Forgot your password?
typodupeerror
Security It's funny.  Laugh. Microsoft The Internet Technology

Many Hackers Accidentally Send Their Code To Microsoft 220

Posted by Soulskill
from the not-the-brightest-cookie-in-the-shed dept.
joshgnosis writes "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'"
This discussion has been archived. No new comments can be posted.

Many Hackers Accidentally Send Their Code To Microsoft

Comments Filter:
  • When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

    I understand how this would be able to hand you their script or interpreted file but all the compiled byte code in the utilities they use would do you little good unless you were extremely patient. I don't know what percentage of exploits exist in the way scripts are interpreted (unless we're talking Internet Explorer) but I always assumed the really good and juicy exploits are those compiled down -- you know like a fake DLL that needs to be placed in the system path.

    Crash reports probably include the

    • by DigitalSorceress (156609) on Friday August 27, 2010 @09:33AM (#33391676)

      Maybe the report includes a dump of working memory?

      Just a thought, thought that would make it kind of big.

    • Re: (Score:2, Insightful)

      by kyrio (1091003)
      RTFA
    • An application that generates random gibberish that "look" like a script, then sends it embedded in a fake crash dump to Microsoft for analysis.

      "Fuzzing" isn't limited to code on the local machine any more - you can now try it on Microsoft employees.

      Then add further fake crash dumps from legitimate apps that didn't crash; enough of them, from enough machines, and Microsoft will be looking for non-existent bugs.

      • Re: (Score:2, Insightful)

        by LifesABeach (234436)
        You wrote, "...will be looking..."

        Wouldn't a corporate policy change that major require a filing with the SEC?
      • Doubt Microsoft employees directly run the code... they instead look at the assembly code to see what the reason for the crash was. Even otherwise, I am sure they use VMs with network access which are wiped and rolled back once testing is done.

      • by theskipper (461997) on Friday August 27, 2010 @10:30AM (#33392394)

        Interesting. Then add time as a variable to further complicate detection. Each machine in the botnet sending a report every rand(168) hours. For a large enough set of compromised machines, the statistics of which reported crashes float to the top of the queue would certainly be messed up.

        Plus If they were to filter these botnet machines at the IP level for a particular app then it would block real reports from coming in, further skewing the stats. There are real users sitting behind these compromised machines after all.

        Ouch.

      • ... and Microsoft will be looking for non-existent bugs.

        Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them? It's more a metric of how bad a known bug is, that is, how many people are reporting crashes from known bug A as opposed to known bug B.

        • by tlhIngan (30335) <(ten.frow) (ta) (todhsals)> on Friday August 27, 2010 @12:20PM (#33393838)

          Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them? It's more a metric of how bad a known bug is, that is, how many people are reporting crashes from known bug A as opposed to known bug B.

          That Windows Error Reporting actually has an unexpected side effect - spikes in crash reports often indicate a new virus is on the loose...
          http://blogs.msdn.com/b/oldnewthing/archive/2008/05/21/8525411.aspx [msdn.com]

        • by Nevo (690791) on Friday August 27, 2010 @12:23PM (#33393888)

          Actually, Microsoft does fix bugs based on these reports. http://blogs.msdn.com/b/oldnewthing/archive/2010/08/04/10045651.aspx [msdn.com]

        • by shutdown -p now (807394) on Friday August 27, 2010 @03:37PM (#33396628) Journal

          Do you really think that Microsoft has a team of people searching through these reports and actively fixing bugs based on them?

          Being one of those people (as pretty much any other developer in MS), I definitely think so :)

          The system is much more complicated, of course. You can imagine the sheer amount of reports MS is receiving every day (cue the 95 BSOD joke here). Clearly there needs to be some sort of automated processing for it, and there is.

          For starters, there are always those folk running the original pristine IE6 on XP SP1 or something, who are hitting bugs that have been fixed ages ago. Obviously you don't want to investigate that, but it's possible to forward people to a webpage explaining the issue and urging to update (typically a KB for a security vuln on TechNet ;).

          Then it needs to figure out which reports are dupes of which. For "popular" bugs, you can easily have several thousand people hit it in quick succession. I won't even pretend to know how WER (Windows Error Reporting, which is what the mechanism is called) does that kind of analysis. It looks at the nature of the problem (e.g. segfault, stack cookie corruption etc) and at the call stack, that's for sure, but it goes way beyond that. There is a dedicated team somewhere which works on it, and it's the kind of place where you put the sign "dragons and bearded men in glasses be here". Well, or maybe "SkyNet be here" would be more apt these days. Anyway, by liberal application of pixie dust (from employee's grinded iPhones, the rumor goes!), reports are grouped by specific issues, and the product and area within it is tentatively identified for each.

          At that point, it actually lands up in the pile of stuff to do for the team responsible for that area, and stuff goes same as for normal bugs from there - triage, assignment to individual developers, investigation, and (hopefully!) fix.

          Now, mind you, I'm not saying that any bug exposed via a WER report is going to be fixed. In fact most probably aren't. The problem is, this kind of post-mortem debugging is hard - oh, it catches stupid mistakes really well (uninitialized pointers, that kind of thing), but those are exceedingly rare in practice. And for more complicated stuff - especially when anything asynchronous is involved - the code that caused the issue can be very far from where the crash actually happens, and all you get from WER is a report at the latter point. Sometimes you can try to look at it and guess the sequence of user actions (and other conditions) that led to this crash, and actually repro it, and then debug live. Sometimes you can carefully put the pieces of the puzzle together to form enough of the picture to pinpoint the code right away. Often, though, you can't really do much given what you have - and, for privacy reasons, we cannot try to contact people who send the reports.

          Still, I personally fixed a bunch of issues that came in from WER, so it's a net positive.

    • by Taagehornet (984739) on Friday August 27, 2010 @09:52AM (#33391926)

      Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program?

      According to TFA Heckman gave a presentation of XSS and SQL injection attacks. So, I imagine that what we're talking about here is Microsoft receiving a dump of IE process memory, which of course will include the malicious script.

      Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?

      If you get a sequence of error reports from the same IP within a short period of time, where the only difference is that the script bringing IE down has been modified slightly, you've probably got the developer at the other end of the line. (Online source control on a budget? ;-)

      Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

      Where did that come from?

      • Re: (Score:3, Insightful)

        by Sir_Sri (199544)

        The visual studio thing is actually an interesting question. If, in the process of writing code you crash visual studio, or the whole OS and then send an error report to MS will it contain your source code? To some degree the same applies to any application, if you crash notepad++ and send a crash report to MS it would make sense that it contain well, whatever was being typed in notepad++. if you crash your copy of Mafia 2 does it send the savegame?

        It's somewhat outside the scope of the article, but reall

        • by SilverEyes (822768) on Friday August 27, 2010 @10:23AM (#33392304)
          Not necessarily. Microsoft uses to reports to fix Windows problems or problems with their own products (or third party drivers, etc). They have that source and symbols. All they need from the user is the memory space and exceptions of the faulting process and which version of symbols were used.

          I don't think Microsoft really cares about fixing application crashes other than for their public perception. They would be concerned that a Windows crash was possible in some particular way, and didn't recover/fail gracefully - and this boils down to the code that is sitting below the application code so they wouldn't need your source.

          The only data that could be sent would be data currently in the memory space. So if the process had *str1= "Need to buy groceries: meat, eggs, cheese" , *str2 = "Assassinate the president at 17:30 on Tuesday", they would be able to see that by debugging through the stack variables and looking at where it's stored (i.e. heap). I'm not precisely sure how minidumps are configured - they may not include heap information.
          • Re: (Score:3, Informative)

            by malakai (136531)

            Windows Error Reporting only sends mini-dumps. You won't see code or contents of notepad/word etc. You get the callstack for all running threads, exception information that caused the fault, list of all loaded modules and processor context for all threads.

            • It is possible for a developer investigating a WER report to request that further reports also include the heap of the offending process. It is only used sparingly, to investigate tough issues where some crucial information is on the heap, because it significantly increases the size of the report, and the amount of time it takes to upload it (and therefore the likelihood that the annoyed user will just click "Cancel" before it completes). But it is possible. And heap dump will likely include the "code or co

    • by onlysolution (941392) on Friday August 27, 2010 @09:54AM (#33391956)
      Crash dumps sent to Microsoft can contain memory used by the Windows process that was hosed by the virus writer, which could very well include whatever machine code was injected in to the process's memory or the invalid input that caused the crash . No phoning home via Visual Studio is required (amazing FUD with your speculation there, by the way,) the nature of the attack means the code/data is going to be exactly in the place it needs to be for MS to get at it without doing anything nefarious.
    • I guess they find it when Microsoft analyzes the crash logs and is able to see the assembly code trying buffer overflows etc. Think core dump in Linux. I wouldn't think Microsoft would send the source code to themselves.

    • by Anonymous Coward on Friday August 27, 2010 @10:04AM (#33392080)

      compiled byte code in the utilities they use would do you little good unless you were extremely patient

      Many people in the Windows OS team only debug at assembly level. For e.g. Raymond Chen.

      http://blogs.msdn.com/b/oldnewthing/archive/2004/11/11/255800.aspx [msdn.com]

      "1. Once the optimizer has messed with your code source level debugging falls apart.

      2. Most debugging is done remotely. When you have to debug a customer's machine 5000 miles away over a 56k modem, you can't tell them, "First, I want you to install Visual Studio on your domain controller..."

      3. Installing a GUI debugger on the test machine changes the system configuration and therefore influences the test itself. Imagine if Windows XP had some horrific bug that goes away when you install Visual Studio. If all test machines had Visual Studio installed on them, then this bug would never be found!

      4. Just today I had to debug a problem that occurred only immediately after installing the OS. No chance to install VS even if you wanted to.

      5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!

      Conclusion: Since so much debugging is done in situations where GUI debugging is not possible, you are quickly forced to become an expert at command line debugging. At which point the incremental benefit of a fancy debugger is rather small.

      "You can't possibly debug any significant size project in this fashion."

      Shhh, don't tell the Windows team. Not all debugging is done at asm-level, but a significant chunk is. They'd be pretty disheartened to learn that what they're doing is impossible.

    • some programas can be "decompiled" into a more human readable text.

      if you have a *NIX/linux box around, try running something through strace. see all those system and library calls? that and an automated analysis of how the program flows can give you something close to the original source program. now, if the binary still have the debug symbols (i.e. it's not a stripped binary), it's even easier.

    • Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

      Let me try to explain how this works.

      WER (Windows Error Reporting) applies to any application you run on Windows. If something crashes, you'll be offered to send a report. In fact, third-party application developers can register [microsoft.com] to directly receive reports for their apps through the same system. For MS apps - including Visual Studio - the data ends up at MS.

      The "phone home" process, as of Win7, works that way with the default settings: the initial "phone" on crash is automatic (you will see the "Windows che

  • To Be Fair (Score:3, Insightful)

    by sonicmerlin (1505111) on Friday August 27, 2010 @09:33AM (#33391680)
    They're not necessarily all trying to be malicious. For a lot of people learning code requires hands-on experience, and if hacking is their interest and primary motivator to improve their coding skills, what better target to experiment on than one of the most hated software companies in all the lands?
    • Re: (Score:3, Insightful)

      by pnewhook (788591)

      Yes thats a great idea. And I want to improve my marksmanship so I'm going to go shoot up some banks and a few police stations. I'm sure they will understand I'm only trying to improve my skills.

    • by tehcyder (746570)
      I think that if you want to be a hacker/cracker, it's probably not a good idea to take your first baby steps in public, as it were.
    • This isn't about arresting people, it's about fixing exploits. It doesn't matter how pure or foul their intentions were; if they send the exploit to Microsoft then Microsoft can detect and fix it.

  • by Pojut (1027544) on Friday August 27, 2010 @09:33AM (#33391686) Homepage

    Fucking script kiddies...in MY day, we actually HACKED.

    Wait, I was born in '84...

  • Malware is one thing, but how often have competitors made this mistake when developing their products? Is it anti-competitive if Microsoft analyzes competing products that are accidentally sent to them during their development? Would it be practical as a form of corporate espionage?
    • It would be utterly impractical. Compare it to just buying the source code or product from their competitor and disassembling it themselves? If they are committed to corporate espionage, why rely on a random variable? VS and Windows don't send source of your project into MS, it sends a crash dump (i.e. core dump) of the process for analysis. Even if you configure a full crash dump it doesn't send source (it would then be full process memory, register state, exception records, maybe pdb's / symbols used of f
    • by Nevo (690791)

      Microsoft doesn't look at application crashes for applications they didn't develop. If the vendor is a member of OCA, they pass the crash on to the vendor.

      Microsoft *will* look at a crash if Windows crashed.

  • Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.
    • by IndustrialComplex (975015) on Friday August 27, 2010 @10:28AM (#33392368)

      Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.

      There are what, 1-2 billion people currently on the internet at any one time (probably exceeds that) Let's say 99.9% don't develop malware.

      That would put the number of currently active malware developers at 2,000,000. If 10% of them write a program that tries to attack microsoft.com, that's 200,000 programs. If each one of those only tries once every 10 seconds, that could be 20,000 individual programs attacking microsoft.com every second.

      Ok, so maybe somewhere those numbers are inflated. Cut it down by another order of 100. That would be 200 unique pieces of malware.

      Now the magic: It's not 0.1% of the internet users developing malware that targets microsoft.com. It's 40-60% of the internet users whose computers have been compromised and are attacking microsoft.com.

      So 10k attacks per second? Not a stretch at all. These things scale.

    • "On average we get attacked between 7000 and 9000 times per second.'"

      Why is the average a range? Why not just say "On average we get attacked 8000 times per second.'"

      Or are they just making stuff up?

      -CF
  • by tekrat (242117) on Friday August 27, 2010 @10:15AM (#33392222) Homepage Journal

    Thousands of hackers across the globe send their malware, virii, and trojans to Microsoft, where it is collected, pieced together and compiled. Then MS puts it in a box and calls it an OS.

    If you notice, there is a direct correlation between the number of hackers sending their code to MS and the amount of bloat in each new software package released by MS.

    Another mystery solved! You're welcome.

    • Best comment ever!

      I wonder if enough virii and separate malware are compiled together if it can form some kind of evolving ecosystem (and yes, it was in xkcd, but the idea is far older than that). The next version of Windows will be watching you... you know... more than normal.
    • Re: (Score:3, Funny)

      by theskipper (461997)

      Holy crap, my kingdom for a mod point.

    • Re: (Score:2, Interesting)

      by Darth Hamsy (1432187)
      This is the one error I can't help but correct, apologies. The word is viruses. 'Virii' is completely wrong.
  • by microbee (682094) on Friday August 27, 2010 @10:15AM (#33392226)

    The article is talking about two things: developing virus (and sending crashdump to Microsoft) and attacking Microsoft.com. These are not the same thing.

    And a crashdump containing virus does not mean it's the hacker that sent it. It could well be the victim. So while the speaker wants to say something entertaining, I wonder how truthful it actually is.

  • by dicobalt (1536225) on Friday August 27, 2010 @10:24AM (#33392316)
    One of the first things I do on a fresh install is turn off error reporting. It has always amazed me that I have never seen a corporate network turn it off. Everyday tons of proprietary information is transmitted to Microsoft in error reports.
  • "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman.

    And when asked what Microsoft does with these code snippets, Mr Heckman said, "We promptly use it everywhere we could. Otherwise Vista would have been delayed even more. We include all these viruses as BHOs [Browser Helper Objects] in our default distribution. Why should the user endure the trouble and torture of visiting a malware site to acquire the user experience of getting buggy crashing software? We provide it first hand from within Windows itself. We take pride in being backward compatible with eve

  • by Ukab the Great (87152) on Friday August 27, 2010 @10:34AM (#33392450)

    Hackers and Developers are both lazy. This is why things haven't gotten any worse and also why things haven't gotten any better.

  • Damn. I'm a part-time dev and I turn off that feature because I don't want Microsoft seeing my mistakes. And they're harmless. Pretty damn bold (and stupid) to be writing malicious code and reporting the failures back to the Microsoft.
  • I'm thinking that saying that the script kiddies are sending you their code is a little like saying that the people throwing bricks through your windows (no pun intended) are giving them to you for your new backyard BBQ pit.

    And one surely hopes that this is not a large part of Microsoft's security research thought it might explain how so many Windows vulnerabilities are announced after they're already seen in the wild.

Programmers do it bit by bit.

Working...