Websense Uses Microsoft Error Reporting Program To Uncover New Attacks


Security researchers at Websense have developed a method to use Windows crash information to uncover malware infections and failed attack attempts that until now have gone undetected. The company said its research team has uncovered targeted attacks against point-of-sale systems at retailers and a threat against a government organization and a global telecommunications firm.

"Microsoft has built in ways that result in program crashes when attackers have a failed attack attempt," said Alex Watson, director of security research at Websense, San Diego. "These crash reports happen in the billions every year to find and prioritize bug fixes; we're using this data to detect attack activity or exploits that have failed."

Websense late last year reported that Microsoft's Dr. Watson, a program error debugger that gathers information about the computer when an error occurs, sends information to Microsoft in clear-text, potentially exposing system information and other details to an attacker.

[Related: Attacks Linked To China APT Supplier Target Channel Providers: Study]

Rather than using the information nefariously, Websense researchers are using the reports to detect zero-day exploits in the wild. The company created a method to identify unknown threats and determine the extent of attacks against organizations, which involves analyzing patterns of crashes resulting from malware.

Watson will be presenting additional findings at a presentation at the 2014 RSA Conference in San Francisco. Websense Wednesday released a detailed report (.PDF) of the findings and methods to enable organizations to conduct their own analysis. The firm also publicly released details into how to incorporate threat indicators from crash data into security information event management tools.

"People need to start better understanding anomalies provided by their security infrastructure because it's not always going to be a smoking gun. This is subtle information that provide clues to previously unseen attacks," Watson told CRN. "Once you know where it started, you can fill in the gaps from other existing systems to build a complete picture of an attack that you never knew existed in the first place."

Watson said the program provides information that can be used to provide risk indicators of ongoing attacks. The crash reports include information about applications, services and hardware, including the specific machine ID operating system on each PC and the specific update and Service Pack level the system is running. In addition, it provides BIOS information and browser data, including the specific browsers running and their extensions and plugins.

The program also lists every application installed on the PC and keeps a log of failed application updates, USB device and smartphone connections and sometimes TCP timeouts between computers on the network. 

NEXT: Websense Uncovers Previously Unseen Attacks Using Crash Analysis Method