Can someone actually do something productive, like following the URLs backward and searching DLLs and EXE files for keylogging stuff? At least find out which applications write to what data files and stuff?
I'm too distracted with a party here lol. Anyway... Smorg, if you are around, check these diagtrack.dll and diagtrack_win.dll against your vortex.data.microsoft.
I'll be doing so, but I've had a busy week, so it's just a matter of finding the time. I have all the tools on a copy of Enterprise 10 to do the network tracing and reversing.
What about just doing it instead of pussyfooting around? Finally it is just about finding it.... I mean you are online here every day talking....
We can look through the Windows registry for that, cause all of that stuff will be there. Going through the Wireshark report after blocking Application Data reporter IP: 65.55.108.23

Additional addresses to block:
66.39.117.230
23.218.212.69 - Akamai Technologies
134.170.30.202
137.116.81.24
statsfe2.ws.microsoft.com
vortex.data.microsoft.com
131.253.34.30 - settings-sandbox.data.microsoft.com
131.253.34.23 - vortex-sandbox.data.microsoft.com

We need to do some blocking outside the hosts file for 134.170.30.202.
Well yah, but I'm trying to figure out what gets logged or not. If the keylogger is only running during IE, then someone can run Chrome for some privacy, but if it's running all the time, they cannot.
The testing I am doing is just creating a txt file such as sample.txt. When I had Wireshark running in parallel with this, all application data was being run across the eth0 network pipe. This is most alarming, as I was running it for no more than 5 minutes. I would not be surprised if all applications in some way, shape or form report across the network. However, it seemed all of that was being directed to: 65.55.108.23

Now let's get along to looking at IE.
Additional IPs: 137.116.81.24 (Application data)
Primary encryption means: TLSv1.2 (is secure)
Ahh right... the constant logging of which programs are being run makes it harder to determine which one is keylogging. I dunno what to suggest then... We know it's related to auto-fill stuff... so perhaps some creativity in IE and/or the search boxes...
Ya, that's the problem. Everything is being logged, so nailing down what does what is like playing whack-a-mole. However, that being said, most of the traffic goes over: 65.55.108.23
Smorg, how does one go about finding these things? Do you run Wireshark to find out which IP addresses they are using? I've IP-address searched a few things like the Google and their cloud thing the other day. But I really wanna get a clue about this stuff for when Win10 progresses. You know how people were finding out about the Mark Monitor crap in Win8? I didn't know about that stuff till like months after, and I feel like I wish I did. Can you recommend some strategies for spying out this crap?
I run Wireshark. Well, it's handy when you put a reversing / network monitoring pack together so all the tools are there for you. Run Wireshark for about 1 minute while using programs under Windows 10. (Why so little time? Because of the sheer amount of information you get from it, which is probably not good, but hey, at least you have plenty to go off of.) This means any programs run. This will trigger the logging of data from the machine you're on to be pushed over the network card to MS. You will get a ton of information from that; however, in order to consolidate it down, look for those IPs I mentioned.
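One way to do that consolidation step, as an added example that is not from any poster in this thread: aggregate a tshark CSV export of a short capture by destination IP and flag the endpoints listed earlier in the thread. The CSV rows below are constructed for illustration, and the tshark field list in the comment is the assumed export format.

```python
"""Consolidate a short Wireshark capture down to the destinations that matter.

The sample export is constructed, not a real capture.  It mimics
  tshark -r capture.pcap -T fields -E header=y -E separator=, \
         -e ip.dst -e frame.len -e tcp.dstport
"""
import csv
import io
from collections import defaultdict

# Endpoints named earlier in the thread, with the labels the posters gave them.
WATCHLIST = {
    "65.55.108.23": "Application Data reporter",
    "137.116.81.24": "Application data",
    "134.170.30.202": "bypasses hosts file, block outside it",
    "131.253.34.30": "settings-sandbox.data.microsoft.com",
    "131.253.34.23": "vortex-sandbox.data.microsoft.com",
}

# Constructed sample rows; UDP (DNS) rows have an empty tcp.dstport field.
SAMPLE_EXPORT = """\
ip.dst,frame.len,tcp.dstport
65.55.108.23,1514,443
65.55.108.23,1514,443
65.55.108.23,590,443
137.116.81.24,1200,443
134.170.30.202,800,443
192.168.1.1,90,
8.8.8.8,74,
"""

def summarise(export_text):
    """Aggregate packets, bytes and TCP ports per destination IP."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "ports": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        dst = row["ip.dst"]
        if not dst:
            continue  # non-IP frame (ARP etc.): nothing to attribute
        entry = totals[dst]
        entry["packets"] += 1
        entry["bytes"] += int(row["frame.len"])
        if row["tcp.dstport"]:
            entry["ports"].add(int(row["tcp.dstport"]))
    return dict(totals)

def flag_watchlist(totals, watchlist=WATCHLIST):
    """Watchlisted destinations seen in the capture, biggest talker first."""
    hits = [(ip, watchlist[ip], t["bytes"]) for ip, t in totals.items() if ip in watchlist]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

def share_to_watchlist(totals, watchlist=WATCHLIST):
    """Fraction of all captured bytes that went to watchlisted endpoints."""
    total = sum(t["bytes"] for t in totals.values())
    flagged = sum(t["bytes"] for ip, t in totals.items() if ip in watchlist)
    return flagged / total if total else 0.0

if __name__ == "__main__":
    totals = summarise(SAMPLE_EXPORT)
    for ip, label, nbytes in flag_watchlist(totals):
        print(f"{ip:<16} {nbytes:>6} B  {label}")
    print(f"{share_to_watchlist(totals):.0%} of captured bytes went to watchlisted endpoints")
```

Feed it a real export from the one-minute capture described above and the watchlist hits come out ordered by volume, so the noise from every other destination drops away.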
Yah, I definitely think I'm going to be learning a lot more about this IP sleuthing before forking out money for Win10. I don't like the way they were previously talking about how Win10 was going to be all cloud. Plus they got the Mark Monitor, which we know monitors a system's whereabouts using the name servers. Plus they're the FISA court's bi**h. Ugh... even if they don't include this ridiculous spyware in the RTM, we're still gonna probably have to block like 10 addresses. Right now we already sorta block the 3 KMS addresses, and I guess we ignore the Mark Monitor stuff. We're sloppy, man... We need to tighten this ship up.
We can somewhat tighten up and find what is going where. I don't like where this is going in terms of blocking IPs. And keep your pants on, YEN, I'm working on it (tttthhbbbttt)
Even adding entries to the hosts file is iffy protection at best. I remember when XP SP2 came out, Windows started bypassing the hosts file.
In another topic around here it was also suggested to use this, can you confirm it?
Code:
127.0.0.1 telecommand.telemetry.microsoft.com.nsatc.net
Only 134.170.30.202 bypasses the hosts file at this time. @badboy77, go ahead and add that as well; we can make a list of what should be blocked by the hosts file in Windows 10 TP.