Network Security Incidents

Re: strange software > winsupdater.exe

Subject: Re: strange software > winsupdater.exe
Date: Thu, 17 Mar 2005 10:16:33 -0800 (PST)
You're both right, sort of.  File names are not
totally useless, but one has to be careful and
understand the caveats.  

Using file names, you can more or less confirm that a
file is suspicious, but you cannot confirm whether a
file is legitimate.  If google doesn't find anything,
or everything it finds is bad, that's not good.  But
if google or any other web site does find legitimate
files with that name, that is inconclusive.

Also, looking at file names does not reliably identify
what the malware is, what variant, what it may have
done to your system, and how to remove it.  

Far more useful and informative is submitting the file
to a place such as www.virustotal.com for instant
analysis, and for simultaneously submitting new
samples to multiple AV vendors.  If you know the file
name, I feel this should be done before searching
google or posting here.

People posting file names here should probably also be
posting 1) the directory path the file was found in,
in case a legitimate file name [e.g. svchost.exe] is
found in a nonstandard folder name.  I would also
suggest such people also 2) post the results of a
google search and 3) results of analysis via one or
more antivirus programs, such as via
www.virustotal.com

Now, if someone was to argue that in the time it took
you to do a google search, you could have more
accurately identified the malware by using one or more
AV scanners, that could be a true statement.  

Or if someone was to say that using file names
incorrectly presents a danger that a junior tech could
look up "svchost.exe" and find that it is legitimate,
or that someone could decide just to delete a bad file
and not realize that passwords have been logged or a
second service undeletes the first deleted file, I
might agree.  Just deleting malware [or reformatting
it away] without accurately identifying it, submitting
it and understanding it can be very bad for your
security.

regards,

Karl


-----Original Message-----
From: Jeremy Anderson [mailto:jeremy@angelar.com] 

Actually, I'd say [filenames are] fairly useful, if
you plug them into google.  Sites like iamnotageek.com
have pretty good information repositories on what is
legitimate and what is not.
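The triage order Karl argues for (check the folder a well-known name was found in, then hash the file so it can be looked up on or submitted to a multi-engine scanner such as virustotal.com rather than trusted on its name) as an added Python example. This is not code from the thread or from any of its posters; the table of expected system folders, the sample paths and the sample file contents are constructed assumptions for illustration.

```python
import hashlib
import pathlib

# Constructed lookup table (assumption, not from the thread): a few well-known
# Windows binary names and the folders they are normally found in, lower-cased.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of in-memory content; these are the identifiers a
    multi-engine scanner (e.g. virustotal.com) is queried with."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    """Same digests for an on-disk file, read in chunks so large files are fine."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def classify_path(path_str: str) -> str:
    """Verdict from name and folder alone.

    'expected'   - a known system name in one of its normal folders
                   (still says nothing about whether the file is genuine)
    'masquerade' - a known system name in a non-standard folder
    'unknown'    - a name the table knows nothing about
    """
    p = pathlib.PureWindowsPath(path_str)   # parses Windows paths on any OS
    name = p.name.lower()
    folder = str(p.parent).lower()
    if name not in EXPECTED_LOCATIONS:
        return "unknown"
    if folder in EXPECTED_LOCATIONS[name]:
        return "expected"
    return "masquerade"


def triage(path_str: str, content: bytes) -> dict:
    """Combine the cheap path check with the hashes a scanner lookup needs.
    Only 'masquerade' is a positive finding; the other two verdicts are
    inconclusive by name, as the post argues, so they defer to the scan."""
    verdict = classify_path(path_str)
    digests = hash_bytes(content)
    return {
        "path": path_str,
        "name_verdict": verdict,
        "needs_scan": True,            # name evidence never clears a file
        "suspicious_by_path": verdict == "masquerade",
        **digests,
    }


if __name__ == "__main__":
    # Constructed sample cases; the bytes stand in for real file content.
    samples = [
        (r"C:\WINDOWS\system32\svchost.exe", b"not a real PE, sample only"),
        (r"C:\Documents and Settings\user\svchost.exe", b"sample only"),
        (r"C:\WINDOWS\winsupdater.exe", b"sample only"),
    ]
    for path, data in samples:
        r = triage(path, data)
        print(f"{r['name_verdict']:10s} path-suspicious={r['suspicious_by_path']!s:5s} "
              f"sha256={r['sha256'][:16]}... {path}")
```

The design point mirrors the post: a known name in its usual folder is not a clean bill of health, so `needs_scan` is always true and the digests are what get pasted into the scanner or posted alongside the path; only the "known name in the wrong folder" case is a finding on its own.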

