Websense Finds Cyber-Crime Evidence by Analyzing Network Crash Data

Combining Windows error reports with application data, Websense analyzed crash patterns to find a previously unknown cyber-crime campaign targeting retailers.

A research project aimed at detecting cyber-attacks by analyzing the application crash data has borne fruit.

The technique, which uses the crash dumps created by the Windows operating system, helped unveil a cyber-crime campaign that targeted retailers, researchers from security firm Websense said on Feb. 19.

Using the information created and submitted by Microsoft's Windows Error Reporting tool, also known as "Dr. Watson," researchers at Websense discovered that certain anomalous patterns are signs that an attacker is trying to exploit a vulnerability and inadvertently caused an application to crash, Alex Watson, director of security research at Websense, told eWEEK.

"Instead of trying to identify a specific attack, we look for indicators that could be a sign of attacker activity," Watson said. "When we combine it with other intelligence, we get a picture of a possible campaign."

Application crashes are an all-too-frequent annoyance for computer users and developers alike. Yet security researchers view an application crash as a signal that a vulnerability exists in the software—a vulnerability that could be exploited to compromise the computer system. The technique gained widespread attention when documents leaked from the National Security Agency by former contractor Edward Snowden indicated that intelligence analysts had used the crash reports to identify applications that could potentially be exploited.

After confirming that the technique could be used to identify attack pathways, Websense collected crash reports from point-of-sale applications and created an attack fingerprint from the data. The information, combined with other telemetry, helped pinpoint an attack using Zeus malware at an East Coast retailer that happened over a three-day period, Watson said. Looking more widely, the company identified other retailers exhibiting the same signs of infection.

"When we took all the information together, we saw companies in a single industry, which is the wholesale/retail sector, that were all communicating out to the same command-and-control servers," he said. "So we are likely looking at a new variant of Zeus that is targeting point-of-sale systems."

Websense is not the first company to collect crash data to detect potential attacks on computer systems. Leviathan Security, a security technology and consulting company, has been using a similar technique to detect advanced and targeted malware that would likely escape other detection mechanisms.

Initial Windows error reports are unencrypted and contain information on the applications, services and hardware of a system following a crash. An attacker could use the information to gain insight into a company's environment, while a defender can use the information to find anomalous crashes that may be a sign that an attacker is attempting to exploit a system.

Websense plans to expand the system to gather crash reports from other operating systems and other types of devices. Industrial control systems, such as supervisory control and data acquisition (SCADA) networks, and financial networks would likely benefit from the techniques, Watson said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...