Site icon Sophos News

Blue Screen of Death meets cybercrime – true or false?

Over the past week or so, an intriguing story has appeared around and about the web.

It falls short of a meme, but sits higher than a rumour, and it’s attracted attention because it deals with an increasingly-endangered event: a BSoD.

BSoD, of course, stands for Blue Screen of Death, which is what Windows does when the whole operating system crashes to the point that there’s no purposeful, or even possible, way to recover.

In the Linux kernel, it’s called a Panic; on the Amiga it was a Guru Meditation; Novell’s NetWare (remember that?) would abnormally end, or ABEND for short.

All of these outcomes are terminally bad for your running programs or your server’s uptime: you’ll need to restart the computer, and to hope that whatever caused the crash won’t recur and get you into a death spiral of reboots.

The hue of Windows crashes has changed over the years, from an almost royal blue back in the 1990s to more of a petrel blue in the 2010s.

But BSoDs are blue nevertheless, and they’re still bad news, for all that they’re a lot less frequent (or perhaps much more infrequent) than, dare we say it, back in the crash-happy days of Windows XP.

Anyway, the not-quite-a-meme we’re talking about here claimed that Microsoft has added a QR code to its BSoD screens, starting with Windows 10 Insider Preview 14316.

A screenshot apparently proved the point:

According to the original poster on Reddit, “The first thing the new build did in my VM was crash, but instead of just the usual smiley I was greeted by a QR code as well.”

Good or bad?

In some ways, this is a great idea.

If your laptop just crashed, you can’t use it to search for advice on the likely cause and what to do next, so you might as well reach for your phone…

…except that typing in windows DOT com SLASH stopcode and then MANUALLY_INIT­IATED_CRASH on the average phone keyboard is just adding injury to insult, so packing that detail into a QR code seems like a forward step.

Of course, as The Register quickly pointed out, it’s also a terrible idea, because technical support scammers and other cybercrooks will just love it.

You can’t easily tell where the QR code will lead, or what personalised tracking data is buried in the URL under cover of encoding the bugcheck code (as Windows euphemistically calls the reason for the crash).

You can imagine the trick: you run some not-obviously-malicious program, or load some deceptive web page, and up pops a fake BSoD screen with a handy “what to do” code.

You visit the QR code from your phone for advice on what to do next, and, lo!, moments later, your phone rings, because the crooks know your “customer ID” from the URL you just visited, and getting your phone number from their database of “customers” is a fraction of second’s work.

Most scams and phishes you’ve seen recently, or fake calls you’ve received, probably had little idea who you were, starting off with a generic “Dear Customer” or a simple “Hello.” But not all of them: a lot of data breaches give away more than just your email address, and crooks who buy up stolen data can pitch much more personalised and believable scams as a result.

What next?

If there’s a problem here, we think it’s in the story itself.

A few things don’t add up.

The bugcheck code was 0xE2, or MANUALLY_INITIATED_CRASH. This usually means just what it says: you used a special testing trick built into Windows that lets you trigger a BSoD on purpose, rather than deliberately coding a severe bug into a test program to cause a crash. You have to think that this wasn’t, as claimed, “the first thing the new build did.”

The QR code in the image isn’t laid out cleanly. Microsoft’s new look-and-feel for Windows is very 2010ish: a flat, open layout with clear, unfussy fonts, avoiding tightly-packed content. Yet the QR code, placed on an otherwise mostly blank canvas, is curiously close to the text it abuts, and ill-aligned. You have to imagine a designer at Microsoft throwing his chair across the room at such a casual approach to visual space.

The QR code doesn’t do anything useful. If you scan it in, you just get http://windows.com/stopcode, which is displayed on the screen anyway, and hardly onerous to type in on its own. The useful trick of encoding the bugcheck reason is missing. You have to imagine a security wonk at Microsoft saying, “Enough with the QR code already. Lose it now.”

The BSoD screen doesn’t hang around for long enough for a QR code to be worthwhile. In most cases, the BSoD doesn’t stay on the screen for more than a second or three, while Windows restarts automatically. You have to wonder what purpose the QR code would serve except to alarm you about what you just missed.

The QR code doesn’t actually appear. More precisely, we couldn’t make it show up, and we tried provoking the same bugcheck code on the same Insider Preview version, where Windows stubbornly and repeatedly gave us this:

Can you help?

What’s the truth?

Do you have a recent Windows 10 Insider Preview version?

Have you had a genuine, unexpected BSoD? Did you see a QR code when it happened?


Exit mobile version