
Many Hackers Accidentally Send Their Code To Microsoft

Soulskill posted more than 4 years ago | from the not-the-brightest-cookie-in-the-shed dept.

Security 220

joshgnosis writes "When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'"


How Does It Encapsulate the Source Code? (2, Interesting)

eldavojohn (898314) | more than 4 years ago | (#33391650)

When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

I understand how this would be able to hand you their script or interpreted file but all the compiled byte code in the utilities they use would do you little good unless you were extremely patient. I don't know what percentage of exploits exist in the way scripts are interpreted (unless we're talking Internet Explorer) but I always assumed the really good and juicy exploits are those compiled down -- you know like a fake DLL that needs to be placed in the system path.

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program? Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?

One thing's for sure: I hope Microsoft is bright enough to log everything they get so that when an exploit is found in the wild sans source code they can do a Hamming distance or some such analysis on it to pin down its origin and also look at the deltas to figure out what the developer was changing between releases so they can better understand the exploit.

Re:How Does It Encapsulate the Source Code? (4, Interesting)

DigitalSorceress (156609) | more than 4 years ago | (#33391676)

Maybe the report includes a dump of working memory?

Just a thought, though that would make it kind of big.

Re:How Does It Encapsulate the Source Code? (2, Insightful)

kyrio (1091003) | more than 4 years ago | (#33391682)

RTFA

So now crackers have a new way to attack Microsoft (5, Interesting)

tomhudson (43916) | more than 4 years ago | (#33391798)

An application that generates random gibberish that "look" like a script, then sends it embedded in a fake crash dump to Microsoft for analysis.

"Fuzzing" isn't limited to code on the local machine any more - you can now try it on Microsoft employees.

Then add further fake crash dumps from legitimate apps that didn't crash; enough of them, from enough machines, and Microsoft will be looking for non-existent bugs.

Re:So now crackers have a new way to attack Micros (1, Insightful)

LifesABeach (234436) | more than 4 years ago | (#33392326)

You wrote, "...will be looking..."

Wouldn't a corporate policy change that major require a filing with the SEC?

Re:So now crackers have a new way to attack Micros (1)

recoiledsnake (879048) | more than 4 years ago | (#33392328)

Doubt Microsoft employees directly run the code... they instead look at the assembly code to see what the reason for the crash was. Even otherwise, I am sure they use VMs with network access which are wiped and rolled back once testing is done.

Re:So now crackers have a new way to attack Micros (0, Troll)

SilverEyes (822768) | more than 4 years ago | (#33392356)

I don't know. They are supposed to use their own products, which means they have to use Hyper-V and Virtual PC instead of VMware. I doubt anyone's ability to get those working :P

Re:So now crackers have a new way to attack Micros (0, Redundant)

odies (1869886) | more than 4 years ago | (#33392600)

Uh, do you honestly think that for example Microsoft's graphics team uses Paint instead of Photoshop?

Re:So now crackers have a new way to attack Micros (1)

SilverEyes (822768) | more than 4 years ago | (#33392628)

Never know, I didn't realize MS did lots of graphics work. I would believe they use Hyper-V instead of VMware, and Visual Studio instead of what have you (Dev-C++ or whatever), Team Foundation Server instead of TortoiseSVN or CVS, etc. etc.

Re:So now crackers have a new way to attack Micros (0)

Anonymous Coward | more than 4 years ago | (#33392794)

A virtual machine is a virtual machine no matter what software you use to run it.

Re:So now crackers have a new way to attack Micros (3, Interesting)

theskipper (461997) | more than 4 years ago | (#33392394)

Interesting. Then add time as a variable to further complicate detection. Each machine in the botnet sending a report every rand(168) hours. For a large enough set of compromised machines, the statistics of which reported crashes float to the top of the queue would certainly be messed up.

Plus, if they were to filter these botnet machines at the IP level for a particular app then it would block real reports from coming in, further skewing the stats. There are real users sitting behind these compromised machines after all.

Ouch.

Re:How Does It Encapsulate the Source Code? (4, Interesting)

Taagehornet (984739) | more than 4 years ago | (#33391926)

Crash reports probably include the script that was running and maybe the binary file running but how could it access the source code of an arbitrary task/thread/program?

According to TFA Heckman gave a presentation on XSS and SQL injection attacks. So, I imagine that what we're talking about here is Microsoft receiving a dump of IE process memory, which of course will include the malicious script.

Furthermore, how can you tell if this is a malware developer or the first unfortunate victim? Or even an outlier victim whose machine was luckily not correctly configured for the attack?

If you get a sequence of error reports from the same IP within a short period of time, where the only difference is that the script bringing IE down has been modified slightly, you've probably got the developer at the other end of the line. (Online source control on a budget? ;-)

Are you saying that they're actually developing this stuff in a Microsoft IDE (like Visual Studio) that actually phones home source code upon program crash? That sounds like a guaranteed way to keep me away from Visual Studio.

Where did that come from?
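The two ideas floated above, that a run of reports from one source whose script changes a little each time looks like the developer rather than a victim, and that the deltas between those versions show what was being changed, can be turned into a simple triage heuristic. This is an added example, not code from the thread or from Microsoft; the report fields, the sample reports, and the similarity thresholds are all constructed assumptions for the illustration.

```python
"""Triage crash reports: flag sources that appear to be editing and re-running a script.

Added example (not from the Slashdot thread or from Microsoft). The CrashReport
layout, the IPs/timestamps/scripts below and the thresholds are assumptions.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher, unified_diff
from itertools import groupby


@dataclass(frozen=True)
class CrashReport:
    source_ip: str   # where the report came from (constructed values below)
    ts: int          # seconds since epoch
    payload: str     # script text recovered from the faulting process's memory


def similarity(a: str, b: str) -> float:
    """0.0..1.0, 1.0 meaning identical. A cheap stand-in for the 'Hamming
    distance or some such' comparison suggested in the thread."""
    return SequenceMatcher(None, a, b).ratio()


def find_iterating_sources(reports, window_s=3600, min_edits=2,
                           min_sim=0.80, max_sim=0.999):
    """Return {ip: [reports in time order]} for every source whose reports
    contain at least `min_edits` consecutive pairs that arrived within
    `window_s` seconds of each other and whose payloads are near-identical
    but not identical: the signature of someone editing and re-running a
    script. A single report, or identical repeats (a victim who loaded the
    same page twice), does not qualify."""
    flagged = {}
    ordered = sorted(reports, key=lambda r: (r.source_ip, r.ts))
    for ip, grp in groupby(ordered, key=lambda r: r.source_ip):
        seq = list(grp)
        edits = 0
        for prev, cur in zip(seq, seq[1:]):
            if cur.ts - prev.ts > window_s:
                continue  # too far apart to count as one editing session
            if min_sim <= similarity(prev.payload, cur.payload) < max_sim:
                edits += 1
        if edits >= min_edits:
            flagged[ip] = seq
    return flagged


def payload_deltas(seq):
    """Unified diffs between consecutive payloads: what changed between
    'releases', which is the part an analyst actually wants to read."""
    out = []
    for prev, cur in zip(seq, seq[1:]):
        out.append("".join(unified_diff(prev.payload.splitlines(True),
                                        cur.payload.splitlines(True),
                                        fromfile=str(prev.ts),
                                        tofile=str(cur.ts))))
    return out


def make_script(n):
    """Constructed, harmless script text; only the argument changes per version."""
    return ("function build(n) {\n"
            "  var a = [];\n"
            "  for (var i = 0; i < n; i++) { a.push(i); }\n"
            "  return a.join(',');\n"
            "}\n"
            "build(%d);\n" % n)


# Constructed sample: one source re-submits an edited script every 5 minutes,
# another sends one report, a third sends the same unchanged script twice.
SAMPLE_REPORTS = [
    CrashReport("203.0.113.7", 1_000_000 + 300 * k, make_script(1000 * (k + 1)))
    for k in range(4)
] + [
    CrashReport("198.51.100.2", 1_000_900, make_script(4000)),
    CrashReport("198.51.100.9", 1_001_200, make_script(4000)),
    CrashReport("198.51.100.9", 1_001_260, make_script(4000)),
]

if __name__ == "__main__":
    for ip, seq in find_iterating_sources(SAMPLE_REPORTS).items():
        print("likely developer at", ip, "with", len(seq), "reports")
        for delta in payload_deltas(seq):
            print(delta)
```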

Re:How Does It Encapsulate the Source Code? (2, Insightful)

Sir_Sri (199544) | more than 4 years ago | (#33392198)

The Visual Studio thing is actually an interesting question. If, in the process of writing code, you crash Visual Studio, or the whole OS, and then send an error report to MS, will it contain your source code? To some degree the same applies to any application: if you crash Notepad++ and send a crash report to MS it would make sense that it contain, well, whatever was being typed in Notepad++. If you crash your copy of Mafia 2 does it send the savegame?

It's somewhat outside the scope of the article, but really, all those crash reports you can send to MS have to contain a lot of stuff for them to be useful.

Re:How Does It Encapsulate the Source Code? (3, Informative)

SilverEyes (822768) | more than 4 years ago | (#33392304)

Not necessarily. Microsoft uses the reports to fix Windows problems or problems with their own products (or third party drivers, etc). They have that source and symbols. All they need from the user is the memory space and exceptions of the faulting process and which version of symbols were used.

I don't think Microsoft really cares about fixing application crashes other than for their public perception. They would be concerned that a Windows crash was possible in some particular way, and didn't recover/fail gracefully - and this boils down to the code that is sitting below the application code so they wouldn't need your source.

The only data that could be sent would be data currently in the memory space. So if the process had `*str1 = "Need to buy groceries: meat, eggs, cheese"`, `*str2 = "Assassinate the president at 17:30 on Tuesday"`, they would be able to see that by debugging through the stack variables and looking at where it's stored (i.e. heap). I'm not precisely sure how minidumps are configured - they may not include heap information.

Re:How Does It Encapsulate the Source Code? (1, Informative)

Anonymous Coward | more than 4 years ago | (#33392568)

Debug statements (asserts, etc) would be compiled into the code and sent. Source code, definitely not. VS stores it into an external database (a PDB file which maps code to instructions) and it can be 100s of MBs; sending that crash log would take hours. IIRC crash logs don't include heap memory, just the memory for code (including all DLLs) so that would rule out save games.

Really guys. You're talking about Windows, which has billions of dollars in corporate invested developer money. Microsoft isn't snooping on your revolutionary code. Lay off the FUD please.

Re:How Does It Encapsulate the Source Code? (0, Troll)

internewt (640704) | more than 4 years ago | (#33392726)

Yeap, the integrated spyware in many applications, mostly proprietary ones, is one of the worst things about current software.

The spyware is usually presented to the user as some hand-holding feature, like update checks, or crash reporting. This article does demonstrate though that at least 1 proprietary vendor does get and look at data that could be potentially private. What if IE crashes on a private website, like an intranet or password protected www site for a few friends? MS will get at least some of that data, it looks like.

The article presents the story in the context of nasty hackers (but I think they took out the bit about the hackers being paedo-terr'ist hackers), which is exploiting most users' naivete. The users don't realise that if the baddies can have their privacy violated, the goodies can too. Proper journalism would have addressed this, but ZDNet is just another example of an industry rag trying to promote the industry as wonderful.

The possible extra info leaked when things like crash reporting and update checks are performed has always been enough for me to turn off features like those, or even avoid products with those features. E.g. MP3Tag gained an update check mechanism, so I removed the application and installed the oldest version without the spyware.

Re:How Does It Encapsulate the Source Code? (4, Informative)

onlysolution (941392) | more than 4 years ago | (#33391956)

Crash dumps sent to Microsoft can contain memory used by the Windows process that was hosed by the virus writer, which could very well include whatever machine code was injected into the process's memory or the invalid input that caused the crash. No phoning home via Visual Studio is required (amazing FUD with your speculation there, by the way); the nature of the attack means the code/data is going to be exactly in the place it needs to be for MS to get at it without doing anything nefarious.

Re:How Does It Encapsulate the Source Code? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#33392002)

amazing FUD

Remember folks, here at Slashdot, asking a question is Fear, Uncertainty and Doubt.

Re:How Does It Encapsulate the Source Code? (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33392034)

"Would you be less likely to vote for McCain over Bush if you discovered that he had an illegitimate black child?"

Hey, it's just a question; it's not making any claims.

Re:How Does It Encapsulate the Source Code? (0)

Anonymous Coward | more than 4 years ago | (#33392804)

You want to bend McCain over a bush - and do WHAT?!?! You deviant . . .

Re:How Does It Encapsulate the Source Code? (1)

recoiledsnake (879048) | more than 4 years ago | (#33391958)

I guess they find it when Microsoft analyzes the crash logs and is able to see the assembly code trying buffer overflows etc. Think core dump in Linux. I wouldn't think Microsoft would send the source code to themselves.

Re:How Does It Encapsulate the Source Code? (4, Informative)

Anonymous Coward | more than 4 years ago | (#33392080)

compiled byte code in the utilities they use would do you little good unless you were extremely patient

Many people in the Windows OS team only debug at assembly level. For example, Raymond Chen.

http://blogs.msdn.com/b/oldnewthing/archive/2004/11/11/255800.aspx [msdn.com]

"1. Once the optimizer has messed with your code source level debugging falls apart.

2. Most debugging is done remotely. When you have to debug a customer's machine 5000 miles away over a 56k modem, you can't tell them, "First, I want you to install Visual Studio on your domain controller..."

3. Installing a GUI debugger on the test machine changes the system configuration and therefore influences the test itself. Imagine if Windows XP had some horrific bug that goes away when you install Visual Studio. If all test machines had Visual Studio installed on them, then this bug would never be found!

4. Just today I had to debug a problem that occurred only immediately after installing the OS. No chance to install VS even if you wanted to.

5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!

Conclusion: Since so much debugging is done in situations where GUI debugging is not possible, you are quickly forced to become an expert at command line debugging. At which point the incremental benefit of a fancy debugger is rather small.

"You can't possibly debug any significant size project in this fashion."

Shhh, don't tell the Windows team. Not all debugging is done at asm-level, but a significant chunk is. They'd be pretty disheartened to learn that what they're doing is impossible.

Re:How Does It Encapsulate the Source Code? (0, Flamebait)

Runaway1956 (1322357) | more than 4 years ago | (#33392846)

"5. If you're debugging the OS itself (say the window manager), then you can't use a GUI debugger since it needs the window manager to draw its UI!"

*cough*

In any REAL OS, the window manager isn't part of the OS. All a window manager is supposed to do is - like - you know - MANAGE THE WINDOWS!

Oh, sorry, I forgot. We're talking about Windows OS. My bad.

Re:How Does It Encapsulate the Source Code? (0)

Anonymous Coward | more than 4 years ago | (#33392180)

The binary code can still reveal the vulnerability being worked on, if it includes a serious bug M$ isn't aware of yet.

Re:How Does It Encapsulate the Source Code? (0)

Anonymous Coward | more than 4 years ago | (#33392280)

People who think source code is the be all and end all of programming are often hilarious. "I don't have the source code, therefore I can't understand what the program does." "I don't have the source code, therefore I can't understand what the program is doing." I mean, have you ever used a debugger before, or do you spam your code with thousands of log statements? In most crashes, all you need is a copy of the stack and registers to deduce how it was caused. A hacker can be identified from his continual shifting tactics to exploit a program in a way that works.

To Be Fair (2, Insightful)

sonicmerlin (1505111) | more than 4 years ago | (#33391680)

They're not necessarily all trying to be malicious. For a lot of people learning code requires hands-on experience, and if hacking is their interest and primary motivator to improve their coding skills, what better target to experiment on than one of the most hated software companies in all the lands?

Re:To Be Fair (2, Insightful)

pnewhook (788591) | more than 4 years ago | (#33392682)

Yes, that's a great idea. And I want to improve my marksmanship, so I'm going to go shoot up some banks and a few police stations. I'm sure they will understand I'm only trying to improve my skills.

::head shake:: (5, Funny)

Pojut (1027544) | more than 4 years ago | (#33391686)

Fucking script kiddies...in MY day, we actually HACKED.

Wait, I was born in '84...

Re:::head shake:: (5, Funny)

oodaloop (1229816) | more than 4 years ago | (#33391784)

Soooooo should I get off your playground, or what?

Re:::head shake:: (1)

Pojut (1027544) | more than 4 years ago | (#33392016)

I'm totally going to use that...awesome :-)

Re:::head shake:: (1)

thijsh (910751) | more than 4 years ago | (#33392066)

Get out of my dystopian future! I'm from 1984...

Re:::head shake:: (1)

inode_buddha (576844) | more than 4 years ago | (#33392294)

I feel old - 1967 here. My first memory of computing involved punch cards.

Re:::head shake:: (1)

Is0m0rph (819726) | more than 4 years ago | (#33392564)

1970 here. I learned to program BASIC on TRS-80s when I was a kid and did most of my early hacking on an Apple II. My first calls out were on an Apple Cat with an acoustic coupler.

in 6.4kB of RAM (0)

Anonymous Coward | more than 4 years ago | (#33392310)

These days we are actually dealing with 6.4*10^6 kilobytes of it.

Re:::head shake:: (2, Funny)

thousandinone (918319) | more than 4 years ago | (#33392352)

I was born in 83. Gimme ur lunch money, kid!

Re:::head shake:: (2, Funny)

PinkFreud (51474) | more than 4 years ago | (#33392642)

I was born in 83. Gimme ur lunch money, kid!

1976. Now get off my lawn.

Re:::head shake:: (2, Funny)

interval1066 (668936) | more than 4 years ago | (#33392868)

'63. Get off of MY lawn.

Re:::head shake:: (1)

sconeu (64226) | more than 4 years ago | (#33392884)

Darned kids today! Why, back in my day, we didn't have no fancy computer or nothing. We had to count on our fingers! In a raging snowstorm! And we liked it that way!

Rassum fassum mumble grumble darned kids...

Now git offn' my lawn!

1962

Re:::head shake:: (1)

confused one (671304) | more than 4 years ago | (#33392498)

damn kids. While you were still being carried around in your Mama's belly, I was already hacking...

So then what's with the wait? (-1, Troll)

damn_registrars (1103043) | more than 4 years ago | (#33391702)

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Re:So then what's with the wait? (2, Funny)

Hinhule (811436) | more than 4 years ago | (#33391754)

Maybe their servers run Linux?

Re:So then what's with the wait? (2, Informative)

Shados (741919) | more than 4 years ago | (#33392056)

I know you're jesting, but aside from their download/MSDN sections sometimes being hosted by a third party who actually does run Linux, Microsoft.com for the most part runs on IIS. Not only that, but it's actually hosted on SharePoint.

Re:So then what's with the wait? (2, Interesting)

halfaperson (1885704) | more than 4 years ago | (#33391816)

Most likely the majority of those are simple denial of service attacks.

Re:So then what's with the wait? (4, Insightful)

ScentCone (795499) | more than 4 years ago | (#33391858)

why don't they respond quicker?

What makes you think that any of those 7k script kiddie attacks on MS's public-facing web presence actually show up with anything the least bit new?

Re:So then what's with the wait? (4, Insightful)

nmoog (701216) | more than 4 years ago | (#33391900)

I'm guessing it's because the real "hackers" don't accidentally click the send button.

Re:So then what's with the wait? (1)

PePe242 (1690706) | more than 4 years ago | (#33392402)

Real hackers use MS-DOS!

Re:So then what's with the wait? (2, Insightful)

interval1066 (668936) | more than 4 years ago | (#33392910)

No, real hackers turn off that stupid "Help" background process.

Re:So then what's with the wait? (4, Insightful)

DIplomatic (1759914) | more than 4 years ago | (#33391968)

From the summary

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system? That's like saying submitting an angry letter to the editor of your newspaper exposes the fact that one of the side windows on your house doesn't close properly.

Re:So then what's with the wait? (0, Troll)

damn_registrars (1103043) | more than 4 years ago | (#33392164)

On average we get attacked between 7000 and 9000 times per second

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

In what possible way does an attack across the internet at Microsoft.com translate to exposing a flaw in the Windows operating system?

If you read the start of the summary:

When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft

So the attack they are describing is actually the malware crap that is being sent in after Windows crashes. Hence we aren't actually talking about www.microsoft.com being attacked - although one might expect that to be running Windows Server anyway - rather we're talking about random workstations around the world being attacked or used as guinea pigs.

Re:So then what's with the wait? (0)

Anonymous Coward | more than 4 years ago | (#33392418)

Summary reading fail

Re:So then what's with the wait? (3, Insightful)

Anonymous Coward | more than 4 years ago | (#33392808)

You're incorrect, though the summary is confusing so I see how you could get lost.

The summary is talking about 2 things

1. "Hackers" who are testing malware that crashes systems often unintentionally send the report of the crash and what caused it to Microsoft.

2. Microsoft.com is often attacked via the web, to the tune of 7000-9000 times per second.

These two things are largely unrelated. Go back and re-read TFS.

Re:So then what's with the wait? (1)

ageoffri (723674) | more than 4 years ago | (#33392618)

I deal with IDS every single day. Now granted MS is being attacked several orders of magnitude greater than what I deal with, but between IDS and firewall nearly every single attack will be blocked before it hits the first MS server. Then hopefully MS is following good security standards and only has the presentation layer in their DMZ with more firewall and IDS or IPS, and you have a multi-tiered defense that means the actual servers see very, very few attack attempts.

Re:So then what's with the wait? (1)

pnewhook (788591) | more than 4 years ago | (#33392738)

If they get attacked that often, it shouldn't take long for them to find and confirm security holes in Windows. Yet they have been noticeably slow in patching some of those holes; why don't they respond quicker?

Do you really think any of those 7000 to 9000 attacks actually got through? No, so therefore they are already fixed. These are just stupid script kiddies learning to be terrorists. They are probably just modifying code found on the net that has long since been protected against.

Yes... sure... (0, Troll)

xtracto (837672) | more than 4 years ago | (#33391714)

'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com.

Ahem.. yes... sure... I attack Microsoft machines only by accident... sorry, didn't see what I was writing in the URL... not that I *want* to fsck with my beloved MS servers... no way, ahem...

kk, now I'm gonna go back to try installing sub-seven to wga.microsoft.com

But (1)

zarathruster (1658981) | more than 4 years ago | (#33391782)

Real hackers don't use windows...

Re:But (5, Funny)

maxwell demon (590494) | more than 4 years ago | (#33391848)

Yes, that's because they live in basements where windows wouldn't be of any use anyway.

Re:But (0, Redundant)

Kaziganthi (824129) | more than 4 years ago | (#33391934)

Well played, sir.

Re:But (4, Funny)

Abstrackt (609015) | more than 4 years ago | (#33391944)

That explains why they enter through the back door.

Re:But (1)

The MAZZTer (911996) | more than 4 years ago | (#33391872)

They have to test their code somehow...

Re:But (0)

Anonymous Coward | more than 4 years ago | (#33392112)

Real hackers definitely develop exploits on the only desktop OS that currently matters: Windows. They also run OS X and Linux, and probably a variant of BSD.

Decryption process running....... (-1, Troll)

Anonymous Coward | more than 4 years ago | (#33391786)

Many "Hackers" inadvertently "send" their code to Micro$loth; the hard part is recompiling their hacker code so they can pretend they wrote it. Wait wait, that's not what I said. Damn code borrowing fairies. Where is my +4 sword of truth.

Hilarious (0, Troll)

assertation (1255714) | more than 4 years ago | (#33391832)

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman."

So, even if someone steals a copy of the exam for them, Microsoft still can't pass the test? :)

Re:Hilarious (0)

Anonymous Coward | more than 4 years ago | (#33392038)

HAhahahahah

Re:Hilarious (-1, Troll)

assertation (1255714) | more than 4 years ago | (#33392380)

I see you got modded down too.

I guess there is just too much of a fanboy culture in tech for comments like mine to be seen and taken as a light hearted joke.

Re:Hilarious (1)

halfaperson (1885704) | more than 4 years ago | (#33392656)

Yeah, that or "HAhahahahah" posts just don't contribute much to the discussion.

Re:Hilarious (1)

assertation (1255714) | more than 4 years ago | (#33392798)

Really?

I can't tell you how many times I've seen jokes, with no informative content or even a good point, get modded all of the way up to "5".

My light hearted joke was modded down because of a fanboy culture.

Preview but no fixes? (-1, Troll)

Exitar (809068) | more than 4 years ago | (#33391890)

So they get a "preview" of malware, refuse to fix their OS for months after exploits go live and instead blame people that published info about them?

Re:Preview but no fixes? (1)

Junior J. Junior III (192702) | more than 4 years ago | (#33392200)

Maybe they do fix these 7000-9000/day attacks. Maybe there are yet more attacks that the developers are smart enough not to tip off MS about, and those are the ones that they are not patching.

I'm not saying this is the case, but it's a possibility.

Re:Preview but no fixes? (1)

AvitarX (172628) | more than 4 years ago | (#33392834)

I think there are two different things going on.

Hackers writing actual exploits that are new, and sending crash reports to MS.

And script kiddies downloading and running scripts, which they tend to test on microsoft.com.

The second group are probably low risk, as they are using known code/exploits; the actual hackers on the other hand may actually be revealing some new bugs with the bug reporting tool. Heck, maybe it's intentional.

Re:Preview but no fixes? (1)

The Moof (859402) | more than 4 years ago | (#33392298)

It's all signal to noise ratio. Maybe the majority of those attacks are for vulnerabilities they have already patched, or possibly not even for their platform. Hell, even when I look at my server logs, there are tons of requests trying to exploit a vulnerability in some package I've never installed. Just a quick peek right now shows 2500+ 404 errors looking for phpMyAdmin.

Funny how TFA states the same exploits work (0)

Anonymous Coward | more than 4 years ago | (#33391906)

I find it sad in a way that the same exploits (SQL injection, etc.) are still the same old standbys. This is something MS really can't do anything about because it is the app developers who have to sanitize their inputs and use parameterized queries.

Microsoft is doing a good job in trying to make the Windows ecosystem as secure as possible. But what keeps MS from doing so in a lot of cases are third party programmers who write code that crashes if DEP is turned on, won't bother with ASLR, and prompts the user for elevated access often. At least the last part is gone somewhat, although developers screamed bloody murder that they can't assume every user has Administrator rights.

Windows is the only platform I know of where developers don't care about it other than to make money from it. On Linux, OS X, iOS, AIX, and other platforms, software makers refuse to shit where they sleep and they make sure that their code is decently secure and well written.

Re:Funny how TFA states the same exploits work (1)

LoztInSpace (593234) | more than 4 years ago | (#33392234)

I find it sad in a way that the same exploits (SQL injection, etc.) are still the same old standbys. This is something MS really can't do anything about because it is the app developers who have to sanitize their inputs and use parameterized queries.

You mean escaped outputs rather than sanitized inputs, right? Not that there's anything wrong with making sure your inputs make sense, but it's the output that matters.

Re:Funny how TFA states the same exploits work (1)

FutureDomain (1073116) | more than 4 years ago | (#33392396)

Nope. SQL Injection occurs when you don't sanitize the inputs and hackers can pass SQL code to your program that gets inserted directly into SQL queries. You're probably thinking of XSS attacks which require not sanitizing the outputs so that raw HTML can be printed to the browser window.

Re:Funny how TFA states the same exploits work (0)

Anonymous Coward | more than 4 years ago | (#33392404)

Sanitized as in cleaned inputs, to remove the dirty injections
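The three posts above are talking past each other because each defence belongs to a different context: SQL injection is stopped by keeping user data out of the SQL text (parameters), and XSS is stopped by escaping data for the HTML it lands in. This added example (not code from the thread) shows a concatenated query beside a parameterized one and an HTML-escaped render step, against a constructed in-memory SQLite table.

```python
"""SQL injection vs. parameterized queries, and output escaping for HTML.

Added example, not from the Slashdot thread. The table, its rows and the
sample lookups are constructed for the illustration.
"""
import html
import sqlite3


def make_db():
    """In-memory table with constructed sample rows, one of which carries
    markup in the name column so the HTML side can be shown too."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("<b>mallory</b>", "mallory@example.com"),
    ])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL text, so the
    database parses whatever it contains as SQL. 'Sanitizing' the input is
    a losing game here because the input should never be parsed at all."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Fixed: the value travels separately from the statement; the database
    compares it as data and never interprets it as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_row(row):
    """The XSS half of the argument: escaping happens at output, for the
    context the data lands in (here an HTML element body)."""
    name, email = row
    return "<li>%s (%s)</li>" % (html.escape(name), html.escape(email))


if __name__ == "__main__":
    db = make_db()
    # Constructed input a textbook would use; it changes the WHERE clause
    # when concatenated, and is just an unmatched name when parameterized.
    probe = "x' OR 'a'='a"
    print("concatenated:", lookup_concat(db, probe))
    print("parameterized:", lookup_param(db, probe))
    for row in lookup_param(db, "<b>mallory</b>"):
        print(render_row(row))
```

Escaping for HTML does nothing for the SQL problem and vice versa, which is why the thread's "inputs vs. outputs" framing is the wrong axis: pick the mechanism that matches the sink.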

What about the competition? (1)

Fractal Dice (696349) | more than 4 years ago | (#33392040)

Malware is one thing, but how often have competitors made this mistake when developing their products? Is it anti-competitive if Microsoft analyzes competing products that are accidentally sent to them during their development? Would it be practical as a form of corporate espionage?

Re:What about the competition? (1)

SilverEyes (822768) | more than 4 years ago | (#33392194)

It would be utterly impractical. Compare it to just buying the source code or product from their competitor and disassembling it themselves? If they are committed to corporate espionage, why rely on a random variable? VS and Windows don't send the source of your project to MS; they send a crash dump (i.e. core dump) of the process for analysis. Even if you configure a full crash dump it doesn't send source (it would then be full process memory, register state, exception records, maybe PDBs / symbols used by the faulting process - not sure).

As others have pointed out though, having symbols and instruction memory can be enough to look for buffer overflow attacks, but I don't think you would want to reconstruct a competitor's product from a crash dump (and most large application products involve more than one process anyway).

...Fixed Title (1)

hggs (904576) | more than 4 years ago | (#33392100)

Many crackers accidentally send their code to Microsoft.
There, fixed that for you.
--
Did I just say that?

Re:...Fixed Title (1)

bigredradio (631970) | more than 4 years ago | (#33392282)

Thank You.

Re:...Fixed Title (1)

cciRRus (889392) | more than 4 years ago | (#33392864)

Resistance is futile. Accept it.

People actually do that? (0, Redundant)

HelioWalton (1821492) | more than 4 years ago | (#33392146)

People actually hit the 'send' button? I always hit 'don't send', even if it is a Microsoft product. The "solutions" they give are almost always generic enough to be completely useless. It's not worth the time to look at them.

Re:People actually do that? (1)

SilverEyes (822768) | more than 4 years ago | (#33392220)

While I agree, I have had a case where it linked a driver update that fixed an application incompatibility/crashing issue. It also provides metrics on the scope of an issue to MS which they may presumably pass on to other companies... oh wait, you said 'almost always'.

Re:People actually do that? (0)

Anonymous Coward | more than 4 years ago | (#33392712)

As a developer, we've had Microsoft contact us on a couple of occasions with crash information about our application that was coming in from people sending in those crash dumps. They are definitely not useless.

What a wank web site (0)

Anonymous Coward | more than 4 years ago | (#33392176)

What a fucking annoying website. You click the link, and you get a nearly blank page (thanks adblock). There is a link to continue to the article, but I figure it won't work as I reject all cookies. So I change my user agent to be the Google bot, and the page loads fine.

Oh well, best inform Google that ZDNet is serving different content to the Google bot than Firefox. I think they de-list sites that do shit like that!

And now once the site has loaded, I see they have used position:fixed to keep some box in people's faces. I'm sorry, but the use of position:fixed to display stuff prominently is about as annoying as pop-up windows full of adverts. And the box is trying to get people to join their site, and a link to twitter. So the content of the pseudo popup is simply about trying to get users back to the site over and over. Not something that is actually what the user might find useful, like the stupid slashdot floaty slider thing for adjusting comments being displayed.

There's some fucking wankers of web designers out there.

7000 - 9000 / sec ?? (1)

bl8n8r (649187) | more than 4 years ago | (#33392188)

Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.

Re:7000 - 9000 / sec ?? (4, Interesting)

IndustrialComplex (975015) | more than 4 years ago | (#33392368)

Those numbers seem suspiciously inflated. I'm going to guess the majority of these packets are icmp from bots checking ping.

There are what, 1-2 billion people currently on the internet at any one time (probably exceeds that). Let's say 99.9% don't develop malware.

That would put the number of currently active malware developers at 2,000,000. If 10% of them write a program that tries to attack microsoft.com, that's 200,000 programs. If each one of those only tries once every 10 seconds, that could be 20,000 individual programs attacking microsoft.com every second.

Ok, so maybe somewhere those numbers are inflated. Cut it down by another order of 100. That would be 200 unique pieces of malware.

Now the magic: It's not 0.1% of the internet users developing malware that targets microsoft.com. It's 40-60% of the internet users whose computers have been compromised and are attacking microsoft.com.

So 10k attacks per second? Not a stretch at all. These things scale.

Surely... (0)

Trelane (16124) | more than 4 years ago | (#33392196)

They immediately share the new virus information with the other anti-virus vendors, right?

Of course! That's how windows is written. (5, Funny)

tekrat (242117) | more than 4 years ago | (#33392222)

Thousands of hackers across the globe send their malware, virii, and trojans to Microsoft, where it is collected, pieced together and compiled. Then MS puts it in a box and calls it an OS.

If you notice, there is a direct correlation between the number of hackers sending their code to MS and the amount of bloat in each new software package released by MS.

Another mystery solved! You're welcome.

Re:Of course! That's how windows is written. (1)

SilverEyes (822768) | more than 4 years ago | (#33392322)

Best comment ever!

I wonder if enough virii and separate malware are compiled together if it can form some kind of evolving ecosystem (and yes, it was in xkcd, but the idea is far older than that). The next version of Windows will be watching you... you know... more than normal.

Very confusing article (5, Insightful)

microbee (682094) | more than 4 years ago | (#33392226)

The article is talking about two things: developing virus (and sending crashdump to Microsoft) and attacking Microsoft.com. These are not the same thing.

And a crashdump containing virus does not mean it's the hacker that sent it. It could well be the victim. So while the speaker wants to say something entertaining, I wonder how truthful it actually is.

Re:Very confusing article (1)

BangaIorean (1848966) | more than 4 years ago | (#33392452)

And moreover, the piece of news in the article about MS getting system crash reports caused by 'script kiddies testing their malware' 7000-9000 times per SECOND is just too goddamn high. I'd say, take this article with a drum of salt.

Why do they care? (1)

minstrelmike (1602771) | more than 4 years ago | (#33392248)

Those crash logs are about as useful to Microsoft as the crash logs of Excel or Word. If they aren't paying attention to those, why should they think they could understand anything else?

The basic crashes of first run viruses are probably readable to the employees so that's why they sort of understand what's going on.

Everyone ignores error reporting. (4, Interesting)

dicobalt (1536225) | more than 4 years ago | (#33392316)

One of the first things I do on a fresh install is turn off error reporting. It has always amazed me that I have never seen a corporate network turn it off. Every day tons of proprietary information is transmitted to Microsoft in error reports.

"between 7000 and 9000 times per second.'" (0)

Anonymous Coward | more than 4 years ago | (#33392338)

Am I understanding this correctly? In the article these are system crashes being sent to MS? 7K-9K of system crashes a SECOND? Wow.

How did MS use these virus snippets? (1)

140Mandak262Jamuna (970587) | more than 4 years ago | (#33392390)

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman."

And when asked what Microsoft does with these code snippets, Mr Heckman said, "We promptly use it everywhere we could. Otherwise Vista would have been delayed even more. We include all these viruses as BHOs [Browser Helper Objects] in our default distribution. Why should the user endure the trouble and torture of visiting a malware site to acquire the user experience of getting buggy crashing software? We provide it first hand from within Windows itself. We take pride in being backward compatible with every vulnerability, bug and malware that was developed on/for the previous windows platform."

The Gist I Got Of The Article (4, Funny)

Ukab the Great (87152) | more than 4 years ago | (#33392450)

Hackers and Developers are both lazy. This is why things haven't gotten any worse and also why things haven't gotten any better.

They report it !? (1)

confused one (671304) | more than 4 years ago | (#33392546)

Damn. I'm a part-time dev and I turn off that feature because I don't want Microsoft seeing my mistakes. And they're harmless. Pretty damn bold (and stupid) to be writing malicious code and reporting the failures back to Microsoft.

ROCKY? (0)

Anonymous Coward | more than 4 years ago | (#33392602)

Mr. & Mrs. Heckman were/are fans of Sly?

Possible source of the crash reports? (0)

Anonymous Coward | more than 4 years ago | (#33392666)

I suspect the types of crash dump he's talking about are the ones from blue screens of death. With Vista and onwards, Windows gives you the opportunity to send those dumps to Microsoft once you've rebooted, to see if it's a common problem and get a fix, or for them to analyse it. The proper crash dumps from those are likely to be reasonably informative. Certainly more so than a regular program crash where you report to Microsoft. Given the fact that virus writers are likely to be trying to hook into low-level stuff, it is plausible that they would end up with BSODs as they develop their malware.

Attacks on Microsoft.com (0)

Anonymous Coward | more than 4 years ago | (#33392840)

"On average we get attacked between 7000 and 9000 times per second."

And sometimes we get attacked OVER 9000 times per second!
