Chinese Font may support new Trojan
- From: mabrams <guest@xxxxxxxxxxxxxxxxx>
- Date: Mon, 20 Apr 2009 08:07:37 -0500
In Photoshop, scrolling through the available fonts, the application
would freeze. Suspecting a font corruption, I scanned my
C:\Windows\Fonts folder and noticed several large unrecognized fonts.
Upon examining the properties of several large font files, I found
that they were of Chinese origin and were installed under the Security
Group: TrustedInstaller.
TrustedInstaller is not defined to my Security as a user or group. I
do understand that TrustedInstaller.exe is an MS system file used in an
OS process.
My thoughts are: What a great way to social engineer the insertion of
a rogue Chinese font with a Trojan program: masquerade a bogus security
group with the same name as a system process. Examining this Chinese
font "MingLiU-ExtB", I found that the typeface was in Western ASCII. The
Chinese Unicode would support this character set on a Chinese PC. This
would enable a Chinese PC with remote access to read my English data.
If you can sneak a font onto my PC and make it look like it belongs to
an OS process, how difficult would it be to also insert a Trojan and
make it look like something else? AV software only detects what it
knows, either by code snippets or patterns. If it is not in the Mug Book,
it does not exist for AV programs, and there is always a way to exploit the
system.
Reading other comments on TrustedInstaller, I found that
TrustedInstaller was dismissed quickly because it's a valid MS program.
But it is not a valid Security Group, and why on my PC does the
Administrator account or Administrators group not have permissions to
this file? In order to remove the bloated font(s), and there are
several families, I needed to edit into each one through the file
properties, Security Tab, Advanced button for permissions for
authenticated users, Owner Tab, Edit Button, Other users and groups
button, and then add the Administrator account so that I had permission
to remove the file. What a job. And no, you can't just create a
security group called TrustedInstaller. The security encryption is
created from the name and other hidden variables, so adding a
TrustedInstaller Account or Group is useless, and one needs to reformat
or reassign file ownership in order to remove these files.
Here are the properties for the largest font file at 33 MB:
Title: MingLiU-ExtB; PMingLiU-ExtB; MingLiU-HKSCS-ExtB
Copyright: Copyright DynaComware Corp. 2005
Group: TrustedInstaller
So I am concerned, because I don't know who or what really put
several TrustedInstaller-owned files on my PC. I will rebuild the PC
when I have a few days of downtime, and I will look for the
TrustedInstaller-owned fonts which are not on any other of my
workstations, leading me to believe I visited the wrong Website or a
virus came in under the wire?
If any reader has definitive information on this issue, please post,
as there is a lot of guessing taking place; even my post is half
conjecture.
--
mabrams
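As an added example (not the poster's own code), here is a PowerShell script that inventories the Fonts folder with each file's size, NTFS owner, and whether it is registered under the Windows Fonts registry key, so the list can be exported and compared against a known-good workstation as the post proposes. The 10 MB threshold and the CSV output path are assumptions of the example; files shipped with Windows are normally owned by NT SERVICE\TrustedInstaller, so the useful signal is a font that is unregistered or absent from the reference machine, not the owner by itself.

```powershell
# Added example: inventory C:\Windows\Fonts for triage, then diff the CSV
# between machines. Nothing here modifies or deletes files.

$fontDir   = Join-Path $env:WINDIR 'Fonts'
$fontKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
$minSizeMB = 10   # assumed threshold: the post's suspect file was 33 MB

# Build a lookup of registered font files. Registry value data are file names
# (relative to the Fonts folder) or full paths; keep only the file name.
$registered = @{}
$props = Get-ItemProperty -Path $fontKey
foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
    $name = [IO.Path]::GetFileName([string]$p.Value).ToLower()
    if ($name) { $registered[$name] = $p.Name }
}

# One record per font file: size, owner from the ACL, registration status.
$report = Get-ChildItem -Path $fontDir |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        $key = $_.Name.ToLower()
        New-Object PSObject -Property @{
            File       = $_.Name
            SizeMB     = [math]::Round($_.Length / 1MB, 1)
            Owner      = $acl.Owner                 # e.g. NT SERVICE\TrustedInstaller
            Registered = $registered.ContainsKey($key)
            RegName    = $registered[$key]           # display name from the registry
            Modified   = $_.LastWriteTime
        }
    }

# Show the large or unregistered files first, then export everything so the
# CSV can be compared (e.g. with Compare-Object) against another workstation.
$report |
    Where-Object { $_.SizeMB -ge $minSizeMB -or -not $_.Registered } |
    Sort-Object SizeMB -Descending |
    Format-Table File, SizeMB, Owner, Registered, RegName, Modified -AutoSize

$out = Join-Path $env:TEMP ("font-inventory-" + $env:COMPUTERNAME + ".csv")
$report | Export-Csv -Path $out -NoTypeInformation
Write-Host "Inventory written to $out"
```

Only after a file has been confirmed as foreign against the reference machine, the ownership steps the post walks through in the GUI correspond to `takeown /F <file>` followed by `icacls <file> /grant Administrators:F` from an elevated prompt.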