Microsoft crash reports reveal Houdini hack campaign hitting firms

A new hack campaign using the Houdini malware has been uncovered by security firm Websense.

Websense ‎director of security research Alex Watson told V3 the company spotted a campaign targeting an unnamed mobile network operator and government body using the Houdini remote access Trojan (RAT) while testing a new detection strategy. He said the strategy involves researchers cross-referencing Microsoft application and software crash reports to spot cyber attacks.

"Every time an application crashes it sends a report to Microsoft. The report includes a variety of information about the app and the computer. This isn't just application software data. It includes everything from information about the computer's basic input/output system [BIOS], down to hardware changes. It will even let you know if someone's plugged a USB or smartphone into the machine," he said.

"In general, this is so Microsoft can prioritise fixes, but we thought about using it for a different application and using the information to detect attack activity. We wanted to use it to make an anomaly detector."

Watson said while testing the technique, Websense examined 16 million crash reports, five of which indicated potential foul play. The Websense director said the company discovered the attacks while examining the five potential positive alerts.

"We reversed exploits from the point of fail [crashes] and took in 16 million reports over four months from third-party feeds. Of these we found five matches, four of which indicated the possibility an exploit had tried to get into the networks. Upon further investigation we found two organisations had Houdini in their systems," he said.

Houdini is a particularly dangerous remote access Trojan that can be used by criminals for a variety of purposes. "Houdini opens the door for pretty much anything [a hacker] could want to do. It can be used for everything from installing password trackers, to grabbing information about the network or pulling files," Watson said.

Watson said Websense also uncovered evidence of a new variant of the notorious Zeus malware targeting a "large clothing retailer" located in the eastern United States. He said the crash logs used in the investigation indicated hackers had tried to infect the company with a similar malware to the Zeus Trojan.

He added that despite having similar data-stealing powers the malware interacted with command and control servers in an atypical manner, indicating it could be tailored to target the wholesale and retail industry.

The Houdini and Zeus campaigns are two of many advanced threats discovered this year. Researchers from advanced threat protection specialist FireEye reported uncovering a fresh cyber campaign targeting US military veterans' website VFW.org, codenamed Operation Snowman, earlier in February.

Security experts from Kaspersky Labs Global Research and Analysis Team reported uncovering another advanced "Mask" hack campaign targeting numerous governments and companies mere days earlier.

• Tweet  
• Facebook  
•  
•  
• Save this article  
• Send to  

• Topics
• Security
• Internet
• Hacking
• malware
• cyber-crime
• Websense