Windows 10 Surveillance Platform weaponized into and back ported Implants delivered seamlessly to Windows 7 and 8 via Windows Update

You may or may not have noticed shenanigans in your windows based 7 and * machines.

Microsoft likes the data they stream from windows 10 machines soo much that they decided to back port functionaly and carve out impants resulting in a of push 4 optional and 2 important windows updates

They will appear in control panel installed updates as

Optional
“Update for Microsoft Windows (KB3068708)”
“Update for Microsoft Windows (KB3075249)”
“Update for Microsoft Windows (KB3080149)”
“Update for Microsoft Windows (KB3022345)”

Important
“Update for Microsoft Windows (KB2952664)”
“Update for Microsoft Windows (KB3021917)”

If you have better things to do than hand eye troll through the list of installed updates then here are two approached to detect the SurveillanceWare Implants.

The referenced KB’s are specific to the surveillance implants which target Windows 7 only. If your running windows 8, 8.1 or 10 your more than likely fighting much more of a loosing battle. So this section is specific so where it may be temporarily possible to remove the Implants.

Detection – Open an elevated command prompt
wmic QFE list full /format:texttablewsys | find “KB3068708”
wmic QFE list full /format:texttablewsys | find “KB3022345”
wmic QFE list full /format:texttablewsys | find “KB3075249”
wmic QFE list full /format:texttablewsys | find “KB3080149”
wmic QFE list full /format:texttablewsys | find “KB3021917”
wmic QFE list full /format:texttablewsys | find “KB2952664”

or alternatively detect with an update to the systeminfo command

systeminfo | findstr “KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664”

To start removal after optionally taking an evidence image or a system backup
wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart

Then reboot seems required then continue
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart
wusa /uninstall /kb:3021917 /quiet /norestart
wusa /uninstall /kb:2952664 /quiet /norestart

———- Windows 7, 8, 8.1 script to detect implants——-
Here is a list and updated DIY detection ready scripting for all 14 (currently known) Surveillance implants. Including Implants for windows 8 and later.

I guess they thought they could catch more fish with 14 baited lines.

Here are two batch files . run the larger script to see whats detected.

Open an elevated command prompt

create a batch file
Name: check-kb.bat

Add the batch script content

@echo off
echo ‘ Only the first parameter is used in the search, the rest display context.
echo ‘
echo ‘
echo Checking for %1 %2 %3 %4 %5 %6 %7 %8 %9 %10
@echo on
wmic QFE list full /format:texttablewsys | find “%1”
@echo off

Create a batch file, purpose is to check for currently known Implants.
Name: checkfor_NPI_patches.bat

Add the batch script content

@echo off
SetLocal
REM — (as of 2015-08-26):
cls
call Check-kb KB3012973 – Opt in payload – Upgrade to Windows 10 Pro
call Check-kb KB3021917 – Opt in payload – Update to benchmark Windows 7 SP1
call Check-kb KB3035583 – Opt in payload – delivers reminder “Get Windows 10” for Windows 8.1 and Windows 7 SP1
call Check-kb KB2952664 – Opt in payload – Pre launch day push of payload for compatibility update for upgrading Windows 7
call Check-kb KB2976978 – Opt in payload – Pre launch day push of payload for Compatibility update for Windows 8.1 and Windows 8
call Check-kb KB3022345 – Opt in payload – surveillance Telemetry [Replaced by KB3068708]
call Check-kb KB3068708 – Opt in payload – Update for surveillance customer experience and diagnostic telemetry
call Check-kb KB2990214 – Opt in payload – Update that prepares payload to Windows 7 to add surveillance in later installed versions of Windows
call Check-kb KB3075249 – Opt in payload – Update that adds surveillance telemetry to Windows 8.1 and Windows 7
call Check-kb KB3080149 – Opt in payload – Update for CIP and surveillance with diagnostic exfil leveraging telemetry
call Check-kb KB3044374 – Opt in payload – Marketing Windows 10 surveillance payload to windows 8,8.1 devices
call Check-kb KB2977759 – Opt in payload – Windows 10 surveillance Diagnostics Compatibility Telemetry HTTP request response
call Check-kb KB3050265 – Opt in payload – Marking via Windows Update services opting in to Windows 10 surveillance Implant
call Check-kb KB3068707 – Opt in payload – CIP telemetry request response check in for Windows 7,8,8.1

Whatever Surveillance implants revealed in your machine, it can be removed with a customization of the wusa command, just replace the ??????? with the kb numbers reported.

wusa /uninstall /kb:??????? /quiet /norestart
——-Housekeeping QA

Housekeeping checks post removal additional steps. I can foresee someone will prophetically conclude a recommended step 5) Uninstall windows and install a secure *nix variant. Obligatorily mentioned in advance. Thanks.

An eye on post removal Hinkyness had some hits after removals and reboots.

1) Only two of the four uninstalled KB’s reappeared as available optional “Update for Windows 7 for x64 based Systems (KB3075249) and (KB3080149), another reappeared as

Important “Update for Windows 7 for x64 based Systems (KB3068708)”

The important one was the “Update for customer experience and diagnostic telemetry” Important to who, NSA?

The “KB3068708″ Update for customer experience and diagnostic telemetry” did not reappear as an available patch. It may be dependent on one of the other three removed bits
2) Before the uninstall, I had foresight to search the infected file system
for .manifest with a common namespace string called assemblyIdentity which is set to a string value “Microsoft-Windows-Authentication-AuthUI.Resources”

The before removal search listing files which matched the above search constraint yielded 62 matches in 52 manifest files.

The after removal search listing of files which match the above search constraint yields 74 matches in 64 manifest files.
Conclusion, the removal did not remove the manifest files pushed in the original infection.
3) In a read of KB 3080149, it indicated it installed and updates / requires maintenance of a file named utc.app.json

Before removal, the file file was found in 6 places on the infected filesystem
After “removal” the file exists in the same 6 locations, same filesize just waiting for re-use and reinfection.

discovered and removed using the disribed method 22 additional implants
Found all 6 utc.app.json were removed and it had left two backup copies under the name utc.app.json.bk
in
C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings
C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings
in the same directory, found a backed up file telemetry.ASM-WindowsDefault.json.bk

In order to see the hidden system directory, you must elevate to admin
dir wont show the rest of the telemetry files unless you clear the files attributes
An Elevated file explorer will show the files
Files wont be readable until you change owner permissions or change your running user principal context to that which does allow access to the file.

telemetry file content
{
“settings”: {
“Microsoft-ApplicationInsights:::sampleRate”: “100”,
“Microsoft-ApplicationInsights-Dev:::sampleRate”: “100”,
“Microsoft-ApplicationInsights-Dev:::latency”: “Realtime”,
“xbox.xsapi:::sampleRate”: “100”,
“Office:::sampleRate”: “100”,
“Skype:::sampleRate”: “100”,
“Census:::sampleRate”: “100”,
“Microsoft.Windows.Appraiser.General::ms.CriticalData:sampleRate”: “100”,
“Microsoft.Windows.Appraiser.Instrumentation::ms.Telemetry:sampleRate”: “100”,
“Microsoft.Windows.Compatibility.Asl::ms.Telemetry:sampleRate”: “5”,
“Microsoft.Windows.Inventory.General::ms.CriticalData:sampleRate”: “100”,
“MicrosoftTelemetry::ms.CriticalData:sampleRate”: “0”,
“MicrosoftTelemetry::ms.Measures:sampleRate”: “0”,
“MicrosoftTelemetry::ms.Telemetry:sampleRate”: “0”,
“Setup360Telemetry::ms.CriticalData:sampleRate”: “100”,
“SetupPlatformTel::ms.CriticalData:sampleRate”: “100”,
“TelClientSynthetic:HeartBeat_5::sampleRate”: “100”
}}
content file of utc.app.json
{
“settings”: {
“UTC:::GroupDefinition.MicrosoftTelemetry”: “f4-Redacted data-6aa”,
“UTC:::CategoryDefinition.ms.CriticalData”: “140-Redacted data-318”,
“UTC:::CategoryDefinition.ms.Measures”: “71-Redacted data-63”,
“UTC:::CategoryDefinition.ms.Telemetry”: “321-Redacted data-32”,
“UTC:::GroupDefinition.Microsoft-ApplicationInsights”: “0d-Redacted data-d0b”,
“UTC:::GroupDefinition.Microsoft-ApplicationInsights-Dev”: “ba-Redacted data-3d”,
“UTC:::GroupDefinition.xbox.xsapi”: “53b-Redacted data-af3”,
“UTC:::GroupDefinition.Office”: “8DB-Redacted data-155”,
“UTC:::GroupDefinition.Skype”: “9df-Redacted data-a89”,
“UTC:::DownloadScenariosFromOneSettings”: “1”
}

To mitigate future infection, am considering removal alteration or perform a revocation of file permissions to utc.app.json and the hinky manifest files.

4)Re the connections the malware opened, which may or may not have Mitm certificate pinning mitigation. My personal opinion is to mitigate by locking access to the data ex filtration end points.

Firewall now blocks outbound access from your network to
vortex-win.data.microsoft.com
Name: VORTEX-cy2.metron.live.com.nsatc.net
Address: 64.4.54.254
Aliases: vortex-win.data.microsoft.com
vortex-win.data.metron.live.com.nsatc.net
vortex.data.glbdns2.microsoft.com

settings-win.data.microsoft.com
Non-authoritative answer:
Name: OneSettings-bn2.metron.live.com.nsatc.net
Address: 65.55.44.108
Aliases: settings-win.data.microsoft.com
settings.data.glbdns2.microsoft.com

Chances are that anything outbound to “.data.microsoft” should likely be blackholed if you opt out of the “Idiots Do Opt Having Pervasive Surveillance Patches” IDOH-PSP program for short.

Hope this helps to bring most of the malware workflow, as is early info on this new day of vendor sponsored in your face implants, info will likely be incomplete.