WTF: Microsoft Windows 10 Enterprise 90-day "trial" rootkit?

  • Question

  • Hello everyone,

    I downloaded the evaluation copy of MS Windows 10 Enterprise a few days ago, burned the image onto a DVD-ROM and installed it per the given instructions; however, it seems that I have installed a rootkit instead. It is apparent in the number of executables in the Windows/Windows32 subdirectory which return positive virustotal.com results when queried with the sigcheck prompt (Microsoft System Internal Tools). Also, this image of W10 Ent would not allow me to set up appropriate firewall protection, as any attempt to do so (allow only ports 53, 80 and 443 for the TCP and UDP protocols, for local and remote connections) ends either with a full network block (local rules seem not to be effective) or with these ports getting forwarded onto ports 50000 and up (netstat prompt). Although a lame question (sorry, newbie here! :), are these local ports supposed to be that wide open, or should they also be limited in the same manner as the remote ports (53, 80, 443)?

    And finally, is there any other way to make this image work as a secure OS environment, or is this some kind of "feature" which the Windows 10 Enterprise evaluation copy is based upon, in order for MS to disable the system if anyone then used this licence in excess of the set 90 days, I wonder...?

    Thanks

    Zdenek

    List of executables which returned as "false positives"....

    C:\Windows\System32>sigcheck -u -v

    Sigcheck v2.50 - File version and signature viewer
    Copyright (C) 2004-2016 Mark Russinovich
    Sysinternals - www.sysinternals.com

    C:\Windows\System32\baaupdate.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    BitLocker Access Agent Update Utility
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/53
            VT link:        https://www.virustotal.com/file/f246602378b9f96ce6e222ffad8da6ce457366951270c9ec166ff1e1602aebfa/analysis/
    C:\Windows\System32\BitLockerWizard.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    BitLocker Drive Encryption Wizard
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/124cf0f3fa82ad26939a649d4351186e56fcbf47e5b4ae93f356d359dbb4832a/analysis/
    C:\Windows\System32\BitLockerWizardElev.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    BitLocker Drive Encryption Wizard
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/a578ef511c82d6c7453fbce3956ade75d340bcef4317f69a30d1c87d551d435f/analysis/
    C:\Windows\System32\colorcpl.exe:
            Verified:       Signed
            Signing date:   05:54 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Microsoft Color Control Panel
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/f7c21c2db8775dd333fc1c13c40297b0fbb9738ce04da306d19368cd41b6f7d3/analysis/
    C:\Windows\System32\desk.cpl:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Desktop Settings Control Panel
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/34e466530106210d1e48f7b0ef5adc5c32b8b7cd0fb0562ab033bfe9d5371cf5/analysis/
    C:\Windows\System32\DeviceProperties.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Device Properties
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/52
            VT link:        https://www.virustotal.com/file/9177eff3c32a186cee7b2b73dc18e326cf8a853552acb1d6f688dd22a289c66a/analysis/
    C:\Windows\System32\dnsapi.dll:
            Verified:       Signed
            Signing date:   03:31 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    DNS Client API DLL
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/b51a82ed2d45855ea9018b6269931ca62f3dc430fd513c7e751fc2cb76014bab/analysis/
    C:\Windows\System32\DpiScaling.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Display Control Panel
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/9112432e2517daecab86066de8840ecbafc7ec17b5f8ccc1841eb611676d3e1d/analysis/
    C:\Windows\System32\Fondue.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Windows Features on Demand UX
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/53
            VT link:        https://www.virustotal.com/file/b388e5fd4fc795434bffef1f5719624740731eb53856b61fd99dc5471d4852d8/analysis/
    C:\Windows\System32\fontview.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Windows Font Viewer
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/d70bd91c24a121c36011fc436eed1c9d24462a116a9a1b4af52f8f8242f0a068/analysis/
    C:\Windows\System32\fveprompt.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    BitLocker Drive Encryption
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/39bd8b96bba685e381fcaed51b5bd8a9bcffdc9a924e48adc427c7e1e21f1e0f/analysis/
    C:\Windows\System32\iscsicpl.exe:
            Verified:       Signed
            Signing date:   05:53 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Microsoft iSCSI Initiator Configuration Tool
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/5a63ada152de5d53d1657859dfa49132ec25f7ba63b41598de62aff6c297f0ff/analysis/
    C:\Windows\System32\kbd101.dll:
            Verified:       Signed
            Signing date:   05:54 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    JP Japanese Keyboard Layout for 101
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/7ee9e098bb277c1a3db795b81a3d3b4b9fabff4f982488b4c8f8fa439d1055b1/analysis/

    Friday, February 26, 2016 9:15 PM

All replies

  • And a bit more...

    C:\Windows\System32\miguiresource.dll:
            Verified:       Signed
            Signing date:   05:51 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    MIG wini32 resources
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/caa32d4616e37731347d54a848422a5c53bf6e4f2c1b90df3c200fdace5f5183/analysis/
    C:\Windows\System32\mobsync.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Microsoft Sync Center
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/996cc0a0b28099bec3f24c97b517abd04b8c76c8093011efbbb9683dc17f4005/analysis/
    C:\Windows\System32\MSchedExe.exe:
            Verified:       Signed
            Signing date:   05:51 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Automatic Maintenance
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/3dd90debdca77d70594ae1c1256794d37731ad86252237adb99abfea9b2d34c6/analysis/
    C:\Windows\System32\Narrator.exe:
            Verified:       Signed
            Signing date:   05:53 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Screen Reader
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/4dcfc392def8bccdc95b776a888e9255f5579c358a481918f09d05d0aae051fc/analysis/
    C:\Windows\System32\provlaunch.exe:
            Verified:       Signed
            Signing date:   05:51 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Provisioning package runtime command launching tool
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/e8883ac9a0aef618228aafb720e66e549ffe49f54b01345f66ddfe4e51667a43/analysis/
    C:\Windows\System32\repair-bde.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    BitLocker Drive Encryption: Repair Tool
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/047310519bdd2c234cfe98dceafbbb750804d76959c863c50c681e1a5ffda0c3/analysis/
    C:\Windows\System32\resmon.exe:
            Verified:       Signed
            Signing date:   06:10 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Resource Monitor
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/f62e4ff37418288692cc73f7b1bb5e8236a505e95df77786b8497cfc72b920e0/analysis/
    C:\Windows\System32\simpdata.tlb:
            Verified:       Signed
            Signing date:   05:53 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    OLE DB Simple Provider Type Library
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/3f4b572576fb9ab1fbf70e07ea388dce68ee5b034e6ed59cef59e7bfd0632a35/analysis/
    C:\Windows\System32\SppExtComObj.Exe:
            Verified:       Signed
            Signing date:   05:52 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    KMS Connection Broker
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/6b23e062c63532e7bc44f8b9c951180d7b2625d805a1be8285c883af46c91941/analysis/
    C:\Windows\System32\sysdm.cpl:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    System Applet for the Control Panel
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/55
            VT link:        https://www.virustotal.com/file/b52474880eed669a46939f2f31a591f4f675db15f4ca0dbecd87c9bfa751349b/analysis/
    C:\Windows\System32\SystemPropertiesAdvanced.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Advanced System Settings
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/8f3028a5de892b73bb0e1e903d47f0839ba123a41865dca4c427edc434b20318/analysis/
    C:\Windows\System32\SystemPropertiesComputerName.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Change Computer Settings
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   2/53
            VT link:        https://www.virustotal.com/file/1c23255c42cef7e1c952fe41711b02686f03a07b15d80ae76b67fd623d9b3c50/analysis/
    C:\Windows\System32\SystemPropertiesHardware.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Hardware Settings
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   2/53
            VT link:        https://www.virustotal.com/file/c3db04a73c9b7a98be5eeee7ee1dc3c6f5954f2484b8f2e29ef3d9f6ee6566ae/analysis/
    C:\Windows\System32\SystemPropertiesPerformance.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Change Computer Performance Settings
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/d47fb2367f3173da7e26ca68a8f50fee00e969f150d83d2d0137a4e933941707/analysis/
    C:\Windows\System32\SystemPropertiesProtection.exe:
            Verified:       Signed
            Signing date:   05:55 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    System Protection Settings
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/56
            VT link:        https://www.virustotal.com/file/52fdc1475341ff03cb583df22073e008596504afe21542c3d549cedc16095090/analysis/
    C:\Windows\System32\telephon.cpl:
            Verified:       Signed
            Signing date:   05:48 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Telephony Control Panel
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/53
            VT link:        https://www.virustotal.com/file/8b02b9b99628570b13d23fe4326f5f1c2ed62c40cec1ed334be9f602972db1b1/analysis/
    C:\Windows\System32\wextract.exe:
            Verified:       Signed
            Signing date:   05:48 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Win32 Cabinet Self-Extractor
            Product:        Internet Explorer
            Prod version:   11.00.10586.0
            File version:   11.00.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/7f322ad51dcd7f0b09e7b2e24c10b94dfc83471bfc49394228ace2e9afa01e60/analysis/
    C:\Windows\System32\zipcontainer.dll:
            Verified:       Signed
            Signing date:   05:51 30/10/2015
            Publisher:      Microsoft Windows
            Company:        Microsoft Corporation
            Description:    Zip Container DLL
            Product:        Microsoft« Windows« Operating System
            Prod version:   10.0.10586.0
            File version:   10.0.10586.0 (th2_release.151029-1700)
            MachineType:    64-bit
            VT detection:   1/54
            VT link:        https://www.virustotal.com/file/810e77ad14893ecf25000a4a9b867278e7da07e5ec578de1270a8d4b2997ff4a/analysis/

    Saturday, February 27, 2016 2:52 AM
  • I have been looking into your issue for a while; I have seen no rootkit infections associated with the Windows 10 image you are talking about. Here are a couple of thoughts for consideration. Most extreme 1st....

    1. Could it be that you are a victim of a man in the middle (MIM) attack or an ARP attack?
    2. Could it have been that your system was already infected and ultimately, by attempting to do this install it was (the rootkit) exposed?
    3. Is it possible that these are "false Negatives"? Sometimes VT is a little over-aggressive, as its findings are reputation based, and relatively new files, never having been scanned before, have not been "added" or updated to the VT database.

    Ultimately I understand your concern, and I even recognize that your issue, from February 2016, has long since been solved, I am sure. I think the real issue is that Microsoft, having gotten very bad grades in the "Privacy" sector issues for Windows 10 builds, has been experimenting with technologies that may indeed "mimic" some of the same issues, i.e. feedback forum, bug reporting tools, etc... Most of this post is just thoughts, but I found the issue "intriguing", as you may be one of the few people that actually sniffed out an insider preview issue.


    Best Regards, John

    Friday, September 30, 2016 3:39 PM
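
As an added example, not code from this thread or from Sysinternals, the following Python script parses `sigcheck -u -v` output in the layout pasted in the question and sorts each file the way John's third point suggests reading these numbers: a validly signed Microsoft binary with one or two engine hits out of fifty-odd is far more likely a single vendor's heuristic misfire than a rootkit, whereas an unsigned file with many hits, or a file VirusTotal has never seen, is what deserves a closer look. The sample output, the `max_fp_hits` threshold, the `Verified: Unsigned` / `n/a` layout of the non-Microsoft entries and the category names are constructed assumptions for this example.

```python
"""Triage helper for `sigcheck -u -v` text output (added example).

Reads the per-file blocks that Sysinternals sigcheck prints (file path line
ending in ':' followed by indented 'Key:   value' lines) and classifies each
entry. Thresholds and category names are assumptions made for this example,
not anything sigcheck defines.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the same layout as the poster's output. The VT links
# are placeholders, not real analysis URLs; only the first entry mirrors a
# genuine Microsoft-signed file with a 1/54 verdict.
SAMPLE = """\
C:\\Windows\\System32\\colorcpl.exe:
        Verified:       Signed
        Signing date:   05:54 30/10/2015
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Microsoft Color Control Panel
        Product:        Microsoft Windows Operating System
        Prod version:   10.0.10586.0
        File version:   10.0.10586.0 (th2_release.151029-1700)
        MachineType:    64-bit
        VT detection:   1/54
        VT link:        https://www.virustotal.com/file/PLACEHOLDER-HASH-1/analysis/
C:\\Users\\demo\\Downloads\\updater.exe:
        Verified:       Unsigned
        Link date:      12:00 01/01/2016
        Publisher:      n/a
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    64-bit
        VT detection:   23/55
        VT link:        https://www.virustotal.com/file/PLACEHOLDER-HASH-2/analysis/
C:\\Windows\\System32\\example.dll:
        Verified:       Signed
        Signing date:   05:51 30/10/2015
        Publisher:      Microsoft Windows
        Company:        Microsoft Corporation
        Description:    Example DLL
        Product:        Microsoft Windows Operating System
        Prod version:   10.0.10586.0
        File version:   10.0.10586.0 (th2_release.151029-1700)
        MachineType:    64-bit
        VT detection:   n/a
        VT link:        n/a
"""

# A file header is an unindented line ending in ':' (the path itself contains
# a drive-letter colon, so we anchor on the trailing one).
HEADER_RE = re.compile(r"^(\S.*):\s*$")


@dataclass
class Entry:
    path: str
    fields: dict = field(default_factory=dict)


def parse_sigcheck(text):
    """Split sigcheck output into Entry objects; banner lines are ignored."""
    entries = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        header = HEADER_RE.match(line)
        if header and not line[0].isspace():
            current = Entry(header.group(1))
            entries.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as times and URLs
            # contain colons of their own.
            key, _, value = line.strip().partition(":")
            current.fields[key.strip()] = value.strip()
    return entries


def detection_ratio(value):
    """Return (hits, engines) for 'N/M', or None when VT gave no verdict."""
    m = re.fullmatch(r"(\d+)/(\d+)", value.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(entry, max_fp_hits=2):
    """Classify one entry. max_fp_hits is an assumed threshold for this example."""
    ratio = detection_ratio(entry.fields.get("VT detection", ""))
    if ratio is None:
        return "no-vt-verdict"          # never scanned: hash is new to VT
    hits, _engines = ratio
    if hits == 0:
        return "clean"
    signed = entry.fields.get("Verified", "") == "Signed"
    microsoft = entry.fields.get("Publisher", "").startswith("Microsoft")
    if signed and microsoft and hits <= max_fp_hits:
        # A valid Authenticode signature means the bytes are exactly what
        # Microsoft shipped; a one- or two-engine hit is a vendor heuristic.
        return "likely-false-positive"
    return "investigate"


def summarize(text):
    """Count entries per category for a whole sigcheck run."""
    counts = {}
    for entry in parse_sigcheck(text):
        category = triage(entry)
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse_sigcheck(SAMPLE):
        print(f"{triage(e):22} {e.fields.get('VT detection', '?'):>6}  {e.path}")
    print(summarize(SAMPLE))
```

Run it against a saved copy of the `sigcheck -u -v` output rather than the sample to get the same per-file table for a real box. The classification only says where to spend attention first; it does not prove the absence of a rootkit, because a kernel-mode rootkit that hides its files from the running system would never appear in sigcheck's listing at all, so the complementary check is a scan from trusted boot media and a comparison of the install image's hash against the value Microsoft publishes for it.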