Windows error reports are spewed out daily from systems and usually ignored by most organizations. But a security vendor says they could also be a signal that an attacker has beaten an organization’s network defences.
The idea is that the reports might indicate changes in network behavior and therefore an additional way to detect attacks, says Alex Watson, director of research at Websense Inc., a maker of Web gateways.
Traditional network anomaly detection looks for patters like a computer in the HR department is sending a lot of file s to a computer in the development environment.
But crash reports have a lot of information that could also be indicators that an attacker is moving through a network, says Watson and not just everyday software problems.
“In addition to the normal security deployment that can tell you about things that you know about, I think it’s important for organizations to start thinking about signals like this. Start with an anomaly and then enrich it with whatever security intelligence you have” could give insight into things most security systems wouldn’t see, he said.
To make it really effective organizations need to share security information around the world – such as the telecom industry suddenly seeing a particular exploit – he said, to put the crash data and other local data into context.
(Download the full report here)
Many exploits work by forcing an application to perform in an unexpected way, he argues, and then getting the application to jump to a section in memory containing code that allows the attacker to compromise the computer. It often fails, though, the app crashes and the result is an error report.
Watson reasoned that if this can be correlated with other exploits across different operating systems and applications, it be a way to both retroactively detect when attacks happened, and detect anomalies indicative of new attacks that have made it past organizations defenses.
He admits that it’s a “bold assertion” that the relatively small information in a standard crash report generated by Windows could be a signal of a zero day attack or an intruder. But after a few test cases using data pulled from Websense customers Watson believes it’s worth pursuing.
He’ll present detailed findings at next week’s RSA conference in San Francisco, but released a report today.
The first test was whether data could detect the known CVE-2013-3893 exploit, used last year in targeted attacks against high tech manufacturers in Taiwan and major financial institutions in Japan.
Using a Windows debugger, Websense created what it calls a “crash fingerprint” of the failed processes from that exploit. For example, the system would crash if Microsoft Office wasn’t on the PC because it’s a target application. Zero day exploits look for specific apps or versions of apps or operating systems, Watson said.
Websense then collected and searched some 16 million crash logs over four months from customer data and found five fingerprint matches in four organizations. One was a government department, another was a cellular carrier.
Next, researchers found evidence of suspicious network activity in the Websense data feeds from its security appliances on the same day as the crashes. There was also evidence that a remote access worm had successfully penetrated one of the four organizations and was signaling a command and control server within a day of a failed exploit.
In essence, Watson acknowledged, that test showed how crash data could find something after an attack based on a known exploit.
To see whether crash data could find a new attack, Websense researchers tried to see if crash reports could be used to warn of unknown malware attacking Windows-based point of sale devices of a retailer, which apparently happened to the Target retail chain recently.
Websense analyzed POS application crash reports apps of a large U.S. clothing retailer. A cluster of the crashes over a few days couldn’t be explained by normal program activity. A software developer may see it as a debugging problem, Watson said, but an IT security staffer should see it as a possible sign of code infection.
At the same time the cluster of crashes was seen Websense also saw in its data feeds evidence of a Zeus exploit targeting retailers, Watson said. That led it to warn the customer something was going on, possibly a variety of Zeus with a RAM scraping capability.
“When you put all these indicators together you can reach a conclusion I don’t think we would have reached with any one,” Watson said.
Watson next wants to look crash reports from other sources such as SCADA networks, as well as particular industry sectors.
