Re: strange software > winsupdater.exe

[Nick FitzGerald <nick () virus-l demon co uk>]

Jeremy Anderson to me:

> > Filenames are all but totally useless for diagnosing malware, spyware
> > _AND_ the normal operation of a system.
>
> Actually, I'd say they're fairly useful, if you plug them into google. 
> Sites like iamnotageek.com have pretty good information repositories on
> what is legitimate and what is not.

You are, of course, quite wrong, but as this is not uncommonly believed 
by those who should know better, I'll try to explain it for you.  I 
mean, there are all manner of sites like the one you mentioned, so it 
is obviously a well-entrenched error to believe that such information 
alone is useful.

It is quite simple -- filenames are purely arbitrary.

Now think for a moment about what that means...

Correct -- it means that if all you know is a filename, or even a 
filename and the file's full path, you still know nothing about what 
the thing in the file is no matter how many pages Google returns saying 
that this filename belongs to the FooBar backdoor, the Windows XP 
telnet client, or whatever.

Such information _can_ be _VERY slightly_ useful to an informed, 
intelligent and resourceful investigator, but as I said, not much use
-- in fact, "all but totally useless" because informed, intelligent and 
resourceful investigators will quickly discover many, and much more 
diagnostically useful, additional things about such "unknown" files.

Sadly, the less informed, intelligent and resourceful investigators are 
left to the mercy of the accuracy (or otherwise) of any and all of the 
material Google will regurgitate in response to a filename search and 
the haphazard quality of their "best guesses" -- often the Google-
returned material is apparently contradictory and at least the better 
sites always note that most any file can be renamed to most anything 
and still retain its original functionality...  (If the better "name 
that file" sites carry such warnings, what real value can such sites 
have beyond generating the odd bit of click-thru revenue from their 
banner ads?????)

Anyway, back to searching filenames as a diagnostic approach...

The still less informed will even go so far as to waste the informed 
folks time by not only posting a "What does foobar.exe do?" type 
message to a mailing list, but then have them spend even more time 
explaining _why_ such questions are a waste of time.  

> a filename is no substitute for actual forensic analysis, ...

True, but that was not my point.  Well, maybe it was a part of my 
point, but it was not the main thrust of my claim.  Lest you still do 
not understand, I'll give you a teensy, weensy piece of clue to play 
with...

> ... but it can
> give you a good leg up on many, many pieces of spyware and malware. 

That kind of inductive reasoning leaves one _VERY_ likely to commit the 
most unprofessional of errors, treating the wrong thing the wrong way. 
Maybe they don't take this approach where you went to school, but a 
true professional, starting from the position of "first do no further 
harm" will not jump into a "fix it" session (nor direct anyone via 
Email, etc to do the same) on the basis of such a shabby diagnosis as 
"That filename is known to have been used by the FooBar Trojan...".

Maybe now you can see why posts such as the OP's, and worse, responses 
such as "sounds like FooBar", and even worse "it is BarFoo, just delete 
it" are truly worrying to folk who understand how shit happens???

If you can't, members of the latter group would suggest that you would 
be better off to just STFU and watch and listen for a while.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092