SANS ISC: Mail Call Time: More Sony Info and Snort Signatures SANS ISC InfoSec Forums
Mail Call Time: More Sony Info and Snort Signatures
Sony is still in the spotlight with its latest endeavours. Here is some more info and some Snort rules to try.

Here is an interesting tidbit from Juha-Matti Laurio:
It seems that the SecurityFocus database has assigned Sony BMG's DRM uninstallation utility from First 4 as a software vulnerability at their new BID 15430:

"The CodeSupport package can be told to download, and then execute arbitrary content from remote Web sites. As it fails to verify that the source of the remote content is from a trusted source, attackers may utilize it to download and execute malicious code from arbitrary sources, facilitating the remote compromise of targeted computers."

Two interesting articles (the other is a blog entry by the BID's reporter) are available at


(a demonstration is included as well).

Matt Jonkman let us know that Bleeding Snort had the following signatures available.  Thanks everyone for your hard work at Bleeding Snort!

#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; \
flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; \
uricontent:"&uId="; nocase; classtype:trojan-activity; \
sid:2002675; rev:3;)

# The header line below is assumed to match rule 1 (same flow direction);
# the content string and the start of the pcre option are missing from this copy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
(msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; \
flow: to_server,established; content:""; nocase; \
]+Xtra/i"; classtype:trojan-activity; \
sid:2002674; rev:2;)

#by Blake Hartstein
# The header line below is assumed from flow:from_server (server responses
# flowing back to $HOME_NET); the reference URL is missing from this copy.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
(msg:"BLEEDING-EDGE Malware Sony DRM Related -- CodeSupport ActiveX Attempt"; \
flow:from_server,established; content:"CLSID"; nocase; \
content:"4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"; nocase; distance:0; \
reference:url,; classtype:web-application-attack; \
sid:2002679; rev:3;)

Link to rules on "Bleeding Snort"
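To see what the two intact rules actually match, here is the matching logic of sid:2002675 (the reporting URI check) and sid:2002679 ("CLSID" followed by the CodeSupport class ID in a server response) reimplemented in plain Python and run over constructed HTTP samples. This is an added example, not code from the diary or from Bleeding Snort; the hostnames and payloads are made up for the demonstration. Rule 2002674 is left out because its content and pcre options did not survive in this copy.

```python
"""Added example (not code from the ISC diary or Bleeding Snort): the matching
logic of rules 2002675 and 2002679 above, reimplemented in plain Python and run
over constructed HTTP samples so the checks can be read and tested without
a Snort install.  Rule 2002674 is omitted because its content/pcre options
are truncated in this copy of the diary."""
from typing import List, Optional, Tuple

# CLSID as it appears in rule 2002679 on the page (lower-cased for nocase matching).
CODESUPPORT_CLSID = b"4ea7c4c5-c5c0-4f5c-a008-8293505f71cc"

# Constructed samples, not captured traffic.  Hostnames are placeholders.
# Each entry is (direction as Snort's flow keyword sees it, raw TCP payload).
SAMPLES: List[Tuple[str, bytes]] = [
    # 0: client hits the reporting endpoint with a uId parameter -> 2002675
    ("to_server",
     b"GET /toc/Connect?type=redirect&uId=1A2B3C HTTP/1.1\r\n"
     b"Host: drm.example.invalid\r\n\r\n"),
    # 1: same path prefix but no redirect/uId parameters -> no alert
    ("to_server",
     b"GET /toc/index.html HTTP/1.1\r\nHost: drm.example.invalid\r\n\r\n"),
    # 2: page served to the client that instantiates CodeSupport -> 2002679
    ("from_server",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     b"<object classid=\"clsid:4EA7C4C5-C5C0-4F5C-A008-8293505F71CC\"></object>"),
    # 3: CLSID only in client->server data; wrong direction for 2002679 -> no alert
    ("to_server",
     b"POST /post HTTP/1.1\r\n\r\nCLSID=4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"),
]


def request_uri(raw: bytes) -> Optional[bytes]:
    """Return the URI from an HTTP request line, the buffer Snort's uricontent
    keyword inspects (headers and body are not part of it)."""
    request_line = raw.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return parts[1] if len(parts) >= 3 else None


def match_sony_reporting_1(direction: str, raw: bytes) -> bool:
    """sid:2002675: flow to_server; both uricontent strings present, nocase."""
    if direction != "to_server":
        return False
    uri = request_uri(raw)
    if uri is None:
        return False
    uri = uri.lower()
    return b"/toc/connect?type=redirect" in uri and b"&uid=" in uri


def match_codesupport_activex(direction: str, raw: bytes) -> bool:
    """sid:2002679: flow from_server; 'CLSID' and then, at distance:0 (anywhere
    after the end of the previous match), the CodeSupport CLSID, both nocase."""
    if direction != "from_server":
        return False
    payload = raw.lower()
    anchor = payload.find(b"clsid")
    if anchor < 0:
        return False
    return payload.find(CODESUPPORT_CLSID, anchor + len(b"clsid")) >= 0


RULES = (
    (2002675, match_sony_reporting_1),
    (2002679, match_codesupport_activex),
)


def scan(samples: List[Tuple[str, bytes]]) -> List[Tuple[int, int]]:
    """Run every rule over every sample; return (sample index, sid) hits."""
    hits = []
    for idx, (direction, raw) in enumerate(samples):
        for sid, matcher in RULES:
            if matcher(direction, raw):
                hits.append((idx, sid))
    return hits


if __name__ == "__main__":
    for idx, sid in scan(SAMPLES):
        print(f"sample {idx}: alert sid:{sid}")
```

Two details worth noting when reading the real rules: uricontent only looks at the (normalized) request URI, so a matching string in a POST body would not trigger 2002675, and distance:0 in 2002679 means the CLSID must come after the literal "CLSID", so a page that lists the GUID before that word is not matched. The sample here ignores the "established" half of the flow keyword, which in Snort additionally requires a completed TCP handshake.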


ISC Handler
Nov 17th 2005