Security Incidents mailing list archives
Re: strange software > winsupdater.exe
From: Harlan Carvey <keydet89 () yahoo com>
Date: Mon, 28 Mar 2005 10:17:28 -0800 (PST)
I'm amazed that this is still an issue...and I'm even more amazed that you'd argue with Nick. ;-)
> Actually, I'd say they're fairly useful, if you plug them into google. Sites like iamnotageek.com have pretty good information repositories on what is legitimate and what is not.
Nick's got a really good point. Look at some of the recent posts to the SF lists...recently someone had a file that ended up being a new variant of RBot...but a search for the filename only turned up nothing on Google. What happens when someone sees a file called "svchost.exe" and does a lookup? Oh, guess what...it's a legit MS file...*if* it's located in the system32 directory. Folks posting to the lists will mostly just give a filename...no path, no Registry keys the name is associated with, nothing...they don't do any investigation of their own.

What happens when you find a file on a Windows system, and you open it up in Dependency Walker? Google may tell you that a file of that name is a backdoor, but provides no MD5 hash, no file size...nothing. But when you open the file up in depends.exe, you don't see a single DLL used by the file that allows for networking...no functions are imported from WinSock32.dll, Wininet.dll...nothing. So, what does that tell you? Maybe Googling for the file name shouldn't be the penultimate method for finding out what a file is/does.

Speaking of well-entrenched errors, the same holds true with deleting the contents of the Prefetch directory on XP in order to improve performance. This is incorrect...yet it's been repeated so much that some people take it as gospel. This is the case with this "Google the filename" thing. The interesting thing is that as long as Nick and others have been saying this, I don't think that there's been a huge improvement in the information that's being posted by those who find "unusual" files on their systems.

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
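An added example, not part of Harlan's post, of the triage he describes: instead of a bare filename, collect the path, size, MD5 and the imported DLLs that depends.exe would show, and flag whether any of them gives the file networking. The parser walks the PE import directory with the standard library only; the DLL watch list and the minimal PE built as sample input are my own constructions.

```python
import hashlib
import struct

# Importing any of these DLLs is what depends.exe shows for a binary that can reach the network (assumed list).
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}

def _rva_to_offset(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(data):
    """Walk the PE import directory and return the imported DLL names, lower-cased."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                         # optional header
    dirs = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)  # PE32 / PE32+
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]              # data directory 1 = imports
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))
    dlls = []
    if import_rva:
        off = _rva_to_offset(import_rva, sections)
        while name_rva := struct.unpack_from("<I", data, off + 12)[0]:   # descriptor.Name; 0 terminates
            start = _rva_to_offset(name_rva, sections)
            dlls.append(data[start:data.index(b"\0", start)].decode("ascii").lower())
            off += 20                                                     # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return dlls

def triage(path, data):
    # The facts a list post should carry instead of a bare filename.
    dlls = imported_dlls(data)
    return {"path": path, "size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "imports": dlls, "network_capable": bool(NETWORK_DLLS & set(dlls))}

def build_sample_pe(names=(b"WS2_32.dll", b"KERNEL32.dll")):
    """Constructed minimal PE32 (no code) whose one section holds only an import table."""
    sec_rva, sec_raw, descs, blob = 0x1000, 0x200, b"", b""
    name_rva = sec_rva + 20 * (len(names) + 1)                            # strings follow the descriptors
    for n in names:
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva + len(blob), 0)
        blob += n + b"\0"
    section = descs + b"\0" * 20 + blob
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"          # DOS stub, e_lfanew = 64
    hdr += struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)         # COFF: 1 section, 224-byte opt hdr
    hdr += struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # PE32 magic ... 16 directories
    hdr += b"\0" * 8 + struct.pack("<II", sec_rva, len(section) - len(blob)) + b"\0" * 112
    hdr += b".rdata\0\0" + struct.pack("<IIII", len(section), sec_rva, len(section), sec_raw) + b"\0" * 16
    return hdr.ljust(sec_raw, b"\0") + section
```

Run `triage(r"C:\WINDOWS\system32\winsupdater.exe", open(path, "rb").read())` on a real file to get the path, hash, size and import list worth posting.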