On Thu, 24 Mar 2005, Nick FitzGerald wrote:
Filenames are all but totally useless for diagnosing malware, spyware
_AND_ the normal operation of a system.
Actually, I'd say they're fairly useful, if you plug them into google.
Sites like iamnotageek.com have pretty good information repositories on
what is legitimate and what is not.
You are, of course, quite wrong, but as this is not uncommonly believed
by those who should know better, I'll try to explain it for you. I
mean, there are all manner of sites like the one you mentioned, so it
is obviously a well-entrenched error to believe that such information
alone is useful.
It is quite simple -- filenames are purely arbitrary.
Yes there are a lot of sites with the same types of information.
CastleCops even has the same data sets for example:
http://castlecops.com/CLSID.html
http://castlecops.com/LSPs.html
http://castlecops.com/StartupList.html
However, to your point, there are many baddies out there which are
completely random and cannot be accounted for simply by a filename -- just
because the randomness is large.
However the filename in the subject "winsupdater.exe" doesn't even come up
in these lists, or even lists on a Google search. The only thing that
comes back is this discussion -- except for cyberdefender:
http://www.cyberdefender.com/risk/html/20050314112300.log.html
Correct -- it means that if all you know is a filename, or even a
filename and the file's full path, you still know nothing about what
the thing in the file is no matter how many pages Google returns saying
that this filename belongs to the FooBar backdoor, the Windows XP
telnet client, or whatever.
I agree. A filename in and of itself can be meaningless. Especially if
it is on an NTFS and we're dealing with streams, not to mention
steganography. The file should be analyzed further.
Maybe now you can see why posts such as the OP's, and worse, responses
such as "sounds like FooBar", and even worse "it is BarFoo, just delete
it" are truly worrying to folk who understand how shit happens???
If you can't, members of the latter group would suggest that you would
be better off to just STFU and watch and listen for a while.
When it comes to things like hijackthis logs, it is preferred that the
experts deal with them due to the randomness of data. I shudder to think
what might happen when those inexperienced perform cleanups.
One can see the experts at hand:
http://castlecops.com/forum67.html
--
Sincerely,
Paul Laudanski .. Computer Cops, LLC.
CastleCops(SM)... http://castlecops.com
CC Blog ......... http://blog.castlecops.com
Staff Blogs ..... http://busterbunny.castlecops.com
Our Vision ...... http://castlecops.com/postt63382.html
http://cuddlesnkisses.com http://justalittlepoke.com http://zhen-xjell.com
