Bloatware Banned from Bank
The Network: A bank serving multiple states on the U.S. East Coast with a headquarters and several dozen branch offices; 500+ servers and 2,000+ workstations.
The Expectation: The bank buys computer systems from reputable manufacturers who are assumed to provide clean systems.
The Catch: The unknown-process feature of the Netsurion sensor raised a first-time-seen alert for the HP Touchpoint Analytics Client. The program had been installed by a system account.
The Find: HP says it is: “A service we have offered since 2014 as part of the HP Support Assistant. It collects information about hardware performance that is used anonymously. No data is shared with HP unless access is expressly granted. Customers can opt-out or uninstall the service at any time.” The bank had not knowingly installed it; it appears to have arrived as a result of a Windows Update. Analysis of this package shows that it is capable of the following:
- Modifies file/console tracing settings (often used to hide footprints on system)
- Malicious artifacts seen in the context of a contacted host
- Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- Reads the active computer name
- Reads the cryptographic machine GUID
- Tries to sleep for a long time (more than two minutes)
- Requested access to a system service
- Sent a control code to a service
- Contains ability to listen for incoming connections
- Found a potential IP address in binary/memory
- Modifies Software Policy Settings
- Modifies proxy settings
- Reads the registry for installed applications
- Contains the ability to query the machine version
The Fix: Stop the HP Touchpoint Analytics Client service on the affected systems by uninstalling it.
The Lesson: Despite buying new systems from reputable manufacturers, IT must reimage them with a company-approved image to minimize the possibility of bloatware. If this is not possible, then monitor for first-time-seen programs as well as any attempts to “phone home”, which may result in data leakage.
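One way to implement the monitoring the lesson calls for, as an added example that is not Netsurion's sensor code: a fleet-wide first-time-seen check over process-creation and outbound-connection records, which also flags when the new program runs under a system account. The event layout, host names, vendor executable path and destination address are constructed placeholders.

```python
from collections import defaultdict

# Well-known Windows service accounts; a never-before-seen image running as
# one of these (as in the case above) deserves a closer look.
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                   "NT AUTHORITY\\NETWORK SERVICE"}

# Constructed sample telemetry (not real sensor output). Hosts, the vendor
# executable path and the destination address are hypothetical placeholders.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS-0101", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process", "host": "WS-0102", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\VENDOR\analytics_client.exe"},
    {"kind": "network", "host": "WS-0102",
     "image": r"C:\Program Files\VENDOR\analytics_client.exe",
     "dest": "203.0.113.10:443"},
    {"kind": "process", "host": "WS-0103", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\VENDOR\analytics_client.exe"},
    {"kind": "network", "host": "WS-0103",
     "image": r"C:\Program Files\VENDOR\analytics_client.exe",
     "dest": "203.0.113.10:443"},
]


def first_time_seen(events, baseline=()):
    """Alert on each image's first appearance fleet-wide and on each image's
    first contact with a new destination. `baseline` lists images already
    known from the approved build, which never alert."""
    seen_images = set(baseline)
    seen_dests = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["kind"] == "process" and ev["image"] not in seen_images:
            seen_images.add(ev["image"])
            alerts.append({"type": "new_image", "host": ev["host"],
                           "image": ev["image"],
                           "system_account": ev["user"].upper() in SYSTEM_ACCOUNTS})
        elif ev["kind"] == "network" and ev["dest"] not in seen_dests[ev["image"]]:
            seen_dests[ev["image"]].add(ev["dest"])
            alerts.append({"type": "new_outbound", "host": ev["host"],
                           "image": ev["image"], "dest": ev["dest"]})
    return alerts


if __name__ == "__main__":
    # svchost.exe is in the approved image, so only the vendor client alerts,
    # once for its first appearance and once for its first outbound contact.
    for alert in first_time_seen(SAMPLE_EVENTS, baseline=[r"C:\Windows\System32\svchost.exe"]):
        print(alert)
```

The second host running the same client produces no new alert, which is the point of a fleet-wide baseline: the analyst sees the program once, not once per workstation.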