Security Incidents mailing list archives
RE: Strange servicepack.exe file (not service.exe) found.
From: "James C Slora Jr" <Jim.Slora () phra com>
Date: Wed, 17 Dec 2003 21:22:21 -0000
Harlan -
>> How fun is this, though - Symantec's response today says the file contains no malicious code. So nothing ever happened on the machine that had to be rebuilt. Hmmmm.

> From what I've seen (online, in courses, at work, etc.) this seems to be indicative of the state of incident response in the Windows world. Rather than developing a methodology, or employing one of the many that are already available, most organizations seem to prefer to sink time and effort into rebuilding systems...even if it may ultimately prove unnecessary.
To be fair to the original poster, in hindsight there was reasonable association from other posts between the suspect file and some complex adware that downloads arbitrary additional components and takes aggressive actions like installing porno dialers similar to what was found. Rebuilding might take less than an hour, while investigation and cleanup might take a little more. Recovery takes less skill and often less time than forensics. That makes it a positive thing provided one investigated enough to know that recovery eliminates any damage that might have occurred.
>> Of course the servicepack.exe file could have been a downloaded byproduct of another infection on the affected machine.

> May have been...but one will never know. And if there had been an "infection", it may have been something as innocuous as simple spyware, rather than a worm infection or a full-out compromise.
The downside as you say is one will never know. The "infection" vector might not be determined until it happens again. And it would sure be nice to know if the afflicted (if not infected) machine was trying to do anything to the rest of the network or if it was communicating outside the LAN. It is important to know what the machine did while it was in a suspect state, if possible. The rebuild doesn't help enough if, for example, network passwords were compromised. Plus it would really be silly if the machine gets rebuilt when a reboot might have sufficed. Windows does love to DoS itself once in a while.

- Jim
Current thread:
- Strange servicepack.exe file (not service.exe) found. Chip Mefford (Dec 16)
- RE: Strange servicepack.exe file (not service.exe) found. Bojan Zdrnja (Dec 17)
- SV: Strange servicepack.exe file (not service.exe) found. Peter Kruse (Dec 17)
- Re: Strange servicepack.exe file (not service.exe) found. Eric Chien (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Rob Shein (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. John Ives (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. James C Slora Jr (Dec 17)
- RE: Strange servicepack.exe file (not service.exe) found. Harlan Carvey (Dec 18)
- RE: Strange servicepack.exe file (not service.exe) found. David Gillett (Dec 18)
- Re: Strange servicepack.exe file (not service.exe) found. Doug Foster (Dec 19)
- Re: Strange servicepack.exe file (not service.exe) found. dreamwvr () dreamwvr com (Dec 19)
- Administrivia: Dead Thread - Strange servicepack.exe file (not service.exe) found. Dan Hanson (Dec 19)
- RE: Strange servicepack.exe file (not service.exe) found. Lucretia (Dec 19)
- <Possible follow-ups>
- RE: Strange servicepack.exe file (not service.exe) found. Kolde, Jennifer E. (Dec 18)