bigbrosbitch

How To: Block Windoze 7/8/8.1 Spyware Implants ('Updates')


Introduction

From Win 10's 'privacy' statement:
 

"we will access, disclose and preserve personal data, including your content (such as the content of your emails, other private communications or files in private folders), when we have good faith belief that doing so is necessary."



Three levels of surveillance are built in - get in your electronic pen, sheeple:
 

"As you use Windows, we collect performance and usage information that helps us identify and troubleshoot problems as well as improve our products and services. We recommend that you select Full for this setting."

"Basic information is data that is vital to the operation of Windows. This data helps keep Windows and apps running properly by letting Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also turns on basic error reporting back to Microsoft. If you select this option, we’ll be able to provide updates to Windows (through Windows Update, including malicious software protection by the Malicious Software Removal Tool), but some apps and features may not work correctly or at all."

"Enhanced data includes all Basic data plus data about how you use Windows, such as how frequently or how long you use certain features or apps and which apps you use most often. This option also lets us collect enhanced diagnostic information, such as the memory state of your device when a system or app crash occurs, as well as measure reliability of devices, the operating system, and apps. If you select this option, we’ll be able to provide you with an enhanced and personalized Windows experience."

"Full data includes all Basic and Enhanced data, and also turns on advanced diagnostic features that collect additional data from your device, such as system files or memory snapshots, which may unintentionally include parts of a document you were working on when a problem occurred. This information helps us further troubleshoot and fix problems. If an error report contains personal data, we won’t use that information to identify, contact, or target advertising to you. This is the recommended option for the best Windows experience and the most effective troubleshooting."



"But wait... there's more!"

 

The Problem with Recent Windoze 7/8/8.1 'Important/Optional' Backports/Updates

It is overdue for Windoze junkies to disable as much spyware data leakage as possible that goes back to the mothership.

 

Be aware that recent 'important' and 'optional' updates have been fraudulently backported to Win 7 and 8/8.1 Windoze users (!), which gives your desktop the same data leakage as Windoze 10.

In other words, you are an open book - like last year's Penthouse centerfold in her birthday suit...

Apparently the NSA is not happy enough with being buried in Windows 10 shit; they want all data in accordance with their OCD hoarding complex and 'Own the Net' initiative (look it up).

Never forget: Spyware O/S(TM) is a hostile black box endorsed by authoritarian fuckwits. This should tell you everything you need to know. So if you won't wipe over it completely with a real operating system, then tie it down a little so it doesn't go completely rogue.

Luckily our little friends in the Schneier cookie collective have identified ways to kill feedback to Microhack headquarters for known (obvious) data leaks.

So, follow the instructions below if you insist on using Windoze 7, 8 or 8.1, or continue to be a corporate bitch on an hourly basis.

Your choice.

 

After all, logically there is no point running VPNs and Tor and other privacy enhancing software if your own base system betrays you. The quote starts below - italics etc. are mine.

 

Microhack Spyware Implants

Microsoft likes the data they stream from Windows 10 machines so much that they decided to backport the functionality and carve out implants, resulting in a push of 4 optional and 2 important Windows updates.

They will appear in Control Panel > Installed Updates as:

Optional
"Update for Microsoft Windows (KB3068708)"
"Update for Microsoft Windows (KB3075249)"
"Update for Microsoft Windows (KB3080149)"
"Update for Microsoft Windows (KB3022345)"


Important
"Update for Microsoft Windows (KB2952664)"
"Update for Microsoft Windows (KB3021917)"


If you have better things to do than hand-eye trawl through the list of installed updates, then here are two approaches to detect the SurveillanceWare implants.

The referenced KBs are specific to the surveillance implants which target Windows 7 only. If you're running Windows 8, 8.1 or 10, you're more than likely fighting much more of a losing battle. So this section is specific to where it may be temporarily possible to remove the implants.
 

Detection - open an elevated command prompt:
wmic QFE list full /format:texttablewsys | find "KB3068708"
wmic QFE list full /format:texttablewsys | find "KB3022345"
wmic QFE list full /format:texttablewsys | find "KB3075249"
wmic QFE list full /format:texttablewsys | find "KB3080149"
wmic QFE list full /format:texttablewsys | find "KB3021917"
wmic QFE list full /format:texttablewsys | find "KB2952664"



or alternatively detect with a variation on the systeminfo command:
 

systeminfo | findstr "KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664"



To start removal, after optionally taking an evidence image or a system backup:

wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart


Then a reboot seems required; then continue:

wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart


 

---------- Windows 7, 8, 8.1 Script to Detect Implants-------


Here is a list and updated DIY detection-ready scripting for all 14 (currently known) surveillance implants, including implants for Windows 8 and later.

I guess they thought they could catch more fish with 14 baited lines.

Here are two batch files. Run the larger script to see what's detected.

Open an elevated command prompt
 

Create a batch file.
Name: check-kb.bat


Add the batch script content:
 

@echo off
REM check-kb.bat - look one KB number up in the installed-updates (QFE) list.
REM Only the first parameter is used in the search; the rest is displayed as context.
echo Only the first parameter is used in the search, the rest display context.
echo.
echo.
REM %* expands to every argument (the original "%10" is "%1" followed by a literal 0)
echo Checking for %*
@echo on
wmic QFE list full /format:texttablewsys | find "%1"
@echo off


Create a second batch file; its purpose is to check for the currently known implants.
Name: checkfor_NPI_patches.bat

Add the batch script content:
 

@echo off
SetLocal
REM checkfor_NPI_patches.bat - calls check-kb.bat once per known implant.
REM Run it from the directory that holds check-kb.bat. List as of 2015-08-26:
cls
call Check-kb KB3012973 - Opt in payload - Upgrade to Windows 10 Pro
call Check-kb KB3021917 - Opt in payload - Update to benchmark Windows 7 SP1
call Check-kb KB3035583 - Opt in payload - delivers reminder "Get Windows 10" for Windows 8.1 and Windows 7 SP1
call Check-kb KB2952664 - Opt in payload - Pre launch day push of payload for compatibility update for upgrading Windows 7
call Check-kb KB2976978 - Opt in payload - Pre launch day push of payload for Compatibility update for Windows 8.1 and Windows 8
call Check-kb KB3022345 - Opt in payload - surveillance Telemetry [Replaced by KB3068708]
call Check-kb KB3068708 - Opt in payload - Update for surveillance customer experience and diagnostic telemetry
call Check-kb KB2990214 - Opt in payload - Update that prepares payload to Windows 7 to add surveillance in later installed versions of Windows
call Check-kb KB3075249 - Opt in payload - Update that adds surveillance telemetry to Windows 8.1 and Windows 7
call Check-kb KB3080149 - Opt in payload - Update for CIP and surveillance with diagnostic exfil leveraging telemetry
call Check-kb KB3044374 - Opt in payload - Marketing Windows 10 surveillance payload to windows 8,8.1 devices
call Check-kb KB2977759 - Opt in payload - Windows 10 surveillance Diagnostics Compatibility Telemetry HTTP request response
call Check-kb KB3050265 - Opt in payload - Marking via Windows Update services opting in to Windows 10 surveillance Implant
call Check-kb KB3068707 - Opt in payload - CIP telemetry request response check in for Windows 7,8,8.1



Whatever surveillance implants are revealed on your machine, they can be removed with a customization of the wusa command; just replace the ??????? with the KB numbers reported.
 

wusa /uninstall /kb:??????? /quiet /norestart




-------Housekeeping QA

Housekeeping checks and post-removal additional steps. I can foresee someone will prophetically conclude with a recommended step 5) Uninstall Windows and install a secure *nix variant. Obligatorily mentioned in advance. Thanks.

Keeping an eye on post-removal hinkiness had some hits after removals and reboots.

1) Only two of the four uninstalled KBs reappeared as available optional "Update for Windows 7 for x64 based Systems" (KB3075249) and (KB3080149); another reappeared as

Important "Update for Windows 7 for x64 based Systems (KB3068708)"

The important one was the "Update for customer experience and diagnostic telemetry". Important to whom, the NSA?

The "KB3068708 Update for customer experience and diagnostic telemetry" did not reappear as an available patch. It may be dependent on one of the other three removed bits.


2) Before the uninstall, I had the foresight to search the infected file system for .manifest files with a common namespace string called assemblyIdentity which is set to the string value "Microsoft-Windows-Authentication-AuthUI.Resources".

The before-removal search, listing files which matched the above search constraint, yielded 62 matches in 52 manifest files.

The after-removal search, listing files which match the above search constraint, yields 74 matches in 64 manifest files.
Conclusion: the removal did not remove the manifest files pushed in the original infection.


3) Reading KB 3080149, it indicated that it installs, updates and requires maintenance of a file named utc.app.json.

Before removal, the file was found in 6 places on the infected filesystem.
After "removal" the file exists in the same 6 locations, same file size, just waiting for re-use and reinfection.

Discovered and removed, using the described method, 22 additional implants.
Found all 6 utc.app.json were removed, and it had left two backup copies under the name utc.app.json.bk in
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings
C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings
In the same directory, found a backed-up file telemetry.ASM-WindowsDefault.json.bk.

In order to see the hidden system directory, you must elevate to admin.
dir won't show the rest of the telemetry files unless you clear the file attributes.
An elevated File Explorer will show the files.
Files won't be readable until you change owner permissions or change your running user principal context to one that does allow access to the file.

Telemetry file content:

{
"settings": {
"Microsoft-ApplicationInsights:::sampleRate": "100",
"Microsoft-ApplicationInsights-Dev:::sampleRate": "100",
"Microsoft-ApplicationInsights-Dev:::latency": "Realtime",
"xbox.xsapi:::sampleRate": "100",
"Office:::sampleRate": "100",
"Skype:::sampleRate": "100",
"Census:::sampleRate": "100",
"Microsoft.Windows.Appraiser.General::ms.CriticalData:sampleRate": "100",
"Microsoft.Windows.Appraiser.Instrumentation::ms.Telemetry:sampleRate": "100",
"Microsoft.Windows.Compatibility.Asl::ms.Telemetry:sampleRate": "5",
"Microsoft.Windows.Inventory.General::ms.CriticalData:sampleRate": "100",
"MicrosoftTelemetry::ms.CriticalData:sampleRate": "0",
"MicrosoftTelemetry::ms.Measures:sampleRate": "0",
"MicrosoftTelemetry::ms.Telemetry:sampleRate": "0",
"Setup360Telemetry::ms.CriticalData:sampleRate": "100",
"SetupPlatformTel::ms.CriticalData:sampleRate": "100",
"TelClientSynthetic:HeartBeat_5::sampleRate": "100"
}}


Content of utc.app.json:

{
"settings": {
"UTC:::GroupDefinition.MicrosoftTelemetry": "f4-Redacted data-6aa",
"UTC:::CategoryDefinition.ms.CriticalData": "140-Redacted data-318",
"UTC:::CategoryDefinition.ms.Measures": "71-Redacted data-63",
"UTC:::CategoryDefinition.ms.Telemetry": "321-Redacted data-32",
"UTC:::GroupDefinition.Microsoft-ApplicationInsights": "0d-Redacted data-d0b",
"UTC:::GroupDefinition.Microsoft-ApplicationInsights-Dev": "ba-Redacted data-3d",
"UTC:::GroupDefinition.xbox.xsapi": "53b-Redacted data-af3",
"UTC:::GroupDefinition.Office": "8DB-Redacted data-155",
"UTC:::GroupDefinition.Skype": "9df-Redacted data-a89",
"UTC:::DownloadScenariosFromOneSettings": "1"
}
}



To mitigate future infection, I am considering removal, alteration, or revocation of file permissions on utc.app.json and the hinky manifest files.

4) Re the connections the malware opened, which may or may not have MITM certificate-pinning mitigation: my personal opinion is to mitigate by locking access to the data exfiltration endpoints.
 

Firewall now blocks outbound access from your network to (nslookup output follows):
vortex-win.data.microsoft.com
Name: VORTEX-cy2.metron.live.com.nsatc.net
Address: 64.4.54.254
Aliases: vortex-win.data.microsoft.com
vortex-win.data.metron.live.com.nsatc.net
vortex.data.glbdns2.microsoft.com

settings-win.data.microsoft.com
Non-authoritative answer:
Name: OneSettings-bn2.metron.live.com.nsatc.net
Address: 65.55.44.108
Aliases: settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com



Chances are that anything outbound to ".data.microsoft" should likely be blackholed if you opt out of the "Idiots Do Opt Having Pervasive Surveillance Patches" program, IDOH-PSP for short.

Hope this helps to bring out most of the malware workflow; as this is early info on this new day of vendor-sponsored, in-your-face implants, the info will likely be incomplete.

Additional Steps to Block Windoze Malware

https://github.com/WindowsLies/BlockWindows

Stops Windows 7 through 10 nagging and spying updates, tasks, IPs, and services. Works with Windows 7 through 10.

 

FILES

BlockWindows.bat - Right-click and "Run as Admin".

hosts.bat - Works with Windows 7 and 8. Appends to the current hosts file. Run from your Downloads directory. Doesn't work on Windows 10; copy the hosts file to your router or firewall if using Windows 10.

hosts - DNS file of MS hosts to block.

hostlist - MS hosts file for blocking, for router or firewall use.

hosts-dnsmasq - Hosts file for dd-wrt and other routers.

HideWindowsUpdates.vbs - Hides blocked updates; to reinstall, click 'show hidden updates'.

DisableWiFiSense.reg - Adds registry entries to disable WiFi Sense, which steals your wifi password without your consent.

JavaScript HashCalc

http://sourceforge.net/projects/hash-calculator/
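The detection half of the post runs "wmic QFE ... | find" once per KB number. Here is an added example, not code from the post or from the quoted comment, that does the same audit in PowerShell with Get-HotFix and then prints (and, only on request, runs) the post's wusa removal lines. It assumes PowerShell 3.0 or later (Windows 7 ships 2.0, so install a newer Windows Management Framework there). The KB catalog is the post's list; the one-line summaries are shortened from the post's descriptions. Get-HotFix reads Win32_QuickFixEngineering, the same source wmic QFE reads, so an update that is not registered there is not reported, and a clean result is not proof that nothing is installed.

```powershell
# Added example (not from the original post): audit for the post's 14 KB numbers via
# Get-HotFix and emit the matching wusa commands. Requires PowerShell 3.0+;
# Invoke-ImplantRemoval additionally needs an elevated prompt.

# KB numbers from the post; summaries shortened from the post's descriptions.
$ImplantCatalog = [ordered]@{
    'KB3012973' = 'Upgrade to Windows 10 Pro'
    'KB3021917' = 'Benchmark update for Windows 7 SP1'
    'KB3035583' = '"Get Windows 10" reminder (Windows 8.1 / 7 SP1)'
    'KB2952664' = 'Compatibility update for upgrading Windows 7'
    'KB2976978' = 'Compatibility update for Windows 8.1 / 8'
    'KB3022345' = 'Telemetry (replaced by KB3068708)'
    'KB3068708' = 'Customer experience and diagnostic telemetry'
    'KB2990214' = 'Prepares Windows 7 for later Windows versions'
    'KB3075249' = 'Adds telemetry to Windows 8.1 / 7'
    'KB3080149' = 'CIP and diagnostic telemetry'
    'KB3044374' = 'Windows 10 payload for Windows 8 / 8.1'
    'KB2977759' = 'Diagnostics compatibility telemetry'
    'KB3050265' = 'Windows Update client opt-in to Windows 10'
    'KB3068707' = 'CIP telemetry check-in for Windows 7 / 8 / 8.1'
}

function Get-InstalledImplants {
    <# Returns one object per catalog KB that Win32_QuickFixEngineering reports as installed. #>
    param([System.Collections.IDictionary]$Catalog = $ImplantCatalog)
    $installed = @{}
    Get-HotFix | ForEach-Object { $installed[$_.HotFixID] = $_ }   # one WMI query, then lookups
    foreach ($kb in $Catalog.Keys) {
        if ($installed.ContainsKey($kb)) {
            [pscustomobject]@{
                KB          = $kb
                Description = $Catalog[$kb]
                InstalledOn = $installed[$kb].InstalledOn
                InstalledBy = $installed[$kb].InstalledBy
            }
        }
    }
}

function Get-ImplantRemovalCommands {
    <# Prints the post's wusa command line for each installed KB; runs nothing. #>
    param([System.Collections.IDictionary]$Catalog = $ImplantCatalog)
    foreach ($hit in Get-InstalledImplants -Catalog $Catalog) {
        $number = $hit.KB -replace '^KB', ''
        "wusa /uninstall /kb:$number /quiet /norestart"
    }
}

function Invoke-ImplantRemoval {
    <# Runs wusa for each installed KB, one at a time; supports -WhatIf and -Confirm.
       Exit code 0 = removed, 3010 = removed and a reboot is pending. The post found a
       reboot was needed between batches, so reboot and re-run until nothing is reported. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([System.Collections.IDictionary]$Catalog = $ImplantCatalog)
    foreach ($hit in Get-InstalledImplants -Catalog $Catalog) {
        $number = $hit.KB -replace '^KB', ''
        if ($PSCmdlet.ShouldProcess($hit.KB, 'wusa /uninstall')) {
            $p = Start-Process -FilePath 'wusa.exe' `
                    -ArgumentList "/uninstall /kb:$number /quiet /norestart" -Wait -PassThru
            switch ($p.ExitCode) {
                0       { Write-Host "$($hit.KB): removed" }
                3010    { Write-Host "$($hit.KB): removed, reboot required" }
                default { Write-Warning "$($hit.KB): wusa exit code $($p.ExitCode)" }
            }
        }
    }
}

# Report only; nothing is uninstalled unless you call Invoke-ImplantRemoval (try -WhatIf first).
$found = @(Get-InstalledImplants)
if ($found.Count -eq 0) {
    Write-Host 'None of the catalog KBs is registered in Win32_QuickFixEngineering.'
} else {
    $found | Format-Table -AutoSize
    Get-ImplantRemovalCommands
}
```

Dot-source the file (". .\Audit-Implants.ps1") to get the functions into your session, then "Invoke-ImplantRemoval -WhatIf" shows what would be removed before anything happens. The removal runs one KB at a time because wusa reports a pending reboot per package, which is exactly the "reboot seems required" behaviour the post describes.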
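Housekeeping item 3) says a plain "dir" hides the rest of the telemetry files and that the .json settings carry per-provider sampleRate values. The following added example (mine, not the post's) lists both DownloadedSettings directories named in the post with hidden and system files included, and parses every .json / .json.bk file it finds, reporting each sampleRate setting that is not "0". It assumes PowerShell 3.0 or later for ConvertFrom-Json and Get-Content -Raw, and an elevated prompt; a file that is unreadable because of its ownership (the post's point) is reported as a warning rather than aborting the run. The inline sample JSON is constructed in the shape the post shows so the parser can be tried on a machine without the files.

```powershell
# Added example (not from the original post): enumerate the Diagnosis\DownloadedSettings
# directories, hidden/system files included, and report non-zero sampleRate settings.
# Requires PowerShell 3.0+ and an elevated prompt.

$SettingsDirs = @(
    'C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings',
    'C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings'   # both paths are from the post
)

function Get-ActiveSampleRates {
    <# Parses one settings JSON document and returns every *sampleRate key whose value is not "0". #>
    param([Parameter(Mandatory = $true)][string]$JsonText, [string]$Source = '<inline>')
    $doc = $JsonText | ConvertFrom-Json
    if (-not $doc.settings) { return }
    foreach ($prop in $doc.settings.PSObject.Properties) {
        if ($prop.Name -like '*sampleRate' -and $prop.Value -ne '0') {
            [pscustomobject]@{ Source = $Source; Setting = $prop.Name; SampleRate = $prop.Value }
        }
    }
}

function Get-DownloadedSettingsFiles {
    <# Lists every file in the settings directories; -Force includes hidden and system files. #>
    param([string[]]$Dirs = $SettingsDirs)
    foreach ($d in $Dirs) {
        if (Test-Path -LiteralPath $d) {
            Get-ChildItem -LiteralPath $d -Force -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed sample (not a real file) in the shape the post shows.
$Sample = @'
{ "settings": {
    "Census:::sampleRate": "100",
    "MicrosoftTelemetry::ms.Telemetry:sampleRate": "0",
    "Microsoft.Windows.Compatibility.Asl::ms.Telemetry:sampleRate": "5",
    "Microsoft-ApplicationInsights-Dev:::latency": "Realtime"
} }
'@
# Reports the Census (100) and Compatibility.Asl (5) entries; the "0" and non-sampleRate keys are skipped.
Get-ActiveSampleRates -JsonText $Sample -Source 'constructed-sample' | Format-Table -AutoSize

# Now the real directories: listing first (attributes show Hidden/System), then the parse.
$files = @(Get-DownloadedSettingsFiles)
$files | Select-Object FullName, Length, Attributes, LastWriteTime | Format-Table -AutoSize

$findings = foreach ($f in $files | Where-Object { $_.Name -match '\.json(\.bk)?$' }) {
    try {
        Get-ActiveSampleRates -JsonText (Get-Content -LiteralPath $f.FullName -Raw -ErrorAction Stop) -Source $f.Name
    } catch {
        # Typically an access-denied on a file you do not yet own, as the post describes.
        Write-Warning "Could not read or parse $($f.FullName): $($_.Exception.Message)"
    }
}
$findings | Format-Table -AutoSize
```

Comparing the Length and LastWriteTime columns before and after an uninstall is a quick way to repeat the post's observation that the files survive "removal" unchanged.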
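Item 4) blocks the two data endpoints at the firewall, and the BlockWindows files do the same through the hosts file. As an added example, not the post's code and not part of the BlockWindows project, the script below combines both on the local host: it resolves the two names from the post, adds one outbound Windows Firewall block rule for the addresses they resolve to right now (netsh advfirewall, present on Windows 7 and later), and then appends 0.0.0.0 entries to the hosts file without duplicating lines that are already there. It assumes PowerShell 3.0 or later and an elevated prompt. The order matters and is handled: once the hosts entries exist, the names resolve locally to 0.0.0.0, so the script resolves first and discards 0.0.0.0 results. Two caveats the post itself implies: the addresses in its nslookup output are from 2015 and rotate, so the firewall rule only covers today's answers; and the hosts file cannot express the ".data.microsoft" wildcard, which needs router or DNS-level blocking (the post notes hosts-file blocking does not work on Windows 10).

```powershell
# Added example (not from the original post or BlockWindows): block the two endpoints
# named in the post via a firewall rule plus hosts entries. Requires PowerShell 3.0+
# and an elevated prompt.

$Endpoints = @('vortex-win.data.microsoft.com', 'settings-win.data.microsoft.com')  # from the post
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$RuleName  = 'Block Windows telemetry endpoints - manual'   # name chosen for this example

function Resolve-EndpointAddresses {
    <# Resolves each name with the system resolver and returns unique IPv4 strings,
       dropping 0.0.0.0 / 127.0.0.1 answers that come from an existing hosts entry. #>
    param([string[]]$Names)
    $addrs = foreach ($n in $Names) {
        try {
            [System.Net.Dns]::GetHostAddresses($n) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                ForEach-Object { $_.IPAddressToString }
        } catch {
            Write-Warning "Could not resolve ${n}: $($_.Exception.Message)"
        }
    }
    $real = @($addrs | Where-Object { $_ -notin @('0.0.0.0', '127.0.0.1') } | Sort-Object -Unique)
    if ($real.Count -eq 0) { Write-Warning 'All answers were local blackholes; the hosts entries are already in place.' }
    return $real
}

function Set-OutboundBlockRule {
    <# Replaces (or creates) one outbound block rule covering the given addresses. #>
    param([string[]]$Addresses, [string]$Name = $RuleName)
    if ($Addresses.Count -eq 0) { return }
    $ipList = $Addresses -join ','
    netsh advfirewall firewall delete rule name="$Name" | Out-Null   # fails harmlessly if absent
    netsh advfirewall firewall add rule name="$Name" dir=out action=block remoteip=$ipList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed with exit code $LASTEXITCODE" }
    netsh advfirewall firewall show rule name="$Name"
}

function Add-HostsBlockEntries {
    <# Appends "0.0.0.0 <name>" for each name not already on a non-comment hosts line;
       returns the names actually added. #>
    param([string[]]$Names, [string]$Path = $HostsFile)
    $raw   = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop
    $lines = $raw -split "`r?`n"
    $added = foreach ($n in $Names) {
        $pattern = '^\s*[^#\s]+\s+' + [regex]::Escape($n) + '(\s|$)'
        if ($lines -match $pattern) { continue }
        # Add-Content would glue onto a last line with no trailing newline; guard against that.
        $prefix = if ($raw.Length -gt 0 -and $raw -notmatch "`n$") { "`r`n" } else { '' }
        Add-Content -LiteralPath $Path -Value ($prefix + "0.0.0.0`t$n") -Encoding Ascii
        $raw += "0.0.0.0`t$n`r`n"
        $n
    }
    return @($added)
}

# Resolve before touching the hosts file, then block, then blackhole the names locally.
$ips = Resolve-EndpointAddresses -Names $Endpoints
Write-Host ('Resolved now: ' + ($ips -join ', '))
Set-OutboundBlockRule -Addresses $ips
$added = Add-HostsBlockEntries -Names $Endpoints
Write-Host ('hosts entries added: ' + $(if ($added.Count) { $added -join ', ' } else { 'none (already present)' }))
ipconfig /flushdns | Out-Null   # so the new hosts entries take effect immediately
```

Re-running the script is safe: the rule is replaced rather than duplicated and existing hosts lines are left alone. If you want the rule to follow rotating addresses, schedule the script to run periodically, or move the blocking to the router with the hostlist file from BlockWindows as the post suggests.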

bigbrosbitch, thank you for the info and explanation.


Thank you for the insight. Do you by chance happen to know a good range of numbers to use for the values in "telemetry.ASM-WindowsDefault.json.bk"? For instance, are smaller numbers better, or should I replace them with larger, and presuming larger, anyone know how big I can use and what it means to the spyware/malware M$ is forcing on us stupid Winblows users?

 

Honestly I am just waiting for someone with way more knowledge than myself to make a program that will run in the system tray and update itself from a whole range of IPs to nuke the latest anti M$ malware. Microsoft has lost me forever. Right now the NSA is equally trustworthy. How far they have fallen. They cannot recover this time.

 

Game developers, hear me now. I will never again buy a game made for Windows only. I am moving to Linux. And my trivial money is moving with me.

 

AMD, hear me too, you need to fix your binary Linux "drivers" for your GPUs or I will never buy another GPU from you for any price.

 

*Edit* Typos.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.


Thanks, great effort and time put into the guide to make Windows hopefully more privacy-friendly!

 

One look at your guide makes me feel like looking at Linux forever.

 

Honestly I am just waiting for someone with way more knowledge than myself to make a program that will run in the system tray and update itself from a whole range of IPs to nuke the latest anti M$ malware. Microsoft has lost me forever. Right now the NSA is equally trustworthy. How far they have fallen. They cannot recover this time.

 

Software is already out there which can tweak and optimize Windows to make it more secure and private, or less phoning home, like Ashampoo AntiSpy and O&O ShutUp, but I do like PeerBlock + an I-Blocklist subscription (I think it's $10 per year); they update not only bad Microsoft IPs but lots of other companies and organizations which can phone home or invade your privacy & security.

 

http://www.peerblock.com/

https://www.iblocklist.com/


Sorry for the off-topic, but it is very surprising to see how the way that people use their OS has changed.

About 10 years ago, pretty much anything on Linux/BSD required hours of reading manuals, tweaking your system to find the right configuration, and by that I especially mean the network part, where you had to double check everything to ensure there are no leaks in or out of your network.

Now the world changed - Linux became friendlier and many distros are secure by default, just install and use. While Windows people now have to read many manuals, find scripts, make sure that they won't forget to include new hosts that MS will push with the next update, and so on. On the usability side, things are degrading. I still did not manage to remember that key combination to get out of that Metro UI thing when you suddenly click the wrong menu in the Start button, and this is one example out of many more.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Linux still isn't there. I installed Mint 17.2 on my laptop just a few days ago but I couldn't get satisfactory video out of it. I tried installing the latest drivers over the one supplied by the kernel. Just too much tearing. (discrete nvidia card alongside intel onboard)


Linux still isn't there. I installed Mint 17.2 on my laptop just a few days ago but I couldn't get satisfactory video out of it. I tried installing the latest drivers over the one supplied by the kernel. Just too much tearing. (discrete nvidia card alongside intel onboard)

 

 

I have a workstation that runs 1440p on Debian with no issues whatsoever using only intel onboard. It's also tied into an HD TV and plays anything and everything via XBMC like a dream. Nvidia has even better support and a nice control panel. My gaming PC runs an nvidia GTX 780 and games wonderfully.

 

The issue is most likely in your xorg.conf. That or mint just being a fluffy mess.

And if you're using a laptop that has onboard intel as well as nvidia it can get a little tricky. Not all distros have the driver support to pick up this type of multiple hardware setup. People not running setups like this normally have 0 issues.

 

@xorg

Using Xorg -configure will leave you with a completely worthless and often broken xorg.conf. Better off not running Xorg -configure or try backing up then deleting the xorg.conf currently in use.

 

There's a few tricks when only using intel onboard as well, or for when there's nvidia hardware next to the onboard intel. Essentially you only add in the driver section after installing the appropriate intel driver 'if the hardware isn't recognized'.

Section "Device"
        Identifier  "Intel Graphics"
        Driver      "intel"
        Option      "AccelMethod" "sna"
        BusID       "PCI:0:2:0"
EndSection

 

You'll need to find out your BusID:

BusID       "PCI:0:2:0"

Often looking in your current xorg.conf will show you what's where.

 

For the most part though none of the above is needed unless you have some oddball hardware. And some distros have more up-to-date versions of xorg providing better hardware support.

 

All in all even if modification of the xorg.conf is needed, it's about 100x less work than attempting to make Windows even somewhat secure.
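As an added illustration of the BusID step described in the post above (example code written for this thread, not taken from the post, from Mint, or from the Xorg project): lspci prints the slot as hex bus:device.function, while the xorg.conf BusID wants the same three numbers in decimal, so "0a:00.0" becomes "PCI:10:0:0" rather than "PCI:0a:00:0". The lspci lines below are constructed sample output, not from a real machine; the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample of `lspci` output (assumption: not from a real machine).
# lspci prints bus:device.function in HEX; Xorg's BusID wants the same numbers in DECIMAL.
SAMPLE_LSPCI='00:02.0 VGA compatible controller: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)
0a:00.0 3D controller: NVIDIA Corporation GK107M [GeForce GT 750M] (rev a1)'

# Convert an lspci slot such as "0a:00.0" into an xorg.conf BusID such as "PCI:10:0:0".
lspci_slot_to_busid() {
    _bus=${1%%:*}          # "0a"
    _rest=${1#*:}          # "00.0"
    _dev=${_rest%%.*}      # "00"
    _fn=${_rest#*.}        # "0"
    # $((0x..)) does the hex-to-decimal conversion in plain POSIX sh arithmetic
    printf 'PCI:%d:%d:%d\n' "$((0x$_bus))" "$((0x$_dev))" "$((0x$_fn))"
}

# Read lspci-style lines on stdin and print the slot of the first Intel VGA controller.
intel_vga_slot() {
    grep -i 'VGA compatible controller: Intel' | head -n 1 | cut -d ' ' -f 1
}

# Print a Device section in the same shape as the one quoted in the post above.
device_section() {
    printf 'Section "Device"\n'
    printf '        Identifier  "%s"\n' "$1"
    printf '        Driver      "%s"\n' "$2"
    printf '        Option      "AccelMethod" "sna"\n'
    printf '        BusID       "%s"\n' "$(lspci_slot_to_busid "$3")"
    printf 'EndSection\n'
}

# Demonstration against the constructed sample; on a real box pipe `lspci` in instead.
demo_slot=$(printf '%s\n' "$SAMPLE_LSPCI" | intel_vga_slot)
device_section "Intel Graphics" intel "$demo_slot"
```

Run it as-is to see the generated section for the sample data, or replace the sample with `lspci | intel_vga_slot` on the machine in question. As the post says, only drop the result into xorg.conf if the hardware is not picked up automatically; a wrong BusID is one of the common ways to end up with the "completely worthless and often broken" xorg.conf it warns about.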


I tried playing some games that are on both Windows and Linux and Linux wins every time. (Portal 2 is my test game.)

 

Vsync is a requirement either way if you suffer any screen tearing. (And double/triple buffering.)

 

I use a Radeon 5850 as my GPU and it can run circles around the same games on Linux as opposed to Windows.


Debugging is at least twice as hard as writing the program in the first place.

So if you write your code as clever as you can possibly make it, then by definition you are not smart enough to debug it.


While all of those updates have something to do with CEIP (Customer Experience Improvement Program), not all of them are part of the Diagnostic and Telemetry Services.

  1. A way easier way is to just block connections to vortex-win.data.microsoft.com and settings-win.data.microsoft.com (by extent: *.data.microsoft.com, although not sure what this one will break additionally). Because these two are the destination addresses Telemetry uses to send diagnostic data to.
  2. For example, KB2952664 is Win7-specific. If you install this "important" update you will just be able to directly upgrade to Win8 without side effects. It's rated important because there will be people who actually want to upgrade, and Microsoft just... well, improves their experience with upgrading. Wow, look, that's what CEIP is there for, aye?!
  3. I wouldn't call it spyware. Basic telemetry services are online since the first days of Vista. 2007, if I remember it right. No one called it spyware back then.
  4. I don't want to discredit the post, but the commands just look professional; thing is, they are command line versions of operations you can do with Windows Update GUI, at least on Windows 8.1 and lower.

People, don't panic. Just don't upgrade to Win10 yet.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.
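As an added example of the name-based blocking suggested in point 1 above (written for this thread; not code from the post, from AirVPN, or from any tool named in it): a small POSIX sh script that adds sinkhole entries for the two telemetry hostnames to a hosts file without duplicating entries that are already active. It runs against a constructed temporary file rather than the live system file; the Windows hosts file is %SystemRoot%\System32\drivers\etc\hosts and would be edited from an elevated session with the equivalent PowerShell or cmd commands, but the line format is the same, and CRLF line endings from a Windows copy are tolerated. The function names are this example's own.

```shell
#!/bin/sh
# The two telemetry endpoints named in the post above.
BLOCKED_HOSTS='vortex-win.data.microsoft.com settings-win.data.microsoft.com'

# Exit 0 if hosts file $2 already has an active (non-comment) entry naming $1.
hosts_has_entry() {
    awk -v name="$1" '
        { sub(/\r$/, "") }                              # tolerate CRLF from a Windows copy
        /^[[:space:]]*#/ { next }                       # whole-line comments are not active
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Append a sinkhole entry for $1 to hosts file $2 unless one is already active.
# 0.0.0.0 is used rather than 127.0.0.1 so the connection fails fast instead of
# reaching whatever happens to listen on loopback.
block_host() {
    hosts_has_entry "$1" "$2" && return 0
    printf '0.0.0.0 %s\n' "$1" >> "$2"
}

# Apply the whole list to hosts file $1 and print how many entries were added.
block_all() {
    _added=0
    for _h in $BLOCKED_HOSTS; do
        if ! hosts_has_entry "$_h" "$1"; then
            block_host "$_h" "$1"
            _added=$((_added + 1))
        fi
    done
    echo "$_added"
}

# Demonstration on a constructed temporary file, never on the live system hosts file.
DEMO_HOSTS=$(mktemp)
cat > "$DEMO_HOSTS" <<'EOF'
# constructed sample hosts file
127.0.0.1 localhost
# 0.0.0.0 vortex-win.data.microsoft.com   (commented out, so it does not count as active)
EOF
echo "first run added: $(block_all "$DEMO_HOSTS")"    # 2
echo "second run added: $(block_all "$DEMO_HOSTS")"   # 0
cat "$DEMO_HOSTS"
```

Two things worth checking after applying something like this for real: that the resolver actually honours the hosts file for the names in question (query them and confirm they come back as 0.0.0.0), and that nothing else on the machine still needed those names, since the post itself notes that the wider *.data.microsoft.com block has unknown side effects.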


There is also a popular open source project worth mentioning, called DWS:

 

https://github.com/Nummer/Destroy-Windows-10-Spying/releases

 

 

Simple .NET app that does what the above scripts do, with some other features as well.

If you installed Windows 10 for testing, you may want to give it a try.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

