Massive Spy Ring Uncovered? 329 Injections into "Persistent Routes". What's that about?

Discussion in 'other security issues & news' started by ravenise, Feb 28, 2018.

  1. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
had 329 entries under "PersistentRoutes" in the TCP/IP stack. "Normal" entries by the system appear like "0.0.0.0,0.0.0.0,192.168.0.1,-1" (IP/Subnet/Gateway). Another important comment will be found below.

    Looks like a little "redirect" going on here? https://www.youtube.com/watch?v=ZL-WlfJaYCk

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\PersistentRoutes]

What's this about? Who and what would have added these? And why? How do these entries work with the TCP/IP stack? What does "=" do, what does "1" do? What does "-1" do, in relation to the 'legit' entries? Could this be used for reverse HTTP/TCP/VPN, or something of the like? "Normal" entries by the system appear like "0.0.0.0,0.0.0.0,192.168.0.1,-1" (IP/Subnet/Gateway). What does this mean in reverse?
     
    Last edited by a moderator: Feb 28, 2018
  2. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Whois

     
    Last edited by a moderator: Feb 28, 2018
  3. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
So a very strange thing occurred the other day while I was logged into Windows. After disabling a few entries in the registry governing hardware "redirect" (aka remote control and access to the hardware of my PC, as demonstrated in the first link above), registry entries grew from ~461,000 to ~540,000. A massive hidden layer of my registry was uncovered that I had never seen or known about before; I should have made a backup of this, because I can no longer access it. After trying to disable some very persistent redirect registry keys, which re-enabled upon boot, 1/5th of my registry vanished again. All the entries I had previously searched for and changed are no longer visible in my registry. For example:

    Windows 7 64 SP1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    I had changed these from 1, to 0. Some of them were persistent on reboot; they would switch back to 1 again. It wasn't long before I was no longer able to find them anymore; I had not deleted them.

It is as though some remote admin was redirecting a huge chunk of my registry / OS and hardware (or THEY were a huge chunk of my OS and hardware). I was shocked to see these hidden registry keys unlocked; in the process of disabling the redirect settings, twice as many or more redirect keys became available to me on the next boot (upon searching). You can find these keys by searching for "DeviceRedirect" and/or "AllowRedirect". Many are not accessible in the Group Policy GUI (even updated with Microsoft Security Compliance Manager).

    These six objects also disappeared.

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{007A0536-350C-47ED-9868-DF5C42F80CEA}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{2228C782-A61F-4964-BF35-039C64C5762A}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{971B4056-B53A-4932-85C0-1C67D70BFD18}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{AF3CE3F0-520B-435A-A45C-312C2374AB79}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{DA63EBEF-85CB-4B8A-AC11-43F92721699F}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000000

    [HKEY_USERS\S-1-5-21-2240875929-447784991-1091042645-1000\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects{E615A4B9-1522-4ED3-82A0-03A4B4BD5848}Machine\Software\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]

    I uncovered all of this while finding possible shady group policy entries for Chrome browser.
    One of the steps I took that may have uncovered my hidden registry entries was followed here:
    https://www.bleepingcomputer.com/vi...ome-extension-installed-by-your-administrator

    I ran RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
    RD /S /Q "%WinDir%\System32\GroupPolicy"
    gpupdate /force

    A chrome extension (GhostVPN) had access to system settings and had injected a group policy to allow access to system Proxy settings;

    Registry Group Policy Objects \SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy Objects{FC974C88-F4E9-4026-B8E4-839875341946}Machine\Software\Policies\Google\Chrome\ExtensionInstallWhitelist\1 = nhippelchacimnkamngddemhkifekini
     
    Last edited: Feb 28, 2018
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
Wow, that's gonna set some heads spinning. Is it Windows 10?
     
  5. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    Windows 7 64 SP1
     
  6. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    93.184.215.200 Europe MCI Communications Services, Inc. d/b/a Verizon Business AS15133

    MCI Communications Services, Inc. dba Verizon Business Services
    (formerly Cybertrust)

    Verizon fully participates in the GSA Schedules (also referred to as Multiple Award Schedules (MAS) and Federal Supply Schedules) program. Under this contract, Verizon offers security, identity management and HSPD-12 services to federal and state and local government clients and their authorized contractors. Offerings covered under Verizon’s GSA IT Schedule 70 contract include:

    Special Item Number 132-51 Information Technology (IT) Professional Services
    Special Item Number 132-52 Managed Security Services - Federal Edition
    Special Item Number 132-61 Public Key Infrastructure (PKI) Shared Service Providers (PKI SSP) Program
    Special Item Number 132-62 Homeland Security Presidential Directive 12 (HSPD-12) Product and Service Components
     
  7. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
The great old homeland insecurity, why am I not surprised. The ethical hackers out there are gonna have a field day with this one. #anonamous

    Here is your block list:

     
    Last edited: Feb 28, 2018
  8. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
Ok, I have confirmed some of these missing registry keys are in fact due to running:

RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RD /S /Q "%WinDir%\System32\GroupPolicy"

which cleared out all custom administrative templates under Group Policy. And setting USB redirect from 1 to 0 in the registry did not disable them; a setting of "1" does, and this is how it is set by Group Policy. I still cannot seem to find the other redirect settings; these may have been added to the registry later by some application or who knows what.

    these reappeared after re-applying the group policy via gpedit; and require 1 for disabling.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceRedirect\Restrictions]
    "AllowRedirect"=dword:00000001
     
  9. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    So, do you think the routing table is being applied by GP?
     
  10. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    I haven't seen any entries there suggesting as such. Filters freeze my GPO. Where exactly should I check? I've installed Group Policy Compliance Manager 4.0
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Ok no, sorry I misunderstood your earlier post about clearing gp templates, I thought you did that because of suspicion that gp client was receiving and applying templates (from somewhere) that added those addresses to the routing table.
     
  12. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
Oh I see, well I thought about it quite a bit since you asked; it's possible there may have been "allowredirect" and/or "deviceredirect" entries in Group Policy that had been injected via the registry; there were at least 6 entries that were not visible in Group Policy pointing to "allowredirect" that did disappear after clearing GP templates. At that time I was able to apply filters to my Group Policy and had only seen a few entries. 6 were unaccounted for. I never searched for the ID strings they were referring to, so I'm not sure what was being redirected where, and how. They may or may not have any connection to the persistent routes. Seeing that others have since reappeared after re-applying Group Policy updates (USB redirect in particular)... they may have been changes I made personally. I can't apply filters to my Group Policy without it freezing and there are 1700 entries to scan through. Maybe later.
     
    Last edited: Mar 3, 2018
  13. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
"The PersistentRoutes subkey contains entries representing routes that are permanently stored in the IP routing table. Unlike active routes, which are deleted when you shut down or restart Windows, permanent routes are stored in the registry and remain in the IP routing table until you remove them.

Because Windows does not create persistent routes, the PersistentRoutes subkey is empty by default. You must add persistent routes manually by using the -p switch with the Route add command at the command line. The Windows Route program, Route.exe, writes the route to the routing table and to the PersistentRoutes subkey. To remove a persistent route from the routing table and from the registry, use the Route delete command.
Each entry in the PersistentRoutes subkey represents one route entry in the routing table.

We add static routes, which will not change if the network is changed or reconfigured.
Static routing can be used to define an exit point from a router when no other routes are available or necessary. This is called a default route.
Static routing can be used for small networks that require only one or two routes. This is often more efficient since a link is not being wasted by exchanging dynamic routing information.
Static routing is often used as a complement to dynamic routing to provide a failsafe backup in the event that a dynamic route is unavailable.
Static routing is often used to help transfer routing information from one routing protocol to another (routing redistribution).
As I know, "1" means metric and you can type the command route print to have a view"
    Anybody have any more clue what is going on here, how these work and how they can be used for malicious activity and spying?
     
  14. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
So what is happening to my computer when I connect to the internet with these static routes? Does this mean the given IPs have unhindered access directly to my PC via the TCP/IP stack? Also, if you have them, please answer the other questions I have laid out in the original post, regarding "=" and the fact these addresses appear to be laid out in reverse, compared to other entries apparently inserted by the system.
     
  15. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
The "=" character doesn't mean anything. Since there is no value data under the entries, it displays as

    "<routes>" ="null"

    I have found no information regarding malware and Persistent routes anywhere.

    I just want to reiterate, these unwanted injected entries are laid out in reverse compared to system entries.

    "0.0.0.0,0.0.0.0,192.168.0.1,-1" (IP/Subnet/Gateway). vs "96.17.204.25,255.255.255.255,0.0.0.0,1"=""

What does this suggest? It seems to suggest MY IP and subnet mask are set as their address, and that routes are laid for me to connect to the internet through their addresses; or they are through mine, possibly through a form of device redirection; or a reverse or perhaps bi-directional VPN.

    Suggestions welcome... thank you very much.
     
    Last edited: Mar 7, 2018
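The two entry shapes compared above, as an added example that is not code from the thread, from Windows or from any tool it discusses: a small Python parser for PersistentRoutes value names. Both entries use the same field order, destination,netmask,gateway,metric (route.exe writes -1 when no metric was given). The difference is that one is the default route (0.0.0.0/0 via 192.168.0.1) while the other is a single-host (/32) route whose next hop is 0.0.0.0, so matching traffic is never handed to a router; that is the shape a telemetry-blocking tool leaves behind, which matches the blocking behaviour described further down the thread. The sample value names are constructed (two copy the thread's formats, one is invented), the classification labels are this example's own, and the registry reader only works on a Windows host.

```python
"""Parse and classify Windows PersistentRoutes registry entries.

Windows stores each route created with `route -p add` as a value *name*
under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\PersistentRoutes,
in the form "destination,netmask,gateway,metric" with empty value data.
Sample names below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

PERSISTENT_ROUTES_KEY = (
    r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes"
)

# Constructed sample of value names as they would appear in the key.
SAMPLE_VALUE_NAMES = [
    "0.0.0.0,0.0.0.0,192.168.0.1,-1",          # default route, -1 = no explicit metric
    "96.17.204.25,255.255.255.255,0.0.0.0,1",  # /32 host route, next hop 0.0.0.0
    "10.20.0.0,255.255.0.0,192.168.0.254,5",   # invented: network route via a LAN router
]

UNSPECIFIED = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class PersistentRoute:
    destination: ipaddress.IPv4Address
    netmask: ipaddress.IPv4Address
    gateway: ipaddress.IPv4Address
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        # "addr/dotted-mask" is accepted by ipaddress; strict=False tolerates host bits.
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}", strict=False)

    @property
    def kind(self) -> str:
        """Classify the route by what it does to matching traffic (labels are ours)."""
        if self.destination == UNSPECIFIED and self.netmask == UNSPECIFIED:
            return "default"          # everything not matched elsewhere goes to the gateway
        if self.gateway == UNSPECIFIED:
            # Next hop 0.0.0.0 names no router, so matching packets are never
            # forwarded off the local link; with a /32 mask this pins a single
            # host, the pattern telemetry blockers use to "block" an address.
            return "no-gateway-host" if self.network.prefixlen == 32 else "no-gateway-network"
        return "host" if self.network.prefixlen == 32 else "network"

    def to_route_add_command(self) -> str:
        """Reconstruct the route.exe command that would have created this entry."""
        cmd = f"route -p add {self.destination} mask {self.netmask} {self.gateway}"
        if self.metric >= 0:          # -1 in the registry means no explicit metric
            cmd += f" metric {self.metric}"
        return cmd

    def to_route_delete_command(self) -> str:
        """Command that removes the route from the live table and the registry."""
        return f"route delete {self.destination} mask {self.netmask} {self.gateway}"


def parse_persistent_route(value_name: str) -> PersistentRoute:
    """Parse one PersistentRoutes value name; raises ValueError on malformed input."""
    parts = value_name.split(",")
    if len(parts) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {value_name!r}")
    dest, mask, gateway, metric = (p.strip() for p in parts)
    return PersistentRoute(
        ipaddress.IPv4Address(dest),
        ipaddress.IPv4Address(mask),
        ipaddress.IPv4Address(gateway),
        int(metric),
    )


def classify_value_names(value_names) -> dict:
    """Map each value name to its route kind, keeping malformed names visible."""
    result = {}
    for name in value_names:
        try:
            result[name] = parse_persistent_route(name).kind
        except ValueError as exc:     # AddressValueError and bad int() both land here
            result[name] = f"malformed ({exc})"
    return result


def read_persistent_routes_from_registry() -> list:
    """Enumerate the live value names on a Windows host (needs the winreg module)."""
    import winreg  # Windows only; imported lazily so the parser runs anywhere
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PERSISTENT_ROUTES_KEY) as key:
        index = 0
        while True:
            try:
                name, _data, _type = winreg.EnumValue(key, index)
            except OSError:           # raised once the index runs past the last value
                break
            names.append(name)
            index += 1
    return names


if __name__ == "__main__":
    for name, kind in classify_value_names(SAMPLE_VALUE_NAMES).items():
        route = parse_persistent_route(name)
        print(f"{name:42} {kind:19} remove with: {route.to_route_delete_command()}")
```

Run it as-is to see the constructed sample classified; on a Windows box, swap `SAMPLE_VALUE_NAMES` for `read_persistent_routes_from_registry()` to audit the real key, and compare the count against the "329" figure style of output before deciding which `route delete` commands to run.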
  16. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
    This is my TCPIP registry file at the time these were discovered; note the "\\" before "DisableIPSourceRouting"=dword:00000002"

    Suggesting they had disabled it altogether;

     
  17. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
Seems these may have been added by the application Ancile; the same list was found here:

    https://wiki.installgentoo.com/index.php/Windows_10

    Ancile is used to disable and block windows telemetry, though in the process may be doing something far more insidious.
     
    Last edited: Mar 8, 2018
  18. ravenise

    ravenise Registered Member

    Joined:
    Jul 18, 2009
    Posts:
    92
Ok, Ancile is what is doing this; it blocks the same addresses in Windows Firewall and the hosts file, then it adds them to the routing table in reverse; perhaps it is acting similar to a "hosts" file, or making the PC directly accessible to Microsoft and other corporations; I'm not sure but it seems unlikely. Seeing that it blocks the IPs via firewall & hosts, the routing table would have to be capable of bypassing these as well. https://voat.co/v/Ancile/1677949

    https://bitbucket.org/ancile_development/ancileplugin_networking/downloads/modify_Hosts.data.zip
    https://bitbucket.org/ancile_development/ancileplugin_networking/downloads/modify_Routing.data.zip
    https://bitbucket.org/ancile_development/ancileplugin_networking/downloads/modify_WINFirewall.data.zip
     
    Last edited: Mar 8, 2018