Re: strange software > winsupdater.exe

From: Nick FitzGerald (nick_at_virus-l.demon.co.uk)
Date: 03/24/05

  • Next message: Brian Eckman: "Re: Pubstro rash" 
    Date: Thu, 24 Mar 2005 19:50:22 +1200
To: incidents@securityfocus.com

    Jeremy Anderson to me:

    > > Filenames are all but totally useless for diagnosing malware, spyware
    > > _AND_ the normal operation of a system.
    >
    > Actually, I'd say they're fairly useful, if you plug them into google.
    > Sites like iamnotageek.com have pretty good information repositories on
    > what is legitimate and what is not.

    You are, of course, quite wrong, but as this is not uncommonly believed
    by those who should know better, I'll try to explain it for you. I
    mean, there are all manner of sites like the one you mentioned, so it
    is obviously a well-entrenched error to believe that such information
    alone is useful.

    It is quite simple -- filenames are purely arbitrary.

    Now think for a moment about what that means...

    Correct -- it means that if all you know is a filename, or even a
    filename and the file's full path, you still know nothing about what
    the thing in the file is no matter how many pages Google returns saying
    that this filename belongs to the FooBar backdoor, the Windows XP
    telnet client, or whatever.

    Such information _can_ be _VERY slightly_ useful to an informed,
    intelligent and resourceful investigator, but as I said, not much use
    -- in fact, "all but totally useless" because informed, intelligent and
    resourceful investigators will quickly discover many, and much more
    diagnostically useful, additional things about such "unknown" files.

    Sadly, the less informed, intelligent and resourceful investigators are
    left to the mercy of the accuracy (or otherwise) of any and all of the
    material Google will regurgitate in response to a filename search and
    the haphazard quality of their "best guesses" -- often the Google-
    returned material is apparently contradictory and at least the better
    sites always note that most any file can be renamed to most anything
    and still retain its original functionality... (If the better "name
    that file" sites carry such warnings, what real value can such sites
    have beyond generating the odd bit of click-thru revenue from their
    banner ads?????)

    Anyway, back to searching filenames as a diagnostic approach...

    The still less informed will even go so far as to waste the informed
    folks time by not only posting a "What does foobar.exe do?" type
    message to a mailing list, but then have them spend even more time
    explaining _why_ such questions are a waste of time.

    > a filename is no substitute for actual forensic analysis, ...

    True, but that was not my point. Well, maybe it was a part of my
    point, but it was not the main thrust of my claim. Lest you still do
    not understand, I'll give you a teensy, weensy piece of clue to play
    with...

    > ... but it can
    > give you a good leg up on many, many pieces of spyware and malware.

    That kind of inductive reasoning leaves one _VERY_ likely to commit the
    most unprofessional of errors, treating the wrong thing the wrong way.
    Maybe they don't take this approach where you went to school, but a
    true professional, starting from the position of "first do no further
    harm" will not jump into a "fix it" session (nor direct anyone via
    Email, etc to do the same) on the basis of such a shabby diagnosis as
    "That filename is known to have been used by the FooBar Trojan...".

    Maybe now you can see why posts such as the OP's, and worse, responses
    such as "sounds like FooBar", and even worse "it is BarFoo, just delete
    it" are truly worrying to folk who understand how *** happens???

    If you can't, members of the latter group would suggest that you would
    be better off to just STFU and watch and listen for a while. 

    -- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
  • Next message: Brian Eckman: "Re: Pubstro rash"