RE: Strange servicepack.exe file (not service.exe) found.
From: James C Slora Jr (Jim.Slora_at_phra.com)
Date: 12/17/03
- Previous message: John Ives: "RE: Strange servicepack.exe file (not service.exe) found."
- Maybe in reply to: Chip Mefford: "Strange servicepack.exe file (not service.exe) found."
- Next in thread: Harlan Carvey: "RE: Strange servicepack.exe file (not service.exe) found."
- Reply: Harlan Carvey: "RE: Strange servicepack.exe file (not service.exe) found."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com> Date: Wed, 17 Dec 2003 21:22:21 -0000
Harlan -
> > How fun is this, though - Symantec's response today says the file
> > contains no malicious code. So nothing ever happened on the machine
> > that had to be rebuilt. Hmmmm.
>
> From what I've seen (online, in courses, at work, etc) this
> seems to be indicative of the state of incident response in
> the Windows world. Rather than developing a methodology, or
> employing one of the many that are already available, most
> organizations seem to prefer to sink time and effort into
> rebuilding systems...even if it may ultimately prove unnecessary.
To be fair to the original poster, in hindsight there was reasonable
association from other posts between the suspect file and some complex
adware that downloads arbitrary additional components and takes aggressive
actions like installing porno dialers similar to what was found. Rebuilding
might take less than an hour, while investigation and cleanup might take a
little more.
Recovery takes less skill and often less time than forensics. That makes it
a positive thing provided one investigated enough to know that recovery
eliminates any damage that might have occurred.
> > Of course the servicepack.exe file could have been a downloaded
> > byproduct of another infection on the affected machine.
>
> May have been...but one will never know. And if there had
> been an "infection", it may have been something as innocuous
> as simple spyware, rather than a worm infection or a full out
> compromise.
The downside as you say is one will never know. The "infection" vector might
not be determined until it happens again. And it would sure be nice to know
if the afflicted (if not infected) machine was trying to do anything to the
rest of the network or if it was communicating outside the LAN.
It is important to know what the machine did while it was in a suspect
state, if possible. The rebuild doesn't help enough if, for example, network
passwords were compromised.
Plus it would really be silly if a machine gets rebuilt when a reboot might
have sufficed. Windows does love to DoS itself once in a while.
- Jim
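As an added example (not part of Jim's message or anything else in this thread), the script below does the kind of check the message says would be nice to have before deciding on rebuild versus investigate: given perimeter firewall log lines and the address of the suspect host, it separates what the host talked to inside the LAN from what it sent outside the LAN, notes which of those connections were denied, and lists the internal peers it contacted on SMB/NetBIOS ports, which is where domain credentials would have been presented if network passwords are a concern. The log line format, the LAN range 10.1.2.0/24, the host addresses and every log line are constructed for this example; the LAN is defined explicitly rather than via a "private address" test because that is what a defender actually knows about their own network.

```python
import ipaddress
import re
from collections import Counter

# Address space this example treats as "the LAN" (an assumption for the example;
# a real deployment lists its own ranges here).
LAN_NETS = [ipaddress.ip_network("10.1.2.0/24")]

# Internal ports where Windows network credentials are normally presented
# (NetBIOS session, SMB). Internal peers hit on these ports are the ones to
# review if compromised network passwords are suspected.
CREDENTIAL_PORTS = {139, 445}

# Constructed firewall log lines in a hypothetical format (not from the thread):
# <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
# One deliberately malformed line is included to show that parsing skips it.
SAMPLE_LOG = """\
2003-12-17T20:01:03 10.1.2.55:1043 -> 10.1.2.10:445 tcp allow
2003-12-17T20:01:09 10.1.2.55:1044 -> 10.1.2.11:139 tcp allow
2003-12-17T20:02:41 10.1.2.55:1050 -> 203.0.113.7:80 tcp allow
2003-12-17T20:02:42 10.1.2.55:1051 -> 203.0.113.7:80 tcp allow
2003-12-17T20:03:15 10.1.2.55:1052 -> 198.51.100.20:6667 tcp deny
2003-12-17T20:03:30 10.1.2.77:2001 -> 10.1.2.10:445 tcp allow
this line is garbage and should be ignored
2003-12-17T20:04:02 10.1.2.55:1060 -> 10.1.2.1:53 udp allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_lan(ip_str):
    """True if the address falls inside one of the configured LAN ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in LAN_NETS)


def summarize_host(text, suspect_ip):
    """Summarize everything the suspect host initiated, split by LAN vs. outside."""
    internal = Counter()   # (dst, dport, proto) -> connection count inside the LAN
    external = Counter()   # (dst, dport, proto) -> connection count outside the LAN
    denied = []            # connections the firewall blocked, in log order
    credential_peers = set()
    for rec in parse_log(text):
        if rec["src"] != suspect_ip:
            continue  # traffic from other hosts is not part of this question
        key = (rec["dst"], int(rec["dport"]), rec["proto"])
        if is_lan(rec["dst"]):
            internal[key] += 1
            if key[1] in CREDENTIAL_PORTS:
                credential_peers.add(rec["dst"])
        else:
            external[key] += 1
        if rec["action"] != "allow":
            denied.append(key)
    return {
        "internal": dict(internal),
        "external": dict(external),
        "denied": denied,
        "credential_peers": sorted(credential_peers),
    }


if __name__ == "__main__":
    summary = summarize_host(SAMPLE_LOG, "10.1.2.55")
    for section, value in summary.items():
        print(f"{section}: {value}")
```

Running it against the constructed log shows the suspect host reached two outside-LAN destinations (one of them blocked) and touched two internal peers on credential-bearing ports, which is exactly the information a rebuild-only response throws away. Point it at a real export by replacing SAMPLE_LOG and LINE_RE with your firewall's line format.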