Slashdot Mirror


Many Hackers Accidentally Send Their Code To Microsoft

joshgnosis writes "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'"

5 of 220 comments

  1. Re:How Does It Encapsulate the Source Code? by onlysolution · Score: 4, Informative

    Crash dumps sent to Microsoft can contain memory used by the Windows process that was hosed by the virus writer, which could very well include whatever machine code was injected into the process's memory or the invalid input that caused the crash. No phoning home via Visual Studio is required (amazing FUD with your speculation there, by the way); the nature of the attack means the code/data is going to be exactly in the place it needs to be for MS to get at it without doing anything nefarious.

  2. Re:How Does It Encapsulate the Source Code? by Anonymous Coward · Score: 4, Informative

    compiled byte code in the utilities they use would do you little good unless you were extremely patient

    Many people in the Windows OS team only debug at assembly level. For example, Raymond Chen.

    http://blogs.msdn.com/b/oldnewthing/archive/2004/11/11/255800.aspx

    "1. Once the optimizer has messed with your code source level debugging falls apart.

    2. Most debugging is done remotely. When you have to debug a customer's machine 5000 miles away over a 56k modem, you can't tell them, "First, I want you to install Visual Studio on your domain controller..."

    3. Installing a GUI debugger on the test machine changes the system configuration and therefore influences the test itself. Imagine if Windows XP had some horrific bug that goes away when you install Visual Studio. If all test machines had Visual Studio installed on them, then this bug would never be found!

    4. Just today I had to debug a problem that occurred only immediately after installing the OS. No chance to install VS even if you wanted to.

    5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!

    Conclusion: Since so much debugging is done in situations where GUI debugging is not possible, you are quickly forced to become an expert at command line debugging. At which point the incremental benefit of a fancy debugger is rather small."

    "You can't possibly debug any significant size project in this fashion."

    Shhh, don't tell the Windows team. Not all debugging is done at asm-level, but a significant chunk is. They'd be pretty disheartened to learn that what they're doing is impossible.

  3. Re:How Does It Encapsulate the Source Code? by SilverEyes · Score: 3, Informative

    Not necessarily. Microsoft uses the reports to fix Windows problems or problems with their own products (or third-party drivers, etc.). They have that source and symbols. All they need from the user is the memory space and exceptions of the faulting process and which version of symbols were used.

    I don't think Microsoft really cares about fixing application crashes other than for their public perception. They would be concerned that a Windows crash was possible in some particular way, and didn't recover/fail gracefully - and this boils down to the code that is sitting below the application code so they wouldn't need your source.

    The only data that could be sent would be data currently in the memory space. So if the process had *str1 = "Need to buy groceries: meat, eggs, cheese", *str2 = "Assassinate the president at 17:30 on Tuesday", they would be able to see that by debugging through the stack variables and looking at where it's stored (i.e. the heap). I'm not precisely sure how minidumps are configured - they may not include heap information.

    --
    Interesting.
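
Comments 1 and 3 above both turn on what a crash report actually carries once it leaves the machine. As an added example (not code from this thread, from Slashdot or from Microsoft), the Python below parses the public minidump container layout from dbghelp.h and reports three things a practitioner wants to know before a .dmp is uploaded anywhere: which MINIDUMP_TYPE memory flags it was written with, which streams it contains, and what printable strings sit inside the embedded memory ranges. The file it inspects is constructed by build_sample_dump() (the addresses, flags and strings are made up), and it only walks MemoryListStream (type 5); full dumps use Memory64ListStream, which this example does not parse.

```python
"""Report what a Windows minidump captures: MINIDUMP_TYPE memory flags,
stream directory contents, and the raw memory ranges embedded in the file.

Added example, not from the Slashdot thread or from Microsoft. Structure
layouts follow the public dbghelp.h definitions (MINIDUMP_HEADER,
MINIDUMP_DIRECTORY, MINIDUMP_MEMORY_LIST); the dump parsed by default is
constructed by build_sample_dump() and is not a real crash report."""
import re
import struct

MINIDUMP_SIGNATURE = 0x504D444D     # "MDMP" read as a little-endian ULONG32
MINIDUMP_VERSION = 42899            # MINIDUMP_VERSION from dbghelp.h
HEADER_FMT = "<IIIIIIQ"             # MINIDUMP_HEADER: 32 bytes, Flags is ULONG64
DIRECTORY_FMT = "<III"              # MINIDUMP_DIRECTORY: StreamType, DataSize, Rva
MEMORY_DESCRIPTOR_FMT = "<QII"      # MINIDUMP_MEMORY_DESCRIPTOR: Start, DataSize, Rva
MEMORY_LIST_STREAM = 5

STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 9: "Memory64ListStream",
    15: "MiscInfoStream", 16: "MemoryInfoListStream",
}

# MINIDUMP_TYPE bits that widen capture beyond thread stacks and register context
MEMORY_SCOPE_FLAGS = {
    0x0001: "MiniDumpWithDataSegs",
    0x0002: "MiniDumpWithFullMemory",
    0x0040: "MiniDumpWithIndirectlyReferencedMemory",
    0x0200: "MiniDumpWithPrivateReadWriteMemory",
}


def parse_header(data):
    """Validate the signature; return stream count, directory RVA and flags."""
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    sig, _version, nstreams, dir_rva, _checksum, _stamp, flags = fields
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("not a minidump: bad signature")
    return {"streams": nstreams, "directory_rva": dir_rva, "flags": flags}


def parse_directory(data, header):
    """Return (stream_type, size, rva) for every directory entry."""
    size = struct.calcsize(DIRECTORY_FMT)
    return [struct.unpack_from(DIRECTORY_FMT, data, header["directory_rva"] + size * i)
            for i in range(header["streams"])]


def memory_ranges(data, entries):
    """Return (start_address, bytes) for each range in a MemoryListStream."""
    ranges = []
    desc_size = struct.calcsize(MEMORY_DESCRIPTOR_FMT)
    for stype, _size, rva in entries:
        if stype != MEMORY_LIST_STREAM:
            continue
        (count,) = struct.unpack_from("<I", data, rva)   # NumberOfMemoryRanges
        for i in range(count):
            offset = rva + 4 + desc_size * i
            start, dsize, drva = struct.unpack_from(MEMORY_DESCRIPTOR_FMT, data, offset)
            ranges.append((start, data[drva:drva + dsize]))
    return ranges


def printable_strings(blob, min_len=8):
    """ASCII runs of at least min_len bytes, the way a quick triage would list them."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def inspect_minidump(data):
    """Summarise flags, streams and embedded memory of a minidump image."""
    header = parse_header(data)
    entries = parse_directory(data, header)
    ranges = memory_ranges(data, entries)
    return {
        "memory_scope": [name for bit, name in MEMORY_SCOPE_FLAGS.items() if header["flags"] & bit],
        "streams": [STREAM_NAMES.get(t, f"Stream{t}") for t, _, _ in entries],
        "captured_bytes": sum(len(b) for _, b in ranges),
        "strings": [s for _, b in ranges for s in printable_strings(b)],
    }


def build_sample_dump():
    """Constructed minidump: header, 2-entry directory, memory list, two memory blobs."""
    heap_blob = b"Need to buy groceries: meat, eggs, cheese\x00"          # made-up heap contents
    stack_blob = b"\x00\x10\x40\x00" * 3 + b"CONSTRUCTED_STACK_MARKER\x00"  # made-up stack bytes
    dir_rva = struct.calcsize(HEADER_FMT)
    memlist_rva = dir_rva + 2 * struct.calcsize(DIRECTORY_FMT)
    memlist_size = 4 + 2 * struct.calcsize(MEMORY_DESCRIPTOR_FMT)
    heap_rva = memlist_rva + memlist_size
    stack_rva = heap_rva + len(heap_blob)
    flags = 0x0001 | 0x0200   # WithDataSegs | WithPrivateReadWriteMemory
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, MINIDUMP_VERSION, 2, dir_rva, 0, 0, flags)
    directory = struct.pack(DIRECTORY_FMT, 6, 0, 0)   # ExceptionStream; body omitted in this sample
    directory += struct.pack(DIRECTORY_FMT, MEMORY_LIST_STREAM, memlist_size, memlist_rva)
    memlist = struct.pack("<I", 2)
    memlist += struct.pack(MEMORY_DESCRIPTOR_FMT, 0x00A40000, len(heap_blob), heap_rva)    # made-up address
    memlist += struct.pack(MEMORY_DESCRIPTOR_FMT, 0x0019F000, len(stack_blob), stack_rva)  # made-up address
    return header + directory + memlist + heap_blob + stack_blob


if __name__ == "__main__":
    # For a real file: inspect_minidump(open(r"C:\path\to\crash.dmp", "rb").read())
    for key, value in inspect_minidump(build_sample_dump()).items():
        print(f"{key}: {value}")
```

On the constructed dump this reports the two scope flags, the ExceptionStream and MemoryListStream entries, 79 bytes of captured process memory, and the grocery note from comment 3 as a recovered string, which is the point both comments make: whatever was in the faulting process's memory at the time of the crash is what the report carries, source code or not.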

  4. Re:How Does It Encapsulate the Source Code? by thePowerOfGrayskull · Score: 5, Informative

    Not sure why this is modded insightful. RTFA doesn't answer the question, except to say

    When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

    It doesn't explain how the "error details" come to be "including the malicious code". He goes on to say

    "People have sent us their virus code when they're trying to develop their virus and they keep crashing their systems," Heckman said. "It's amazing how much stuff we get."

    System crash implies a bluescreen, which further implies a memory dump, but R-ing TFA doesn't answer the question one way or the other.

  5. Re:So now crackers have a new way to attack Micros by Nevo · Score: 3, Informative

    Actually, Microsoft does fix bugs based on these reports. http://blogs.msdn.com/b/oldnewthing/archive/2010/08/04/10045651.aspx