
SANS ISC InfoSec Forums | DShield


Mail Call Time: More Sony Info and Snort Signatures
Sony is still in the spotlight with its latest endeavours.  Here is some more info and some Snort rules to try.

Here is an interesting tidbit from Juha-Matti Laurio:
It seems that the SecurityFocus database has assigned Sony BMG's DRM uninstallation utility from First 4 a software vulnerability entry, their new BID 15430:

http://www.securityfocus.com/bid/15430

"The CodeSupport package can be told to download, and then execute arbitrary content from remote Web sites. As it fails to verify that the source of the remote content is from a trusted source, attackers may utilize it to download and execute malicious code from arbitrary sources, facilitating the remote compromise of targeted computers."

Two interesting articles (the other is a blog entry by the BID's reporter) are available at

http://www.securityfocus.com/brief/48

and

http://www.freedom-to-tinker.com/?p=926

(the latter including a demonstration).


Matt Jonkman let us know that Bleeding Snort had the following signatures available.  Thanks everyone for your hard work at Bleeding Snort!

#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; \
flow:to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; \
uricontent:"&uId="; nocase; classtype:trojan-activity; \
reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; \
sid:2002675; rev:3;)

# pcre: "SecureNet" and "Xtra" must both appear on the User-Agent header line
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg:"BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; \
flow:to_server,established; content:"sonymusic.com"; nocase; \
pcre:"/User-Agent:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; \
reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; \
sid:2002674; rev:2;)

#by Blake Hartstein
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
(msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; \
flow:from_server,established; content:"CLSID"; nocase; \
content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; \
reference:url,www.frsirt.com/english/advisories/2005/2454; \
reference:url,www.hack.fi/~muzzy/sony-drm/; classtype:web-application-attack; \
sid:2002679; rev:3;)



Link to rules on "Bleeding Snort"
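To see exactly what the three rules above demand of a packet before they fire, here is an added example: a small Python re-implementation of their matching logic, run over constructed HTTP requests and responses. This is my code, written for this page; it is not part of the ISC diary and not part of the Bleeding Snort rule set. It assumes that flow direction can be read from whether the text is an HTTP request or response, ignores $HOME_NET/$EXTERNAL_NET and the "established" flow state, and uses illustrative Host and User-Agent values that merely satisfy (or deliberately miss) the rule conditions.

```python
import re

# Match strings taken from the three Bleeding Snort rules on this page.
CODESUPPORT_CLSID = "4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"
REPORTING_URI = "/toc/Connect?type=redirect"
REPORTING_UID = "&uId="
# The "Reporting 2" pcre: SecureNet and Xtra must both be on the User-Agent
# header line, because [^\n]+ cannot cross a line break; /i = case-insensitive.
USER_AGENT_RE = re.compile(r"User-Agent:[^\n]+SecureNet[^\n]+Xtra", re.IGNORECASE)


def is_request(msg):
    """Stand-in for Snort's flow direction: a request begins with a method."""
    return re.match(r"^(GET|POST|HEAD)\s", msg) is not None


def request_uri(msg):
    """Request-target from the request line ('' if the line is malformed)."""
    parts = msg.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""


def sony_drm_reporting_1(msg):
    """sid 2002675: to_server; both uricontent strings in the URI, nocase."""
    if not is_request(msg):
        return False
    uri = request_uri(msg).lower()
    return REPORTING_URI.lower() in uri and REPORTING_UID.lower() in uri


def sony_drm_reporting_2(msg):
    """sid 2002674: to_server; 'sonymusic.com' anywhere plus the User-Agent pcre."""
    if not is_request(msg):
        return False
    return "sonymusic.com" in msg.lower() and USER_AGENT_RE.search(msg) is not None


def codesupport_activex_attempt(msg):
    """sid 2002679: from_server; 'CLSID' followed (distance:0) by the GUID."""
    if is_request(msg):
        return False
    low = msg.lower()
    anchor = low.find("clsid")
    if anchor < 0:
        return False
    # distance:0 means the GUID must begin at or after the end of 'CLSID'.
    return CODESUPPORT_CLSID.lower() in low[anchor + len("clsid"):]


RULES = (
    (2002675, sony_drm_reporting_1),
    (2002674, sony_drm_reporting_2),
    (2002679, codesupport_activex_attempt),
)


def match_rules(msg):
    """Sorted sids of every rule whose conditions hold for one HTTP message."""
    return sorted(sid for sid, check in RULES if check(msg))


# Constructed samples, not captured traffic; host and User-Agent values are
# illustrative and only need to satisfy (or miss) the rule conditions above.
PHONE_HOME = (
    "GET /toc/Connect?type=redirect&uId=1234 HTTP/1.1\r\n"
    "Host: sonymusic.com\r\n"
    "User-Agent: SecureNet Xtra\r\n\r\n"
)
UA_ONLY = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: sonymusic.com\r\n"
    "User-Agent: SecureNet Xtra/1.0\r\n\r\n"
)
SPLIT_HEADERS = (  # tokens on different lines: the pcre must not fire
    "GET /index.html HTTP/1.1\r\n"
    "Host: sonymusic.com\r\n"
    "User-Agent: SecureNet\r\n"
    "X-Client: Xtra\r\n\r\n"
)
ACTIVEX_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<object classid="clsid:' + CODESUPPORT_CLSID + '" id="CodeSupport"></object>'
)
GUID_BEFORE_CLSID = (  # GUID precedes 'CLSID': distance:0 is not satisfied
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    + CODESUPPORT_CLSID + " then CLSID"
)
BENIGN = (
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for name in ("PHONE_HOME", "UA_ONLY", "SPLIT_HEADERS",
                 "ACTIVEX_PAGE", "GUID_BEFORE_CLSID", "BENIGN"):
        print(f"{name:18s} -> {match_rules(globals()[name])}")
```

The two negative samples are the ones worth keeping in mind when tuning: the "Reporting 2" pcre only fires when both tokens share the User-Agent line, and the CodeSupport rule only fires when the GUID comes after the CLSID string, which is what distance:0 enforces in Snort.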
Lorna
ISC Handler