Microsoft's Backdoor ::::RELOADED:::::

Many have wondered if Microsoft has a backdoor to your system. The answer to that may not be to far from the truth. A few days ago a thread popped up about it and It got me thinking and poking around. Microsoft themselves has said Windows 7 etc does not have back doors. However, what I am about to show you is a remote connection done everyday from your system without your knowledge. The most concerning part about all this is.... Well you will see for yourself...

The service we're talking about here is CryptSvc..

--------------------Description------------------------

Service name: CryptSvc

Description: Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Path to executable: C:\windows\system32\svchost.exe -k NetworkService

Startup type: Automatic

--------------------Hidden Network Account------------------



------------------CMD.exe Scan-------------------------

Note: Normally you cannot get this type of information without first elevating your CMD.exe to Administrator privileges. I created a log scanning at 10 second intervals. The command used shows the name of the file, ports/IP & what PID number was used.

-Command used: netstat -bo 10 > C:\netstat.txt

---------------------Output--------------------------------

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

---------------------Final Thoughts---------------------------------

As you can see this connection runs automatically as a service and has a login/password to this service. This account doesn't exist under management users/groups. If you type 64.4.11.42 in your web browser it will resolve to Microsoft. The most concerning of all this....a Crypto service connecting to a HTTP non secured unencrypted web server?? Wow Microsoft really??? Stopping this service will undoubtedly cause issues. So there you have it enjoy your potential security hole.

One of the reasons I don't like Windows much other than video games is because of stuff like this.

IE is itself a security hole made into a program.

I mean this is just stupid. No hex editors,no memory dumps, no manual assembly/c tool writing, no decryption schemes etc.

Just find a middleware program that gives you everything of any importance to hacker on a silver platter without having to do much of any work at all.

That svchost.exe can be a real resource hog sometimes, guess now we know why!

When I seen your title with the word RELOADED in it I thought it had something to do with the scene group. LoL

Didn't they even admit they built a back door into MS stuff just for NSA/Prism? Or was that just their web services? Monday, no mtn dew, confused, blah.

MSCONFIG

Startup

Close back app

reboot

Giver er a try

If not

Reformat install Linux

You can disable the service but it may cause problems with anything that uses certificates so windows updates/signed installers for applications and even browsing the web may be problematic

Probably would be better to use wireshark and record the data going too/from the site to get a more detailed look at the data being sent/recieved but i'd imagine its just going to be checking to see if the certificates it has are still valid and it will need to run as a service with full access due to the low level

An uninformed question: What is a security hole?

reply to post by tigershark1988


something either intentional or not that allows something to happen that shouldn't happen such as finding that a kids RC toy uses the same frequency as a car and can open the doors/boot

reply to post by SLAYER69


Just tried it. Everything is running fine so far. Restarted and when it came back up, I opened a browser and bounced around to a few sites. If anything, it seems a bit faster.

I've been going to ShieldsUP for about a year or so to check my computer and I always get this: THE EQUIPMENT AT THE TARGET IP ADDRESS
DID NOT RESPOND TO OUR UPnP PROBES!
(That's good news!)

Forgive my ignorance, but wouldn't you expect perhaps abit less in your face kind of backdoor? I mean i'm sure it exists but I doubt its even an .exe showing up in your taskbar manager.

Best example I can give is a little plugin called WoWslider ( jquery ) it has this watermark if your using a trial, point is it was one word in a wall of text that activated that. Point being don't you think its something within the code and not so much an application?

If its not officially registered within windows I doubt it will show up on any program. Heck for all we know its a 1 mb partitioned part of your hard drive that we don't even know exists.

Cool find though!

Let's backtrack a few years. There was a leak of the sourcecode for Windows. In that leak there was a conspicious variable called NSA-key. The variable's function was to deliver cryptographic keys to third-parties. This was pretty much a backdoor. The sourcecode for Windows remains to be vetted to this day, and many governments simply do not trust Microsoft at all. Why should you trust the security of a company that implemented such a backdoor?

Let's move a few years forward. You all know Stuxnet, right? For those who didn't remember it, this was a worm malware that caused havoc. The thing most forget about it, is that Stuxnet was deployed using the standard Windows Update function. That's it. Microsoft gave away the key to the government again.

Microsoft's policy is to deny knowledge about their backdoors, while the fact is that they have been caught with their pants down many times. If you want a secure system, you have to have the ability to vet the code yourself. You can't expect to buy a product from USA without a backdoor. The NSA has made it their job to break into as many personal accounts as they can, and they have been complicit in industrial espionage as well. Many things suggest that Microsoft and NSA has an understanding.

reply to post by DAVID64




Every little bitz helps eh...

Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates.

Surely these are services designed to make your system safer. Yes they are automated but they are security systems.

"Confirms the signatures of Windows files" - without this a virus might be replacing your windows files without you noticing. Turing it off would be a monumentally stupid idea.

The rest is to do with certificates and SSL (secure socket Layer) which help keep your computer more secure.

Also Windows updates might not work correctly if you stop this service. If windows updates don't work you leave yourself open to hackers. When Microsoft identifies a security vulnerability they produce a fix for it and send it out in a windows update. Hackers get hold of the updates and back engineer them to see what the security vulnerability is. They then create virus and malware programs to take advantage of this (usually within a single day of the update being released) as they count on some people not using windows update. Some of the largest virus attacks in history have happened this way. I think 'code red' was one example.

So all in all this is not Microsoft has a secret backdoor into your computer its Microsoft trying to keep its system and your data more secure. I think this thread is pretty much born out of paranoia. Turn this service off and you open your computer up to hackers and risk your private data...genius!!

But then some people might want that so then they can bitch about how easy Windows is to hack

TCP 192.168.1.100:49175 64.4.11.42:http ESTABLISHED 1324 CryptSvc [svchost.exe]

192.168.*.* is a private address range, never to be directly connected to the Internet.
It is the default for nearly every home router out there.

192.168.1.100 is likely YOUR computer.
Why did you not run an IPCONFIG /ALL command just to verify?
So you're raising fear in people because your computer talked to itself?


No more fear, uncertainty and doubt, okay?

Your post got me to thinking that it's not cool for me to act the way i did because you are at least trying which is more then a lot of people with a computer and a connection do.

Someone else earlier suggested firing up a Wireshark trace to really see what is ingress and egress to your interface. That's the best bet for seeing what's on your wire in real time. Take for example VOIPSIP calls and how easy they are to decode.

The thing is most governments have access to MS source code Russians get Win 7 source code so pretty much it'll be hard to hide a simple backdoor from your enemies when they're looking at the same lines of code as you are, and thats why MS is making it basically open season for its servers based in the USA to be tapped 24x7 by the NSA etc as its the only place where enemy countries can't get a look at the source code

And how about HP backdoor.

h20566.www2.hp.com... tate%3DdocId%253Demr_na-c03825537-1%257CdocLocale%253D%257CcalledBy%253D&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=c om.vignette.cachetoken

SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c03825537 Version: 1 HPSBST02896 rev.1 - HP StoreVirtual Storage, Remote Unauthorized Access NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2013-07-09 Last Updated: 2013-07-09 Potential Security Impact: Remote unauthorized access Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY A potential security vulnerability has been identified with the HP StoreVirtual Storage. This vulnerability could be remotely exploited to gain unauthorized access to the device. All HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer. This functionality cannot be disabled today. HP has acknowledged this vulnerability and will provide a patch that will allow customers to disable the support access mechanism on or before July 17, 2013. HP StoreVirtual products are storage appliances that use a custom operating system, LeftHand OS, which is not accessible to the end user. Limited access is available to the user via the HP StoreVirtual Command-Line Interface (CLiQ) however root access is blocked. Root access may be requested by HP Support in some cases to help customers resolve complex support issues. To facilitate these cases, a challenge-response-based one-time password utility is employed by HP Support to gain root access to systems when the customer has granted permission and network access to the system. The one-time password utility protects the root access to prevent repeated access to the system with the same pass phrase. Root access to the LeftHand OS does not provide access to the user data being stored on the system. References: CVE-2013-2352 (SSRT101257) SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. This issue effects LeftHand OS (a.k.a. SAN iQ) software versions 10.5 and earlier. HP StoreVirtual device HP P4300 HP P4500 HP P4300 G2 HP P4500 G2 HP P4800 G2 HP P4900 G2 HP P4000 VSA HP StoreVirtual 4130 HP StoreVirtual 4330 HP StoreVirtual 4530 HP StoreVirtual 4630 HP StoreVirtual 4730 HP StoreVirtual VSA LeftHand NSM2060 Dell PowerEdge 2950 HP DL320S IBM System x3650 LeftHand NSM2060 G2 LeftHand NSM2120 G2 LeftHand VSA

Lefthand Networks Inc. funding.

www.crunchbase.com...

TOTAL $25M FUNDING TOTAL $25M Series C, 9/05 2 Boulder Ventures Sequel Venture Partners Sprout Group Epic Ventures Garage Technology Ventures New World Ventures Ironside Ventures Valhalla Partners Vista Ventures JPMorgan Chase & Co DFJ Portage Ventures Read more: www.crunchbase.com... Follow us: @crunchbase on Twitter | crunchbase on Facebook

.

HP also just bought the company Digital Risk LLC that George Zimmerman worked for spying on all mortgages in Florida for the government. Every thing is still the same they just moved ownership to a shell company in India owned by HP. Helps to keep it offshore so the spying is not done directly in the US and allows the laws to be broken easier.

Most enterprise level companies supplying kit will have some sort of backdoor for support, on one mainframe i worked on they could just dial in and within a minute have full access (was very useful as well when someone balls'd up an update and suddenly no one could log in as they'd turned off the network interfaces - not me may i add), until recently these sort of backdoors required a dial up modem/ISDN link etc for the company to dial in and the usual high tech approach to security was just to unplug the phone line and turn the modem off but these days with everything going over the internet these sort of things are becoming more of an interest (and with more details of their design also being out there makes it much easier)

reply to post by sean


And I am interested in the second key for Microsoft. The one that used to be named NSAKey. Microsoft says they have never used there second key. I wonder if there is a way to track if the second key has ever been used by the NSA or anyone else?