Websense Uses Microsoft Error Reporting Program To Uncover New Attacks

Security researchers at Websense have developed a method to use Windows crash information to uncover malware infections and failed attack attempts that until now have gone undetected. The company said its research team has uncovered targeted attacks against point-of-sale systems at retailers and a threat against a government organization and a global telecommunications firm.

"Microsoft has built in ways that result in program crashes when attackers have a failed attack attempt," said Alex Watson, director of security research at Websense, San Diego. "These crash reports happen in the billions every year to find and prioritize bug fixes; we're using this data to detect attack activity or exploits that have failed."

Websense late last year reported that Microsoft's Dr. Watson, the Windows Error Reporting component that gathers information about the computer when a program crashes, sends that information to Microsoft in clear text, potentially exposing system details to an attacker positioned on the network.


Rather than using the information nefariously, Websense researchers are using the reports to detect zero-day exploits in the wild. The company created a method to identify unknown threats and determine the extent of attacks against organizations, which involves analyzing patterns of crashes caused by malware and by exploit attempts that failed.

Watson will present additional findings at the 2014 RSA Conference in San Francisco. Websense Wednesday released a detailed report (.PDF) of the findings and methods to enable organizations to conduct their own analysis. The firm also publicly released details on how to incorporate threat indicators derived from crash data into security information and event management (SIEM) tools.

"People need to start better understanding anomalies provided by their security infrastructure because it's not always going to be a smoking gun. This is subtle information that provides clues to previously unseen attacks," Watson told CRN. "Once you know where it started, you can fill in the gaps from other existing systems to build a complete picture of an attack that you never knew existed in the first place."

Watson said the reports contain information that can serve as risk indicators of ongoing attacks. Each crash report includes details about applications, services and hardware: a machine identifier, the operating system on the PC and the specific update and Service Pack level it is running, BIOS information, and browser data including which browsers are present and their extensions and plug-ins.

The program also lists every application installed on the PC and keeps a log of failed application updates, USB device and smartphone connections and sometimes TCP timeouts between computers on the network.


Over four months, the Websense researchers collected 16 million crash reports. They then built a fingerprint of a failed zero-day exploit attempt against Internet Explorer and searched the reports for it, finding five matches across four organizations.
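The fingerprint-and-search step above, and the SIEM hand-off described earlier, can be reproduced on a small scale from the Windows Error Reporting events an endpoint already writes to its Application log. The following is an added example, not Websense's tooling or the method in its report. It parses the WER event ID 1001 "Problem signature" layout (fields P1 to P10, of which P1 is the application, P4 the faulting module, P7 the exception code and P8 the fault offset for an APPCRASH), builds a crash fingerprint from those four fields, and raises alerts on three signals: a match against a known fingerprint, a memory-safety exception code in a client program that exploits commonly target, and the same crash recurring across several hosts. The sample events are constructed, the `CLIENT_TARGETS` list is an assumption to tune per estate, and the `KNOWN_BAD` entry is a hypothetical stand-in, not a real exploit signature.

```python
"""Flag WER crash records that look like failed exploit attempts.

Added example; not Websense's tooling. The record layout follows the
Windows Error Reporting event ID 1001 "Problem signature" (P1..P10) as
written to the Application log; the events below are constructed, and
the KNOWN_BAD fingerprint is a hypothetical stand-in, not a real
exploit signature.
"""
import json
import re
from collections import defaultdict

# NTSTATUS codes that a misfiring exploit commonly dies with.
SUSPICIOUS_EXCEPTIONS = {
    "c0000005": "STATUS_ACCESS_VIOLATION",       # bad shellcode/ROP address
    "c0000409": "STATUS_STACK_BUFFER_OVERRUN",   # /GS cookie check failed
    "c0000374": "STATUS_HEAP_CORRUPTION",        # heap metadata check failed
    "c00000fd": "STATUS_STACK_OVERFLOW",
}

# Client-side programs exploit kits aim at (assumption: tune to your estate).
CLIENT_TARGETS = {"iexplore.exe", "acrord32.exe", "winword.exe", "javaw.exe"}

# (app, faulting module, exception code, fault offset) -> label.
# Hypothetical fingerprint for illustration only.
KNOWN_BAD = {
    ("iexplore.exe", "mshtml.dll", "c0000005", "00000000001f3a4b"):
        "HYPOTHETICAL-IE-EXPLOIT-1",
}

SIG_RE = re.compile(r"^P(\d+):[ \t]*(.*?)[ \t]*$", re.M)
NAME_RE = re.compile(r"^Event Name:[ \t]*(\S+)", re.M)


def parse_wer_1001(body):
    """Return the event name and P1..P10 fields of a WER 1001 event body."""
    sig = {"P" + n: v for n, v in SIG_RE.findall(body)}
    m = NAME_RE.search(body)
    sig["event_name"] = m.group(1) if m else ""
    return sig


def fingerprint(sig):
    """APPCRASH signature: (app, faulting module, exception code, fault offset)."""
    return tuple(sig.get(k, "").lower() for k in ("P1", "P4", "P7", "P8"))


def analyse(records, min_hosts=2):
    """records: iterable of (hostname, event_body). Returns a list of alerts."""
    alerts, hosts_by_fp, seen = [], defaultdict(set), []
    for host, body in records:
        sig = parse_wer_1001(body)
        if sig["event_name"] != "APPCRASH":   # APPHANG/BEX use other layouts
            continue
        fp = fingerprint(sig)
        hosts_by_fp[fp].add(host)
        seen.append((host, fp))
    for host, fp in seen:
        app, _module, exc, _offset = fp
        if fp in KNOWN_BAD:
            alerts.append(_alert(host, fp, "known_failed_exploit_fingerprint", KNOWN_BAD[fp]))
        elif app in CLIENT_TARGETS and exc in SUSPICIOUS_EXCEPTIONS:
            alerts.append(_alert(host, fp, "suspicious_exception_in_client_app",
                                 SUSPICIOUS_EXCEPTIONS[exc]))
    # One unexplained crash is noise; the same one on several hosts is a campaign.
    for fp, hosts in hosts_by_fp.items():
        if fp[0] in CLIENT_TARGETS and len(hosts) >= min_hosts:
            alerts.append(_alert(sorted(hosts), fp, "same_crash_on_multiple_hosts",
                                 "%d hosts" % len(hosts)))
    return alerts


def _alert(host, fp, reason, detail):
    return {"host": host, "app": fp[0], "module": fp[1], "exception": fp[2],
            "offset": fp[3], "reason": reason, "detail": detail}


def to_siem_lines(alerts):
    """Serialise alerts as JSON lines for a SIEM or syslog collector."""
    return [json.dumps(dict(a, source="wer_crash_analysis"), sort_keys=True) for a in alerts]


def _event(app, module, exc, offset, name="APPCRASH"):
    """Build a constructed WER 1001 body in the Application-log layout."""
    return ("Fault bucket , type 0\nEvent Name: %s\nResponse: Not available\n"
            "Cab Id: 0\n\nProblem signature:\nP1: %s\nP2: 11.0.9600.16428\n"
            "P3: 5265e0e9\nP4: %s\nP5: 11.0.9600.16428\nP6: 5265e3c0\n"
            "P7: %s\nP8: %s\nP9: \nP10: \n" % (name, app, module, exc, offset))


# Constructed sample: two hosts with the hypothetical IE fingerprint, one /GS
# failure in IE, one benign C++ exception in IE, one Notepad crash.
SAMPLE_EVENTS = [
    ("WS-01", _event("iexplore.exe", "mshtml.dll", "c0000005", "00000000001f3a4b")),
    ("WS-07", _event("iexplore.exe", "mshtml.dll", "c0000005", "00000000001f3a4b")),
    ("WS-02", _event("iexplore.exe", "ntdll.dll", "c0000409", "0000000000071b4c")),
    ("WS-03", _event("iexplore.exe", "KERNELBASE.dll", "e06d7363", "000000000000c41f")),
    ("WS-04", _event("notepad.exe", "notepad.exe", "c0000005", "0000000000012aa0")),
]

if __name__ == "__main__":
    for line in to_siem_lines(analyse(SAMPLE_EVENTS)):
        print(line)
```

Run against the constructed sample, the two WS-01/WS-07 events match the hypothetical fingerprint and also trigger the multi-host rule, the WS-02 stack-cookie failure in Internet Explorer is flagged on the exception code alone, and the C++ exception in Internet Explorer and the Notepad crash produce nothing. In production the same rules would run over 1001 events forwarded by Windows Event Forwarding or an endpoint agent, with the host name taken from the event's Computer field rather than supplied alongside the body as it is here.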

The attacks on those four organizations, all targets in Japan, are attributed to a cybercriminal group believed to be the same one behind last year's Bit9 breach. Websense's research indicates the targeting is broader: in December it uncovered an attempt to use the same exploit against a global telecommunications firm.

Websense also detected and blocked other malware used by the group, including the Houdini worm, a remote access Trojan associated with targeted attacks. In addition to the global telecommunications firm, Websense said it detected an attack on a government organization.

Websense also identified a campaign against point-of-sale systems that uses malware designed to scrape the memory of payment transaction systems to steal credit card numbers, credentials and customer billing information. The company said the Dr. Watson crash reports it examined came from a large clothing retailer in the Eastern U.S. and appear to be part of a wave of infections targeting the retail industry with variants of the Zeus malware family.

"The three command-and-control servers that we have observed do not appear to be part of a typical Zeus-based mass-malware infection, but targeted specifically at the wholesale/retailer industry," Websense said in its report. "We believe that these results indicate that malware based on the leaked Zeus and RAM-scraping code is actively targeting point-of-sale terminals to steal customer credit card data."

Solution providers told CRN that Websense, which named former RSA executive Shawn Pearson as its new vice president of worldwide channel sales in August, is responding to a growing need for new threat detection capabilities that can identify sophisticated attacks. The company's research and development arm has developed new capabilities for its line of appliances that go beyond typical features in Web security gateways, they said.

Customers are taking a serious look at being more proactive to security threats, said Paul Radtke, vice president of technology at TSR Solutions, a Germantown, Wis.-based Websense partner. Radtke said TSR Solutions has been conducting more penetration tests for clients to help them reduce vulnerabilities and configuration weaknesses that open up holes.

"Security seems to be getting more and more on the minds of business owners every day," Radtke said. "It's gone beyond compliance because there seems to be new threats in the news all the time."