WER Could Be an Indicator of Attack on Company Network by Hacker
Security firm Websense observes that Windows Error Reporting (WER) data, which most businesses ignore, could also signal an attack that has beaten an organization's network defenses. Websense released the findings in a new whitepaper entitled 'Using Anomalies in Crash Reports to Detect Unknown Threats'.
These error logs could allow eavesdroppers to map out vulnerable endpoints and, once they have access within the network, to penetrate further.
Websense observers think that there is an opportunity in every problem: the information contained in the error reports could have a beneficial effect, serving not to enable exploits but to detect what has been exploited. The approach is based on detecting irregularities. Since malware has become expert at hiding itself, modern technology looks for proof of its presence rather than for the malware itself; that is, for the irregularities the malware creates.
The security firm explains that even the most advanced cyber attacks create anomalies in network and application telemetry, which can be used to detect their existence. The problem with this approach is that the entire network needs to be monitored, and Websense wondered whether error reports could provide a direct line to those anomalies.
Websense explains that many exploits work by making an application behave unexpectedly, which is getting difficult to achieve.
Websense explained: "We reversed those exploits and found where they would crash, and created a fingerprint of what the crash report would look like (in case the exploit failed). We then searched 16 million reports over four months and found five reports matching our fingerprint, from four different organizations".
The security firm found targeted attacks which had breached the security defenses of a government agency and got past the network of leading mobile operators.
Websense said: "We found Houdini H-Worm, a Remote Access Trojan (RAT), in both organizations, i.e. the government agency and the mobile network operator, starting on the same day the failed exploit attempt happened".
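The fingerprint search described above, sketched as an added example that is not Websense's code: each fingerprint is the crash signature a failed exploit attempt would be expected to leave, matched against crash-report fields (faulting application, faulting module, exception code, fault offset). The field names, fingerprint values, organization labels and reports are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CrashFingerprint:
    """Expected crash signature of a failed exploit attempt (hypothetical values)."""
    name: str
    app: str             # faulting application, lowercase
    module: str          # faulting module, lowercase
    exception_code: int  # e.g. 0xC0000005 (access violation)
    offset_lo: int       # fault-offset window inside the module
    offset_hi: int

    def matches(self, report: dict) -> bool:
        # App and module alone are too broad: ordinary bugs crash there too.
        # The exception code plus a narrow offset window is what separates
        # the exploit's crash site from unrelated crashes in the same module.
        return (report["app"].lower() == self.app
                and report["module"].lower() == self.module
                and report["exception_code"] == self.exception_code
                and self.offset_lo <= report["fault_offset"] <= self.offset_hi)


def scan(reports, fingerprints):
    """Return {org: [(date, fingerprint name), ...]} for matching reports."""
    hits = defaultdict(list)
    for report in reports:
        for fp in fingerprints:
            if fp.matches(report):
                hits[report["org"]].append((report["date"], fp.name))
    return dict(hits)


# Constructed sample data, not taken from the whitepaper.
FINGERPRINTS = [CrashFingerprint("failed-exploit-A", "viewer.exe", "render.dll",
                                 0xC0000005, 0x1A200, 0x1A2FF)]
REPORTS = [
    {"org": "org-1", "date": "2013-11-02", "app": "viewer.exe",
     "module": "render.dll", "exception_code": 0xC0000005, "fault_offset": 0x1A240},
    {"org": "org-2", "date": "2013-11-02", "app": "Viewer.exe",  # same module,
     "module": "render.dll", "exception_code": 0xC0000005, "fault_offset": 0x03310},  # other crash site
    {"org": "org-3", "date": "2013-11-05", "app": "viewer.exe",
     "module": "ntdll.dll", "exception_code": 0xC0000374, "fault_offset": 0x1A240},
    {"org": "org-4", "date": "2013-11-02", "app": "VIEWER.EXE",
     "module": "Render.DLL", "exception_code": 0xC0000005, "fault_offset": 0x1A2FF},
]

if __name__ == "__main__":
    for org, found in scan(REPORTS, FINGERPRINTS).items():
        print(org, found)
```

A match only marks a host for follow-up; as in the Websense account, the useful next step is to check what else appeared on that host starting the same day.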
Alex Watson, Security Research Director with Websense, said that the security industry needs to move away from signature-based defenses and adopt more intelligence around anomalies and network behavior because hackers keep improving their techniques to break security systems, cbronline.com reported on February 19, 2014.
» SPAMfighter News - 04-03-2014