Security Incidents mailing list archives
Re: strange software > winsupdater.exe
From: Paul Laudanski <zx () castlecops com>
Date: Mon, 28 Mar 2005 13:13:29 -0500 (EST)
On Thu, 24 Mar 2005, Nick FitzGerald wrote:
Filenames are all but totally useless for diagnosing malware, spyware _AND_ the normal operation of a system.

Actually, I'd say they're fairly useful, if you plug them into google. Sites like iamnotageek.com have pretty good information repositories on what is legitimate and what is not.

You are, of course, quite wrong, but as this is not uncommonly believed by those who should know better, I'll try to explain it for you. I mean, there are all manner of sites like the one you mentioned, so it is obviously a well-entrenched error to believe that such information alone is useful. It is quite simple -- filenames are purely arbitrary.
Yes there are a lot of sites with the same types of information. CastleCops even has the same data sets for example:

http://castlecops.com/CLSID.html
http://castlecops.com/LSPs.html
http://castlecops.com/StartupList.html

However, to your point, there are many baddies out there which are completely random and cannot be accounted for simply by a filename -- just because the randomness is large. However the filename in the subject "winsupdater.exe" doesn't even come up in these lists, or even lists on a Google search. The only thing that comes back is this discussion -- except for cyberdefender:

http://www.cyberdefender.com/risk/html/20050314112300.log.html
Correct -- it means that if all you know is a filename, or even a filename and the file's full path, you still know nothing about what the thing in the file is no matter how many pages Google returns saying that this filename belongs to the FooBar backdoor, the Windows XP telnet client, or whatever.
I agree. A filename in and of itself can be meaningless. Especially if it is on an NTFS and we're dealing with streams, not to mention steganography. The file should be analyzed further.
Maybe now you can see why posts such as the OP's, and worse, responses such as "sounds like FooBar", and even worse "it is BarFoo, just delete it" are truly worrying to folk who understand how shit happens??? If you can't, members of the latter group would suggest that you would be better off to just STFU and watch and listen for a while.
When it comes to things like hijackthis logs, it is preferred that the experts deal with them due to the randomness of data. I shudder to think what might happen when those inexperienced perform cleanups. One can see the experts at hand:

http://castlecops.com/forum67.html

--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com