November 16th, 2005 02:51 PM
Sony DRM phone home Bleeding Snort IDS rules
Not sure if anyone has posted this or not, but bleeding snort has released rules (a couple of days ago) that detect the sony rootkit phoning home. If you auto update your bleeding snort malware rules, you should already have it enabled. If not, it's in the bleeding-malware rule set.
I'm using both the bleeding snort rules and the delayed rules release. I didn't see anything in the official rules regarding sony's rootkit... but then again, I didn't look that hard.
I just wanted to see if any of our lusers had installed this on their machines. So far, we're looking good.
Another good article @ http://www.cbronline.com/article_new...C-499BEDA78251
is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
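For anyone who wants to see what a "phone home" rule like the Bleeding one actually does on the wire, here is a small Snort-style content matcher. It is an added example, not Bleeding Snort's or Snort's own code: it parses the msg / content / nocase options of one alert rule and applies them to captured HTTP request payloads. The rule text, the sid, the drm-update.example host name and the three request payloads are all constructed placeholders, not the real indicators from the Bleeding rule set.

```python
"""Tiny Snort-style content matcher, written as an added example for this
thread (it is not Bleeding Snort's or Snort's own code).  It parses the
msg / content / nocase options of one alert rule and applies them to the
payloads of captured HTTP requests.  The domain, msg text and sid below
are placeholders, not the real indicators from the Bleeding rule set."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    msg: str
    # each entry is (needle_bytes, nocase_flag); Snort ANDs them together
    contents: list = field(default_factory=list)


def parse_rule(text: str) -> Rule:
    """Parse the option block between '(' and ')'.  Only msg, content and
    nocase are interpreted; flow/classtype/sid/rev are accepted and ignored.
    Snort's |hex| content syntax is not handled here."""
    opts = text[text.index("(") + 1 : text.rindex(")")]
    rule = Rule(msg="")
    for opt in (o.strip() for o in opts.split(";")):
        if not opt:
            continue
        key, _, val = opt.partition(":")   # split on the first ':' only
        key, val = key.strip(), val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":
            rule.contents.append((val.strip('"').encode(), False))
        elif key == "nocase" and rule.contents:
            needle, _ = rule.contents[-1]      # nocase modifies the previous content
            rule.contents[-1] = (needle, True)
    return rule


def matches(rule: Rule, payload: bytes) -> bool:
    """True when every content option occurs in the payload."""
    for needle, nocase in rule.contents:
        hay, n = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if n not in hay:
            return False
    return True


def scan(rule_text: str, packets: list) -> list:
    """Return [(packet_index, msg)] for each packet that fires the rule."""
    rule = parse_rule(rule_text)
    return [(i, rule.msg) for i, p in enumerate(packets) if matches(rule, p)]


# Placeholder rule in Bleeding-style syntax (sid and domain are made up).
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    '(msg:"PLACEHOLDER DRM client phoning home"; flow:to_server,established; '
    'content:"Host: drm-update.example"; nocase; '
    'classtype:trojan-activity; sid:9000001; rev:1;)'
)

# Constructed HTTP request payloads standing in for captured traffic.
PACKETS = [
    b"GET /update.cgi?id=abc HTTP/1.1\r\nHost: DRM-Update.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /report HTTP/1.1\r\nHost: drm-update.example\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_RULE, PACKETS):
        print(f"packet {idx}: {msg}")
```

Packets 0 and 2 fire (the first only because of nocase; drop that modifier and the mixed-case Host header slips past), packet 1 does not. That is the whole trick of these rules: a fixed string the client always sends to its update host, so a match on an internal workstation tells you the software is installed and calling out.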
November 16th, 2005 06:10 PM
Blake Hartstein from Demarc Security just added a new rule to that; the rule he added actually catches if a malicious website is trying to exploit the big vulnerability in ActiveX left by the removal tool.
That which does not kill me makes me stronger -- Friedrich Nietzsche
November 16th, 2005 08:28 PM
LOL. More specifically...
The uninstaller requires you to install an ActiveX control to your system before you can even request an uninstall url. Turns out, the uninstaller ActiveX marks itself safe for scripting, and has plenty of interesting methods available for everyone to use. Although I have not analyzed them in depth, I have tested one of them to confirm it really does what I think it does. It's called "RebootMachine". If you have installed Sony's ActiveX control, follow the link to invoke the RebootMachine method. I don't even want to know what the ExecuteCode method does...
The InstallUpdate method has a bigger security hole, see freedom-to-tinker.com's post about the uninstaller hole. They mention that trying my reboot demo to test if you're vulnerable might make things worse; this is because I copy-pasted the html from F4I's site so it used to prompt to install the ActiveX control. I have since changed it, since F4I could change their interfaces anytime anyway, it doesn't serve any purpose to provide the install ability in the demo.
Scriptable methods left behind
The uninstaller leaves behind lots of methods, here are the names:
ExecuteCode (can crash browser, apparently removed in latest ocx)
RebootMachine (exploitable, see demo)
Complete story here:
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
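The point of the quoted write-up is that a control marked safe for scripting is reachable from any web page, so the defensive question for an admin is "which controls on this box carry that marking, and is the IE kill bit set on them?". The script below is an added example for this thread (not Sony/F4I code, and not a scan of any real machine): it reads a registry export in .reg text form, lists every CLSID whose Implemented Categories include the safe-for-scripting or safe-for-initializing category, and reports whether the ActiveX Compatibility kill bit (flag 0x400) is set for it. The two "safe" category GUIDs, the Control category GUID and the 0x400 flag are the real COM/IE values; the CLSIDs and ProgIDs in SAMPLE_REG are constructed placeholders.

```python
"""Audit a Windows registry export (.reg text) for ActiveX controls marked
safe for scripting and check whether each has IE's kill bit set.  Added
example for this thread, not Sony/F4I code and not a scan of any real
machine.  The CLSIDs and ProgIDs in SAMPLE_REG are constructed; the
category GUIDs and the 0x400 kill-bit flag are the real COM/IE values."""
import re

CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
CATID_SAFE_FOR_INIT = "{7DD95802-9882-11CF-9FA9-00AA006C42C4}"
SAFE_CATIDS = {CATID_SAFE_FOR_SCRIPTING: "scripting", CATID_SAFE_FOR_INIT: "initializing"}
KILLBIT_FLAG = 0x400   # "Compatibility Flags" bit that stops IE instantiating a control

GUID = r"(\{[0-9A-F-]+\})"
CAT_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"\\Implemented Categories\\" + GUID + r"\]$", re.I)
PROGID_RE = re.compile(r"^\[HKEY_CLASSES_ROOT\\CLSID\\" + GUID + r"\\ProgID\]$", re.I)
KILLBIT_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\" + GUID + r"\]$", re.I)


def audit(reg_text: str) -> dict:
    """Return {clsid: {"progid", "safe", "killbit"}} for every CLSID that
    carries a safe-for-scripting or safe-for-initializing category."""
    flagged, progids, killbits = {}, {}, set()
    section = None   # ("progid", clsid) / ("compat", clsid) while inside that key
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):              # a new key header resets the state
            section = None
            if m := CAT_RE.match(line):
                clsid, catid = m.group(1).upper(), m.group(2).upper()
                if catid in SAFE_CATIDS:
                    flagged.setdefault(clsid, set()).add(SAFE_CATIDS[catid])
            elif m := PROGID_RE.match(line):
                section = ("progid", m.group(1).upper())
            elif m := KILLBIT_RE.match(line):
                section = ("compat", m.group(1).upper())
            continue
        if section is None:
            continue
        kind, clsid = section
        if kind == "progid" and line.startswith("@="):
            progids[clsid] = line[2:].strip('"')
        elif kind == "compat" and line.lower().startswith('"compatibility flags"=dword:'):
            if int(line.rsplit(":", 1)[1], 16) & KILLBIT_FLAG:
                killbits.add(clsid)
    return {c: {"progid": progids.get(c), "safe": sorted(cats), "killbit": c in killbits}
            for c, cats in flagged.items()}


def exposed_controls(reg_text: str) -> list:
    """CLSIDs a web page could script and that are not kill-bitted."""
    return sorted(c for c, info in audit(reg_text).items() if not info["killbit"])


# Constructed .reg export: one "uninstaller"-style control marked safe for
# scripting and initializing with no kill bit, one safe-for-scripting control
# that has been kill-bitted, and one ordinary control with only the Control
# category ({40FC6ED4-...} is the real CATID_Control).  All CLSIDs are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="Placeholder Uninstaller Control"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\ProgID]
@="Placeholder.Uninstaller.1"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{22222222-3333-4444-5555-666666666666}\ProgID]
@="Placeholder.Retired.1"

[HKEY_CLASSES_ROOT\CLSID\{22222222-3333-4444-5555-666666666666}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\ProgID]
@="Placeholder.Ordinary.1"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-3333-4444-5555-666666666666}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, info in audit(SAMPLE_REG).items():
        print(clsid, info)
    print("still exposed:", exposed_controls(SAMPLE_REG))
```

On a real machine the input would come from "reg export HKCR\CLSID" plus the ActiveX Compatibility key; the control to worry about is the one that shows up in exposed_controls, i.e. marked safe for scripting but with no kill bit, which is exactly the state the uninstaller control left machines in.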