Mail Call Time: More Sony Info and Snort Signatures

Published: 2005-11-17
Last Updated: 2005-11-17 07:40:53 UTC
by Lorna Hutcheson (Version: 2)
0 comment(s)
Sony is in the still spotlight with their latest endevours.  Here is some more info and some Snort rules to try.

Here is an interesting tidbit from Juha-Matti Laurio:
It seems that SecurityFocus database has assigned Sony BMG's DRM uninstallation utility from First 4 as software vulnerability at their new BID 15430:

http://www.securityfocus.com/bid/15430

"The CodeSupport package can be told to download, and then execute arbitrary content from remote Web sites. As it fails to verify that the source of the remote content is from a trusted source, attackers may utilize it to download and execute malicious code from arbitrary sources, facilitating the remote compromise of targeted computers."

Two interesting articles (another is blog entry of BID's reporter) at

http://www.securityfocus.com/brief/48

and

http://www.freedom-to-tinker.com/?p=926

(including demonstration too) available too.


Matt Jonkman let us know that Bleeding Snort had the following signatures available.  Thanks everyone for your hard work at Bleeding Snort!

#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1";
flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase;
uricontent:"&uId="; nocase; classtype:trojan-activity;
reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html;
sid:2002675; rev:3;)


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2";
 flow: to_server,established; content:"sonymusic.com"; nocase;
 pcre:"User-Agent:[^
]+SecureNet[^
]+Xtra/i"; classtype:trojan-activity;
reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html;
 sid:2002674; rev:2;)


#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
(msg:"BLEEDING-EDGE Malware Sony DRM Related --
CodeSupport ActiveX Attempt"; flow:from_server,established; content:"CLSID"; nocase;
content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0;
reference:url,www.frsirt.com/english/advisories/2005/2454;
reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack;
sid:2002679; rev:3;)



Link to rules on "Bleeding Snort"








Keywords:
0 comment(s)

Comments


Diary Archives