Microsoft's Windows Error Reporting service sends billions of crash reports back to the company and its partners each year. The information in these reports is extraordinarily detailed and largely unprotected, according to one vendor, which may create an opportunity for attackers to identify exactly where their targets are vulnerable.
Researchers at San Diego-based application security vendor Websense Inc. have been exploring just what information can be gleaned from Windows Error Reporting. The reporting function, built into each version of Windows since XP, is intended to give Microsoft feedback on application crashes, but late last year German news magazine Der Spiegel reported that the National Security Agency's Tailored Access Operations (TAO) unit may have used the reports as part of its covert targeting efforts.
The revelations, prompted by former NSA contractor Edward Snowden's leaks, indicated that TAO can enter an IP address or other unique identifier for a machine and search through troves of collected Internet traffic for related crash reports, providing what the NSA refers to as passive access to a victim. Such information is then used to implant the U.S. spy agency's malware onto vulnerable targets.
Websense's findings, released today, present a mixed bag for enterprises, according to Alex Watson, Websense's director of security research. While he confirmed that Windows Error Reporting may be misused, it can provide companies with piles of useful data to assist with anomaly detection.
Protecting error reports
After the Der Spiegel report, Microsoft told CBS News that the information included in Windows Error Reporting is limited, but that's not what Websense's research revealed. In fact, the reports offer highly detailed information, including BIOS versions, application versions, browser versions and even whether a smartphone or other device was connected to the machine via USB.
Even worse, unless an organization specifically implements encryption for error reports on its pre-Windows 8 systems, according to Websense, it is likely sending valuable system profile information to Microsoft in clear text. Windows 8 introduced TLS encryption for error reporting, a feature lacking in previous Windows versions.
The reports are currently outside the reach of most attackers, according to Watson, though the NSA and other nation-state hackers likely have the ability to use them.
"The real threat is upstream interception of the reports," Watson said. "So if you're a global organization, do you trust all the ISPs between you and Microsoft?"
Still, as security professionals have seen with the likes of Stuxnet and other sophisticated attacks, the capabilities utilized by cutting-edge nation-state hacking groups are soon being deployed by common cybercriminals. If attackers gain the ability to intercept an organization's Windows Error Reporting data, Watson warned that they could glean the ways in which that organization could easily be compromised, reducing the need for malicious actors to utilize sophisticated attacks in their arsenals.
"That's really all an attacker needs to figure out how to target a network. If you know all the application versions running on a target's network, it's unlikely you'll even need to use a zero-day because you'll probably find a computer running a two-year-old version of Flash that can be compromised," Watson said. "Then attackers can pick an exploit that will work on versions they've seen deployed on the network, but also one with a really low chance of being detected or failing.
"It's a scary scenario when someone has access to that level of detail about your environment," Watson said.
In a statement to SearchSecurity, Microsoft said Windows Error Reporting sends only "limited information" back to the software giant. Microsoft declined to directly address the Websense report.
Improving security through error reports
Watson said that malware, just like any program, is prone to failure, especially because Microsoft has introduced new Windows security technologies such as address space layout randomization that trip up attackers. Such instances trigger crash reports, which he indicated could be used to spot previously unknown attacks through anomaly detection.
With a data set consisting of 16 million crash reports during a four-month span, Websense conducted two case studies to prove such security measures were feasible. In one case, its researchers looked for signs that a known Internet Explorer zero-day exploit, CVE-2013-3893, which was associated with the DeputyDog attack campaign, may have triggered crashes. Using Microsoft's WinDbg debugger, Websense researchers were able to create a "crash fingerprint" based on where the IE exploit is likely to fail when targeting an XP machine.
By applying that fingerprint across the data set, Watson said Websense researchers found multiple matches at a handful of separate organizations, including a major cellular network provider and a U.S. government agency. With that information, Websense used its own security products to look for more context, eventually discovering that H-Worm, a remote access Trojan, was found beaconing traffic back to a command-and-control (C&C) server within 24 hours of those failed compromises.
In a related effort, Websense focused on point-of-sale (POS) crashes, based on recent high-profile attacks on such systems at numerous retailers, including Target and Neiman Marcus. The company searched through crash reports for instances that involved the pos.exe application and possibly involved code injection, which Watson said was likely in cases where the failure occurred "outside of memory space."
Three organizations were found to have the incredibly pervasive Zeus malware beaconing out botnet traffic, Watson said, which would normally not be considered either unusual or an indication of a highly targeted attack. When the traffic was analyzed, however, Websense discovered that the traffic being sent to the server in question was originating solely from wholesale retailers.
Watson believes the Zeus source code, originally leaked on the Internet around two years ago, had likely been modified to target POS systems specifically as part of a previously unreported attack campaign. In both cases, Watson indicated that the affected organizations reported no loss of data because the C&C traffic was spotted by other security products.
Watson admitted it was a "pain" for Websense to figure out how to sort through all the data included in the error reports, which may serve as a barrier for some organizations looking to implement similar processes, but said that organizations utilizing Windows Error Reporting for anomaly detection could see huge benefits.
Specifically, Watson recommended that organizations set up a corporate server to which all crash reports can be directed and collected, utilize the data for anomaly detection efforts and then encrypt the reports, ideally with TLS 1.2, before sending them to Microsoft.
"Instead of starting with a signature for something that you know about," an approach that is increasingly ineffective against targeted attacks, Watson said, "an organization can evolve its security approach to search for things that it doesn't know about yet."