Re: strange software > winsupdater.exe

From: Paul Laudanski (zx_at_castlecops.com)
Date: 03/28/05

    Date: Mon, 28 Mar 2005 13:13:29 -0500 (EST)
    To: Nick FitzGerald <nick@virus-l.demon.co.uk>
    
    

    On Thu, 24 Mar 2005, Nick FitzGerald wrote:

    > > > Filenames are all but totally useless for diagnosing malware, spyware
    > > > _AND_ the normal operation of a system.
    > >
    > > Actually, I'd say they're fairly useful, if you plug them into google.
    > > Sites like iamnotageek.com have pretty good information repositories on
    > > what is legitimate and what is not.
    >
    > You are, of course, quite wrong, but as this is not uncommonly believed
    > by those who should know better, I'll try to explain it for you. I
    > mean, there are all manner of sites like the one you mentioned, so it
    > is obviously a well-entrenched error to believe that such information
    > alone is useful.
    >
    > It is quite simple -- filenames are purely arbitrary.

    Yes, there are a lot of sites with the same types of information.
    CastleCops even has the same data sets, for example:

    http://castlecops.com/CLSID.html
    http://castlecops.com/LSPs.html
    http://castlecops.com/StartupList.html

    However, to your point, there are many baddies out there which are
    completely random and cannot be accounted for simply by a filename -- just
    because the randomness is large.

    However, the filename in the subject, "winsupdater.exe", doesn't even come up
    in these lists, or even in a Google search. The only thing that
    comes back is this discussion -- except for cyberdefender:

    http://www.cyberdefender.com/risk/html/20050314112300.log.html

    > Correct -- it means that if all you know is a filename, or even a
    > filename and the file's full path, you still know nothing about what
    > the thing in the file is no matter how many pages Google returns saying
    > that this filename belongs to the FooBar backdoor, the Windows XP
    > telnet client, or whatever.

    I agree. A filename in and of itself can be meaningless, especially if
    it is on NTFS and we're dealing with streams, not to mention
    steganography. The file should be analyzed further.

    > Maybe now you can see why posts such as the OP's, and worse, responses
    > such as "sounds like FooBar", and even worse "it is BarFoo, just delete
    > it" are truly worrying to folk who understand how *** happens???
    >
    > If you can't, members of the latter group would suggest that you would
    > be better off to just STFU and watch and listen for a while.

    When it comes to things like HijackThis logs, it is preferred that the
    experts deal with them due to the randomness of the data. I shudder to think
    what might happen when the inexperienced perform cleanups.

    One can see the experts at hand:

    http://castlecops.com/forum67.html

    -- 
    Sincerely,
    Paul Laudanski .. Computer Cops, LLC.
    CastleCops(SM)... http://castlecops.com
    CC Blog ......... http://blog.castlecops.com
    Staff Blogs ..... http://busterbunny.castlecops.com
    Our Vision ...... http://castlecops.com/postt63382.html
    http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
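As an added example, not part of this thread or of CastleCops' own tools: the point that a filename says nothing about the file, shown by triaging a directory on content alone (SHA-256 plus a header check), so that identical bytes saved under different names group together regardless of name. All sample contents are constructed stubs, not real executables.

```python
import hashlib
import os
import tempfile

# Constructed sample contents (not real malware): a stub starting with the
# "MZ" signature that stands in for a PE executable, and a plain text file.
FAKE_PE_BYTES = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32
TEXT_BYTES = b"just a text file\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def identify(path):
    """Describe a file by its content, ignoring whatever name it was given."""
    with open(path, "rb") as f:
        data = f.read()
    # A DOS/PE image begins with "MZ"; the extension is irrelevant to this check.
    kind = "pe-executable" if data[:2] == b"MZ" else "other"
    return {"name": os.path.basename(path),
            "sha256": sha256_hex(data),
            "kind": kind}


def triage_dir(directory):
    """Group files by SHA-256 so the same bytes line up under any name."""
    groups = {}
    for name in sorted(os.listdir(directory)):
        info = identify(os.path.join(directory, name))
        groups.setdefault(info["sha256"], []).append(info)
    return groups


def demo():
    """Write the constructed samples under three names and triage them.

    The same "MZ" stub is saved as winsupdater.exe and as notes.txt; the hash
    groups them together while the names alone would never have matched.
    """
    d = tempfile.mkdtemp()
    samples = [("winsupdater.exe", FAKE_PE_BYTES),
               ("notes.txt", FAKE_PE_BYTES),
               ("readme.txt", TEXT_BYTES)]
    for name, content in samples:
        with open(os.path.join(d, name), "wb") as f:
            f.write(content)
    return triage_dir(d)
```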
    
