Guest mabrams Posted April 20, 2009

In Photoshop, scrolling through the available fonts, the application would freeze. Suspecting a font corruption, I scanned my C:\Windows\Fonts folder and noticed several large unrecognized fonts.

Upon examining the properties of several large font files, I found that they were of Chinese origin and were installed under the Security Group: TrustedInstaller.

TrustedInstaller is not defined in my Security as a user or group. I do understand that TrustedInstaller.exe is an MS system file used in an OS process ...

My thoughts are: what a great way to social-engineer the insertion of a rogue Chinese font with a Trojan program – masquerade a bogus security group with the same name as a system process. Examining this Chinese font "MingLiU-ExtB", I found that the typeface was in Western ASCII. The Chinese Unicode would support this character set on a Chinese PC. This would enable a Chinese PC with remote access to read my English data. If you can sneak a font onto my PC and make it look like it belongs to an OS process, how difficult would it be to also insert a Trojan and make it look like something else? AV software only detects what it knows, either by code snippets or patterns. If it is not in the Mug Book, it does not exist for AV programs, and there is always a way to exploit the system.

Reading others' comments on TrustedInstaller, I found that TrustedInstaller was dismissed quickly because it's a valid MS program. But it is not a valid security group, and why on my PC does the Administrator account or Administrators group not have permissions to this file? In order to remove the bloated font(s), and there are several families, I needed to edit into each one through the file properties, Security tab, Advanced button for permissions for authenticated users, Owner tab, Edit button, Other users and groups button, and then add the Administrator account so that I had permission to remove the file. What a job. And no, you can't just create a security group called TrustedInstaller. The security encryption is created from the name and other hidden variables, so adding a TrustedInstaller account or group is useless, and one needs to reformat or reassign file ownership in order to remove these files.

Here are the properties for the largest font file, at 33 MB:

Title: MingLiU-ExtB; PMingLiU-ExtB; MingLiU-HKSCS-ExtB
Copyright: Copyright DynaComware Corp. 2005
Group: TrustedInstaller

So I am concerned, because I don't know who or what really put several TrustedInstaller-owned files on my PC. I will rebuild the PC when I have a few days of downtime, and I will look for the TrustedInstaller-owned fonts which are not on any of my other workstations, leading me to believe I visited the wrong website or a virus came in under the wire ...

If any reader has definitive information on this issue, please post, as there is a lot of guessing taking place – even my post is half conjecture.

-- mabrams
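The ownership check and the take-ownership steps described in the post above, as an added PowerShell example that is not part of the thread: it lists the Fonts folder with each file's size and owner, flags files whose owner is the Windows Modules Installer service identity (NT SERVICE\TrustedInstaller, a service SID of the form S-1-5-80-..., which is why a local user or group given the same name never matches), and wraps the command-line equivalent of the Properties > Security > Advanced > Owner procedure. $FontDir, the function names, the -MinSizeMB filter and the placeholder file name in the commented usage line are this example's own choices.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell (3.0+) prompt.
# $FontDir, the function names and the -MinSizeMB filter are this example's own choices.

$FontDir = Join-Path $env:windir 'Fonts'

# Well-known service SID for NT SERVICE\TrustedInstaller (Windows Modules Installer).
# Service SIDs (S-1-5-80-...) are derived from the service name by the OS, so a local
# user or group that happens to be named "TrustedInstaller" gets a different SID and
# never matches the owner stored in these files' security descriptors.
$TrustedInstallerSid = New-Object System.Security.Principal.SecurityIdentifier `
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-FontOwnerReport {
    # One row per font file: size, owner, whether the owner is the TrustedInstaller
    # service SID, and the Authenticode/catalog signature status.
    param(
        [string]$Path = $FontDir,
        [int]$MinSizeMB = 0
    )
    Get-ChildItem -Path $Path -Recurse |
        Where-Object {
            -not $_.PSIsContainer -and
            $_.Extension -match '^\.(ttf|ttc|otf|fon)$' -and
            $_.Length -ge ($MinSizeMB * 1MB)
        } |
        ForEach-Object {
            $acl   = Get-Acl -Path $_.FullName
            $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
            # Fonts shipped with Windows are catalog-signed rather than embedded-signed.
            # Recent Windows releases consult catalogs here; older ones report NotSigned
            # for such files, so treat this column as advisory, not as proof of tampering.
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name                    = $_.Name
                SizeMB                  = [math]::Round($_.Length / 1MB, 1)
                Owner                   = $acl.Owner
                OwnedByTrustedInstaller = $owner.Equals($TrustedInstallerSid)
                Signature               = $sig.Status
            }
        } |
        Sort-Object SizeMB -Descending
}

function Grant-AdminsControl {
    # Command-line equivalent of the GUI steps in the post: take ownership as
    # BUILTIN\Administrators, then grant that group Full control. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Path)

    if ($PSCmdlet.ShouldProcess($Path, 'Take ownership and grant Administrators Full control')) {
        & takeown.exe /F $Path /A | Out-Null                      # /A: owner = Administrators group
        & icacls.exe  $Path /grant '*S-1-5-32-544:F' | Out-Null   # S-1-5-32-544 = BUILTIN\Administrators
    }
    (Get-Acl -Path $Path).Owner
}

# Usage: list fonts over 10 MB, then compare the list against a known-good workstation
# before deciding that any of them does not belong there.
Get-FontOwnerReport -MinSizeMB 10 | Format-Table -AutoSize

# Only after that comparison: take control of a specific file so it can be removed.
# 'suspect.ttc' is a placeholder; substitute a name from the report.
# Grant-AdminsControl -Path (Join-Path $FontDir 'suspect.ttc') -WhatIf
```

Files installed by Windows setup and servicing are owned by NT SERVICE\TrustedInstaller by design, so ownership alone is not evidence of tampering; the report is meant to be diffed against another workstation built from the same media. Once Grant-AdminsControl has run without -WhatIf, Remove-Item can delete the file, provided no running process still has the font loaded.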
Guest FromTheRafters Posted April 20, 2009

Maybe this can shed some light on your dilemma http://groups.google.com/group/microsoft.p...782e0e?lnk=raot

"mabrams" <guest@unknown-email.com> wrote in message news:b6e5f1a6d2e18cbbf08fdd2f90b60637@nntp-gateway.com...