Jeremy Anderson to me:
Filenames are all but totally useless for diagnosing malware, spyware
_AND_ the normal operation of a system.
Actually, I'd say they're fairly useful, if you plug them into google.
Sites like iamnotageek.com have pretty good information repositories on
what is legitimate and what is not.
You are, of course, quite wrong, but as this is not uncommonly believed
by those who should know better, I'll try to explain it for you. I
mean, there are all manner of sites like the one you mentioned, so it
is obviously a well-entrenched error to believe that such information
alone is useful.
It is quite simple -- filenames are purely arbitrary.
Now think for a moment about what that means...
Correct -- it means that if all you know is a filename, or even a
filename and the file's full path, you still know nothing about what
the thing in the file is no matter how many pages Google returns saying
that this filename belongs to the FooBar backdoor, the Windows XP
telnet client, or whatever.
Such information _can_ be _VERY slightly_ useful to an informed,
intelligent and resourceful investigator, but as I said, not much use
-- in fact, "all but totally useless" because informed, intelligent and
resourceful investigators will quickly discover many, and much more
diagnostically useful, additional things about such "unknown" files.
Sadly, the less informed, intelligent and resourceful investigators are
left to the mercy of the accuracy (or otherwise) of any and all of the
material Google will regurgitate in response to a filename search and
the haphazard quality of their "best guesses" -- often the Google-
returned material is apparently contradictory and at least the better
sites always note that most any file can be renamed to most anything
and still retain its original functionality... (If the better "name
that file" sites carry such warnings, what real value can such sites
have beyond generating the odd bit of click-thru revenue from their
banner ads?????)
Anyway, back to searching filenames as a diagnostic approach...
The still less informed will even go so far as to waste the informed
folks time by not only posting a "What does foobar.exe do?" type
message to a mailing list, but then have them spend even more time
explaining _why_ such questions are a waste of time.
a filename is no substitute for actual forensic analysis, ...
True, but that was not my point. Well, maybe it was a part of my
point, but it was not the main thrust of my claim. Lest you still do
not understand, I'll give you a teensy, weensy piece of clue to play
with...
... but it can
give you a good leg up on many, many pieces of spyware and malware.
That kind of inductive reasoning leaves one _VERY_ likely to commit the
most unprofessional of errors, treating the wrong thing the wrong way.
Maybe they don't take this approach where you went to school, but a
true professional, starting from the position of "first do no further
harm" will not jump into a "fix it" session (nor direct anyone via
Email, etc to do the same) on the basis of such a shabby diagnosis as
"That filename is known to have been used by the FooBar Trojan...".
Maybe now you can see why posts such as the OP's, and worse, responses
such as "sounds like FooBar", and even worse "it is BarFoo, just delete
it" are truly worrying to folk who understand how shit happens???
If you can't, members of the latter group would suggest that you would
be better off to just STFU and watch and listen for a while.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
