Hackers accidentally give Microsoft their code


Summary: When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.

TOPICS: Microsoft, Security

When hackers crash their systems while developing viruses, the code is often sent directly to Microsoft, according to one of its senior security architects, Rocky Heckman.

When the hacker's system crashes in Windows, as with all typical Windows crashes, Heckman said the user would be prompted to send the error details — including the malicious code — to Microsoft. The funny thing is that many say yes, according to Heckman.

"People have sent us their virus code when they're trying to develop their virus and they keep crashing their systems," Heckman said. "It's amazing how much stuff we get."

At a Microsoft Tech.Ed 2010 conference session on hacking today, Heckman detailed to the delegates the top five hacking methods and the best methods for developers to avoid falling victim to them. Heckman explained how to create malicious code that could be used in cross-site scripting or SQL injection attacks and, although he said it "wasn't anything you couldn't pick up on the internet", he suggested delegates use the code responsibly to aid in their protection efforts.

According to Heckman, based on the number of attacks on Microsoft's website, the company was only too familiar with what types of attacks were most popular.

"The first thing [script kiddies] do is fire off all these attacks at Microsoft.com," he said. "On average we get attacked between 7000 and 9000 times per second at Microsoft.com," said the senior security architect.

"I think overall we've done pretty good, even when MafiaBoy took down half the internet, you know, Amazon and eBay and that, we didn't go down, we were still up."

Heckman said there were two reasons why the top hacking methods of cross-site scripting and SQL injection had not changed in the past six years.

"One, it tells me that the bad guys go with what they know, and two, it says the developers aren't listening," he said.

Heckman said that developers should consider all data input by a user as harmful until proven otherwise.
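The two attack classes Heckman names are both failures to treat user input as untrusted. As an added example (not code from the article or from Microsoft), the following Python shows the defect and its fix side by side for each: a query that splices input into SQL text against one that binds it as a parameter, and a page that echoes input raw against one that entity-encodes it. The in-memory SQLite table, the `users` schema and the probe strings are constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    # Vulnerable: the input becomes part of the SQL text, so quote
    # characters in it change the structure of the query itself.
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Hardened: the input is bound as a parameter and is only ever
    # compared as a value, whatever characters it contains.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_unsafe(name):
    # Vulnerable: input is echoed straight into the HTML response.
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    # Hardened: entity-encode for the HTML text context before echoing,
    # so markup in the input is displayed rather than interpreted.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


def demo():
    conn = make_db()
    # Constructed probe inputs; neither matches any real user name.
    sql_probe = "' OR '1'='1"
    html_probe = "<script>alert(1)</script>"
    return {
        # 2: the spliced query's WHERE clause is now always true
        "unsafe_rows": len(lookup_unsafe(conn, sql_probe)),
        # 0: the bound value is compared literally and matches nothing
        "safe_rows": len(lookup_safe(conn, sql_probe)),
        "unsafe_html": render_unsafe(html_probe),
        "safe_html": render_safe(html_probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The fix in both cases is the same idea Heckman states: the input never gets to decide what the program does. Parameter binding keeps data out of the SQL parser, and context-appropriate encoding keeps data out of the HTML parser; input validation on top of that narrows what is accepted, but is not a substitute for either.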

Josh Taylor travelled to Tech.Ed as a guest of Microsoft.



Armed with a degree in Computer Science and a Masters in Journalism, Josh keeps a close eye on the telecommunications industry, the National Broadband Network, and all the goings on in government IT.



  • Some of the hackers' code gets through.
    Most of them, because they're hackers, would already know if the system crashes it sends the code out. So they perform testing on a non-production machine that is not connected to the internet.
    They are hackers at the end of the day, right?
  • I think Microsoft is getting cocky on what they think they are getting - why would someone develop a system breaker on a machine that's connected to the internet where all sorts of 'big brother' backdoors are looking in?
  • Because the majority of hackers, like the majority of criminals in general, are not particularly smart. That's not to say there aren't smart hackers/criminals out there, it's just that they're in the minority, I would say.
    Dean Harding
  • And that's assuming they have an internet connection.
  • The journalistic category of 'hacker' has always tended to bundle together activities and intentions that diverge wildly.

    A great many 'script kiddies' are playing with tools they don't understand on systems they operate with very little real understanding. The tools they play with are not to be discounted - many of the most potent wild code outbreaks have been the result of unintended consequences, but nevertheless very effective and efficient at spreading.

    The co-opting of 'hacker' by a journalist way back when, because it sounded 'good', has stuck. Not least because of the enthusiasm for the topic in the late 80s and early 90s. Being unable to adequately differentiate serious intentional behaviours from unintentional, or even unaware playing, significantly diminishes our ability to discuss the spectrum of activities, and their consequences, in meaningful ways.

    [Even 'black hat' and 'white hat' are inadequate to distinguish activities and intentions here - hence the rise of the equally vague 'grey hat' as a term.]
  • "would already know if the system crashes it sends the code out."

    Er no, if your computer crashes you get a blue screen while usually the OS manages to dump relevant sections of memory into a file. The code is not "automatically" sent out. When you reboot you get a dialog box saying "Report this problem" or "Cancel". If you click "Report this problem", only THEN the memory dump is sent.
  • Though they *may* be hackers, in this instance the correct term is "cracker".
  • I can't help but agree that much of what gets provided to Microsoft's servers are the result of inexperienced individuals. I've been in the IT field as a network admin/engineer, and software engineer for over 20 years and I've seen a lot of interesting technological changes over time. However, the one thing that has remained static is that there's always someone who's willing, ready, and quite able to test your network or application security, hoping that you left a hole somewhere, or if not, that they can make one. As a result, I've seen attacks and probes that range from the very simplistic to the ultra-sophisticated--in fact, some were so good that I was tempted to let them go through, because their technique was so novel and clever (no, duty always won over curiosity and I shut their @$$'s down). But the bottom line is that it's not the millions of attacks you detect and/or stop that matter--it's the one you didn't...
  • Who is to say that the intent was not to have the code sent off to M$... Obviously, you can assume that for 99.9% of these reports it is because the people are sloppy.... But .01% of the time the upload might not be what you think, a sloppy hacker exposing his source code.... What if the error dump was an attack in itself... That would be a slick hacker, no??
  • I agree--but not completely. IMHO, I think it's less a matter of intelligence and more a matter of laziness due to the proliferation of code generators and visual programming GUIs. Why should they write 500 lines of code when they can simply click-drag-drop and set some properties in a dialog box? Nevertheless, I do think that while there are certainly a good number of brilliant techno-deviants in the world, there are those who are, shall we say, not the most clever line of code in the app... ;-)
  • Seems like it was Sun Tzu in his Art of War who said to always expect the unexpected (but maybe it wasn't) and this would certainly fall into that category. Actually, such an attack would probably be more appropriately categorized as a Trojan Horse attack. In any event, I do think it's highly likely that MS's security team could be getting just a bit over-confident. However, the flip side of this scenario is that MS is trying a bit of psych warfare because it doesn't make sense to me that they would, in essence, tell the world's malicious coders, "Oh, BTW, stop sending us your code in a crash dump file..." if that very data is what they use to help defend against it. So, either MS has something up their sleeve and this is bait, or they've been very, very, stupid--both of which are, IMHO, equally likely.
  • Anyone who is XSS attacked or SQL injected deserves it. It's been around for ages, and only willful ignorance or laziness are the reasons it will happen to you.
    Charles Stover
  • Excuse the obvious question, but how does M$ know that these are hackers, and not victims of malicious code themselves? Granted, the malicious code may certainly indicate that it is intended for 'hacking', but how do they know that the machine they received it from is the original hacker's? Perhaps it's an unsuspecting 3rd party, infected, providing the 'hack by proxy'. I mean, even dumb hackers know better than to waste time sending code dumps to M$. I never send my errors, even when it's an M$ application causing them. If you deal with sensitive data, or care about your own privacy, you would never send code dumps to anyone. I would bet that only the most naive user would actually send it, foolishly thinking that M$ would actually do anything about it. Remember M$ created the ability to do these kinds of hacks in the first place; they were never a part of the original (non-M$) HTML spec. Transparent empty gloating, now that sounds more like M$.
  • True network security is accomplished through DOD Internet rule #1 (when it was their network): never ever execute arbitrary code from a remote source. All these scripts, ActiveX, and Java applets, etc. are what... arbitrary executable code coming over the wire. Who created this mess? Those who realized that code has no moving parts, and if correct, would never wear out, which is bad for a business that needs to make money on upgrades and the latest and greatest version of regurgitated code. Turn your automatic updates off, turn off scripting and ActiveX, and any other plugin thing in your browser and use only pure 1.1 compliant HTML and your surfing will be secure (and faster as well). Granted lots of websites no longer support such simplified browsing, but maybe then they will learn how much it really costs to keep up with the M$ Joneses.
  • Next time we will see MS sending out a patch that stops malformed dump files that could cause a hacker to gain system access...
  • 1) When someone gives you a head start you _should_ win.
    2) If you do win; don't fill people in on the head start.
    3) If the head start & even the win won't give you sustained glory, don't bother bragging.

    ... and those are just a few of the things Microsoft still doesn't get.

    But don't count out the possibility that some day they'll learn how to build an OS that can cope with malicious code adequately.
  • Some kids forgot to turn off the automatic error sending...
  • The Windows system copes efficiently against malicious code in comparison to other systems. It's just more attacked than other systems.
  • They must be some badass hackers.
  • xss lol alert("who's bad?");