Microsoft's Windows error reporting system Doctor Watson will reveal failed zero-day attack campaigns, security software company Websense has discovered.
The novel approach to detecting new exploits and malware uncovered a failed attack against a large but unidentified government agency and a global telecommunications firm, launched using a previously undiscovered version of Zeus with point-of-sale RAM-scraping capabilities.
Doctor Watson was previously revealed as a source of information to help hackers craft exploits, but researchers have now found it could be used by defenders to detect zero-day attacks. The detection worked because failed exploits generated error messages through the Windows Doctor Watson debugger that were sent unencrypted to Microsoft and could be intercepted.
The reports contained information on a machine's hardware, BIOS version and applications, and were revealed to have helped the National Security Agency in its spying exercises.
Websense security research head Alex Watson and his team discovered the new victims of the so-called Deputy Dog attack campaign after they sifted through 16 million error reports over four months in search of those matching the exploit (CVE-2013-3893) used in the attack. That campaign compromised high-profile organisations in Japan and security firm Bit9.
"[Deputy Dog] contained a link that triggered a use-after-free vulnerability in Internet Explorer. It's a tricky exploit to pull off and there's a chance it would fail," Watson said, speaking from San Francisco ahead of his talk next week at RSA's national conference.
Watson's team found that the government agency and telco were infected with the same uncommon Houdini remote access trojan, which began beaconing to command and control servers at the same time as the Deputy Dog exploit failed.
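The detection logic described above, reduced to its two observable signals, is shown below as an added example; it is not Websense's code and the article gives no detail of their tooling. It takes crash records in the shape a Windows Error Reporting feed might be normalised to, plus proxy or DNS records, and flags hosts where an Internet Explorer access-violation crash is followed within a short window by that host's first-ever contact with a domain outside a known-good list. The record layout, host names, domains, time window and the ten-minute threshold are all constructed assumptions; the exception codes are the real Windows status values for an access violation (0xc0000005) and an illegal instruction (0xc000001d).

```python
"""Correlate browser crash reports with first-seen outbound beacons (added example).

Not Websense's code. All records below are constructed; field layout, host
names, domains and the window size are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed WER-style crash records: (host, timestamp, faulting app, exception code)
CRASH_REPORTS = [
    ("ws-0412", "2013-11-04T09:12:05", "iexplore.exe", "0xc0000005"),  # access violation
    ("ws-0412", "2013-11-04T09:12:41", "iexplore.exe", "0xc0000005"),  # retried, crashed again
    ("ws-0913", "2013-11-04T09:40:10", "winword.exe",  "0xc0000005"),  # not a browser crash
    ("ws-1101", "2013-11-04T10:05:33", "iexplore.exe", "0xc0000005"),
    ("ws-2207", "2013-11-05T14:22:18", "iexplore.exe", "0xc000001d"),  # illegal instruction
]

# Constructed proxy/DNS records: (host, timestamp, destination domain)
NETWORK_EVENTS = [
    ("ws-0412", "2013-11-04T09:13:02", "update.example-cdn.test"),   # first contact, right after crash
    ("ws-0412", "2013-11-04T09:14:00", "update.example-cdn.test"),   # repeat beacon
    ("ws-0913", "2013-11-04T09:41:00", "mail.corp.example"),
    ("ws-1101", "2013-11-04T09:30:00", "update.example-cdn.test"),   # contacted BEFORE the crash
    ("ws-2207", "2013-11-05T14:25:00", "intranet.corp.example"),
]

KNOWN_GOOD = {"mail.corp.example", "intranet.corp.example"}  # assumed allowlist
TARGET_APPS = {"iexplore.exe"}          # processes the exploit under study would crash
ACCESS_VIOLATION = "0xc0000005"          # STATUS_ACCESS_VIOLATION, typical of a failed UAF exploit
WINDOW = timedelta(minutes=10)           # assumed: beacon must start within 10 min of the crash


def parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(crashes=CRASH_REPORTS, events=NETWORK_EVENTS, window=WINDOW):
    """Return {host: [(crash_ts, domain), ...]} for hosts where a targeted-app
    access-violation crash is followed, within `window`, by the host's first
    ever contact with a domain that is not on the allowlist.

    The "first ever" condition is what separates a newly installed implant's
    beacon from ordinary traffic the host was already generating."""
    first_seen = {}
    # ISO-8601 timestamps sort correctly as strings, so sort before taking the first.
    for host, ts, domain in sorted(events, key=lambda e: e[1]):
        first_seen.setdefault((host, domain), parse(ts))

    hits = defaultdict(list)
    for host, ts, app, code in crashes:
        if app not in TARGET_APPS or code != ACCESS_VIOLATION:
            continue
        crash_time = parse(ts)
        for (h, domain), seen in first_seen.items():
            if h != host or domain in KNOWN_GOOD:
                continue
            if crash_time <= seen <= crash_time + window:
                hits[host].append((ts, domain))
    return dict(hits)


def crash_volume_by_host(crashes=CRASH_REPORTS):
    """Count matching crashes per host, to spot a host or site that accounts
    for the lion's share of reports and deserves a closer look."""
    return Counter(
        host for host, _, app, code in crashes
        if app in TARGET_APPS and code == ACCESS_VIOLATION
    )


if __name__ == "__main__":
    for host, evidence in correlate().items():
        print(f"{host}: crash(es) followed by first-seen beacon -> {evidence}")
    print("crash volume:", crash_volume_by_host().most_common())
```

On the constructed data only ws-0412 is flagged: its two browser crashes both precede the first contact with the unknown domain. ws-1101 crashed too, but it had already been talking to that domain beforehand, so the crash is not what introduced the traffic; that ordering check is what keeps the correlation from firing on every unstable browser in the fleet.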
Analysis of the huge cache of error reports led to the discovery of a new version of the infamous Zeus trojan targeting retail and wholesale organisations in the United States. Zeus leads the malware pack in raiding banking transactions.
The nameless variant could steal credit and debit card information from point-of-sale terminals during the brief window in which the normally encrypted data was handled in an unencrypted state.
The capability was also part of the BlackPOS malware thought to be used in the high-profile attack on US Target stores that saw more than 110 million customer records including credit and debit cards breached.
One unnamed large retailer was responsible for the lion's share of crash reports stemming from what Watson said was the Zeus variant targeting its point-of-sale applications.
Attempts to ferry the data to three Eastern European command and control servers dedicated to raids of retailers and wholesalers were unsuccessful.
News in December that unencrypted Windows error reports were a gold mine of information for hackers to craft attacks led Websense researchers to call for Microsoft to lock down and encrypt the messages.
Websense's Watson maintained Microsoft should immediately encrypt the reports, even though doing so would prevent security researchers from uncovering zero-day exploits in this way.
"They should encrypt all of these reports tomorrow," Watson said. "There are a lot of ways we can still leverage the logic."
Watson said the security industry should keep watch for silos of information that may not at first appear to be a "smoking gun" but were helpful indicators of compromise.