from Hacker News

The Curious Case of QUEENCREEK

by mobeigi on 8/19/24, 12:21 AM with 32 comments

  • by jiggawatts on 8/19/24, 7:05 AM

    The QUEENCREEK components may as well be malware, not just "appearing" to be malware.

    These services are insanely invasive and resource hungry, to the point that I regularly have to scrub them out of my system. If I don't, my CPU fans will spin up and make turbine noises while this monstrosity collects every piece of metadata it possibly can to be sent back to big brother at Intel.

    To expand on the comments in the original article, this is the description text file of one of these services:

        Inte(R) System Usage Report Service
    SystemUsageReportSvc_QUEENCREEK monitors 
    the computer system usage and helps to improve 
    system's performance."
    Intel is misspelled. That's insane for a Fortune 500 company.

    At most such organisations, you'd be raked over hot coals if you did something like this.

    Let us also ignore the missing 'the' or 'your' in "helps to improve system's performance." -- either way this is a flat lie. It doesn't improve performance in any way. It's spyware sending telemetry, that's all it does.

    The industry-wide problem is that there are zero consequences to this type of shoddy code deployed to a billion devices globally. It's just waiting to be next global Crowdstrike-style outage or remote code execution exploit.

    PS: Right next to this spyware in the list of services is the "Intel® Dynamic Application Loader". I won't describe it here, read for yourself what this does "for you", and for state actors that might want to hide malware that even the operating system can't access: https://www.intel.com/content/www/us/en/developer/tools/dal/...

  • by lxgr on 8/19/24, 1:22 PM

    This shows how much of a false sense of security code signing can create when done inconsistently like this: Highlighting unsigned binaries as dangerous, yet displaying an entry `python.exe malware.py` as trustworthy is… not great.

    Relatedly, I really wish runtimes and interpreters would rename their process to the name of the file they are running by default. Finding out which `java` or `python` out of dozen identical processes I need to kill isn’t fun.

  • by mrandish on 8/19/24, 4:07 AM

    I really hate it when major PC vendors name autorun tasks (or really any background task) with cryptic names that don't clearly identify the vendor and application. Yes, I realize we can't trust the name is legit without further verification. But when it is legit, knowing the vendor and app identity right in the name saves time. It would be nice if ALL applications did this but I can forgive a small open source project not doing so. However, when a Fortune 500 tech company with millions of users does it, it's unforgivable.

    It costs nothing to make your user's lives just a little bit easier. Also, for fuck's sake please populate the standard Window's file metadata for all your EXEs and DLLs when you're releasing products. I shouldn't have to run your app to find out the version number, vendor name, app name, release date, etc.

  • by apitman on 8/19/24, 3:26 AM

    Would be interested to know the etymology of the program name. There's a large suburb of Phoenix called Queen Creek.

  • by ashleyn on 8/19/24, 5:01 PM

    Crazy for intel to name it something that sounds exactly like a CIA tailored operations codeword.

  • by staplers on 8/19/24, 3:27 AM

      Furthermore, it opens the door for malware to “join the party”
    Or is a placeholder for state-sanctioned backdoors. Clearly too sophisticated to apply Hanlon's Razor.

  • by londons_explore on 8/19/24, 6:36 AM

    > A vbs script to call a bat script to call an exe.

    Who let that ship? Who did the code review?