Batu69 Posted March 18, 2016

Here's how to nuke this persistent menace

Microsoft uses techniques similar to aggressive malware to promote its “Get Windows 10” offer.

As many readers have discovered, the persistent and constantly changing methods Microsoft uses to continually reintroduce its “Get Windows 10” tool, or GWX, onto computers mean it’s extremely difficult to avoid. Windows users who decline to use it find it is repeatedly reintroduced.

The language of the counter-malware industry is more appropriate than the language of enterprise IT for GWX. GWX subverts a channel intended for one purpose (security hotfixes) for another (advertising); it changes its “attack vectors”; it “conceals itself” kinda like a rootkit; it uses “polymorphic” techniques; and it consistently overrides users' actions and permissions.

Much of the attention in the tech press on combatting GWX has focused on eliminating the work of one patch, KB3035583, which constantly reappears on users' PCs, even after removal. However, an investigation shows that ‘583 is a symptom, rather than the cause, of recurring GWX infestations.

The ‘583 patch is most commonly reinstalled by another patch, KB2952664. Once ‘664 is on a system, '583 will be requested for download and installation. Getting rid of, and thereby controlling, '664 could be the key to controlling the sophisticated "Get Windows 10" nagware network.

"Current patches do not fully address this situation and I do not believe it ever will, as the author of the GWX patch only addresses the GWX executable plus the '583 update,” writes a reader who conducted a detailed investigation for us.

Studying the behaviour of the ‘664 patch explains why controlling GWX is so difficult. The ‘664 patch constantly “mutates” – it is frequently revised to contain a new payload. Microsoft has not documented its behaviour, and has over the years removed explanations of what KB patches actually do.
The ‘664 patch has changed often, as these logs show:

Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.3.0
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.4
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.5.3
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.6.1
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.7.4
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.8.2
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.6
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.8
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.10.5
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.14.2
Package_1_for_KB2952664~31bf3856ad364e35~amd64~~6.1.15.2
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.1.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.2.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.2.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.3.0
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.4.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.4.4
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.5.3
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.6.1
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.7.4
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.8.2
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.9.6
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.9.8
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.10.5
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.14.2
Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.15.2
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.1.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.2.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.3.0
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.4.4
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.5.3
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.6.1
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.7.4
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.8.2
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.6
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.9.8
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.10.5
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.14.2
Package_3_for_KB2952664~31bf3856ad364e35~amd64~~6.1.15.2

Windows Update considers each revision to the patch to be a new install instance. So every time Microsoft changes the KB2952664 update nomenclature, all previous attempts by the user to block the update are invalidated.

Many users are unaware that uninstalling either KB3035583 or KB2952664 only uninstalls a single revision of the patch; later, the patch can reinstall itself using an alternate revision number, because KB2952664 is being cached in C:\Windows\SoftwareDistribution\Download.

A filtered registry dump on our test machine revealed there were more than 80 registry entries relating to the installation of ‘583 and ‘664, located mostly in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\PackageDetect and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

Unless the user gets rid of ALL of the "Get Windows 10" system updates and its helpers, the GWX popup will persist. These are:

KB2952664
KB3035583
C:\Windows\System32\GWX
C:\Windows\SoftwareDistribution\Download\*KB2952664*
C:\Windows\SoftwareDistribution\Download\*KB3035583*
ALL registry entries for KB2952664 and (optionally) KB3035583

The GWX "patch" only hides the "Get Windows 10" reminder from the System Tray; it does not eliminate the actual installation of the assigned Windows 10 updates.
Microsoft has made it exceptionally difficult to remove the reminders in a coherent way. Removal cannot be automated – and if you miss one of the 80 registry entries, the process restarts. The number of registry entries differs according to which, and how many, previous versions of KB2952664 have been installed. Owner permissions need to be reset to change some of the entries, making it more difficult.

Our resident sysadmin blogger Trevor Pott advises network administrators to take three steps. Firstly, push the registry change via a Group Policy Object (GPO). Secondly, make sure that the GWX patches are not installed. Thirdly, block them in Windows Server Update Services (WSUS).

“The lack of transparency, specifically regarding documentation, creates huge problems for business users. The biggest beef I might have with that is that it’s a 'lie of omission',” says Pott, because for many patches, the documentation doesn't disclose the full extent of their behaviour.

“Microsoft is decreasing the number of versions of Windows and removing user options for how they control, delay, prune, filter or throttle patches,” says Pott. "Sysadmins want clarity on what's in patches and control over all aspects of their systems – it's a pack of vague lies, outright lies and misinformation.”

Microsoft’s official position is this. The company told us:

Quote
Customers can choose to not install the Windows 10 upgrade or remove the upgrade from Windows Update (WU) by altering the WU settings. The Get Windows 10 app functions within the Windows 7 and Windows 8.1 notification manager control panel and customers can turn off upgrade notifications in the system tray. The Get Windows 10 app icon can also be removed in the system tray. For IT administrators, it is possible to disable the upgrade using Group Policy settings or by using the DisableUpgrade registry key. All other registry keys are not supported mechanisms for controlling notifications or controlling the upgrade process and are not recommended by Microsoft. Please see KB 3080351 for more information.

But that is far from the full picture. The advice doesn’t address the fact that GWX mutates and removing those updates ultimately fails to prevent GWX reappearing.

Last week corporate IT admins had to pull an IE security patch as it had created a new attack vector for GWX. This forced the Get Windows 10 nagware onto domain-attached PCs. It seems no user inconvenience is too great for us, so Microsoft continues its assault with this promotional scheme.

Microsoft has been keen to stress that cloud computing won’t succeed without the public’s trust. But its use of hyper-aggressive malware techniques in its GWX, and lack of transparency, suggests it needs to do much to clean up its own backyard.

(Thanks to reader ‘Snake’ for his sleuthing).

Article source
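An added worked example, not part of the article above or the reader's investigation it reports: an elevated PowerShell script that walks the removal list the article gives (every installed CBS revision of KB2952664 and KB3035583, the SoftwareDistribution\Download cache, the System32\GWX folder), hides the pending offers through the Windows Update Agent API, sets the two policy values KB 3080351 documents (DisableOSUpgrade under Policies\...\WindowsUpdate and DisableGwx under Policies\...\Gwx, the values the article's "DisableUpgrade registry key" refers to), and then audits, without deleting, the Component Based Servicing keys the article says are left behind. The $DryRun switch and the function names are this script's own; dism.exe, takeown.exe, icacls.exe and the Microsoft.Update.Session COM object are standard on Windows 7 SP1 and 8.1. An English locale is assumed for takeown's /d y prompt answer and the Administrators group name.

```powershell
# Added example, not from the article or the thread: remove every installed revision
# of the GWX updates, purge the cache, hide the offers, set the KB 3080351 policy values,
# and audit leftover CBS registry keys. Run in an elevated PowerShell (2.0 or later).
# $DryRun and the function names are this script's own inventions.
param([switch]$DryRun)

$Kbs     = '2952664', '3035583'
$KbRegex = 'KB(' + ($Kbs -join '|') + ')'

function Get-GwxPackages {
    # dism lists one package identity per installed revision, e.g.
    # Package_for_KB2952664_SP1~31bf3856ad364e35~amd64~~6.1.15.2
    # Several revisions can sit side by side, which is why a single uninstall is never enough.
    & dism.exe /Online /English /Get-Packages | ForEach-Object {
        if ($_ -match '^Package Identity\s*:\s*(\S+)') {
            $id = $Matches[1]
            if ($id -match $KbRegex) { $id }
        }
    }
}

function Remove-GwxPackages {
    foreach ($pkg in @(Get-GwxPackages)) {
        Write-Host "Removing $pkg"
        if (-not $DryRun) {
            & dism.exe /Online /English /NoRestart /Remove-Package "/PackageName:$pkg" | Out-Null
        }
    }
}

function Clear-GwxCache {
    # Cached .cab files let a removed revision reinstall without a fresh download. The GWX
    # folder holds the nag executable and is owned by TrustedInstaller, so ownership is taken
    # first; the running GWX.exe is stopped so the delete is not blocked by an open handle.
    Stop-Service wuauserv -Force
    Get-Process GWX -ErrorAction SilentlyContinue | Stop-Process -Force
    $dl = Join-Path $env:windir 'SoftwareDistribution\Download'
    Get-ChildItem $dl -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $KbRegex } |
        ForEach-Object {
            Write-Host "Deleting $($_.FullName)"
            if (-not $DryRun) { Remove-Item $_.FullName -Recurse -Force }
        }
    $gwx = Join-Path $env:windir 'System32\GWX'
    if ((Test-Path $gwx) -and -not $DryRun) {
        & takeown.exe /f $gwx /r /d y | Out-Null
        & icacls.exe $gwx /grant Administrators:F /t | Out-Null
        Remove-Item $gwx -Recurse -Force
    }
    Start-Service wuauserv
}

function Hide-GwxOffers {
    # Hide pending offers via the Windows Update Agent COM API (needs access to the update
    # source). Hiding is per update revision: a re-released KB2952664 is a new offer, which is
    # the article's whole point, so the policy values below are the durable control.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    foreach ($u in $result.Updates) {
        $hit = $false
        foreach ($kb in $u.KBArticleIDs) { if ($Kbs -contains $kb) { $hit = $true } }
        if ($hit) {
            Write-Host "Hiding $($u.Title)"
            if (-not $DryRun) { $u.IsHidden = $true }
        }
    }
}

function Set-GwxPolicy {
    # The two policy values KB 3080351 documents. Pushing the same Policies\ keys by GPO is
    # the domain-wide equivalent and is not invalidated by a new package revision.
    $policy = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' = 'DisableOSUpgrade'
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Gwx'           = 'DisableGwx'
    }
    foreach ($path in $policy.Keys) {
        Write-Host "Setting $path\$($policy[$path]) = 1"
        if ($DryRun) { continue }
        if (-not (Test-Path $path)) { New-Item $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name $policy[$path] -Value 1 -Type DWord
    }
}

function Get-GwxCbsKeys {
    # Audit only. These keys belong to the servicing stack: dism /Remove-Package retires its
    # own entries, and deleting leftovers by hand means taking ownership from TrustedInstaller.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing'
    foreach ($sub in 'Packages', 'PackageDetect') {
        Get-ChildItem (Join-Path $cbs $sub) -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match $KbRegex } |
            ForEach-Object { $_.Name }
    }
}

Write-Host 'Installed GWX package revisions before removal:'; Get-GwxPackages
Remove-GwxPackages
Clear-GwxCache
Hide-GwxOffers
Set-GwxPolicy
$left = @(Get-GwxCbsKeys)
Write-Host "CBS registry keys still referencing the GWX updates: $($left.Count)"
$left
```

Run it once with -DryRun to see what it would touch, then without, and reboot, since dism's package removal is only completed at the next start. The leftover-key count it prints at the end is the figure the article's "80 registry entries" refers to; if it is not zero after the reboot, the remaining keys are the PackageDetect entries for revisions that were superseded rather than installed, and they are harmless as long as the policy values are in place. For the WSUS step Pott recommends, the equivalent on a Server 2012 or later WSUS host with the UpdateServices module is to decline the updates by title: Get-WsusUpdate -Approval AnyExceptDeclined | Where-Object { $_.Update.Title -match 'KB2952664|KB3035583' } | Deny-WsusUpdate (the title match is an assumption about how the updates are named in your catalogue; check with Get-WsusUpdate first).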
vibranium Posted March 18, 2016

Microsoft should be held accountable for this unprecedented, aggressive campaign of pushing Windows 10.
straycat19 Posted March 18, 2016

No one is going to hold them accountable, and the more idiots that install Windows 10, the more it lends credence to and justifies their actions. Just turn off updates and you never have to worry about it again. Updates are overrated anyway. For everything they fix they create at least one vulnerability somewhere else. Based on all the updates they release, that is the only logical conclusion, other than that Windows is like a sieve, so full of holes you couldn't patch it in 20 lifetimes.
OrbingStorm Posted March 18, 2016

They certainly went down the wrong path IMO. They have created a culture of mistrust and lack of concern for the user as they strive to make more money from cloud services and apps. Perhaps their greed will be their undoing as more migrate to Apple and Linux. The average user not interested in their PC won't care at all though, and the ball will keep rolling downhill as the user becomes Microsoft's data gold mine.
steven36 Posted March 18, 2016

Sad thing is it would take a miracle to make people switch to Mac OS X and Linux. Still, there's some in the Linux community that pray the Windows 10 thing will blow up in their face and Linux come out swinging. I simply don't care if you use Windows 10 or not. I just wish they would leave me alone. Telling people to never do updates, they'd be better off updating to Windows 10. If I didn't want updates I'd just load up XP. If you don't do updates Microsoft has won. Because it's not about making money, it's about saving money. If you don't do the updates you're one less person they have to service. You don't hurt Microsoft, you only hurt yourself. What makes them mad is people doing updates and being able to get around Windows 10. I've been winning so far ever since I bought this Windows 8.1 rig. They will never win, because the day my PC loads up Windows 10 before 2023, when my updates run out, will be the day I wipe it and put Linux on it and still get updates.

Before Windows most people used a word processor, OS/2, then came Windows 3.0 with MS-DOS.

Quote
Windows 95, 98, 98 SE, and ME pushed DOS further to the background. Windows 95 acted like an operating system of its own, but DOS always lurked in the background. These versions of Windows were still built on DOS. It was only with Windows XP that consumer versions of Windows finally left DOS behind and switched to a modern, 32-bit Windows NT kernel.
http://www.howtogeek.com/188980/pcs-before-windows-what-using-ms-dos-was-actually-like/

All people know for 25 years is Windows really. It's hard to teach an old dog new tricks. But this old dog is still teachable.
David Posted March 18, 2016

6 hours ago, steven36 said: (quoting the post above in full)

ahaha, I still have my 486 system and can still load Windows 3.11, still works, but it's in the attic now.