Re: strange software > winsupdater.exe

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 03/28/05

    Date: Mon, 28 Mar 2005 10:17:28 -0800 (PST)
    To: nick@virus-l.demon.co.uk, incidents@securityfocus.com
    
    

    I'm amazed that this is still an issue...and I'm even
    more amazed that you'd argue with Nick. ;-)

    > > Actually, I'd say they're fairly useful, if you
    > > plug them into google.
    > > Sites like iamnotageek.com have pretty good
    > > information repositories on
    > > what is legitimate and what is not.

    Nick's got a really good point. Look at some of the
    recent posts to the SF lists...recently someone had a
    file that ended up being a new variant of RBot...but a
    search for the filename only turned up nothing on
    Google.

    What happens when someone sees a file called
    "svchost.exe" and does a lookup? Oh, guess
    what...it's a legit MS file...*if* it's located in the
    system32 directory. Folks posting to the lists will
    mostly just give a filename...no path, no Registry
    keys the name is associated with, nothing...they don't
    do any investigation of their own.

    What happens when you find a file on a Windows system,
    and you open it up in Dependency Walker? Google may
    tell you that a file of that name is a backdoor, but
    provides no MD5 hash, no file size...nothing. But
    when you open the file up in depends.exe, you don't
    see a single DLL used by the file that allows for
    networking...no functions are imported from
    WinSock32.dll, Wininet.dll...nothing. So, what does
    that tell you? Maybe Googling for the file name
    shouldn't be the penultimate method for finding out
    what a file is/does.

    Speaking of well-entrenched errors, the same holds
    true with deleting the contents of the Prefetch
    directory on XP in order to improve performance. This
    is incorrect...yet it's been repeated so much that
    some people take it as gospel. This is the case with
    this "Google the filename" thing.

    The interesting thing is that as long as Nick and
    others have been saying this, I don't think that
    there's been a huge improvement in the information
    that's being posted by those who find "unusual" files
    on their systems.

    ------------------------------------------
    Harlan Carvey, CISSP
    "Windows Forensics and Incident Recovery"
    http://www.windows-ir.com
    http://windowsir.blogspot.com
    ------------------------------------------
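As an added example (not part of the post or the list archive), the following Python sketch does the kind of check Harlan describes instead of searching for the filename: it records path, size and MD5 and walks the PE import table to see whether the file pulls in a networking DLL. It uses only the standard library; `build_sample_pe` fabricates a minimal, non-runnable test image because no real binary accompanies the post, and the DLL names beyond WinSock/Wininet are my assumption.

```python
import hashlib
import struct
# DLLs that give a program network reach; the post names WinSock and Wininet, the rest are my additions.
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}

def imported_dlls(data):
    """Walk the PE32/PE32+ import directory and return the DLL names it references."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                      # optional header
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]               # data directory[1] = imports
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)  # vsize, va, rawsize, rawptr
                for i in range(nsec)]
    def rva_to_off(rva):
        for vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x outside all sections" % rva)
    dlls, off = [], (rva_to_off(imp_rva) if imp_rva else None)
    while off is not None:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]         # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                              # all-zero descriptor ends the array
            break
        start = rva_to_off(name_rva)
        dlls.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        off += 20
    return dlls

def triage(data, path):
    # What the post says a report should carry: path, size, MD5, imports, and whether any import is network-capable.
    dlls = imported_dlls(data)
    return {"path": path, "size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "imports": dlls, "network_capable": any(d.lower() in NETWORK_DLLS for d in dlls)}

def build_sample_pe(dll_names):
    """Constructed test image, not a real binary: PE32 headers plus one section holding only an import directory."""
    va, raw = 0x1000, 0x200
    names = b"".join(n.encode() + b"\0" for n in dll_names)
    first_name = va + 20 * (len(dll_names) + 1)                          # names follow the descriptor array
    rvas = [first_name + sum(len(n) + 1 for n in dll_names[:i]) for i in range(len(dll_names))]
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + b"\0" * 20
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<IIII", 0, 0, va, len(descs)) + b"\0" * 112
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(descs + names), va, len(descs + names), raw, 0, 0, 0, 0, 0)
    return (dos + coff + opt + sec).ljust(raw, b"\0") + descs + names
```

For a real suspect, pass the file's bytes and its full path to `triage()`; the path, size, hash and import list together are the details the post says a list report should include.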

