Description
Problem statement
There are 2 other very disturbing apps getting installed on some Windows Intel and nVidia based PCs.
They are called Tobii and QueenCreek (QC).

- **Tobii** is an integrated eye/face tracking software that uploads an AI hashed fingerprint of your face. It's nearly impossible to remove, and re-installs itself on any Windows update, unless technically blocked.
- **QueenCreek**, on the other hand, seems to be behaving as a government spyware that uploads just about everything found on your computer, except the files themselves.
Scripts and many useful comments to remove/block Tobii can be found here:
https://gist.github.com/jcary741/19cc74c93a499f8c23ad7dd5a04faf86
Tobii Summary:
- Uploads encrypted SQLite3 facial/eye pattern DB to their servers via API at:
  https://api.statistics.ice.tobii.com/uploadSession
- ⬆️ This needs to be blocked at all levels, e.g. using Windows Firewall (`WF.msc`, or via `Firewall.cpl`).
Get the IPs used for the above API:

```text
# Resolve-DnsName "api.statistics.ice.tobii.com"
Name                           Type   TTL   Section    IPAddress
----                           ----   ---   -------    ---------
api.statistics.ice.tobii.com   A      60    Answer     18.154.63.45
api.statistics.ice.tobii.com   A      60    Answer     18.154.63.48
api.statistics.ice.tobii.com   A      60    Answer     18.154.63.19
api.statistics.ice.tobii.com   A      60    Answer     18.154.63.39
```

> [!IMPORTANT]
> It seems that the cloudfront.net servers are dynamically rotating the IP addresses, making it nearly impossible to block based on raw IP address alone.
Some other useful PowerShell commands for reference:

```powershell
Resolve-DnsName "statistics.ice.tobii.com"
Resolve-DnsName "ice.tobii.com"
Resolve-DnsName "tobii.com"
# dig api.statistics.ice.tobii.com
# nslookup api.statistics.ice.tobii.com

# Create a FW rule:
# Be careful as you may block unrelated IPs if you use `/24`.
# Replace the address below with the ones currently resolved above; with the
# /24 prefix the rule blocks outbound TCP to every host in that whole block.
New-NetFirewallRule -DisplayName "Block Tobii Malware API IP addresses" -Direction Outbound -LocalPort Any -Protocol TCP -Action Block -RemoteAddress 18.66.122.1/24
```
Check out:
https://www.robtex.com/dns-lookup/tobii.com
and consider checking the similar domains.
QueenCreek Summary:
> [!WARNING]
> Another very nasty Intel malware was hogging up my CPU and uploading just about every possible network setting, including info on every single piece of software and app installed and a full record of what programs have been running on the CPU. The malware is called QUEENCREEK and is supposed to help you tune your processor... Instead it uploads just about everything else about your computer, your network, your connected devices, apart from your files themselves!
Upload folders can be found here:
`C:\WINDOWS\system32\config\systemprofile\AppData\Local\Intel\SUR\QUEENCREEK\`

Program folder here:
`C:\Program Files\Intel\SUR\QUEENCREEK\x64\`

Registry keys here:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ESRV_SVC_QUEENCREEK\`

Service is called `ESRV_SVC_QUEENCREEK`.

```powershell
# Stop Service
sc.exe stop ESRV_SVC_QUEENCREEK
# Delete Service (disabling with `sc.exe config ESRV_SVC_QUEENCREEK start= disabled` is the reversible alternative)
sc.exe delete ESRV_SVC_QUEENCREEK
# Disable scheduled task:
schtasks.exe /change /tn USER_ESRV_SVC_QUEENCREEK /disable
```

Use firewall to block port 49350.
> [!IMPORTANT]
> This one is very tricky, hiding in plain sight! 👺
>
> However, if you leave your PC idle without touching anything, you will suddenly find your CPU fans and CPU usage go up massively as all the collection scripts are run and then uploaded to their spy DB servers. As soon as you touch anything, mouse or keyboard, it immediately drops back to normal. If you're lucky enough to find any associated process, you'll only see yet another svchost.exe and nothing else obvious.
List of contacting IPs:
20.69.140.28
20.69.140.28
20.69.140.28
20.99.133.109
20.99.133.109
20.99.133.109
23.32.75.16
23.38.194.13
23.38.194.17
23.46.228.41
23.46.228.49
23.53.122.202
23.53.122.207
23.53.122.208
23.53.122.210
23.53.122.211
23.53.122.212
23.53.122.213
23.53.122.214
23.53.122.216
23.53.122.219
23.55.140.42
23.55.140.42
23.55.140.42
23.55.219.177
23.59.183.74
23.192.230.10
23.196.145.221
23.196.145.221
23.196.193.245
23.196.193.245
23.196.193.245
23.215.176.43
23.215.176.48
23.215.176.56
23.215.176.58
23.215.176.64
23.215.176.65
23.215.176.66
23.215.176.74
23.215.176.75
23.216.147.6
23.216.147.13
23.216.147.22
23.216.147.23
23.216.147.26
23.216.147.32
23.216.147.34
23.216.147.35
23.216.147.35
23.216.147.38
23.216.147.41
52.111.227.11
52.123.130.14
52.123.131.14
52.123.250.133
52.123.250.134
52.123.250.155
52.123.250.159
52.123.250.160
52.123.250.161
52.123.250.162
52.123.250.175
92.38.145.145
104.71.214.69
104.98.118.136
104.98.118.136
104.98.118.137
104.98.118.137
104.98.118.144
104.98.118.144
104.98.118.145
104.98.118.146
104.98.118.146
104.98.118.147
104.98.118.152
104.98.118.152
104.98.118.154
104.98.118.154
104.98.118.155
104.98.118.155
104.98.118.160
104.98.118.161
104.98.118.163
104.98.118.168
104.98.118.171
104.98.118.176
104.98.118.177
104.98.118.178
104.98.118.179
104.98.118.179
142.251.184.94
151.101.22.172
151.101.22.172
184.27.218.92
184.27.218.92
184.27.218.92
199.232.210.172
199.232.214.172
217.20.54.34
a83f:8110:0:0:2000::
a83f:8110:2e00:6900:6e00:6600::
a83f:8110:3f8:ffff:f022:f369:3f8:ffff
a83f:8110:1414:14ff:1414:14ff:1414:14ff
a83f:8110:1414:14ff:1414:14ff:1414:14ff
a83f:8110:3671:a3ff:3671:a3ff:3671:a3ff
a83f:8110:3671:a3ff:3671:a3ff:3671:a3ff
a83f:8110:4646:4646:4646:4646:4646:4646
a83f:8110::1b00:100:2800:0
a83f:8110::4d88:21:0:0
a83f:8110::100:0:1800:0
Proposed solution
Help create scripts to block these.
(Sorry, I don't have the skills/experience to do this for privacy.sexy.)
Alternatives considered
None
Additional information
No response
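As an added example (not the issue author's script and not part of privacy.sexy), the PowerShell below wires the two procedures from the issue into one elevated script. It takes only the service name, task name, API hostname and paths from the issue text; the rule display names, the hosts-file marker comment and the assumption that the Tobii upload goes over TCP/443 are this example's own. Because Windows Firewall cannot match on a hostname and the CloudFront addresses rotate, the Tobii side uses two layers: a rule refreshed from a live A-record lookup (exact addresses, no `/24` guessing) plus a hosts-file sinkhole that holds across rotation. The QueenCreek side reads the service's own executable out of the service configuration and blocks that program, rather than addresses or a port: the IP list above contains addresses in ranges shared with large CDNs and Microsoft services, so a raw IP block there would hit unrelated traffic. It also records the service process's established connections before stopping it, which is the evidence the issue could only infer from fan noise and an anonymous `svchost.exe`.

```powershell
#Requires -RunAsAdministrator
# Added example for this issue; not the issue author's script and not part of privacy.sexy.
# Service, task, host and path names come from the issue text. The rule display names,
# the hosts-file marker and the use of TCP/443 are assumptions of this example.

$TobiiHost     = 'api.statistics.ice.tobii.com'
$TobiiRuleName = 'Block Tobii statistics API (resolved addresses)'   # assumed name
$QcService     = 'ESRV_SVC_QUEENCREEK'
$QcTask        = 'USER_ESRV_SVC_QUEENCREEK'
$QcRuleName    = 'Block Intel QueenCreek service binary'             # assumed name
$HostsFile     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$HostsMarker   = '# added by block-telemetry example'                # assumed marker

function Block-TobiiUpload {
    # Layer 1: block the addresses the name resolves to right now. -DnsOnly skips the
    # hosts file and local cache so a later re-run (e.g. from a scheduled task, to
    # follow CloudFront rotation) still sees the real records, not the sinkhole.
    $ips = @(Resolve-DnsName -Name $TobiiHost -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' -and $_.IPAddress -ne '0.0.0.0' } |
             Select-Object -ExpandProperty IPAddress | Sort-Object -Unique)
    if ($ips.Count -gt 0) {
        if (Get-NetFirewallRule -DisplayName $TobiiRuleName -ErrorAction SilentlyContinue) {
            # Replace, not append, so addresses that rotated out drop from the rule.
            Set-NetFirewallRule -DisplayName $TobiiRuleName -RemoteAddress $ips
        } else {
            New-NetFirewallRule -DisplayName $TobiiRuleName -Direction Outbound -Action Block `
                -Protocol TCP -RemotePort 443 -RemoteAddress $ips -Profile Any | Out-Null
        }
    }

    # Layer 2: sinkhole the name. The hosts file wins over DNS for every client that uses
    # the system resolver, so this survives address rotation. A client with pinned IPs
    # or its own DNS-over-HTTPS would bypass it; that is what layer 1 is for.
    $pattern = '^\s*0\.0\.0\.0\s+' + [regex]::Escape($TobiiHost) + '(\s|$)'
    $hosts = Get-Content -Path $HostsFile -ErrorAction Stop
    if (-not ($hosts | Where-Object { $_ -match $pattern })) {
        Add-Content -Path $HostsFile -Value "0.0.0.0 $TobiiHost $HostsMarker"
        Clear-DnsClientCache
    }
    return $ips
}

function Disable-QueenCreek {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$QcService'"
    if (-not $svc) { Write-Warning "$QcService is not installed on this machine"; return $null }

    # The service command line may be quoted and carry arguments; keep only the image path.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    # Capture what the service process is talking to before it is stopped.
    $conns = @()
    if ($svc.ProcessId) {
        $conns = @(Get-NetTCPConnection -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
                   Where-Object { $_.State -eq 'Established' } |
                   Select-Object LocalPort, RemoteAddress, RemotePort)
    }

    Stop-Service -Name $QcService -Force -ErrorAction SilentlyContinue
    Set-Service -Name $QcService -StartupType Disabled   # reversible; sc.exe delete is the one-way option

    # Task folders vary, so match on the task name across all of them.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq $QcTask } |
        Disable-ScheduledTask | Out-Null

    # Block the binary itself: survives CDN rotation and leaves other software that
    # shares those CDN/Microsoft address ranges untouched.
    if (-not (Get-NetFirewallRule -DisplayName $QcRuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $QcRuleName -Direction Outbound -Action Block `
            -Program $exe -Profile Any | Out-Null
    }
    return [pscustomobject]@{ Executable = $exe; ConnectionsSeen = $conns }
}

function Test-TelemetryBlock {
    # Verify both layers: the rules exist, the name now resolves to the sinkhole through
    # the normal resolver path, and the service cannot start on its own.
    $fw = Get-NetFirewallRule -DisplayName $TobiiRuleName, $QcRuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        FirewallRules   = @($fw).DisplayName
        TobiiResolvesTo = (Resolve-DnsName -Name $TobiiHost -Type A -ErrorAction SilentlyContinue).IPAddress
        ServiceStart    = (Get-Service -Name $QcService -ErrorAction SilentlyContinue).StartType
    }
}

Block-TobiiUpload | Out-Null
Disable-QueenCreek
Test-TelemetryBlock
```

Run it from an elevated PowerShell; `Test-TelemetryBlock` should show both rule names, `0.0.0.0` for the Tobii hostname and `Disabled` for the service. Because CloudFront records carry a 60-second TTL, register `Block-TobiiUpload` as a scheduled task (e.g. hourly) if you rely on the address rule; the hosts-file entry is the part that does not need refreshing. Disabling rather than deleting the service keeps the change reversible; the issue's `sc.exe delete` removes it outright.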