs. The reports are rich with system data that Microsoft also uses to enhance user interaction with its products. Since they are sent in clear text back to Redmond, however, they are also at risk of interception by attackers, who can use the system data to blueprint potential vulnerabilities and ultimately exploit them.

While it may sound far-fetched, a German publication reported in late December that the U.S. National Security Agency was doing just that—using its XKeyscore tool to collect crash reports and target exploits accordingly.

The only mitigation is for Windows administrators to manually opt out of sending crash reports back to Microsoft, something that isn’t happening on a large scale; Microsoft receives billions of these reports from 80 percent of its installed user base.

Security company Websense, in December, urged administrators to be proactive about these reports and use them as a first step in detecting advanced attacks against an organization since exploits generally cause applications to behave abnormally. The company released a report today that demonstrates exactly how to do that and said it was able to find advanced attacks in progress against a major cellular network operator and a Turkish government website. It also threw back the covers on another campaign targeting point-of-sale systems with a variant of the Zeus Trojan built to infect POS devices and backends.

The key is to differentiate between crashes that are indicative of exploits and those that are merely the result of a programming bug. For example, crashes that occur outside the process’s legitimate executable memory could indicate an active exploit attempting remote code execution.

“It goes from a breadcrumb to something interesting,” said Alex Watson, director of security research at Websense.

Watson said his company collected 16 million Dr. Watson reports during a four-month period, looking for system crashes caused by previously unseen exploits against CVE-2013-3893, a use-after-free vulnerability in Internet Explorer 6-11 that was used in the Deputy Dog watering hole attacks against a number of companies in high-profile industries in Asia. Those failed exploit attempts, which crashed the process, enabled Websense to fingerprint the damage an exploit attempt leaves behind.

Of the 16 million reports, five crash reports in four organizations matched the fingerprint Websense built that included memory locations where IE might crash if it were attacked using a CVE-2013-3893 exploit. As it turned out, both organizations were hit by the HWorm remote access Trojan used in targeted attacks. The RAT beaconed from both organizations at the same time as the failed exploit happened, Watson said.
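The two signals described above (a crash at an address that no loaded module covers, and a crash whose module-relative offset matches a fingerprint built from a known exploit), plus the correlation with beaconing from the same host, can be expressed as a small triage script. The following is an added example, not code from the article or from Websense; the record layout, module base addresses, fingerprint offset, hostnames and beacon destinations are all constructed for illustration, and the only real value is the NTSTATUS code for an access violation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# NTSTATUS value Windows reports for an access violation (STATUS_ACCESS_VIOLATION).
STATUS_ACCESS_VIOLATION = 0xC0000005

Module = Tuple[str, int, int]  # (name, base address, size)


@dataclass
class CrashReport:
    host: str
    when: datetime
    app: str
    exception_code: int
    fault_address: int
    modules: List[Module]  # modules loaded in the crashed process, taken from the report


@dataclass
class BeaconEvent:
    host: str
    when: datetime
    dest: str


def module_for(address: int, modules: List[Module]) -> Optional[Module]:
    """Return the loaded module whose range contains address, or None."""
    for mod in modules:
        name, base, size = mod
        if base <= address < base + size:
            return mod
    return None


def classify_crash(report: CrashReport, fingerprints: List[Tuple[str, int]]) -> List[str]:
    """Reasons this crash looks like a failed exploit rather than a plain bug.

    fingerprints are (module name, offset from module base) pairs; offsets are
    used instead of absolute addresses so a match survives ASLR relocation.
    """
    reasons = []
    if report.exception_code != STATUS_ACCESS_VIOLATION:
        return reasons
    mod = module_for(report.fault_address, report.modules)
    if mod is None:
        # Execution faulted at an address no loaded module covers (heap, stack or
        # freed memory), which is where a failed use-after-free or shellcode lands.
        reasons.append("fault address %#x is outside every loaded module" % report.fault_address)
        return reasons
    name, base, _ = mod
    offset = report.fault_address - base
    for fp_module, fp_offset in fingerprints:
        if fp_module.lower() == name.lower() and fp_offset == offset:
            reasons.append("fault at %s+%#x matches exploit fingerprint" % (name, offset))
    return reasons


def correlate(crashes, beacons, window=timedelta(minutes=5)):
    """Pair suspicious crashes with outbound beacons from the same host inside the window."""
    pairs = []
    for crash in crashes:
        for beacon in beacons:
            if beacon.host == crash.host and abs(beacon.when - crash.when) <= window:
                pairs.append((crash.host, beacon.dest))
    return pairs


# Constructed sample data: module bases, sizes, offsets, hostnames and destinations are invented.
IE_MODULES = [("iexplore.exe", 0x00400000, 0x000A0000),
              ("mshtml.dll", 0x6A000000, 0x00C00000)]

# Hypothetical fingerprint: module-relative offset at which a known exploit attempt faults.
FINGERPRINTS = [("mshtml.dll", 0x0012AB34)]

T0 = datetime(2014, 1, 15, 9, 0, 0)
CRASHES = [
    CrashReport("ws-a01", T0, "iexplore.exe", STATUS_ACCESS_VIOLATION, 0x0217F3A0, IE_MODULES),
    CrashReport("ws-b07", T0 + timedelta(hours=1), "iexplore.exe", STATUS_ACCESS_VIOLATION,
                0x6A000000 + 0x0012AB34, IE_MODULES),
    CrashReport("ws-c12", T0 + timedelta(hours=2), "iexplore.exe", STATUS_ACCESS_VIOLATION,
                0x6A000000 + 0x00050000, IE_MODULES),  # ordinary bug inside mshtml
]
BEACONS = [
    BeaconEvent("ws-a01", T0 + timedelta(seconds=40), "c2.example.invalid"),
    BeaconEvent("ws-c12", T0 + timedelta(hours=5), "updates.example.invalid"),
]


def suspicious_crashes(crashes=CRASHES, fingerprints=FINGERPRINTS):
    return [c for c in crashes if classify_crash(c, fingerprints)]


def run(crashes=CRASHES, beacons=BEACONS, fingerprints=FINGERPRINTS):
    flagged = suspicious_crashes(crashes, fingerprints)
    return correlate(flagged, beacons)


if __name__ == "__main__":
    for crash in CRASHES:
        print(crash.host, classify_crash(crash, FINGERPRINTS))
    print("crash+beacon pairs:", run())
```

On the sample data the first crash is flagged because its fault address sits in no module, the second because its offset inside mshtml.dll matches the fingerprint, and the third is left alone as an ordinary bug; only the first host also beaconed within the five-minute window, so it is the one that pairs up the way the article describes. Fingerprinting on module-relative offsets rather than absolute addresses is what keeps the match usable across machines where ASLR has relocated the module.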

“We were able to link the failed exploit attempt to the RAT to get some indicator of common techniques,” Watson said.

Websense said it also collected crash data from point-of-sale applications similar to those compromised in the Target and Neiman Marcus breaches by RAM-scraper malware, which steals credentials and payment card data from the device before it is encrypted and sent to the payment processor. A majority of the crash reports Websense used were from a clothing retailer in the Eastern United States, it said, which was infected with a variant of Zeus that zeroes in on POS devices and applications. Watson said the malware attempted to connect to command and control servers at the same time the applications crashed.

“Most exploits today force applications to behave in a way they’re not supposed to and they end up executing shellcode and things like that,” Watson said. “With Microsoft rolling out advanced stuff like ASLR making it really hard for attackers to successfully execute exploits, there’s a much higher chance they’re going to fail. Once attackers gain a foothold in the network and make it past the perimeter-based security system, there’s a mindset that their content is no longer monitored by IPS systems and you’ll see attackers use the most direct path with exploits toward their target, thinking they’re not going to be monitored. Again, there’s a high chance of crashing applications on the network.”
