kanotix.com

Anything goes - Microsoft's Calling Home Problem

piper - 13.06.2006, 00:03
Title: Microsoft's Calling Home Problem
Microsoft's Calling Home Problem
h2 - 13.06.2006, 01:06
Title: RE: Microsoft
On the bright side, things like this are going to speed up desktop linux adoption more than anything else possibly could.

The old giant is not walking with the same powerful steps it did in its youth. I can only applaud these moves on their part, it's time for a change, and this should help motivate a decent chunk of techies to switch. Spyware is spyware, it doesn't matter what it's called, or who distributes it.
stryder - 13.06.2006, 04:16
Title: RE: Microsoft
Yes, I went through this some weeks ago and I was indeed fooled by Microsoft telling me that it is installing crucial updates. When I checked and found out what it was installing I immediately cancelled the installation. Then I found that there was no way for me to get to security updates without going through that particular update. So I stopped updating totally. Now Windows tells me every day that I am at risk but that annoyance is better than installing something that Microsoft tells me that I cannot uninstall ever! What crap it is to tell me that knowing I have original XP is an advantage. I know I have an original XP. I paid for it. Microsoft validated it.
t-bone - 13.06.2006, 05:48
Title: RE: Microsoft
MS is stepping over its limits.
eco2geek - 13.06.2006, 07:00
Title:
A few things to note here:


Ultimately, the only thing Microsoft cares about is money. If you think it's overstepping its bounds, vote with your wallet.
t-bone - 13.06.2006, 07:42
Title:
Linux has my vote. My wallet is happy! (Very Happy)
schnorrer - 13.06.2006, 12:08
Title:
A good HW firewall with packet filtering and the right rules should handle that with M$$$.

My wallet is more than happy with Linux, and my friends got no support nor help with ExpERIMENTAL MS.
piper - 13.06.2006, 23:45
Title:
First of all, always use Windizupdate for Windows updates using Firefox, not IE.

The TOOL works perfectly ..............

but the name is incorrect.
It's called the "Microsoft Genuine Disadvantage Trojan"

Start in safe mode and find the file /WINDOWS/System32/WgaLogon.dll. Edit the
file properties and remove the execute and write permissions for all users
including System. The daily checkin and the WGA System Tray tool are both
started from this DLL so making it non-executable kills the whole WGA
Notification system. Making it read-only stops Windows Update from 'repairing
it' and installing future versions.


Copy the text below into Notepad (including the Windows Registry Editor Version 5.00 heading), then save the file as a .reg file. Double-click on the file to apply the registry patch.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

Fix your router

There seem to be 2 ranges. The CIDR ranges are a safe bet.

Candidates: 64.4.21.61, 64.4.21.93, 64.4.21.189, 64.4.21.125, 64.4.21.189, 64.4.23.221
CIDR: 64.4/18 (HOTMAIL)

Candidates: 207.46.19.93, 207.46.144.219, 207.46.156.25, 207.46.156.254, 207.46.157.30, 207.46.157.61, 207.46.198.93, 207.46.250.185, 207.46.253.93, 207.46.253.125, 207.46.250.185, 207.46.244.253
CIDR: 207.46/16 (MICROSOFT-GLOBAL-NET)

Some candidates are more popular than others, i.e. they occur more often in my statistics. The 207.46/16 range is more common than the 64.4/18 range. Blocking /32 ranges or other small ranges may miss some rare Windows Update IPs, hence the noted /18 and /16 are a safe bet.

To get these IP addresses I just ran a little script which did a DNS query on update.microsoft.com every 10 sec.

To make sure an IP hosts Windows Update, make a connection to the IP on port 80 (preferably not with an ActiveX-enabled browser) and you'll see the Windows Update website running. After you have blocked it you can try to use Windows Update, auto-refreshing it in a little window (for example with Avant Browser).

Blocking all data to/from these IPs may stop some additional Microsoft.com websites or services from functioning. One solution for this is suggested later hereunder. Another one is explicitly allowing these services. Also, the IP addresses and ranges may change. If you block traffic to/from those IP addresses and change the DNS as well and use an alternative to Windows Update such as manually getting patches from Microsoft.com or by using Windiz Update [1] you've tied it down pretty well IMO since then BOTH the hostname. One could also force HTTP traffic over a transparent, local proxy such as Squid or Privoxy and use ACLs in that software eventually together with a tight firewall ruleset. Provided the Windows Update data flows over HTTP, this would be blocked either way.

The DNS reply changes every X sec and returns 3 IPs so this is not blockable by blocking access to the hostnames. You need to block the IPs in your firewall.

An IDS or layer-7 packet filter (as add-on to above solution) would even be better. A very strict firewall may also work better. My problem with strict firewalls would be P2P software, YMMV.

Important! For a good IDS ruleset or firewall ruleset, the above has to be tested. It could be possible, albeit unlikely, that the data concerning the privacy encumbered information is sent to a different IP address and/or port and/or using encryption.

WGA = William Gates Attitude The cause of much misery.....

Software is like sex...it's better when it's free.

MLVP (Microsoft's Least Valuable Professional)
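
A way to read a .reg patch like the one quoted in the post above before double-clicking it, as an added example that is not part of the original post: a small Python parser that normalises the forum's typographic quotes, joins hex continuation lines and decodes `hex(2)` strings, so the DLL a Winlogon Notify key registers is visible in plain text. The function names and the shortened sample are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the patch quoted in the post above,
# still carrying the typographic quotes the forum software introduced.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WgaLogon]
\u201cLogon\u201d=\u201dWLEventLogon\u201d
\u201cMaxWait\u201d=dword:ffffffff
\u201cDllName\u201d=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\\
6c,00,6c,00,00,00
"""

def decode_value(raw):
    """Decode one .reg value: quoted string, dword, or hex[(type)] bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])     # REG_SZ, drop escapes
    if raw.startswith("dword:"):
        return int(raw[6:], 16)                       # REG_DWORD
    m = re.match(r"hex(?:\((\w+)\))?:(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("1", "2", "7"):             # string types: UTF-16LE
            return data.decode("utf-16-le").rstrip("\x00")
        return data                                   # REG_BINARY and others
    return raw

def parse_reg(text):
    """Return {key_path: {value_name: decoded_value}} for .reg file text."""
    text = text.replace("\u201c", '"').replace("\u201d", '"')
    text = re.sub(r"\\\r?\n\s*", "", text)            # join continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            current[m.group(1)] = decode_value(m.group(2))
    return keys

def notify_packages(keys):
    """Map each Winlogon Notify subkey name to the DLL it registers."""
    marker = "\\winlogon\\notify\\"
    return {path.rsplit("\\", 1)[1]: vals["DllName"]
            for path, vals in keys.items()
            if marker in path.lower() and "DllName" in vals}

if __name__ == "__main__":
    print(notify_packages(parse_reg(SAMPLE_REG)))
```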
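
The range-versus-single-address point from the "Fix your router" part of the post above, as an added example that is not part of the original post: a Python check that counts how often each listed candidate was seen, confirms every one falls inside the two CIDR ranges, and computes the tightest single block the sightings alone would justify. The addresses and ranges are the ones in the post (ranges written out in full); the function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Candidates exactly as listed in the post, duplicates included.
OBSERVED = """
64.4.21.61 64.4.21.93 64.4.21.189 64.4.21.125 64.4.21.189 64.4.23.221
207.46.19.93 207.46.144.219 207.46.156.25 207.46.156.254 207.46.157.30
207.46.157.61 207.46.198.93 207.46.250.185 207.46.253.93 207.46.253.125
207.46.250.185 207.46.244.253
""".split()

# The post's "64.4/18" and "207.46/16" written out in full.
RANGES = ["64.4.0.0/18", "207.46.0.0/16"]

def classify(observed, ranges):
    """Count sightings per range; return (per_range, uncovered)."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    per_range = {str(n): Counter() for n in nets}
    uncovered = []
    for text in observed:
        addr = ipaddress.ip_address(text)
        hit = next((n for n in nets if addr in n), None)
        if hit is None:
            uncovered.append(text)      # a rule set built on ranges would miss this
        else:
            per_range[str(hit)][text] += 1
    return per_range, uncovered

def tightest_supernet(addresses):
    """Smallest single CIDR block containing every address seen."""
    addrs = [ipaddress.ip_address(a) for a in addresses]
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while not all(a in net for a in addrs):
        net = net.supernet()            # widen by one prefix bit at a time
    return net

if __name__ == "__main__":
    per_range, uncovered = classify(OBSERVED, RANGES)
    for cidr, seen in per_range.items():
        print(cidr, "sightings:", sum(seen.values()),
              "distinct:", len(seen), "tightest:", tightest_supernet(seen))
    print("outside both ranges:", uncovered)
```

For the 64.4 group the sightings only span a /22, so the /18 in the post comes from the registry allocation rather than from the observations; for the 207.46 group the observations already spread across the whole /16.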
Cathbard - 24.06.2006, 15:41
Title:
I had to do some work on my parent's pc just the other day. It runs Kanotix primarily but has Winblows for one small task. While I was there the Genuine Disadvantage Tool "update" came through.
I called over my father who is about as pc illiterate as you can get to read what it said. All he uses is Firefox to look up stuff about his car club activities but even he walked away shaking his head.
"Assistance?" he said. "Is that what they call it now? I suppose a murderer is assisting you to make the decision whether to live or die too." (Laughing)
All times are GMT + 1 hour