• BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now


    #2263057

    Lawrence Abrams has a significant discovery: Microsoft has quietly added a built-in network packet sniffer to the Windows 10 October 2018 Update, and
    [See the full post at: BleepingComputer: Win10 version 1809 got a network sniffer, and nobody noticed until now]

    7 users thanked author for this post.
    • #2263073

      Remember when you could use your PC for what you wanted to?  So much for anonymously using your machine.  Wonder if they are going to crack SSL?

      • #2263081

        The article that’s referred to in Bleeping Computer, says that the packet monitor is intended for only your use on your computer, NOT for Microsoft (or any other outfit/person) to spy on what you’re doing on or with your computer.

        It’s designed for you to monitor the network traffic to and from your computer yourself using a program within Windows, rather than a third party program such as Wireshark.

        Edit for content. Please follow the Lounge Rules.

        3 users thanked author for this post.
        • #2263095

          If it’s on your computer and you don’t have an extensive background (I don’t) regarding MSFT’s abilities behind the scenes, then that article isn’t going to educate to any great degree.

          Why would msft put a tool for ME on the system and not BOTHER to bring it to anyone’s attention? Perhaps because they use it on your system too!

          Skeptical

          Edit for content.

    • #2263079

      So does this sniffing tool run in the background as part of Microsoft’s Telemetry system ?

      3 users thanked author for this post.
    • #2263085

      Thanks again for this info Woody.

      Now, simple question.

      Can we get rid of IT.

      Windows 10 uses so many more resources (especially CPU) that it does at times interfere with gaming. I still use W7 for gaming but, sometimes, I try it on my W10 machine and go back to 7 every time. My W10 machine is recent and has 1909 installed. It is a stable platform but, at 130 processes compared to 62 on my W7 machine, I really don’t like it.

      Sorry for the rant. My initial question still stands though, if anyone can answer it please.

      Thanks

      Flashorn.

      • #2263093

        Why get rid of it? It is only run if you run it. So, it is a very minor amount of disk storage.

        --Joe

        1 user thanked author for this post.
      • #2263096

        The larger number of processes on Windows 10 is largely from having the various service host processes load as an individual process rather than lumped together. This improves system stability so that if there is a problem with a process that process can be terminated without terminating several others that are running OK.

        Also, all browsers that I know about have multiple processes running for the same reason as the service host processes being split. It makes for a more stable environment. It is also more secure as each process is isolated from the others.

        Yes, there is more going on with Windows 10 than with Windows 7. You can take a look at this older information on Windows 10 service tweaking – Black Viper’s Windows 10 Service Configurations. Some may still be useful.

        --Joe

        3 users thanked author for this post.
    • #2263094

      Why get rid of it? It is only run if you run it. So, it is a very minor amount of disk storage.

      Who can guarantee that it won’t be stealthily invoked by Microsoft or used by a rootkit, trojan, botnet… in the future?

      • #2263097

        Who can guarantee that any program included will not be compromised?

        Who can guarantee that any program will not be invoked by Microsoft?

        Do you go through and remove all the tools included in Windows just to be safe?

        If you are that concerned go to a different OS and take your changes there.

        --Joe

        1 user thanked author for this post.
        • #2263146

          …and take your changes there.

          I take it you meant to say “…and take your chances there.” ?

    • #2263102

      Do you go through and remove all the tools included in Windows just to be safe?

      If there is no malicious intent in adding the tool, why isn’t there any Microsoft documentation in 2 years?

      Before the BleepingComputer post, who knew about the tool?

      2 users thanked author for this post.
      • #2263135

        If there is no malicious intent adding the tool why isn’t there any Microsoft documentation in 2 years ?

        It’s documented by Microsoft with instructions (three days ago) as the preferred method of verifying DoH after setup:

        Now that you have Windows configured to use DoH, you should be able to verify it’s working by seeing no more plain text DNS traffic from your device. You can do this by using Packetmon, a network traffic analyzer included with Windows.
        Windows Insiders can now test DNS over HTTPS

      • #2263137
        • #2263145

          Just to keep the tin hat nearby, the article you reference above on testing DoH within Windows 10 was just written this past Wednesday, from what I see of the days/dates things have been written on that page. Granted, Lawrence’s article was posted today, the 16th of May.

          I will say this, though: Lawrence doesn’t say anywhere in the article just how he found out about pktmon.exe being in version 1809 in the first place, nor if it might happen to exist in any earlier versions of Win 10.

          Things that make you go “Hmmmm”.  😉

          1 user thanked author for this post.
    • #2263103

      Hey Joe!

      Appreciate your response but, my question was not Why, but Can I?

      And as Alex has mentioned, I too am wary of MS. It’s not the disk space. I have lots of space on this NVMe.

      As for Viper, I have been aware of and reading him since he became Viper. I have also found that, every time we upgrade to a new version, it changes some of his recommendations so, lots of work compared to W7 or Vista or XP.

      So, if you could help in me removing this new addition, I would be very grateful.

      Thanks again for your input. Appreciate it.

      Flashorn.

      • #2263124

        Flashorn: If you just want to remove this, it should be pretty straightforward.  Go to %windir%\system32, and just delete or rename the file “PktMon.exe”.

        Note though that you’ll get an “Access is denied” message if you attempt this thru a normal command window.  So you’ll need to be a TrustedInstaller.  To do that I use NSudo, which you can download from MajorGeeks at: https://www.majorgeeks.com/files/details/nsudo.html

        If you use NSudo to do this, just keep this warning in mind (from the MajorGeeks web page): “NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause.”

        • #2263188

          From MajorGeeks, the download page generates:

          [screenshot: infected-MajorGeeks]

          1 user thanked author for this post.
          • #2263212

            DriftyDonN:  Thanks for letting me know about this.  I’m seeing the file show up as infected now as well.  Just 7 days ago (on 5/9/2020) I was at that same URL to download the same file, and had no issues at all — no sign of any infection then.  But today (5/16/2020) the download link shows up as infected for me too — from two different computers.

            I just now sent an email to the MajorGeeks website admin to report this issue.  So hopefully, they’ll either fix the problem or (at least temporarily) disable the download links.  But in the meantime, please do not download or use that newly posted version of the NSudo software — at least not what’s currently posted at the MajorGeeks website.

            1 user thanked author for this post.
          • #2263360

            Some people really do need protecting from themselves. If you don’t understand what it does, you really shouldn’t be using it (as stated on the download page); a tool that terminates Windows security – surely that’s malicious – except when it’s needed…

            • #2263385

              As this appears as a reply under my post, I assume you are talking TO me. What exactly do you think you know about what you are putting forth here? Your comment is unclear and I am curious what you are talking about?

              DDN

            • #2263396

              Did you read the Majorgeeks page before downloading the zip?

              No.

              A snippet from the middle section:

              NSudo is a handy utility but should only be used by advanced users who understand what it does and the problems it could potentially cause. It has a lot of uses, for example, to assist in disabling the Windows Defender Security Health Service. Here’s how you can do that from our friend Snappy Phoenix:

              “While you can easily disable Windows Defender and all its startup entries/tasks in task scheduler, there is one service that is protected if you check it in services.msc and won’t allow you to change its status to disabled.

              Here is how you can disable it:

              There are some useful clues there, some repeated, that may help you to understand what your SmartScreen/security is alerting you to.

              1 user thanked author for this post.
            • #2263407

              You can’t get the refusal screenshot without clicking a download link, browser pre-loading/-fetching/pet cat?

              Look at the ‘Threat name’ in your screenshot – it begins with Gen. – Generic (guesswork/looks or acts like) – there’s no real detection other than ‘hey, this is a tool that can be used to turn off Windows security’. That was already stated on the MajorGeeks page and shouldn’t have been a surprise.

              I did download it, I also extracted it, and uploaded the zip and multiple ‘infected’ .dll and .exe for fresh examination at Virustotal. I’m not convinced that there are any infected files in there at all, it looks like a useful tool that can set off a few tripwires.

              Nothing new there, Russinovich had at least three of his Sysinternal tools treated in the same way, Nir Sofer has always had this ‘problem’ with many of his tools.

              Are they infected? No. Can they be used nefariously? Yes.

              3 users thanked author for this post.
            • #2263422

              satrow:  I use NSudo all the time; and whenever I need to update it I do so via the MajorGeeks website, which I also generally consider a trustworthy source for downloads.  However, having said that, I would advise you to not trust that copy of NSudo that you just downloaded.

              Here’s why.  I downloaded NSudo 8.0 from MajorGeeks on 5/9/2020.  At that time I had absolutely no warnings of any kind about any infections in the download file.  However, based on the report here from DriftyDonN, I went back to MajorGeeks and downloaded the allegedly exact same file again on 5/16/2020.  I used the same computer and same browser that I had used previously on 5/9.  But this time the browser popped up a warning that the new file was infected.  So something about that NSudo zip file changed; and it changed within the past week — between 5/9 and 5/16.

              As I mentioned in my earlier post, I sent an email to the MajorGeeks website admin to report this issue, including the fact that VirusTotal now lists 19 different detection engines reporting threats with the NSudo file (whereas it was clean previously).  I haven’t heard back yet; but until I do I would consider that new NSudo download file to be highly suspect.  At this point, there’s just too many red flags that I’m seeing.  And again, I’m saying this as a frequent user of the NSudo program and the MajorGeeks website.

              2 users thanked author for this post.
            • #2263425

              Virustotal gives me the same pages/hashes for the files I’ve tested from both MajorGeeks and Github downloads:

              History
              First Submission 2020-03-08 09:37:51
              Last Submission 2020-03-26 09:44:25
              Last Analysis 2020-05-17 10:03:24
              Earliest Contents Modification 2020-01-22 06:10:00
              Latest Contents Modification 2020-03-08 05:39:14
              Names
              NSudo_8.0_All_Components.zip

              Individual files flagged up:

              Bundled Files
              Scanned      Detections  File type  Name
              2020-05-17   20 / 71     Win32 DLL  NSudo_8.0_All_Components/NSudo Devil Mode/Win32/NSudoDM.dll
              2020-05-08    4 / 71     Win32 EXE  NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLG.exe
              2020-04-21    3 / 69     Win32 EXE  NSudo_8.0_All_Components/NSudo Launcher/Win32/NSudoLC.exe
              2020-04-21    1 / 70     Win32 EXE  NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLC.exe
              2020-04-21    1 / 68     Win32 EXE  NSudo_8.0_All_Components/NSudo Launcher/ARM/NSudoLG.exe

              Highest flagged count:

              Basic properties
              MD5 e5be7c5bf13da3421f31dfa203a41037
              SHA-1 89101df4a3fdf2630e71c9641140f519d6e6aad7
              SHA-256 413f14bf424cacff67c5395afa2ba25e84b038c8111471fb27ecca3bd3d6132f
              Vhash 124056651d15155gz23@z
              Authentihash b6aaa215bb5282b980785d3869be35d61d9398a4b7600a90ba3f1b1011eadf70
              Imphash 053da52e98b6f21f8418d4bccf9e7633
              SSDEEP 384:MXIRI2I5OlyNDWH+cTcvEhJhjU7W/oCKWX6jGEt4:2Bb5WaDWH+c48hzj+WQCfX6yc4
              File type Win32 DLL
              Magic PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
              File size 22.00 KB (22528 bytes)
              History
              Creation Time 2020-03-07 21:23:52
              First Submission 2020-03-09 07:45:21
              Last Submission 2020-03-09 07:45:21
              Last Analysis 2020-05-17 18:30:45
              Names
              NSudoDM
              NSudoDM.dll

              Maybe the only things changed were the malware definitions?

              2 users thanked author for this post.
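The comparison satrow describes above (same archive from MajorGeeks and GitHub, same VirusTotal hashes) can be done locally before uploading anything. The following is an added example, not code from the thread, from MajorGeeks or from the NSudo project: it hashes every file under two extracted copies of the archive, lists any file that differs or is missing from one side, and checks the most-flagged file against the SHA-256 quoted in the VirusTotal report above. The two directory paths are hypothetical placeholders; only `Get-FileHash` and `Compare-Object` from standard PowerShell are used.

```powershell
# Added example, not part of the thread: compare two extracted copies of
# NSudo_8.0_All_Components file by file, then check NSudoDM.dll against the
# SHA-256 quoted in the VirusTotal report earlier in this thread.
# Both root paths are hypothetical; point them at wherever each zip was extracted.

$fromMajorGeeks = 'C:\Downloads\NSudo_MajorGeeks\NSudo_8.0_All_Components'   # hypothetical path
$fromGitHub     = 'C:\Downloads\NSudo_GitHub\NSudo_8.0_All_Components'       # hypothetical path

# SHA-256 of NSudoDM.dll as listed in the VirusTotal "Basic properties" quoted above
$knownDmHash = '413f14bf424cacff67c5395afa2ba25e84b038c8111471fb27ecca3bd3d6132f'

function Get-TreeHashes {
    # Returns one object per file: path relative to $Root plus its lowercase SHA-256
    param([Parameter(Mandatory)][string]$Root)
    $rootPath = (Resolve-Path -Path $Root).Path
    Get-ChildItem -Path $rootPath -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootPath.Length).TrimStart('\')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        }
    }
}

$mg = @(Get-TreeHashes -Root $fromMajorGeeks)
$gh = @(Get-TreeHashes -Root $fromGitHub)

# Any file present on only one side, or present on both with different content,
# shows up here with a SideIndicator (=> GitHub only, <= MajorGeeks only).
$diff = Compare-Object -ReferenceObject $mg -DifferenceObject $gh -Property RelativePath, Sha256
if ($diff) {
    "The two downloads differ in these files:"
    $diff | Sort-Object RelativePath | Format-Table RelativePath, Sha256, SideIndicator -AutoSize
} else {
    "All $($mg.Count) files are byte-for-byte identical between the two downloads."
}

# Check the single most-flagged file against the hash quoted in the report
$dmPath = Join-Path $fromMajorGeeks 'NSudo Devil Mode\Win32\NSudoDM.dll'
$actual = (Get-FileHash -Path $dmPath -Algorithm SHA256).Hash.ToLower()
if ($actual -eq $knownDmHash) {
    "NSudoDM.dll matches the SHA-256 quoted in the VirusTotal report."
} else {
    "NSudoDM.dll does NOT match the quoted hash. Local SHA-256: $actual"
}
```

If both trees match and the DLL hash equals the one VirusTotal already had on file since March, the file itself did not change and, as satrow suggests, only the detection rules did; if the hashes differ, the newer download is a different file and the archive is worth treating as suspect until the source explains the change.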
            • #2263437

              Interesting.  I checked github also; and I see that the zipped download file from there also gets detected as infected by my system and VirusTotal.  Yet the previous download I have (also version 8.0) appears clean.  I don’t have time anymore today; but I’ll try to find time tomorrow to compare the individual files to see what’s different.  In the meantime I’m curious if MajorGeeks admin will reply regarding this.  I would think that they would be concerned about hosting or linking to a file that VirusTotal is complaining about.  It’s very strange.

              1 user thanked author for this post.
    • #2263121

      Has anybody compared it with, say, wireshark?

      I noticed that one of pktmon’s commands is "unload  Unload PktMon driver". I guess that gets loaded only when you run pktmon and then when you’re done packet’ing you can make the driver go away. Seems fairly safe to me.

      1 user thanked author for this post.
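The two points above, Microsoft’s suggestion (quoted earlier in the thread) to confirm DoH by looking for the absence of plaintext DNS with Packetmon, and the observation here that the driver is only loaded for a session and can be unloaded afterwards, fit into one short session. The following is an added example, not code from the thread, from BleepingComputer or from Microsoft’s DoH article: it filters the capture to port 53, runs a couple of lookups, converts the log to text, and unloads the driver. It assumes an elevated PowerShell prompt on Windows 10 1809 or later, that pktmon writes PktMon.etl to the current directory by default, and that each logged packet produces a line containing "Direction" in the formatted text (an assumption about the text format, used only as a rough counter).

```powershell
# Added example, not from the thread: use pktmon to look for plaintext DNS (port 53).
# Run elevated. Assumes pktmon.exe in %windir%\system32 (Windows 10 1809+) and that
# the default log file PktMon.etl lands in the current directory.
Push-Location $env:TEMP
try {
    # 1. Capture only port 53 so the log stays small (sniffer logs grow fast otherwise)
    pktmon filter remove | Out-Null          # drop any filter left from an earlier session
    pktmon filter add DNS -p 53
    pktmon filter list

    # 2. Start capture (this loads the PktMon driver), trigger lookups, stop
    pktmon start --etw
    Resolve-DnsName -Name example.com -Type A | Out-Null
    Resolve-DnsName -Name example.org -Type A | Out-Null
    Start-Sleep -Seconds 2
    pktmon stop

    # 3. Convert the ETL log to text and count logged packets.
    #    Assumption: one line containing "Direction" per packet in the text output.
    pktmon format PktMon.etl -o PktMon-dns.txt
    $packets = @(Select-String -Path .\PktMon-dns.txt -Pattern 'Direction')
    if ($packets.Count -eq 0) {
        "No port-53 traffic logged: resolution is not going out as plaintext DNS."
    } else {
        "$($packets.Count) port-53 packet(s) logged: plaintext DNS is still in use."
        $packets | Select-Object -First 5 | ForEach-Object { $_.Line }
    }
}
finally {
    # 4. Clean up: remove the filter and unload the driver so nothing stays resident
    pktmon filter remove | Out-Null
    pktmon unload
    Pop-Location
}
```

The `finally` block is the part worth keeping even when the rest is adapted: the driver stays loaded after `pktmon stop` until `pktmon unload` is issued, and `pktmon filter list` after the session is an easy way to confirm nothing is left configured.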
    • #2263149
      1 user thanked author for this post.
    • #2263168

      Oh good grief people. There was no malicious intent regarding telemetry on packaging a CMD based sniffer utility. This function has been optional under a different name for all Windows editions since at least the XP days (and I think since Windows 2000.)

      It’s used on demand by sysadmins for network troubleshooting, security auditing and development testing. It does not, nor ever has, sniff traffic unless you turn it on – and even then only for short sessions. (The data output of network sniffers can grow into truly ginormous log files!)

      And it cannot sniff your entire LAN unless you know how to set managed network switch parameters for mirroring, or have an old fashioned network “hub” (not a switch) handy.

      ~ Group "Weekend" ~

      4 users thanked author for this post.
    • #2263318

      How does this compare to npcap?
