Windows XP SP2 – What is that application?


If you’ve installed Windows XP SP2 you’ve probably noticed security popups when you run certain applications (Instant Messenger, ActiveSync and others) – this morning when I booted my laptop I got a security message about an application called backweb-8876480.exe – the publisher information was blank – the process name seems a little odd, and without the publisher information I didn’t want to allow the application to have network access.

So what is this mysterious application? A quick look at LIUtilities.com showed that this is part of the Logitech Quickcam software (I added a USB WebCam to my laptop yesterday). Isn’t it good to know which applications are trying to get access to the network?

– Mike


Comments (9)

  1. Smeg says:

    XP for those that want backdoored via LSASS within minutes of installing!!!

  2. Smeg says:

    Yes that's right folks, you don't even need to do ANYTHING, it does YOU! Not even time to get an update from windows update!

  3. Smeg says:

    Hell, not even time to get a cuppa coffee!! What u mean I'm backdoored! I just installed a minute ago! Oh wait, it's Windows XP.

  4. Smeg says:

    Just block every app silently and drop every packet unless it's in a white list, and use MD5 hashing on all binaries in that list. Oh wait, you are using the built in firewall, NEVERMIND, it's way over its head.

  5. Smeg says:

    NO IT'S NOT BLOODY WELL GOOD TO HAVE 83975927347895348552957994 POPUPS EVERY TIME IT HAS AN APP ACCESS THE DAMN NETWORK.

    YOU MOVED YOUR MOUSE, IS IT SAFE TO ACCESS THE NETWORK? YES BLOODY WELL YES DAMMIT.

  6. Mike Dimmick says:

    I can’t count how many times I’ve had to point this out. XP SP2’s firewall is *inbound* *only*. It does not perform egress filtering. It isn’t that backweb is trying to *send* data across the network – it’s opened a port to *listen*. Windows Firewall is smart enough to work out whether you’re trying to use a UDP port to receive or to send messages, which is cool – it doesn’t pop a message for a bound port.

    I wish that dialog would tell you what port it’s trying to open, though. How do I know whether it’s safe to allow Windows Media Player to listen?

  7. Smeg says:

    Here is another Teh funny! If I have a fully patched machine as my HOST OS and then install XP as a GUEST OS on VPC or VMWare, it's vulnerable within minutes to the LSASS exploits that we all know and love on fresh installs of XP.

    XP should come with a health warning sticker like cigarettes.

    Oh it's Teh Funnay!

  8. Pavel Lebedinsky says:

    You can see what port it was trying to open by enabling "process tracking" auditing. Then each time XP firewall blocks an application it will log an event like this:

    Event Type: Failure Audit

    Event Source: Security

    Event Category: Detailed Tracking

    Event ID: 861

    Date: 10/29/2004

    Time: 4:12:07 PM

    User: NT AUTHORITY\SYSTEM

    Computer: XXXX

    Description:

    The Windows Firewall has detected an application listening for incoming traffic.

    Name: –

    Path: C:\WINDOWS\system32\svchost.exe

    Process identifier: 780

    User account: SYSTEM

    User domain: NT AUTHORITY

    Service: Yes

    RPC server: No

    IP version: IPv4

    IP protocol: UDP

    Port number: 68

    Allowed: No

    User notified: No

    As an added bonus, this allows you to see which non-interactive services have been blocked – the usual pop up dialogs are only generated for interactive apps as far as I can tell.

  9. Smeg says:

    Yes, SVCHOST.exe is going to mean A LOT to the kind of people that are running this firewall.
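
Added example, not part of the original post or its comments: a small Python parser for the Event ID 861 description text quoted in comment 8, which extracts the port, protocol and binary and picks out listeners that were blocked without a popup. The sample text is constructed from that comment, the function names are hypothetical, and the "Yes"/"No" field values are assumed to appear exactly as shown there.

```python
import re

# Constructed sample: the Event ID 861 description in the layout quoted in
# comment 8 (one "Field: value" pair per line).
SAMPLE_861 = """\
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\\WINDOWS\\system32\\svchost.exe
Process identifier: 780
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 68
Allowed: No
User notified: No
"""

# Non-greedy key so the split happens at the first colon, not the one in "C:\".
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_861(description):
    """Turn an 861 description into a dict keyed by field name."""
    fields = {}
    for line in description.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def summarize(fields):
    """One-line answer to: which port, which binary, was it blocked?"""
    verdict = "allowed" if fields.get("Allowed") == "Yes" else "blocked"
    silent = fields.get("User notified") == "No"
    return "{} {}/{} listener: {} (pid {}){}".format(
        verdict, fields.get("IP protocol", "?"), fields.get("Port number", "?"),
        fields.get("Path", "?"), fields.get("Process identifier", "?"),
        ", no popup shown" if silent else "")

def silent_blocks(descriptions):
    """Events blocked without a dialog (the non-interactive service case)."""
    parsed = (parse_861(d) for d in descriptions)
    return [f for f in parsed
            if f.get("Allowed") == "No" and f.get("User notified") == "No"]

if __name__ == "__main__":
    print(summarize(parse_861(SAMPLE_861)))
```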