The Curious Case of QUEENCREEK
The article highlights risks of automated software like QUEENCREEK, initially suspected as malware but found legitimate. It emphasizes the need for vigilance in identifying potential threats using tools like Sysinternals Autoruns.
The article discusses the potential risks associated with software that runs automatically on systems, particularly focusing on a case involving a program named QUEENCREEK. The author, Mo Beigi, highlights how malware often exploits automated executables to maintain persistence on a system. Using Microsoft's Sysinternals Autoruns tool, Beigi examines various entries that trigger automatically, including QUEENCREEK, which initially appears suspicious. Despite being a digitally signed binary, further investigation reveals that it is part of the legitimate Intel PROSet/Wireless WiFi Software. The author critiques the convoluted execution path of QUEENCREEK, which involves multiple layers of script execution, mimicking techniques used by malware. This complexity can confuse users and antivirus software, raising concerns about security practices. Ultimately, the article emphasizes the importance of vigilance when inspecting automated software entries to distinguish between legitimate applications and potential threats.
- Automated software can be exploited by malware to maintain persistence on systems.
- QUEENCREEK was initially suspected of being malicious but was found to be a legitimate Intel application.
- The execution method of QUEENCREEK mimics common malware techniques, complicating detection.
- Tools like Sysinternals Autoruns are essential for identifying suspicious automated entries.
- Vigilance is crucial in distinguishing between legitimate software and potential threats.
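The summary's lesson is that a valid signature does not settle the question when an autostart entry reaches its payload through a chain of interpreters and scripts. The script below, an added example that is not part of the article and not the author's code, triages an Autoruns-style export for exactly those traits: a launch string that goes through cmd.exe, PowerShell or a script host, a signer Autoruns did not verify, and an image living in a user-writable directory. The column names are assumed to follow the `autorunsc -c` CSV layout, and every row in the sample is constructed (the "UsageReportSvc" row is a stand-in with the shape the article describes, not real QUEENCREEK data).

```python
"""Triage of Autoruns-style autostart entries for manual review.

Added illustration, not the article's code. Column names follow the
autorunsc -c export layout (assumption); all sample rows are constructed.
"""
import csv
import io
import ntpath
import re

# Interpreters and proxy executables that put a layer between the autostart
# entry and the code that actually runs. A signed vendor entry that goes
# through one of these still deserves a look; that is the article's point.
LAYERING_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}
SCRIPT_RE = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample export (three invented entries, not real autoruns output).
# Quoted CSV fields double their inner quotes, hence the tripled quote marks.
SAMPLE_CSV = r'''Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\System\CurrentControlSet\Services,UpdateSvc,enabled,Services,Vendor update service,(Verified) Example Vendor,Example Vendor,c:\program files\vendor\updatesvc.exe,"""C:\Program Files\Vendor\updatesvc.exe"""
HKLM\System\CurrentControlSet\Services,UsageReportSvc,enabled,Services,Usage report service,(Verified) Example Vendor,Example Vendor,c:\windows\system32\cmd.exe,"cmd.exe /c ""C:\Program Files\Vendor\launch.bat"""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,,(Not verified) Unknown Publisher,,c:\users\alice\appdata\roaming\updater.exe,C:\Users\alice\AppData\Roaming\updater.exe
'''


def launcher_binary(launch: str) -> str:
    """Base name of the executable a launch string starts with.

    Handles both a quoted first token ("C:\\Program Files\\x.exe" /arg) and a
    bare one (cmd.exe /c ...). ntpath is used so Windows paths parse on any OS.
    """
    launch = launch.strip()
    if launch.startswith('"'):
        end = launch.find('"', 1)
        first = launch[1:end] if end > 0 else launch[1:]
    else:
        first = launch.split(maxsplit=1)[0] if launch else ""
    return ntpath.basename(first).lower()


def triage_entry(row: dict) -> list:
    """Return the reasons a single entry deserves manual review (empty if none)."""
    reasons = []
    launch = row.get("Launch String", "")
    image = row.get("Image Path", "").lower()
    signer = row.get("Signer", "")
    # Autoruns prefixes verified Authenticode signers with "(Verified)".
    if not signer.startswith("(Verified)"):
        reasons.append("signer not verified: %r" % signer)
    binary = launcher_binary(launch)
    if binary in LAYERING_BINARIES:
        reasons.append("launched through %s rather than directly" % binary)
    if SCRIPT_RE.search(launch):
        reasons.append("launch string references a script file")
    if any(marker in image for marker in USER_WRITABLE):
        reasons.append("image lives in a user-writable directory")
    return reasons


def triage_autoruns(csv_text: str) -> dict:
    """Map each entry name in an export to its list of review reasons."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Entry"]: triage_entry(row) for row in reader}


if __name__ == "__main__":
    for entry, reasons in triage_autoruns(SAMPLE_CSV).items():
        status = "; ".join(reasons) if reasons else "nothing unusual"
        print("%-16s %s" % (entry, status))
```

Run against the constructed sample, the directly launched signed service comes back clean, the signed service that goes through cmd.exe and a batch file is flagged twice even though its signature is valid, and the unsigned entry under AppData is flagged for both its signer and its location. Reasons are returned rather than verdicts on purpose: as with QUEENCREEK, the flagged entry may turn out to be legitimate, and the list tells the analyst what to go and check.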
Related
Windows: Insecure by Design
Ongoing security issues in Microsoft Windows include vulnerabilities like CVE-2024-30080 and CVE-2024-30078, criticized for potential remote code execution. Concerns raised about privacy with Recall feature, Windows 11 setup, and OneDrive integration. Advocacy for Linux desktops due to security and privacy frustrations.
Windows: Insecure by Design
The article discusses ongoing security issues with Microsoft Windows, including recent vulnerabilities exploited by a Chinese hacking group, criticism of continuous patch releases, concerns about privacy invasion with Recall feature, and frustrations with Windows 11 practices. It advocates for considering more secure alternatives like Linux.
Crashes and Competition
The article explores Windows OS design, kernel access impact on security firms, CrowdStrike crash consequences, Microsoft's limitations due to agreements, and regulatory implications for system security and functionality balance.
Marcus Hutchins-Microsoft claim that CrowdStrike was enabled by EU rule is false [video]
A malware expert discusses the CrowdStrike outage, misconceptions about antivirus software, and Windows security challenges, highlighting issues with kernel rootkits, ineffective measures in Vista, and UAC circumvention by malware.
Mac and Windows users infected by software updates delivered over hacked ISP
Hackers compromised an ISP to deliver malware to Windows and Mac users via software updates, affecting multiple applications. Users are advised to avoid insecure updates and use secure DNS protocols.
These services are insanely invasive and resource hungry, to the point that I regularly have to scrub them out of my system. If I don't, my CPU fans will spin up and make turbine noises while this monstrosity collects every piece of metadata it possibly can to be sent back to big brother at Intel.
To expand on the comments in the original article, this is the description text file of one of these services:
Inte(R) System Usage Report Service
SystemUsageReportSvc_QUEENCREEK monitors
the computer system usage and helps to improve
system's performance."
Intel is misspelled. That's insane for a Fortune 500 company. At most such organisations, you'd be raked over hot coals if you did something like this.
Let us also ignore the missing 'the' or 'your' in "helps to improve system's performance." -- either way this is a flat lie. It doesn't improve performance in any way. It's spyware sending telemetry, that's all it does.
The industry-wide problem is that there are zero consequences to this type of shoddy code deployed to a billion devices globally. It's just waiting to be the next global Crowdstrike-style outage or remote code execution exploit.
PS: Right next to this spyware in the list of services is the "Intel® Dynamic Application Loader". I won't describe it here, read for yourself what this does "for you", and for state actors that might want to hide malware that even the operating system can't access: https://www.intel.com/content/www/us/en/developer/tools/dal/...
Relatedly, I really wish runtimes and interpreters would rename their process to the name of the file they are running by default. Finding out which `java` or `python` out of a dozen identical processes I need to kill isn't fun.
It costs nothing to make your users' lives just a little bit easier. Also, for fuck's sake please populate the standard Windows file metadata for all your EXEs and DLLs when you're releasing products. I shouldn't have to run your app to find out the version number, vendor name, app name, release date, etc.
Furthermore, it opens the door for malware to “join the party”
Or is a placeholder for state-sanctioned backdoors. Clearly too sophisticated to apply Hanlon's Razor. Who let that ship? Who did the code review?