Sony DRM phone home Bleeding Snort IDS rules
Results 1 to 3 of 3

Thread: Sony DRM phone home Bleeding Snort IDS rules

  1. #1
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324

    Sony DRM phone home Bleeding Snort IDS rules

    Not sure if anyone has posted this or not, but bleeding snort has released rules (a couple of days ago) that detect the sony rootkit phoning home. If you auto update your bleeding snort malware rules, you should already have it enabled. If not, it in the bleeding-malware rule set.

    http://www.bleedingsnort.com/cgi-bin...RM?view=markup

    I'm using both the bleeding snort rules and the delayed rules release. I didn't see anything in the official rules regarding sony's rootkit... but then again, I didn't look that hard.

    I just wanted to see if any of our lusers had installed this on their machines. So far, we're looking good.

    Another good article @ http://www.cbronline.com/article_new...C-499BEDA78251
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  2. #2
    Senior Member
    Join Date
    Jun 2003
    Posts
    236
    Blake Hartstein from Demarc Security just added a new rule to that, the rule he added actually catches if a malicious website is trying to exploit the big vulnerablity in Acitve-X left by the removal tool.
    That which does not kill me makes me stronger -- Friedrich Nietzche

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    LOL. More specifically...

    Uninstaller
    The uninstaller requires you to install an ActiveX control to your system before you can even request for an uninstall url. Turns out, the uninstaller activex marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It's called "RebootMachine". If you have installed Sony's ActiveX control, follow the link to invoke the RebootMachine method. I don't even want to know what the ExecuteCode method does...

    The InstallUpdate method has a bigger security hole, see freedom-to-tinker.com's post about the uninstaller hole. They refer that trying my reboot demo to test if you're vulnerable might make things worse, this is because I copypasted the html from F4I's site so it used to prompt to install the ActiveX control. I have since changed it, since F4I could change their interfaces anytime anyway, doesn't serve any purpose to provide the install ability in the demo.

    Scriptable methods left behind
    The uninstaller leaves behind lots of methods, here are the names:

    GenerateRequestPacket
    ExecuteCode (can crash browser, apparently removed in latest ocx)
    Uninstall
    RebootMachine (exploitable, see demo)
    GetProgress
    OnLoaded
    InitializeDiscScan
    GetNumberOfDiscs
    IsDRMServerValid
    GetAlbumArtist
    GetAlbumName
    GetMaxBurnCount
    GetCurrentBurnCount
    GenerateIncrementPacket
    IsContentOwnerValid
    DoIncrement
    GetInstalledSoftwareVersion
    IsXCPDiscPresent
    InstallUpdate (exploitable)
    GetInstallProgress
    GetCompletionStatus
    IsXCPDiscPresentAsLong
    IsAdministrator

    Complete story here:

    http://hack.fi/~muzzy/sony-drm/
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides