
My application ran away and called home from Redmond - jviide
https://medium.com/sensorfu/how-my-application-ran-away-and-called-home-from-redmond-de7af081100d
======
MzHN
I think the key quote here is

"This opens interesting data leak vector for attacker and also includes some
privacy concerns. It is quite common that even in isolated environments, many
of the Microsoft IP address ranges are whitelisted to make sure systems will
stay up to date. This enables adversary to leak data via Microsoft services
which is extremely juicy covert channel."

As a user, you can just disable automatic sample submission. In fact I'm
pretty sure you can set it during installation, as I've never had to go
through the settings to disable it, but it's still disabled on all my
installations.

But the question is, from an adversary perspective, does your victim have it
disabled?

Most likely they won't, so you can use Microsoft as a mule to exfiltrate data
from otherwise firewalled victims.

~~~
Nextgrid
> you can use Microsoft as a mule to exfiltrate data from otherwise firewalled
> victims

This is actually a smart idea. Make your spyware collect & encrypt data into a
(new and unknown) binary and execute it, relying on the fact that Microsoft
will exfiltrate it for you. When that binary itself is run (within MS'
premises) it will then reach out to you with its embedded data.

~~~
rkagerer
Yet another reason I'm reluctant to upgrade to Windows 10. Too many buttons
and toggles to turn off to arrive at a PC that functions the way I expect it
to, and an update mechanism that's likely turning new ones on faster than I
can spot them.

~~~
naikrovek
This is a Windows Defender thing, not a Windows 10 thing.

Windows Defender on Windows 7 also submits previously unobserved binaries to
Microsoft for the same reason.

Go ahead, blame Win10, though. A non-zero number of people will take your
comment to heart and believe that you knew what you were talking about with
their entire soul, without seeing my comment.

I am so tired of seeing communal ignorance on this topic. People believe
whatever bullshit they want, if it fits the narrative they are trying to sell.

~~~
fiblye
> This is a Windows Defender thing, not a Windows 10 thing.

So Windows Defender isn't bundled as a part of Windows 10?

~~~
wolrah
> So Windows Defender isn't bundled as a part of Windows 10?

It was also bundled as part of Windows 8.1, Windows 8, Windows 7, and Windows
Vista on top of being available as a free download for Windows XP (and even
2000 during the beta phase).

The current form, after the Microsoft Security Essentials package was merged
in, didn't come about until Windows 8 but Windows Defender as a product dates
back to Microsoft's purchase of GIANT Software.

Either way you call it, XP or 8, saying Defender is a Windows 10 thing is like
saying Firefox is an Ubuntu 19.04 thing. Sure, Ubuntu 19.04 does bundle
Firefox, but so did many versions prior.

---

It's also worth noting that almost every antimalware product has an option to
submit unknown binaries for analysis, and almost every one of those either
enables it by default or very strongly suggests that you do so during setup to
the point that I'd imagine most installations that aren't managed under
corporate policy are submitting samples.

------
AlexandrB
From a copyright law perspective, this seems wild. Microsoft is downloading
and running binaries from entities that may have never given Microsoft license
to do so, including Microsoft's competitors. All based on a permission setting
configured by an unrelated third party (the user).

~~~
gnode
> never given Microsoft license to do so

It's possible that they don't need it. There are fair use exemptions for
reverse engineering and automated analysis. These may be the legal basis on
which anti-malware research can be conducted.

~~~
Analemma_
Indeed, there have to be exceptions like this. Otherwise malware authors could
sue AV companies for infringement, which doesn't seem to fit the intention of IP
law.

~~~
zeveb
> Otherwise malware authors could sue AV companies for infringement, which
> doesn't seem to fit the intention of IP law.

'You may sue the AV company for $1 million; users who suffered from your
malware will civilly sue for $100 billion, and the government will charge you
with crimes and put you away for a decade. Your move.'

~~~
wtracy
A tangent:

There's this fascinating (to me, anyway) line between "viruses" (including
worms, Trojans, and similar malware) that antivirus programs will tackle, and
adware/spyware that they usually don't.

The difference between the two is whether or not there's a corporation
publicly taking credit for the program and suing antivirus companies for
defamation over calling it a "virus".

Adware/spyware is limited in distribution methods and payload types by the
letter of the law, but otherwise the two classes are functionally identical.

------
0xcde4c3db
If this is Microsoft's idea of performing a security function, I have to
assume that submitted executables are also going into a giant database/archive
that can be turned over to the three-letter agencies with a single National
Security Letter, complete with any secrets embedded therein.

Like Bo Burnham says, I guess I should lower my expectations a lot.

~~~
mirimir
It's already happening.[0]

Marketplace Hansa was running Bitdefender, which pwned them to Europol.

> Europol has been supporting the investigation of criminal marketplaces on
> the Dark Web for a number of years. With the help of Bitdefender, an
> internet security company advising Europol's European Cybercrime Centre
> (EC3), Europol provided Dutch authorities with an investigation lead into
> Hansa in 2016. Subsequent enquiries located the Hansa market infrastructure
> in the Netherlands, with follow-up investigations by the Dutch police
> leading to the arrest of its two administrators in Germany and the seizure
> of servers in the Netherlands, Germany and Lithuania. Europol and partner
> agencies in those countries supported the Dutch National Police to take over
> the Hansa marketplace on 20 June 2017 under Dutch judicial authorisation,
> facilitating the covert monitoring of criminal activities on the platform
> until it was shut down today, 20 July 2017. In the past few weeks, the Dutch
> Police collected valuable information on high value targets and delivery
> addresses for a large number of orders. Some 10 000 foreign addresses of
> Hansa market buyers were passed on to Europol.

0) [https://www.europol.europa.eu/newsroom/news/massive-blow-to-...](https://www.europol.europa.eu/newsroom/news/massive-blow-to-criminal-dark-web-activities-after-globally-coordinated-operation)

------
kemonocode
That's frankly alarming. They should be doing nothing but static analysis on
those binaries and if they must execute them, then certainly not giving them
any network access. That's without even touching on any IP law concerns and
how an end user can be unwillingly complicit in such things...

~~~
dahdum
Malware will pull updates and commands from the internet; if they didn't allow
network access it would be a nearly useless service. Attackers can make the
binary pre-update look as innocent as they want.

------
thexa4
Cool, it's kind of like STUN but for networks with almost no connectivity.

Create a binary that sends info when started, submit it and wait for it to
send the info from Redmond to your server.

Too bad there is no return channel or you could make IP over windows update.

~~~
Uristqwerty
Can you return a bit by deciding whether the executable gets flagged as
malicious in response to the network activity? Can you set up a timing
difference to send more than one bit per executable?

------
pletnes
Could you do ssh -R and get a shell on the testing machine in Redmond? Could
make a nice tunnel for getting US Netflix.

~~~
hiccuphippo
You could use it for crypto mining.

~~~
LeoPanthera
Assuming they only run it once, in one sandbox, that would probably not be
particularly profitable.

~~~
philpem
Especially if there's a time limit on execution.

How many bitcoins can you mine in 30 seconds with a silly-low CPU cap?

~~~
dagw
_How many bitcoins can you mine in 30 seconds with a silly-low CPU cap?_

Somewhere in the region of $5e-9 worth of bitcoins.

------
thomasdereyck
Advanced Threat Protection in Office 365 does this as well. It's a security
feature that scans all linked files and attachments sent through Outlook.

A while back in my company we were deploying a client management tool (think
TeamViewer but with more background management and software deployment
capabilities). It needed to be very easy to install, so we just had a link to
an EXE file that needed to be opened by our on-site IT departments. No extra
steps were required.

Imagine our surprise when we suddenly saw machines popping up that were
totally unfamiliar. These were machines connecting from a Microsoft IP, and
all had random (but similarly formatted) usernames. They also provided random
mouse inputs. We could even take control of these machines (!) but apparently
they were short lived VMs that only existed for a few minutes before being
recycled.

I contacted Microsoft support because at first we thought this may be a manual
process (because of the mouse inputs and the user names), and we didn't want
Microsoft employees seeing user data. Afterwards I also commented to the
support person that someone may use these temporary machines as an attack
vector (to use as an anonymous source, or in a DDoS attack), but the ticket
was closed and if I recall correctly this was deemed "working as designed".

~~~
saiya-jin
Anytime somebody here would like to claim that 'new' Microsoft is so much
better and more moral than 'old' one, I want to punch them in the face and start
ranting about Windows 10. Never met a single person, IT or not, who would not
complain about it after moving from Windows 7.

Now I don't have to, I can just point to this thread and this comment.

This is pure arrogance - they know they have the whole corporate world stuck with
Office; even an immediate move to open source would take 20 years, mostly due to
tight Excel integration/expertise. We would all benefit from good
competition in this area...

------
Animats
_"Microsoft Windows 10 sends all new unique binaries for further analysis to
Microsoft by default."_

Even if you're developing? Even if you're developing proprietary applications
not for public use?

_All your code are belong to us._

~~~
zamadatix
I mean it's either send all or send none; there is not really an in-between way
to do this method.

------
Silhouette
One of the main reasons we don't want anything to do with most recent
Microsoft software at my office is concern that unspecified data we're working
with -- which might include information obtained under NDAs, clients' trade
secrets, sometimes personal data, etc. -- might get sent up to the mothership
when one of the telemetry systems phones home.

People look at me as if we're crazy for worrying about this possibility, even
though Microsoft of 2019 is notoriously vague about how any of this works and
we could be flagrantly violating multiple laws and contractual obligations if
it happened.

~~~
philpem
This. If they were at least up-front and said what it collects, how, when, and
how to turn it off (or better yet, followed privacy best practice and turned
it into informed opt-in), I'd be more eager to upgrade.

With that said -- there's still room for due diligence. I've built systems
which handle personal data, and we pretty much started with Debian minimal and
worked from there. To make damn sure, we stuck them behind a whitelisted
firewall. They had access only to things we allowed them to see, and only in
the direction we allowed.

------
csande17
> Microsoft Windows 10 sends all new unique binaries for further analysis to
> Microsoft by default.

Interestingly, Apple's now doing sort of the opposite of this. Instead of
having the _end-user's_ computer upload all executables to Apple for
analysis, Apple requires the _developer_ send them over and have them
"notarized" before they run.

------
throwaheyy
Reminds me of the story about the NSA contractor who had pirated Office on
their laptop, and when Kaspersky AV predictably collected a sample of the
virus-infected keygen to its servers, the US tried to spin it as "Russian data
exfiltration".

~~~
dralley
My recollection was that he had samples of NSA malware on his computer, that
Kaspersky detected this, and that shortly afterwards he was directly targeted
by Russian state hackers.

It was not so much that Kaspersky was acting as malware, but that they were
sending tips to the FSB.

------
2rsf
> Microsoft Windows 10 sends all new unique binaries for further analysis to
> Microsoft by default. They run the executable in an environment where
> network connectivity is available.

How did the author reach this conclusion? Is it documented somewhere?

~~~
antsar
He includes this screenshot[0], addressing the "send" part. The "run" part
seems evident from the network traffic coming from MSFT.

[0]
[https://miro.medium.com/max/334/0*g_3L3SxR4IYoBAxD](https://miro.medium.com/max/334/0*g_3L3SxR4IYoBAxD)

------
pnako
> Microsoft Windows 10 sends all new unique binaries for further analysis to
> Microsoft by default.

Wait, what? Let's say you write code that you compile using MSVC or MinGW or
whatever to an .exe file.

Surely there is no way this gets automatically sent to MS?

~~~
unionpivo
That is exactly what happens. And it happens with any new executable. I
noticed it when I was trying out how well Rust works on Windows.

~~~
fortran77
I couldn't even get Rust to install on Windows!

~~~
unionpivo
rustup is your friend. Install that, and then Rust with rustup.

Edit: forgot link: [https://rustup.rs/](https://rustup.rs/)

------
mschuster91
> They run the executable in an environment where network connectivity is
> available.

Why does MS _run_ unknown executables? On the other hand, should be a nice
DDoS provider for blackhats...

~~~
inanutshellus
Perhaps it's not running the EXE but instead identifying URLs in the code,
cURLing them to see what it gets, and doing so to verify what they get isn't
malware?

~~~
oherrala
The software in question (called Beacon) is designed to call home. The binary
has built-in cryptographic keys and it sends traffic encrypted. The receiving
end, called Home, receives these packets, decrypts them and verifies the sender,
and after that gives an alert.

The exe must have been running to be able to generate the proper encrypted
payload and send it to the right place. In this case ports 20 and 1025 over TCP.

Disclaimer: I am one of the people who wrote the software.

------
jimnotgym
I was interested in this Beacon software, but then I found you had to contact
them for pricing and I gave up on the idea.

Lesson: clear pricing keeps people like me in the game

~~~
SteveNuts
I've found a lot more software startups and SaaS companies using this method
lately.

When I actually am interested enough to talk to their salespeople (and they're
straightforward enough with me) they've told me it helps them target whales
more easily.

They can charge a lot more to a huge Enterprise and adjust lower for SMBs.

~~~
philpem
Of course the fun part of that is when the sales staff mistake a minnow for a
whale.

Case in point, a large FTSE, NYSE, NASDAQ listed company with largely siloed
internal departments, all with their own budgets. Your yearly budget might be
$20,000 -- but they see the Inc. or Plc. with a turnover in the hundreds of
millions and quote accordingly...

That situation makes for some fun sales calls.

------
anonymousisme
It would be a fun experiment to create a network probe executable that
exfiltrates results back to you, and then push it to Microsoft in this way. I
wonder how secure their test environment could be if it has Internet access...

~~~
zamadatix
I'd imagine the app is run in a DMZ and the internet FW blocks typical malware
behavior once detected. After all the whole point of running it is to find if
the executable is going to do these types of things so they'd be prepared.

------
kazinator
> _Microsoft Windows 10 sends all new unique binaries for further analysis to
> Microsoft by default._

That's not only a privacy concern; it's blatant copyright infringement.

------
zamadatix
I'm surprised by the number of people on HN who assume Microsoft's security
group involved in actively trying to find malware by running unknown programs
has absolutely 0 precautions against one of the programs they run being
malicious.

~~~
opencl
Microsoft does not exactly have the best track record with this.

[https://bugs.chromium.org/p/project-zero/issues/detail?id=12...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5)

~~~
zamadatix
In what way is "had a RCE CVE" a track record that "Microsoft's security group
involved in actively trying to find malware by running unknown programs has
absolutely 0 precautions that one of the programs they run would be
malicious."

I'm not talking about invulnerable software I'm talking about the comments
assuming Microsoft doesn't expect __malware testing servers__ to run scanning
or DDOS malware.

------
TYPE_FASTER
It looks like you can manually upload submissions here:

[https://www.microsoft.com/en-us/wdsi/filesubmission](https://www.microsoft.com/en-us/wdsi/filesubmission)

This may be outdated, but you can also configure Defender to always prompt
before sending:

[https://docs.microsoft.com/en-us/windows/security/threat-pro...](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016)

It would be interesting to set it to always prompt and see what triggers it.
There must be some level of fingerprinting done on the client (hash of the
binary? network activity, etc.) that can be used to compare against known
threats.
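As an added example, not code from this thread, from Microsoft, or from the Beacon authors, here is a PowerShell audit-and-harden script covering what MzHN (disable automatic sample submission) and TYPE_FASTER (configure Defender to always prompt) describe: it reads the current sample-submission setting, shows whether a policy already pins it, and can switch it to "always prompt" or "never send", optionally enforcing that via the local policy registry key. `Get-MpPreference`/`Set-MpPreference` and the `...\Windows Defender\Spynet` policy path are real Defender interfaces; the function names and the `$consentNames`/`$mapsNames` tables are mine; the value meanings for `SubmitSamplesConsent` (0 prompt, 1 safe samples only, 2 never, 3 all) are as documented for that setting. Run it from an elevated shell on a Windows 10 / Server 2016 host.

```powershell
# Added example: audit and harden Windows Defender sample submission.
# Assumes the Defender PowerShell module (Get-MpPreference / Set-MpPreference)
# is present and the shell is elevated. Function names are my own.

$consentNames = @{
    0 = 'Always prompt'
    1 = 'Send safe samples automatically'
    2 = 'Never send'
    3 = 'Send all samples automatically'
}
$mapsNames = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'

function Get-SampleSubmissionState {
    # Effective preference as Defender sees it, plus any local/Group Policy override.
    $pref   = Get-MpPreference
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SubmitSamplesConsent = [int]$pref.SubmitSamplesConsent
        ConsentMeaning       = $consentNames[[int]$pref.SubmitSamplesConsent]
        MAPSReporting        = [int]$pref.MAPSReporting
        MAPSMeaning          = $mapsNames[[int]$pref.MAPSReporting]
        PolicyConsent        = $policy.SubmitSamplesConsent   # $null when no policy set
        PolicyMAPS           = $policy.SpynetReporting        # $null when no policy set
    }
}

function Set-SampleSubmissionPrompt {
    # 0 = ask the user before any sample leaves the machine (what TYPE_FASTER suggests).
    Set-MpPreference -SubmitSamplesConsent 0
}

function Set-SampleSubmissionNever {
    # 2 = never upload file content; cloud lookups (MAPS) keep working on metadata only.
    Set-MpPreference -SubmitSamplesConsent 2
}

function Set-SampleSubmissionPolicy {
    # Pin the choice via the policy key so the Settings app or a later update
    # cannot silently flip it back; the UI then shows it as managed.
    param([ValidateSet(0, 1, 2, 3)][int]$Consent = 2)
    if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
    New-ItemProperty -Path $policyPath -Name 'SubmitSamplesConsent' `
        -PropertyType DWord -Value $Consent -Force | Out-Null
}

function Test-SampleSubmissionHardened {
    # True only when uploads are blocked or gated on a prompt, both in preference and policy.
    $s = Get-SampleSubmissionState
    ($s.SubmitSamplesConsent -in 0, 2) -and ($s.PolicyConsent -in 0, 2)
}

# Usage: audit first, then harden and re-check.
Get-SampleSubmissionState | Format-List
# Set-SampleSubmissionNever; Set-SampleSubmissionPolicy -Consent 2
# Test-SampleSubmissionHardened
```

Two caveats worth keeping in mind when reading the output: "Never send" stops whole-file uploads but does not turn off cloud-delivered protection, so file hashes and metadata still go to MAPS unless `MAPSReporting` is also 0 (at the cost of losing cloud lookups); and a preference set with `Set-MpPreference` alone is only advisory, which is why the script also checks and writes the policy key before reporting the host as hardened.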

------
maltalex
This shouldn't be hard to test.

Just create a native executable in your language of choice that connects to a
hardcoded address of a server you have access to and try executing it on a
windows machine with sample submission enabled.

------
Havoc
Also seems like a viable vector to DOS something - if Microsoft runs this on
some sort of cloud infra with a fat pipe

~~~
Terr_
I think that's less likely, if MS gets a thousand identical copies of a
binary, they probably aren't going to bother test-analyzing more than one.
There also might be some rate-limiting on what they'll do from a particular
machine.

So your attack might require first controlling a swarm of Windows 10 machines,
in which case you might as well do it directly :P

~~~
dTal
Who said anything about identical binaries? It's trivial to make two
completely differently obfuscated binaries that do the same thing. If it were
possible to determine behavior by static analysis, they wouldn't need to run
it...

------
TeMPOraL
Ok, so if I compile an executable that pops up a screen with a picture I drew
+ lots of personal and medical information about me, and phones me whenever
it's executed, and then just leave it on my machine only for it to phone home
from Redmond, can I sue them for copyright, GDPR, HIPAA violations and
whatnot? How good is their "new unique binaries" detection? Could I do the
same with just a bunch of files wrapped in a good ol' self-extracting archive?

Seriously, what in hell? Like always, blatant violations of users in the name
of "security".

~~~
lazyasciiart
I'm not sure how you would invoke HIPAA with no medical professionals
involved. It doesn't just magically apply because you wrote down your own
medical information.

~~~
Silhouette
You could replace HIPAA with GDPR again, since almost any medical information
about an identifiable individual will constitute sensitive personal data that
requires the stronger protections under that law.

~~~
icebraining
Microsoft might claim it's a Legitimate Interest (recital 49 might be useful
here, though I'm not sure it applies).

~~~
Silhouette
I suppose it could _claim_ that, but I suspect it would be a tough sell with
the regulators if Microsoft is uploading large amounts of data the user
probably didn't even know about _and_ some of that data turned out to include
sensitive personal data.

~~~
crummy
Are many folks compiling sensitive personal data into binaries?

~~~
Silhouette
Presumably most people don't compile that sort of data into executables, but
the situation seems to be unclear about whether other types of file might also
be uploaded through similar mechanisms, and there also seems to be something
going on involving MS executing the files and allowing remote connectivity, so
the issue still seems relevant.

------
alyandon
It's not just executables. I once caught Microsoft Defender sending copies of
sensitive files like places.sqlite out of my Firefox profile directory to
Redmond. Needless to say, I disabled that feature permanently via local
policy.

------
foota
I'm amazed they run these with internet access. I understand though that
without it a malicious program may not run the same.

It probably also allows them to do some spying on networks used by malware.

------
PeterStuer
They probably limit the execution resources available or you would have
yourself a free albeit unpredictable cloud execution platform for all your
memory/CPU intensive processes.

