by MzHN 2449 days ago
I think the key quote here is

"This opens interesting data leak vector for attacker and also includes some privacy concerns. It is quite common that even in isolated environments, many of the Microsoft IP address ranges are whitelisted to make sure systems will stay up to date. This enables adversary to leak data via Microsoft services which is extremely juicy covert channel."

As a user, you can just disable automatic sample submission. In fact, I'm pretty sure you can set it during installation, as I've never had to go through the settings to disable it, but it's still disabled on all my installations.

But the question is, from an adversary perspective, does your victim have it disabled?

Most likely they won't, so you can use Microsoft as a mule to exfiltrate data from otherwise firewalled victims.

6 comments

> you can use Microsoft as a mule to exfiltrate data from otherwise firewalled victims

This is actually a smart idea. Make your spyware collect & encrypt data into a (new and unknown) binary and execute it, relying on the fact that Microsoft will exfiltrate it for you. When that binary itself is run (within MS' premises) it will then reach out to you with its embedded data.

And it all slips through the firewalls and whitelists because it looks just like official "Microsoft Telemetry" data. Wow.
Free data uploads. You could make unique binaries that, when run, start seeding a torrent. Maybe MS will put the kibosh on you uploading Seinfeld_S1_E1_obfuscated.exe to their cloud, but... how about a worm serving up its own updates through MS IPs?

Yet another reason I'm reluctant to upgrade to Windows 10. Too many buttons and toggles to turn off to arrive at a PC that functions the way I expect it to, and an update mechanism that's likely turning new ones on faster than I can spot them.

This is a Windows Defender thing, not a Windows 10 thing.

Windows Defender on Windows 7 also submits previously unobserved binaries to Microsoft for the same reason.

Go ahead, blame Win10, though. A non-zero number of people will take your comment to heart and believe that you knew what you were talking about with their entire soul, without seeing my comment.

I am so tired of seeing communal ignorance on this topic. People believe whatever bullshit they want, if it fits the narrative they are trying to sell.

You're splitting hairs on semantics. However you slice it, the software is present after a fresh OS installation, with a default setting that broadcasts my files to Microsoft.

Since you brought up Windows 7, I'll point out in those days Microsoft had the decency to inherit the setting from a choice made during OS installation (but even then you had to dig a little to discern the connection): https://i.imgur.com/SpqXmod.png. You further had to visit a SpyNet enrollment screen before it collected more "advanced" metadata like filenames, location, etc: https://i.imgur.com/z3qtuxp.png

On Windows 10, even if you turn off ALL three pages of privacy-hostile options during installation: https://i.imgur.com/RjXSM6S.png

...you still wind up with a Defender that broadcasts your files: https://i.imgur.com/1M7z3nH.png

Incidentally, the Privacy Policy links in that screenshot all just forward to the generic Microsoft one (https://privacy.microsoft.com/en-US/privacystatement), so who even knows what additional metadata each feature sucks up.

This is what I'm talking about when I complain about all the buttons and toggles to turn off just to get my OS to function the way I expect (in this case, stop indiscriminately bleeding my bits and bytes to the cloud).

They aren't indiscriminately doing anything. Only executables with hashes not previously seen are sent by default, and clearly you know how to turn that off.

They're legally bound by their privacy policy. They can't use info obtained by those executables to blackmail you or turn you in to authorities; they can only use that data to improve the anti-malware service they offer. And, as previously mentioned, you know how to turn it off.

The information about this isn't hidden. An operating system is complex, and thus operating system configuration is likely to be complex. Microsoft could have made things less difficult to find, you're right, and they are basing their defaults on the vast majority of people, like me, who are completely fine with doing what we can to improve their anti-malware service.

You're angry and that's fine.

Imagine the anger (and the fallout) if yet another malware worm used Windows to propagate across the world. People were absolutely LIVID last time, and there were lots of lawsuits against Microsoft for ILOVEYOU and Code Red and others of the era. The default settings you see today are a direct result of those events and other, smaller ones, like them.

>This is a Windows Defender thing, not a Windows 10 thing.

So Windows Defender isn't bundled as a part of Windows 10?

> So Windows Defender isn't bundled as a part of Windows 10?

It was also bundled as part of Windows 8.1, Windows 8, Windows 7, and Windows Vista on top of being available as a free download for Windows XP (and even 2000 during the beta phase).

The current form, after the Microsoft Security Essentials package was merged in, didn't come about until Windows 8 but Windows Defender as a product dates back to Microsoft's purchase of GIANT Software.

Either way you call it, XP or 8, saying Defender is a Windows 10 thing is like saying Firefox is an Ubuntu 19.04 thing. Sure, Ubuntu 19.04 does bundle Firefox, but so did many versions prior.

---

It's also worth noting that almost every antimalware product has an option to submit unknown binaries for analysis, and almost every one of those either enables it by default or very strongly suggests that you do so during setup to the point that I'd imagine most installations that aren't managed under corporate policy are submitting samples.

Sure. But Windows users often installed it on Windows 7. And on Windows XP, as I recall.

Also, other anti-malware apps typically upload novel binaries. And their test machines likely run them, with network access, for the same reasons that Microsoft does.

So this exfiltration channel may well have existed for decades. Whether it's been used or not is an open question, though.

Edit: style

I'm a Windows 10 user; I switched back after a decade of MacOS, and I've been really satisfied with it. It's a huge step forward from Windows 7/8.

Seems nuts that they'd just randomly run every binary that comes to them in a crash report.

I don't think that this is about crash reports.

Windows Defender, like many anti-malware apps, checks hashes of binaries. Anything that's new gets uploaded for testing.

Here's another thought. Could you use this to instead _attack_ someone from Microsoft's IP range?

Maybe not DDoS, but if the range is naively whitelisted, maybe something more precise due to the fact that the victim believes the environment to be isolated.

Hopefully MS block their sandboxes from contacting known ports, e.g. < 1024, so it would be difficult to attack common services, but who knows?

Based on the article, it seems low ports work. Port 20 was posted by the beacon.

Also, in the image caption ...

> Because of Windows Defender automatic sample submission, Beacon binary was uploaded to Redmond and Beacon called Home from there.

... and below ...

> They run the executable in an environment where network connectivity is available.

Why would they do that? To see what happens?

And it's not just Microsoft. Many anti-malware apps (now, probably most) upload binaries. And I'm guessing that many run them. Maybe even with network access.

SensorFu might want to repeat this test using other anti-malware apps.

Consider: Malware that doesn't do anything suspicious unless it can first fetch a plausible benign file from what looks like a CDN. If the goal is to properly inspect the behaviour of potentially-malicious code, what it does after successfully fetching a set of ads is as, if not more, important than what it does when the connection is blocked. Perhaps a multiplayer game with a backdoor triggered by the MotD service, through intentionally-vulnerable-to-buffer-overflows string processing code.

For bonus points, the C&C server realises the incoming IP has Microsoft's name attached, and only sends back the adverts. For anyone else, it sends a malicious image file as part of the drop, which exploits an intentional security vulnerability in the dropper...

That's actually disturbingly sneaky.

OK, that makes sense.

So how would one block this exploit? You can't test the malware properly without letting it reach its servers. So then you're also letting it upload its exfiltrated data. Which would likely be encrypted.

I think you'd more or less have to block *.microsoft.com at the gateway, then add explicit allows for WGA and Windows Update.

Or a group policy update to tell Defender not to upload stuff to MS.
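The two user-side mitigations raised in this thread (disabling automatic sample submission in the settings, and pushing the same thing via group policy) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this discussion, not code from the thread or from Microsoft. It assumes the Defender PowerShell module's `Get-MpPreference` / `Set-MpPreference` cmdlets and the `HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet` policy key exist on the target build, which is the case on Windows 10 but should be verified on older hosts.

```powershell
# Audit and remediate Windows Defender automatic sample submission.
# Run elevated. Assumes the built-in Defender module and the policy key named below.

# Defender's SubmitSamplesConsent values:
#   0 = Always prompt, 1 = Send safe samples automatically,
#   2 = Never send,    3 = Send all samples automatically
$pref = Get-MpPreference
Write-Host "MAPS reporting level      : $($pref.MAPSReporting)   (0 = off, 1 = basic, 2 = advanced)"
Write-Host "Local SubmitSamplesConsent: $($pref.SubmitSamplesConsent)"

# A group policy value overrides the local preference, so check the policy key as well.
# Absence of the value means 'not configured'; 2 means 'Never send'.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'
$policyVal = (Get-ItemProperty -Path $policyKey -Name SubmitSamplesConsent `
                -ErrorAction SilentlyContinue).SubmitSamplesConsent
if ($null -eq $policyVal) {
    Write-Host "Policy SubmitSamplesConsent: not configured"
} else {
    Write-Host "Policy SubmitSamplesConsent: $policyVal"
}

# Remediation on an unmanaged machine: set the local preference (NeverSend == 2).
Set-MpPreference -SubmitSamplesConsent NeverSend

# Remediation for a managed fleet is the policy
# "Send file samples when further analysis is required"
# (Windows Components > Windows Defender Antivirus > MAPS), which writes this value.
# Writing the registry value directly mirrors that policy for a standalone host;
# in a domain, set it through GPO instead so it is not overwritten on the next refresh.
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name SubmitSamplesConsent -Value 2 -Type DWord

# Verify the effective setting.
(Get-MpPreference).SubmitSamplesConsent   # expect 2
```

Note what this does and does not cover: it stops this host from uploading unseen executables on its own, which closes the channel the article demonstrates for Defender's own submissions, but it does nothing about code on the host submitting a file through some other route, and it leaves cloud-delivered protection (`MAPSReporting`) untouched, so existing detection coverage is not reduced.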

Sorry. I meant how would Microsoft (and other anti-malware) firms block it. When they're testing binaries obtained from users' machines.

For users, sure, try to lock down Windows. Or (my preference) just don't use it. Or don't give it network access, if it contains any information that you care about.

> But the question is, from an adversary perspective, does your victim have it disabled?

Does it even matter? Extrapolating from that quote: a submitted sample could make abusive network requests against the victim (from MSFT's network, which is "trusted"), as well as network requests back to the attacker's server for control and/or data collection.

>As a user, you can just disable automatic sample submission.

I don't think disabling it really helps. It sounds like the goal is to prevent malware on your machine from ever leaking data on your machine to some external server. But even if you disable automatic sample submission, the malware on your machine could still submit a program on its own to Microsoft that leaks your data.

I think the key is that Windows 10 sends all new binaries to Microsoft by default. This is a total security and privacy (they're the same thing) nightmare.