
Win 10 traffic analysis- it's 100% spyware/malware.


Topic Author
anony

Win 10 traffic analysis- it's 100% spyware/malware.

Postby anony » Mon Aug 31, 2015 5:23 am

From:
http://investmentwatchblog.com/a-traffi ... dows-10-2/

All text typed on the keyboard is stored in temporary files, and sent (once per 30 mins) to:

oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com

Telemetry is sent once per 5 minutes, to:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net

Typing the name of any popular movie into your local file search starts a telemetry process that indexes all media files on your computer and transmits them to:

df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
cs1.wpc.v0cdn.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com


When a webcam is first enabled, ~35mb of data gets immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net


Everything that is said into an enabled microphone is immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.urs.microsoft.com
cs1.wpc.v0cdn.net
statsfe1.ws.microsoft.com

If this weren’t bad enough, this behaviour still occurs after Cortana is fully disabled/uninstalled. It’s speculated that the purpose of this function is to build up a massive voice database, then tie those voices to identities, and eventually be able to identify anyone simply by picking up their voice, whether it be a microphone in a public place or a wiretap on a payphone.

Interestingly, if Cortana is enabled, the voice is first transcribed to text, then the transcription is sent to:

pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
df.telemetry.microsoft.com

While the initial reflex may be to block all of the above servers via HOSTS, it turns out this won’t work: Microsoft has taken the care to hardcode certain IPs, meaning that there is no DNS lookup and no HOSTS consultation. However, if the above servers are blocked via HOSTS, Windows will pretend to be crippled by continuously throwing errors, while still maintaining data collection in the background. Other than an increase in errors, HOSTS blocking did not affect the volume, frequency, or rate of data being transmitted.

http://localghost.org/

http://aeronet.cz/news/analyza-windows- ... h-a-hlasu/

AC
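The post's point that HOSTS blocking is defeated by hardcoded IPs has a detection-side corollary: a connection to a public address that no DNS answer ever returned is exactly the kind of traffic a hosts file can never touch. The following is an added example, not code from the post or the linked blog. It correlates two constructed sample logs (a DNS answer log and a connection log, both in an assumed line format) and reports the connections whose destination never came from a lookup. All addresses and timestamps are made up, and the loopback/RFC 1918 ranges it skips are an assumption about what counts as local traffic.

```python
"""
Added example: flag outbound connections to public IPs that were never
returned by a DNS answer, i.e. destinations a HOSTS-file block could not
have affected. Log formats and all sample values are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumed local ranges to ignore (e.g. the LAN resolver at 192.168.1.1).
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed DNS answer log: "<ts> <qname> A <rdata>"
DNS_LOG = """\
2015-08-31T05:00:01Z vortex.data.microsoft.com A 203.0.113.10
2015-08-31T05:00:02Z example.org A 198.51.100.7
2015-08-31T05:00:03Z oca.telemetry.microsoft.com A 203.0.113.11
"""

# Constructed connection log: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>"
CONN_LOG = """\
2015-08-31T05:00:05Z 192.168.1.20:49152 -> 203.0.113.10:443 1200
2015-08-31T05:00:06Z 192.168.1.20:49153 -> 198.51.100.7:443 800
2015-08-31T05:00:07Z 192.168.1.20:49154 -> 203.0.113.99:443 35000
2015-08-31T05:00:08Z 192.168.1.20:49155 -> 192.168.1.1:53 64
"""


def parse_dns_answers(text):
    """Map each answered IPv4 address to the set of names that resolved to it."""
    ip_to_names = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "A":
            ip_to_names[parts[3]].add(parts[1])
    return ip_to_names


def parse_connections(text):
    """Return a list of (dst_ip, dst_port, nbytes) tuples from the connection log."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue  # skip lines that do not fit the assumed format
        dst_ip, dst_port = parts[3].rsplit(":", 1)
        out.append((dst_ip, int(dst_port), int(parts[4])))
    return out


def is_local(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in LOCAL_NETS)


def unresolved_destinations(dns_text, conn_text):
    """
    Return connections whose public destination IP never appeared in a DNS
    answer. No name was looked up for these, so no hosts entry could have
    intercepted them; they deserve a closer look in the capture.
    """
    ip_to_names = parse_dns_answers(dns_text)
    flagged = []
    for dst_ip, dst_port, nbytes in parse_connections(conn_text):
        if is_local(dst_ip):
            continue
        if dst_ip not in ip_to_names:
            flagged.append((dst_ip, dst_port, nbytes))
    return flagged


if __name__ == "__main__":
    for dst_ip, dst_port, nbytes in unresolved_destinations(DNS_LOG, CONN_LOG):
        print(f"no DNS answer seen for {dst_ip}:{dst_port} ({nbytes} bytes) - hardcoded IP?")
```

Run against a real capture you would feed it the DNS answers and connections exported from Wireshark in the same two-column shapes; the only connection flagged in the sample is the 35000-byte one to 203.0.113.99, which no lookup preceded.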

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Win 10 traffic analysis- it's 100% spyware/malware.

Postby parityboy » Mon Aug 31, 2015 9:17 pm

@OP

Many thanks for posting this, it's appreciated. This is why my Windows instances will never become my daily drivers.


Topic Author
kittenrocketTEMP

Re: Win 10 traffic analysis- it's 100% spyware/malware.

Postby kittenrocketTEMP » Tue Sep 01, 2015 9:56 am

Wellll I'm going to have to call FUD on this one, or the subject at least. WIN10 is pretty much configured to learn everything about you, yes. The cleanup job is tedious, yes yes :crazy: . But, it's possible to lock it down for the most part from the non-malware type privacy issues (don't mean just clicking the OFF switch in settings...). The concern is really what is inaccessible to the user through registry permissions and obfuscation, ambiguous tasks, services that chatter too much and NSA style super ninja backdoors :shh:. Is it safe to assume win 8.1 +- didn't already have these, as PRISM suggested they might? We will all have to quit using XP eventually :lolno:

Oh and adding that list to your 127.0.0.1's (host file) is a must, if it wasn't obvious. There are a few lists like that, this is the one I have compiled and can be copy pasta'd into C:\Windows\System32\drivers\etc\hosts

127.0.0.1 vortex.data.microsoft.com
127.0.0.1 vortex-win.data.microsoft.com
127.0.0.1 telecommand.telemetry.microsoft.com
127.0.0.1 telecommand.telemetry.microsoft.com.nsatc.net
127.0.0.1 oca.telemetry.microsoft.com
127.0.0.1 oca.telemetry.microsoft.com.nsatc.net
127.0.0.1 sqm.telemetry.microsoft.com
127.0.0.1 sqm.telemetry.microsoft.com.nsatc.net
127.0.0.1 watson.telemetry.microsoft.com
127.0.0.1 watson.telemetry.microsoft.com.nsatc.net
127.0.0.1 redir.metaservices.microsoft.com
127.0.0.1 choice.microsoft.com
127.0.0.1 choice.microsoft.com.nsatc.net
127.0.0.1 df.telemetry.microsoft.com
127.0.0.1 reports.wes.df.telemetry.microsoft.com
127.0.0.1 wes.df.telemetry.microsoft.com
127.0.0.1 services.wes.df.telemetry.microsoft.com
127.0.0.1 sqm.df.telemetry.microsoft.com
127.0.0.1 telemetry.microsoft.com
127.0.0.1 watson.ppe.telemetry.microsoft.com
127.0.0.1 telemetry.appex.bing.net
127.0.0.1 telemetry.urs.microsoft.com
127.0.0.1 telemetry.appex.bing.net:443
127.0.0.1 settings-sandbox.data.microsoft.com
127.0.0.1 vortex-sandbox.data.microsoft.com
127.0.0.1 survey.watson.microsoft.com
127.0.0.1 watson.live.com
127.0.0.1 watson.microsoft.com
127.0.0.1 statsfe2.ws.microsoft.com
127.0.0.1 corpext.msitadfs.glbdns2.microsoft.com
127.0.0.1 compatexchange.cloudapp.net
127.0.0.1 cs1.wpc.v0cdn.net
127.0.0.1 a-0001.a-msedge.net
127.0.0.1 statsfe2.update.microsoft.com.akadns.net
127.0.0.1 sls.update.microsoft.com.akadns.net
127.0.0.1 fe2.update.microsoft.com.akadns.net
127.0.0.1 diagnostics.support.microsoft.com
127.0.0.1 corp.sts.microsoft.com
127.0.0.1 statsfe1.ws.microsoft.com
127.0.0.1 pre.footprintpredict.com
127.0.0.1 i1.services.social.microsoft.com
127.0.0.1 i1.services.social.microsoft.com.nsatc.net
127.0.0.1 feedback.windows.com
127.0.0.1 feedback.microsoft-hohm.com
127.0.0.1 feedback.search.microsoft.com
127.0.0.1 rad.msn.com
127.0.0.1 preview.msn.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ads.msn.com
127.0.0.1 ads1.msads.net
127.0.0.1 ads1.msn.com
127.0.0.1 a.ads1.msn.com
127.0.0.1 a.ads2.msn.com
127.0.0.1 adnexus.net
127.0.0.1 adnxs.com
127.0.0.1 az361816.vo.msecnd.net
127.0.0.1 az512334.vo.msecnd.net


Haven't come across any issues blocking these, there are some more conservative lists out there that will block onedrive etc. Will be posting some win10 guides soon for tasks, services, anti-spying software etc.

postscript: the host file is probably bypassed if indeed there is any malware included in win 2*5
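One thing worth checking before pasting a list like the one above into a hosts file: an entry with a port suffix, such as `telemetry.appex.bing.net:443`, is not valid hosts syntax and will simply be ignored, and a hosts file cannot express wildcards at all. As an added example that is not part of the post, here is a small linter for such lists; it flags those cases plus duplicates and malformed names, and emits a normalized copy. The sample excerpt inside it is constructed, and the `sink` parameter is my own name for the address the names get pointed at.

```python
"""
Added example: lint a HOSTS-style block list. Flags entries a hosts file
cannot express (port suffix, wildcard), malformed hostnames and duplicates,
and returns a deduplicated, normalized list. Sample input is constructed.
"""
import re

# RFC 1123 label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed excerpt in the shape of the list above, with deliberate problems.
SAMPLE = """\
127.0.0.1 vortex.data.microsoft.com
127.0.0.1 telemetry.appex.bing.net
127.0.0.1 telemetry.appex.bing.net:443
127.0.0.1 Telemetry.appex.bing.net
127.0.0.1 *.telemetry.microsoft.com
127.0.0.1 bad_host.example
"""


def is_valid_hostname(name):
    """True if every dot-separated label satisfies the RFC 1123 rules above."""
    if len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    return all(LABEL_RE.match(lbl) for lbl in labels)


def lint_hosts(text, sink="127.0.0.1"):
    """
    Parse '<ip> <hostname> [<hostname> ...]' lines ('#' starts a comment).
    Returns (normalized_lines, problems): normalized_lines are '<sink> <host>'
    entries with duplicates removed; problems are (line_no, reason) tuples.
    """
    seen = set()
    normalized = []
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append((n, "missing hostname"))
            continue
        for host in parts[1:]:
            host = host.lower()  # hosts lookups are case-insensitive
            if ":" in host:
                problems.append((n, f"port suffix is not valid in a hosts file: {host}"))
                continue
            if "*" in host:
                problems.append((n, f"wildcards are not supported by a hosts file: {host}"))
                continue
            if not is_valid_hostname(host):
                problems.append((n, f"invalid hostname: {host}"))
                continue
            if host in seen:
                problems.append((n, f"duplicate entry: {host}"))
                continue
            seen.add(host)
            normalized.append(f"{sink} {host}")
    return normalized, problems


if __name__ == "__main__":
    lines, issues = lint_hosts(SAMPLE)
    for n, reason in issues:
        print(f"line {n}: {reason}")
    print("\n".join(lines))
```

On the sample, lines 3 through 6 are each reported (port suffix, case-only duplicate, wildcard, underscore in a label) and only the two clean entries survive. Passing `sink="0.0.0.0"` instead of the loopback address is a common choice, since it makes blocked names fail immediately rather than attempting a connection to a local port.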

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Windows Telemetry vs Acrylic / DNSCrypt

Postby marzametal » Mon Mar 21, 2016 3:41 am

I have a query about Windows Telemetry and DNSCrypt.

As we are well aware, v3 of the Windows Widget will include DNSCrypt. My concern is that domains such as www.download.windowsupdate.com have been proven to bypass HOSTS file entries, even with modification of the dnsapi.dll files located in system32 and SysWOW64. This has been shown in Wireshark; a call is made to www.download.windowsupdate.com, and it receives a valid reply. Another one that couldn't be silenced was related to *msftncsi*.

I have had to implement Acrylic DNS Proxy as a workaround, which nullifies calls to both www.download.windowsupdate.com and *msftncsi*. It also has another beautiful feature, which allows for wildcards such as *. Lots of power.

What I am essentially trying to figure out is if DNSCrypt can nullify replies made to the above two callouts like Acrylic does, or is it only for encrypting DNS traffic? I quote something I found on the DNSCrypt site...

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven't been tampered with.

Please note that DNSCrypt is not a replacement for a VPN, as it only authenticates DNS traffic, and doesn't prevent "DNS leaks", or third-party DNS resolvers from logging your activity.


I also ponder the success rate of combining the two apps, Acrylic + DNSCrypt. As a Windows User, I think the % rate of implementation objectives is sliiiiightly in favour of silencing MS callouts. However, MITM is a bitch in itself. So, better to trust the devil you know, rather than the one you don't, eh? lol...

Thoughts?
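The difference the post draws between Acrylic and a hosts file is really a matching question: a hosts entry matches one exact name, while a wildcard rule such as `*msftncsi*` catches every name containing that string, which is why `www.download.windowsupdate.com` slips past an entry written for `download.windowsupdate.com`. This added example (not the post's code and not Acrylic's; the rule syntax is Python's fnmatch globbing rather than Acrylic's own) shows which of the names mentioned above each approach would stop. The rule sets are constructed for illustration.

```python
"""
Added example: compare exact (hosts-file style) name blocking with glob
(wildcard-proxy style) blocking for the hostnames discussed in the post.
Rule sets are constructed; matching uses Python's fnmatch globbing.
"""
import fnmatch

# Exact names only, the way a hosts file works.
HOSTS_STYLE = {"download.windowsupdate.com", "www.msftncsi.com"}

# Glob rules: '*' matches any run of characters, dots included.
WILDCARD_STYLE = ["*.windowsupdate.com", "*msftncsi*"]

# Constructed queries to classify.
QUERIES = [
    "www.download.windowsupdate.com",
    "download.windowsupdate.com",
    "dns.msftncsi.com",
    "www.msftncsi.com",
    "www.example.org",
]


def normalize(name):
    """Lower-case and strip a trailing dot so comparisons are by canonical name."""
    return name.lower().rstrip(".")


def hosts_match(name, entries=HOSTS_STYLE):
    """A hosts file only matches the exact name that was written down."""
    return normalize(name) in entries


def wildcard_match(name, rules=WILDCARD_STYLE):
    """Return the first glob rule the name matches, or None if it matches none."""
    n = normalize(name)
    for rule in rules:
        if fnmatch.fnmatchcase(n, rule):
            return rule
    return None


def classify(names):
    """
    Map each name to what would have stopped its lookup:
    'hosts', 'wildcard:<rule>' or 'allowed' (nothing matched).
    """
    result = {}
    for name in names:
        if hosts_match(name):
            result[name] = "hosts"
        else:
            rule = wildcard_match(name)
            result[name] = f"wildcard:{rule}" if rule else "allowed"
    return result


if __name__ == "__main__":
    for name, verdict in classify(QUERIES).items():
        print(f"{name:35s} {verdict}")
```

Whatever transport carries the queries, a matching layer like this is what actually nullifies a lookup; in the sample, `www.download.windowsupdate.com` and `dns.msftncsi.com` are caught only by the glob rules, the two exact names are caught by the hosts-style set, and `www.example.org` is allowed through.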

ntldr
ForumHelper
Posts: 39
Joined: Sun Feb 01, 2015 4:15 pm

Re: Win 10 traffic analysis- it's 100% spyware/malware.

Postby ntldr » Mon Mar 21, 2016 4:34 pm

If this video is at all correct, then the hosts file or blocking websites is just a small portion of what some of you might be doing.

About 1 million websites to block

