Security Incidents mailing list archives

Re: strange software > winsupdater.exe

From: Paul Laudanski <zx () castlecops com>
Date: Mon, 28 Mar 2005 13:13:29 -0500 (EST)

On Thu, 24 Mar 2005, Nick FitzGerald wrote:

Filenames are all but totally useless for diagnosing malware, spyware
_AND_ the normal operation of a system.


Actually, I'd say they're fairly useful, if you plug them into google. 
Sites like iamnotageek.com have pretty good information repositories on
what is legitimate and what is not.


You are, of course, quite wrong, but as this is not uncommonly believed 
by those who should know better, I'll try to explain it for you.  I 
mean, there are all manner of sites like the one you mentioned, so it 
is obviously a well-entrenched error to believe that such information 
alone is useful.

It is quite simple -- filenames are purely arbitrary.


Yes there are a lot of sites with the same types of information.  
CastleCops even has the same data sets for example:

http://castlecops.com/CLSID.html
http://castlecops.com/LSPs.html
http://castlecops.com/StartupList.html

However, to your point, there are many baddies out there which are 
completely random and cannot be accounted for simply by a filename -- just 
because the randomness is large.

However the filename in the subject "winsupdater.exe" doesn't even come up 
in these lists, or even lists on a Google search.  The only thing that 
comes back is this discussion -- except for cyberdefender:

http://www.cyberdefender.com/risk/html/20050314112300.log.html

Correct -- it means that if all you know is a filename, or even a 
filename and the file's full path, you still know nothing about what 
the thing in the file is no matter how many pages Google returns saying 
that this filename belongs to the FooBar backdoor, the Windows XP 
telnet client, or whatever.


I agree.  A filename in and of itself can be meaningless.  Especially if 
it is on an NTFS and we're dealing with streams, not to mention 
steganography.  The file should be analyzed further.

Maybe now you can see why posts such as the OP's, and worse, responses 
such as "sounds like FooBar", and even worse "it is BarFoo, just delete 
it" are truly worrying to folk who understand how shit happens???

If you can't, members of the latter group would suggest that you would 
be better off to just STFU and watch and listen for a while.


When it comes to things like hijackthis logs, it is preferred that the 
experts deal with them due to the randomness of data.  I shudder to think 
what might happen when those inexperienced perform cleanups.

One can see the experts at hand:

http://castlecops.com/forum67.html

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html

http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com

Current thread:

strange software > winsupdater.exe SDA (Mar 15)
- Re: strange software > winsupdater.exe Nick FitzGerald (Mar 16)
  - Re: strange software > winsupdater.exe Justin (Mar 16)
    - Re: strange software > winsupdater.exe Jeremy Anderson (Mar 17)
    - Re: strange software > winsupdater.exe Nick FitzGerald (Mar 28)
    - Re: strange software > winsupdater.exe Paul Laudanski (Mar 28)
    - Pubstro rash David Gillett (Mar 17)
    - Re: Pubstro rash Mark Coleman (Mar 17)
    - RE: Pubstro rash Steve Drees (Mar 17)
    - RE: Pubstro rash Alexandre Skyrme (Mar 17)
    - Re: Pubstro rash Jeff Kell (Mar 18)
    - RE: Pubstro rash David Gillett (Mar 18)
- Re: strange software > winsupdater.exe Mike Barushok (Mar 16)
- <Possible follow-ups>
- Re: strange software > winsupdater.exe Harlan Carvey (Mar 16)
- RE: strange software > winsupdater.exe Jim Harrison (ISA) (Mar 16)
- RE: strange software > winsupdater.exe Harlan Carvey (Mar 16)

(Thread continues...)