Many Hackers Accidentally Send Their Code To Microsoft
joshgnosis writes "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'"
When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.
I understand how this would be able to hand you their script or interpreted file, but all the compiled byte code in the utilities they use would do you little good unless you were extremely patient. I don't know what percentage of exploits exist in the way scripts are interpreted (unless we're talking Internet Explorer), but I always assumed the really good and juicy exploits are those compiled down -- you know, like a fake DLL that needs to be placed in the system path.
Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.
Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?
One thing's for sure: I hope Microsoft is bright enough to log everything they get so that when an exploit is found in the wild sans source code they can do a Hamming distance or some such analysis on it to pin down its origin and also look at the deltas to figure out what the developer was changing between releases so they can better understand the exploit.
My work here is dung.
They're not necessarily all trying to be malicious. For a lot of people, learning to code requires hands-on experience, and if hacking is their interest and primary motivator to improve their coding skills, what better target to experiment on than one of the most hated software companies in all the lands?
Fucking script kiddies...in MY day, we actually HACKED.
Wait, I was born in '84...
Living With a Nerd
'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com.
Ahem.. yes... sure... I attack Microsoft machines only by accident... sorry, didn't see what I was writing in the URL... not that I *want* to fsck with my beloved MS servers... no way, ahem...
kk, now I'm gonna go back to try installing sub-seven to wga.microsoft.com
Ubuntu is an African word meaning 'I can't configure Debian'
Maybe their servers run Linux?
Real hackers don't use windows...
An application that generates random gibberish that "look" like a script, then sends it embedded in a fake crash dump to Microsoft for analysis.
"Fuzzing" isn't limited to code on the local machine any more - you can now try it on Microsoft employees.
Then add further fake crash dumps from legitimate apps that didn't crash; enough of them, from enough machines, and Microsoft will be looking for non-existent bugs.
Most likely the majority of those are simple denial of service attacks.
Jesus had a UNIX beard.
"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman.
So, even if someone steals a copy of the exam for them, Microsoft still can't pass the test? :)
why don't they respond quicker?
What makes you think that any of those 7k script kiddie attacks on MS's public-facing web presence actually show with anything the least bit new?
Don't disappoint your bird dog. Go to the range.
I'm guessing it's because the real "hackers" don't accidentally click the send button.
I find it sad in a way that the same exploits (SQL injection, etc.) are still the same old standbys. This is something MS really can't do anything about because it is the app developers who have to sanitize their inputs and use parameterized queries.
Microsoft is doing a good job in trying to make the Windows ecosystem as secure as possible. But what keeps MS from doing so in a lot of cases are third party programmers who write code that crashes if DEP is turned on, won't bother with ASLR, and prompts the user for elevated access often. At least the last part is gone somewhat, although developers screamed bloody murder that they can't assume every user has Administrator rights.
Windows is the only platform I know of where developers don't care about it other than to make money from it. On Linux, OS X, iOS, AIX, and other platforms, software makers refuse to shit where they sleep and they make sure that their code is decently secure and well written.
From the summary
On average we get attacked between 7000 and 9000 times per second
If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?
In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system? That's like saying submitting an angry letter to the editor of your newspaper exposes the fact that one of the side windows on your house doesn't close properly.
Malware is one thing, but how often have competitors made this mistake when developing their products? Is it anti-competitive if Microsoft analyzes competing products that are accidentally sent to them during their development? Would it be practical as a form of corporate espionage?
I know you're jesting, but aside from their download/msdn sections sometimes being hosted by a third party who actually does run Linux, Microsoft.com for the most part runs on IIS. Not only that, but it's actually hosted on SharePoint.
Many crackers accidentally send their code to Microsoft.
There, fixed that for you.
--
Did I just say that?
Did I just say that??
People actually hit the 'send' button? I always hit 'don't send', even if it is a Microsoft product. The "solutions" they give are almost always generic enough to be completely useless. It's not worth the time to look at them.
On average we get attacked between 7000 and 9000 times per second
If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?
In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system?
If you read the start of the summary:
When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft
So the attack they are describing is actually the malware crap that is being sent in after Windows crashes. Hence we aren't actually talking about www.microsoft.com being attacked - although one might expect that to be running Windows Server anyway - rather we're talking about random workstations around the world being attacked or used as guinea pigs.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
What a fucking annoying website. You click the link, and you get a nearly blank page (thanks adblock). There is a link to continue to the article, but I figure it won't work as I reject all cookies. So I change my user agent to be the Google bot, and the page loads fine.
Oh well, best inform Google that ZDNet is serving different content to the Google bot than Firefox. I think they de-list sites that do shit like that!
And now once the site has loaded, I see they have used position:fixed to keep some box in people's faces. I'm sorry, but the use of position:fixed to display stuff prominently is about as annoying as pop-up windows full of adverts. And the box is trying to get people to join their site, and a link to twitter. So the content of the pseudo popup is simply about trying to get users back to the site over and over. Not something that is actually what the user might find useful, like the stupid slashdot floaty slider thing for adjusting comments being displayed.
There's some fucking wankers of web designers out there.
Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are ICMP from bots checking ping.
boycott slashdot February 10th - 17th check out: altSlashdot.org
They immediately share the new virus information with the other anti-virus vendors, right?
--
Given enough personal experience, all stereotypes are shallow.
Maybe they do fix these 7000-9000/day attacks. Maybe there are yet more attacks that the developers are smart enough not to tip off MS about, and those are the ones that they are not patching.
I'm not saying this is the case, but it's a possibility.
You see? You see? Your stupid minds! Stupid! Stupid!
Thousands of hackers across the globe send their malware, virii, and trojans to Microsoft, where it is collected, pieced together and compiled. Then MS puts it in a box and calls it an OS.
If you notice, there is a direct correlation between the number of hackers sending their code to MS and the amount of bloat in each new software package released by MS.
Another mystery solved! You're welcome.
If telephones are outlawed, then only outlaws will have telephones.
The article is talking about two things: developing virus (and sending crashdump to Microsoft) and attacking Microsoft.com. These are not the same thing.
And a crashdump containing virus does not mean it's the hacker that sent it. It could well be the victim. So while the speaker wants to say something entertaining, I wonder how truthful it actually is.
Those crash logs are about as useful to Microsoft as the crash logs of Excel or Word. If they aren't paying attention to those, why should they think they could understand anything else?
The basic crashes of first run viruses are probably readable to the employees so that's why they sort of understand what's going on.
It's all signal to noise ratio. Maybe the majority of those attacks are for vulnerabilities they have already patched, or possibly even not even for their platform. Hell, even when I look at my server logs, there are tons of requests trying to exploit a vulnerability in some package I've never installed. Just a quick peek right now shows 2500+ 404 errors looking for phpMyAdmin.
These days we are actually dealing with 6.4*10^6 kilobytes of it.
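The point above about signal-to-noise ratio (thousands of 404s probing for phpMyAdmin on a server that never installed it) is easy to make concrete. The following is an added example, not code from the original thread or from any of the sites it mentions: it parses a handful of constructed combined-format access log lines, separates 404s that match well-known probe paths for software that is not installed from ordinary broken links, and counts probe hits per source address. The scanner user-agent strings, IP addresses and probe-path list are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log in combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2011:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "constructed-scanner/1.0"
203.0.113.5 - - [10/Feb/2011:10:01:03 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 512 "-" "constructed-scanner/1.0"
203.0.113.5 - - [10/Feb/2011:10:01:04 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "constructed-scanner/1.0"
198.51.100.7 - - [10/Feb/2011:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2011:10:02:01 +0000] "GET /about.html HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Feb/2011:10:03:00 +0000] "GET /scripts/setup.php HTTP/1.1" 404 512 "-" "constructed-scanner/2.0"
192.0.2.9 - - [10/Feb/2011:10:03:01 +0000] "GET /myadmin/scripts/setup.php HTTP/1.1" 404 512 "-" "-"
"""

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths that only make sense if phpMyAdmin were installed here (it is not).
# Constructed list for the example; a real deployment would keep its own.
PROBE_PATTERNS = [
    re.compile(r'phpmyadmin', re.IGNORECASE),
    re.compile(r'/pma(/|$)', re.IGNORECASE),
    re.compile(r'scripts/setup\.php', re.IGNORECASE),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(path):
    """True when the requested path matches a probe for software we do not run."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarize_404s(log_text):
    """Split 404s into scanner noise and genuinely broken links.

    Returns total 404 count, how many were probes, probe hits per source IP,
    and the (ip, path) pairs that look like real broken links worth fixing.
    """
    total_404 = 0
    probe_404 = 0
    per_ip = Counter()
    benign = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["status"] != "404":
            continue
        total_404 += 1
        if is_probe(rec["path"]):
            probe_404 += 1
            per_ip[rec["ip"]] += 1
        else:
            benign.append((rec["ip"], rec["path"]))
    return {
        "total_404": total_404,
        "probe_404": probe_404,
        "per_ip": dict(per_ip),
        "benign_404": benign,
    }


if __name__ == "__main__":
    summary = summarize_404s(SAMPLE_LOG)
    print(f"{summary['probe_404']} of {summary['total_404']} 404s were probes")
    for ip, hits in summary["per_ip"].items():
        print(f"  {ip}: {hits} probe hits")
    for ip, path in summary["benign_404"]:
        print(f"  broken link from {ip}: {path}")
```

The useful output is the short `benign_404` list: once probe paths are filtered out, what remains is the handful of 404s that a site owner actually has to act on, and the per-IP counts are the input for rate limiting or blocklisting at the firewall rather than for bug hunting.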
One of the first things I do on a fresh install is turn off error reporting. It has always amazed me that I have never seen a corporate network turn it off. Everyday tons of proprietary information is transmitted to Microsoft in error reports.
You wrote, "...will be looking..."
Wouldn't a corporate policy change that major require a filing with the SEC?
Doubt Microsoft employees directly run the code... they instead look at the assembly code to see what the reason for the crash was. Even otherwise, I am sure they use VMs with network access which are wiped and rolled back once testing is done.
This space for rent.
Am I understanding this correctly? In the article these are system crashes being sent to MS? 7K-9K of system crashes a SECOND? Wow.
I don't know. They are supposed to use their own products, which means they have to use Hyper-V and Virtual PC instead of VMware. I doubt anyone's ability to get those working :P
Interesting.
"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman.
And when asked what Microsoft does with these code snippets, Mr Heckman said, "We promptly use it everywhere we could. Otherwise Vista would have been delayed even more. We include all these viruses as BHOs [Browser Helper Objects] in our default distribution. Why should the user endure the trouble and torture of visiting a malware site to acquire the user experience of getting buggy crashing software? We provide it first hand from within Windows itself. We take pride in being backward compatible with every vulnerability, bug and malware that was developed on/for the previous Windows platform."
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Interesting. Then add time as a variable to further complicate detection. Each machine in the botnet sending a report every rand(168) hours. For a large enough set of compromised machines, the statistics of which reported crashes float to the top of the queue would certainly be messed up.
Plus, if they were to filter these botnet machines at the IP level for a particular app then it would block real reports from coming in, further skewing the stats. There are real users sitting behind these compromised machines after all.
Ouch.
Real hackers use MS-DOS!
Summary reading fail
Hackers and Developers are both lazy. This is why things haven't gotten any worse and also why things haven't gotten any better.
Damn. I'm a part-time dev and I turn off that feature because I don't want Microsoft seeing my mistakes. And they're harmless. Pretty damn bold (and stupid) to be writing malicious code and reporting the failures back to Microsoft.
Uh, do you honestly think that for example Microsoft's graphics team uses Paint instead of Photoshop?
Mr. & Mrs. Hechman were/are fans of Sly?
I deal with IDS every single day. Now granted MS is being attacked several orders of magnitude greater than what I deal with, but between IDS and firewall nearly every single attack will be blocked before it hits the first MS server. Then hopefully MS is following good security standards and only has the presentation layer in their DMZ with more firewall and IDS or IPS, and you have a multi-tiered defense that means the actual servers see very, very few attack attempts.
-- Slashdot, making the Left look conservative since 1997.
Never know, I didn't realize MS did lots of graphics work. I would believe they use Hyper-V instead of VMware, and Visual Studio instead of whathaveyou (Dev-cpp or whatever), Team Foundation Server instead of TortoiseSVN or CVS etc. etc.
Interesting.
I suspect the types of crash dump he's talking about are the ones from blue screens of death. With Vista and onwards, Windows gives you the opportunity to send those dumps to Microsoft once you've rebooted to see if it's a common problem and get a fix, or for them to analyse it. The proper crash dumps from them are likely to be reasonably informative. Certainly more so than a regular program crash where you report to Microsoft. Given the fact that virus writers are likely to be trying to hook into low level stuff, it is plausible that they would end up with BSODs as they develop their malware.
If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?
Do you really think any of those 7000 to 9000 attacks actually got through? No, so therefore they are already fixed. These are just stupid script kiddies learning to be terrorists. They are probably just modifying code found on the net that has long since been protected against.
Tesla was a genius. Edison however was an overrated hack who liked to torture puppies.
A virtual machine is a virtual machine no matter what software you use to run it.
You're incorrect, though the summary is confusing so I see how you could get lost.
The summary is talking about 2 things
1. "Hackers" who are testing malware that crashes systems often unintentionally send the report of the crash and what caused it to Microsoft.
2. Microsoft.com is often attacked via the web, to the tune of 7000-9000 times per second.
These two things are largely unrelated. Go back and re-read TFS.
I think there are two different things going on.
Hackers writing actual exploits that are new, and sending crash reports to MS.
And script kiddies downloading and running scripts, which they tend to test on microsoft.com.
The second group are probably low risk, as they are using known code/exploits; the actual hackers on the other hand may actually be revealing some new bugs with the bug reporting tool. Heck, maybe it's intentional.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
"On average we get attacked between 7000 and 9000 times per second."
And sometimes we get attacked OVER 9000 times per second!
No, real hackers turn off that stupid "Help" background process.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
..perhaps reciprocate?
From the summary
On average we get attacked between 7000 and 9000 times per second
If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?
Smart attackers do not aim new types of attack at MS or other targets where there is likely to be clueful attentiveness. As anyone who is engaged in clueful attentiveness to external attacks against heavily-attacked systems knows, the actual risk is not evenly spread across all attacks, and the overwhelming majority of attacks are completely harmless for minimally protected systems. For example: I have managed systems that have seen SSH password guessing attacks bursting into the hundreds/second order of magnitude, but purely passive and simple protective measures (including default configurations of some components) made those "attacks" completely harmless. They didn't even amount to a DoS attack, because they were entirely the result of being a high profile target of a lot of idiots rather than being a really high value target of anyone with half a clue. High profile targets attract every script kiddie on the net; high value targets are usually well enough protected that they aren't useful detection systems. This is why the concept of the "honeypot" exists: a system with a relatively low profile that is made to look like a weakly-protected high-value target in order to attract serious attacks.
thanks for telling.
Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them? It's more a metric of how bad a known bug is, that is, how many people are reporting crashes from known bug A as opposed to known bug B.
The only thing worse than a Democrat is a Republican.
I'm thinking that saying that the script kiddies are sending you their code is a little like saying that the people throwing bricks through your windows (no pun intended) are giving them to you for your new backyard BBQ pit.
And one surely hopes that this is not a large part of Microsoft's security research, though it might explain how so many Windows vulnerabilities are announced after they're already seen in the wild.
CUR ALLOC 20195.....5804M
They do tend to use Hyper-V and Med-V, but those kind of work.
Visual Studio lives side by side with many other options such as Source Insight (as an IDE), WinDbg (as a debugger), ntsd, kd, etc.. WinDbg might be the most popular tool there, and it is also a Microsoft tool.
Different projects use different source control systems, but Source Depot is very common. That's a variant of Perforce.
Designers likewise use whatever they want. Site licenses exist for Photoshop.
This shouldn't be a surprise. Much fuss is made outside of Microsoft about how many Microsoft employees use iPhones.
You can learn a lot from an internship.
So Microsoft proudly boasts that they get the source for some of these viruses and they still can't send out a patch in time? Heckman must have his foot so far in his mouth he can lick his own heel. I should not complain; I make plenty of money cleaning out virus crippled Windows machines while my own Slackware powered machines hum along happily.
Maybe their servers run Linux?
If their servers ran Linux, it would not survive the 7000-9000 attacks.
That Windows Error Reporting actually has an unexpected side effect - spikes in crash reports often indicate a new virus is on the loose...
http://blogs.msdn.com/b/oldnewthing/archive/2008/05/21/8525411.aspx
I'm guessing it's because the real "hackers" don't accidentally click the send button.
haha right - well played.
Actually, Microsoft does fix bugs based on these reports. http://blogs.msdn.com/b/oldnewthing/archive/2010/08/04/10045651.aspx
Are we to take that as 7000-9000 windows machines crashing per second?
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
.. out of which 0.1% is developing malware?
Or even better, of which 40-60% are malwared and target MS.com?
That would imply that those 1-2 billion concurrent users all use a Windows computer.
Please share your references used with us
But I don't have time to do a complete check. Nonetheless I only have to say,
If there was any increase in the traffic microsoft was getting then it would be over 9000.
Or maybe the fact that these viruses are attempts that failed and don't actually need to be patched against.
you mean 7000-9000 per second
Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them?
Being one of those people (as pretty much any other developer in MS), I definitely think so :)
The system is much more complicated, of course. You can imagine the sheer amount of reports MS is receiving every day (cue the 95 BSOD joke here). Clearly there needs to be some sort of automated processing for it, and there is.
For starters, there are always those folk running the original pristine IE6 on XP SP1 or something, who are hitting bugs that have been fixed ages ago. Obviously you don't want to investigate that, but it's possible to forward people to a webpage explaining the issue and urging them to update (typically a KB for a security vuln on TechNet ;).
Then it needs to figure out which reports are dupes of which. For "popular" bugs, you can easily have several thousand people hit it in quick succession. I won't even pretend to know how WER (Windows Error Reporting, which is what the mechanism is called) does that kind of analysis. It looks at the nature of the problem (e.g. segfault, stack cookie corruption etc.) and at the call stack, that's for sure, but it goes way beyond that. There is a dedicated team somewhere which works on it, and it's the kind of place where you put the sign "dragons and bearded men in glasses be here". Well, or maybe "SkyNet be here" would be more apt these days. Anyway, by liberal application of pixie dust (from employees' ground iPhones, the rumor goes!), reports are grouped by specific issues, and the product and area within it is tentatively identified for each.
At that point, it actually ends up in the pile of stuff to do for the team responsible for that area, and stuff goes the same as for normal bugs from there - triage, assignment to individual developers, investigation, and (hopefully!) fix.
Now, mind you, I'm not saying that any bug exposed via a WER report is going to be fixed. In fact most probably aren't. The problem is, this kind of post-mortem debugging is hard - oh, it catches stupid mistakes really well (uninitialized pointers, that kind of thing), but those are exceedingly rare in practice. And for more complicated stuff - especially when anything asynchronous is involved - the code that caused the issue can be very far from where the crash actually happens, and all you get from WER is a report at the latter point. Sometimes you can try to look at it and guess the sequence of user actions (and other conditions) that led to this crash, and actually repro it, and then debug live. Sometimes you can carefully put the pieces of the puzzle together to form enough of the picture to pinpoint the code right away. Often, though, you can't really do much given what you have - and, for privacy reasons, we cannot try to contact people who send the reports.
Still, I personally fixed a bunch of issues that came in from WER, so it's a net positive.
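The triage pipeline the comment above describes (drop reports from versions where the bug is already fixed, group the rest by the nature of the failure and the call stack, then hand the biggest buckets to the owning team) can be sketched in a few dozen lines. This is an added example written for this page, not Microsoft's WER code and not how WER actually computes its buckets; the report format, the `sample_app` module name, the version numbers and the `KB-PLACEHOLDER` article id are all constructed. It normalizes stack frames by stripping per-build offsets and skipping generic runtime frames (so crashes at different offsets of the same function land in one bucket), routes a bucket to a "go update" page only when every report in it predates the fix, and otherwise flags it for investigation, which also catches a supposedly fixed crash reappearing in a newer version.

```python
import re
from collections import defaultdict

# Frame syntax assumed for the example: module!function[+0xoffset]
FRAME_RE = re.compile(r'^(?P<module>[^!]+)!(?P<func>[^+]+)(?:\+0x[0-9a-fA-F]+)?$')

# Frames that only say "the exception dispatcher or thread start ran", not where the bug is.
GENERIC_MODULES = {"ntdll", "kernel32", "kernelbase"}

# Constructed table of crashes already fixed: signature -> fix version and article to redirect to.
KNOWN_FIXED = {
    ("c0000005", ("sample_app!ParseHeader", "sample_app!LoadFile", "sample_app!main")):
        {"fixed_in": "1.1", "article": "KB-PLACEHOLDER-1"},
}

# Constructed sample reports (not real crash data). Offsets and leading runtime
# frames differ between the first three so that normalization has work to do.
SAMPLE_REPORTS = [
    {"exception": "c0000005", "app_version": "1.0",
     "stack": ["sample_app!ParseHeader+0x1a", "sample_app!LoadFile+0x44", "sample_app!main+0x12",
               "kernel32!BaseThreadInitThunk+0xd"]},
    {"exception": "c0000005", "app_version": "1.0",
     "stack": ["ntdll!KiUserExceptionDispatcher+0x2e", "sample_app!ParseHeader+0x2c",
               "sample_app!LoadFile+0x44", "sample_app!main+0x12"]},
    {"exception": "c0000005", "app_version": "1.0.3",
     "stack": ["sample_app!ParseHeader+0x1a", "sample_app!LoadFile+0x51", "sample_app!main+0x12"]},
    {"exception": "c00000fd", "app_version": "1.1",
     "stack": ["sample_app!Recurse+0x10", "sample_app!Recurse+0x10", "sample_app!Recurse+0x10",
               "sample_app!Recurse+0x10", "sample_app!main+0x5"]},
]


def normalize_frame(frame):
    """Strip the build-specific offset; return (module, function) or None if unparsable."""
    m = FRAME_RE.match(frame.strip())
    if not m:
        return None
    return m.group("module").lower(), m.group("func")


def bucket_signature(report, depth=3):
    """Bucket key: exception code plus the top `depth` non-generic frames."""
    frames = []
    for raw in report["stack"]:
        nf = normalize_frame(raw)
        if nf is None or nf[0] in GENERIC_MODULES:
            continue
        frames.append(f"{nf[0]}!{nf[1]}")
        if len(frames) == depth:
            break
    return (report["exception"], tuple(frames))


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def triage(reports):
    """Group reports into buckets, largest first, and decide what to do with each."""
    buckets = defaultdict(list)
    for r in reports:
        buckets[bucket_signature(r)].append(r)
    result = []
    for sig, rs in sorted(buckets.items(), key=lambda kv: -len(kv[1])):
        fix = KNOWN_FIXED.get(sig)
        # Only redirect when every reporter is on a version older than the fix;
        # a report from a fixed version means the bug came back and needs a look.
        if fix and all(version_tuple(r["app_version"]) < version_tuple(fix["fixed_in"]) for r in rs):
            action = f"redirect:{fix['article']}"
        else:
            action = "investigate"
        result.append({"signature": sig, "hits": len(rs), "action": action})
    return result


if __name__ == "__main__":
    for b in triage(SAMPLE_REPORTS):
        print(b["hits"], b["action"], b["signature"])
```

Bucketing on normalized frames is what makes the "several thousand people hit it in quick succession" case manageable: the three access-violation reports collapse to one work item with a hit count, and only the one genuinely new stack overflow reaches a developer's queue.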
Real "hackers" would probably just disable WER entirely.
You are hilarious! Do you do stand up? :)
Microsoft, good security standards... You are killing me.
If I were God, wouldn't I protect my churches from acts of me?
Developers can also sign up to receive the WER reports for their "in the wild" applications: http://msdn.microsoft.com/en-us/library/bb513641(VS.85).aspx
Chance favors the prepared mind.
Perfect is the enemy of good.
Yeah, here is when you sign up for that. And people are encouraged to do so - it's better to provide a single unified UI for the users to do the same thing across many apps, not to mention the quality of analysis tools that MS already has is likely better than what most organizations can afford to develop on their own.
are you assuming they look at them?
Link swallowed in another post, sorry. Here:
http://www.microsoft.com/whdc/winlogo/maintain/StartWER.mspx
Actually, when I was first learning C++, I wrote a program that did nothing but attempt to divide by zero to see what would happen. Of course, the program crashed and the little "Would you like to tell Microsoft about this problem" dialog box came up. So I made a script that would continually run the program and send a report to Microsoft. I hope they're still trying to figure out why my computer wasn't able to divide by zero hundreds of times.
While trying to read nonexistent pages on my server results in 402 Payment Required (pay me and I'll write this page for you), the URLs for most common IIS exploits all return 301 Moved Permanently with a redirect to Microsoft. I don't know how many hacker tools support 301, but I guess some do...
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
I suppose this is like a bank robber who robs a bank, then promptly asks to deposit their newfound loot into their account at the same bank.
Disabling Error Reporting helps. Firing up Wireshark shows up huge results checking in to Microsoft http://www.wireshark.org/ (formerly known as Ethereal). I have no need to tell Nix users about Snort and ACID http://www.snort.org/ or how Microsoft has an epileptic fit if you run Cain and Abel http://www.oxid.it/. Most hackers are not 31337 but idiots. My old friends at the old place pulltheplug, but now http://www.overthewire.org/, had root in less than 1 minute in a memorable war game. I really do not know what to say apart from do your own research; it is your own responsibility to protect yourself online, but sadly some people are just not that smart. Be brave /.ers. I am not a hacker from Cult of the Cow.... Meow! :)
All cows eat grass!
... that ALL developers send their code to Microsoft every time it crashes?
From the summary
On average we get attacked between 7000 and 9000 times per second
If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?
Because those attacks are against a web site, which doesn't have anything to do with the OS people run on their home computers.
They didn't say they get 7000+ crash dump reports per second, and from my own personal experience most crashes I've seen are more a fault of the program not the OS itself. Figure your average click-happy user who will gladly install a file called "deleteallmyshitforme.exe" will also click 'submit' on the crash report when it starts deleting core system files. So most of what they get isn't going to be all that useful for fixing actual security holes in the first place.