Wilders Security Forums  

  #1  
November 15th, 2005, 09:36 PM
J at A
Posts: n/a
Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

(Mods, I wasn't sure where to post this).

I was wondering whether this might make sense (actually I suppose that others might have already come up with the same question; I'm not sure).

First a little intro:
There are those two long threads at DSLR/BBR-security:
Microsoft will wipe Sony's 'rootkit' and more
http://www.dslreports.com/forum/remark,14802823
DRM implementors == black hats
http://www.dslreports.com/forum/remark,14699728

Well, ZOverlord posted info and some code there concerning the danger of the related ActiveX.
I see in his postings this line:

Quote:
<OBJECT CLASSID="CLSID:4EA7C4C5-C5C0-4F5C-A008-8293505F71CC"

So, we have a CLSID.

Questions I was wondering about:

1.
Does it make sense to block this CLSID ?
2.
Is this CLSID already listed in SpywareBlaster ?
I can imagine that Javacool might be reluctant to add it.
I can understand that.
3.
Well, if it makes sense to block it, we can block it on our own by using for example SpywareBlaster (maybe by using other tools too).


More in general:
If blocking this CLSID makes sense, it is only part of the whole story.
It's about F4I's ActiveX control called CodeSupport.
Quoting both antiserious and the washingtonpost.com:
- quotes from antiserious -
from the washingtonpost.com story on how the 'patch' opens up a new, bigger security hole - based on F4I's ActiveX control called CodeSupport:

"CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.

"Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission."
- end quotes -

And ZOverlord:
- quotes from ZOverlord -
NOW any SCRIPT kiddie can include this HTML in a web page, Email, or as an attachment.

It matters little if you HAD/HAVE any of the First4Internet/Sony CD software on a system.
--snip--
Once this ActiveX is installed, ANYONE can re-boot your system, and there is currently NO tool to remove it!
- end quotes -
  #2  
November 15th, 2005, 10:15 PM
J at A
Posts: n/a
Re: Sony DRM Rootkit and blocking CLSID

First: sorry for the bad lay-out of my previous posting....

Second: maybe the thread-title should have been something like:
Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Well, blocking ActiveX in general might save you on this part of the whole issue
(there never ever should have been something like ActiveX !!!).

Programs like for example RegDefend and RegRun would warn you on this part of the whole story, I suppose.
  #3  
November 15th, 2005, 11:58 PM
J at A
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

http://www.dslreports.com/forum/remark,14802823

Quote from Philip Sloss
Quote:
Speaking of bits, has anyone tried setting the appropriate kill bit(s) for these CLSIDs -- or published instructions to that effect? Or has Javacool already covered that?

Hi Philip,

That is exactly the same reason why I started this thread.

I am not on my own system at the moment, so I do not want to do it here.

The killbit is posted (quoted from ZOverlord) in a previous posting in this thread.

The instructions about how to do it in general are here:
http://www.wilderssecurity.com/showthread.php?t=13684

Javacool, Pieter, Tony: any thoughts from you, my old friends?

Cheers, Jan.
  #4  
November 16th, 2005, 04:42 AM
StevieO
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Hi Jan,

Sounds like a good idea to me, and it takes about 30 seconds to do. The Sony RK thing won't affect me, but here it is loaded into SpywareBlaster if others want to try it.

http://img148.imageshack.us/img148/7286/sony18or.png

Thanks


StevieO
  #5  
November 16th, 2005, 09:12 AM
J at A
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Hi StevieO,

Shouldn't there be accolades?
See first posting and screenshot by Pieter here:
http://www.wilderssecurity.com/showthread.php?t=13684

Cheers, Jan.
  #6  
November 16th, 2005, 09:43 AM
StevieO
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Hi Jan,

In the link you just gave there appears to be a discrepancy between the images and what is written?

http://img456.imageshack.us/img456/527/swbis1a7vt.png

The funny thing is that SB reported that I had 0 items disabled, but I guess that you're correct, as the other entries in the other sections do have the { accolades }.

I've amended my custom block list and reposted a screenshot to reflect this.

http://img456.imageshack.us/img456/4499/sony1a0sy.png

Thanks,


StevieO
  #7  
November 16th, 2005, 12:52 PM
jayt
Frequent Poster
Join Date: Aug 2004
Location: PA - USA
Posts: 337
Using Spywareblaster to protect against Sony's rootkit

I found this post in another forum. It might be helpful since there still seems to be a lot of questions about this issue.

http://forums.techguy.org/t417243.html
  #8  
November 16th, 2005, 08:38 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Hi Stevie,

Some screenshots to follow about adding it to the Custom Blocking in SpywareBlaster.
(All being done on my W98SE machine).

And thanks to jayt for pointing to that thread at techguy and to Tom for his posting there (maybe later more about that).

OK,
I clicked on Tools in the left-hand panel of SpywareBlaster,
I clicked on the Custom Blocking button,
I clicked on Add item.

I myself decided to give the item another name, as you can see in the screenshot.
[Attached image: screenshot]
  #9  
November 16th, 2005, 08:41 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Then I got the window to add the CLSID.

As you can see in the screenie it is by default within accolades:
[Attached image: screenshot]
  #10  
November 16th, 2005, 08:43 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Now I put that CLSID there, within accolades!

See screenie:
[Attached image: screenshot]
  #11  
November 16th, 2005, 08:45 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

And now I have what this screenie shows:
[Attached image: screenshot]
  #12  
November 16th, 2005, 08:51 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

I checked that item box.
And I clicked on the Protect Against Checked Items button.

So far with respect to adding this CLSID to SpywareBlaster.
  #13  
November 16th, 2005, 09:01 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Now about what it is protecting:

I do not think that this is protecting you against the complete Sony DRM Rootkit.
I think that it is only protecting you against that particular ActiveX component.
That is why I said in a previous posting in this thread that it would be better to give this thread the name "Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID".
I would like to thank the mods for changing that title !
And most certainly I would like to apologize for any confusion that I caused

Of course, any comments (both on adding that CLSID in SpywareBlaster and on what it is protecting) are most welcome!

Cheers, Jan.
  #14  
November 17th, 2005, 01:34 PM
Pieter_Arntz
Spyware Veteran
Join Date: Apr 2002
Location: Netherlands
Posts: 12,333
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Have a look here as well:
http://www.antivirus-online.de/english/feed-fs.php

Quote:
If you have already used the ActiveX uninstaller that was available until Sony stopped distributing it, you are vulnerable to a remote code execution attack. You should remove the vulnerable ActiveX component. If you want, set a kill-bit for it (the CLSID is {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}) just to be sure.

To effectively block the CLSID using SpywareBlaster you will have to include the accolades IMO. So in the Field labelled Add New Custom Blocking Item enter: {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}

Regards,
__________________
Regards,

Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
  #15  
November 17th, 2005, 01:35 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Search for the MS KB article 240797 on the MS-site, and you'll get the guidelines from MS about how to put a killbit manually.
How to stop an ActiveX control from running in Internet Explorer

http://support.microsoft.com/kb/240797

Last edited by FanJ : November 17th, 2005 at 01:46 PM.
  #16  
November 17th, 2005, 01:37 PM
FanJ
Posts: n/a
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Quote:
Originally Posted by Pieter_Arntz
Have a look here as well:
http://www.antivirus-online.de/english/feed-fs.php

To effectively block the CLSID using SpywareBlaster you will have to include the accolades IMO. So in the Field labelled Add New Custom Blocking Item enter: {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}

Regards,

Thanks Pieter for jumping in; much appreciated !

Cheers, Jan.

PS:
Sorry Pieter, your reply # 14 and mine # 15 just crossed (I didn't see your posting while I was posting mine # 15 )

Last edited by FanJ : November 17th, 2005 at 02:25 PM.
  #17  
November 18th, 2005, 07:13 AM
lotuseclat79
Frequent Poster
Join Date: Jun 2005
Posts: 645
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

All,

I just ran across the Microsoft Security Response Center Blog which contains an important addition to previous posts in this thread - an additional CLSID entry to make like the previous one:

Add: {80E8743E-8AC5-46F1-96A0-59FA30740C51}

to the previous entry. You can probably name it something like SONY1.

-- Tom

Reference: http://blogs.technet.com/msrc/
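The kill bit that KB 240797 describes, and that SpywareBlaster's Custom Blocking item sets for you, is a registry flag and can be audited and set by script. The PowerShell below is an added example; it is not from this thread, from SpywareBlaster or from Microsoft. The two CLSIDs are the ones quoted in this thread (CodeSupport, and the second one Tom posted from the MSRC blog); the registry layout is the one KB 240797 documents (Compatibility Flags = 0x400 under the ActiveX Compatibility key) plus the standard COM "Implemented Categories" keys that mark a control safe for scripting or initialization. It assumes a current Windows with PowerShell and an elevated prompt, which the W98SE machine in the thread obviously did not have; the function names and the SONY-style labels are my own choice.

```powershell
# Added example, not from the thread: audit and kill-bit the CLSIDs named above.
# Run from an elevated PowerShell prompt (writes under HKLM).

$Clsids = @(
    '{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}',   # F4I CodeSupport, quoted in posts #1 and #14
    '{80E8743E-8AC5-46F1-96A0-59FA30740C51}'    # second CLSID from the MSRC blog, post #17
)

$KillBit          = 0x400   # per KB 240797
$CompatRoot       = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForScripting
$SafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'   # CATID_SafeForInitializing

# Report what the registry says about one control: is it installed, which DLL
# serves it, is it marked safe for scripting (the property the washingtonpost
# quote in post #1 complains about), and is a kill bit already present.
function Get-ActiveXStatus {
    param([Parameter(Mandatory)][string]$Clsid)
    $clsKey     = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $registered = Test-Path $clsKey
    $server     = $null
    if ($registered) {
        $server = (Get-ItemProperty "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }
    $catRoot = "$clsKey\Implemented Categories"
    $flags   = (Get-ItemProperty "$CompatRoot\$Clsid" -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid            = $Clsid
        Registered       = $registered
        ServerDll        = $server
        SafeForScripting = (Test-Path "$catRoot\$SafeForScripting")
        SafeForInit      = (Test-Path "$catRoot\$SafeForInit")
        KillBitSet       = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    }
}

# Set the kill bit, preserving any other compatibility flags already present.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $CompatRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty $key -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value $new -Force | Out-Null
}

# Audit, set, audit again so the change is visible in the second table.
$Clsids | ForEach-Object { Get-ActiveXStatus $_ } | Format-Table -AutoSize
$Clsids | ForEach-Object { Set-ActiveXKillBit $_ }
$Clsids | ForEach-Object { Get-ActiveXStatus $_ } | Format-Table -AutoSize
```

Two caveats match what Jan says in post #13: the kill bit only stops Internet Explorer (and other hosts that honour the flag) from instantiating the control, so the DLL itself stays on disk and nothing else about the DRM software is touched; and on 64-bit Windows the 32-bit browser reads the same key under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so the script would need to be run against that path as well. The first audit table is also the quick way to answer the question the thread keeps circling: if Registered is False for both CLSIDs, the uninstaller was never run on that machine and the kill bit is merely belt-and-braces.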
  #18  
November 18th, 2005, 07:43 AM
beetlejuice69
Frequent Poster
Join Date: Mar 2005
Posts: 783
Re: Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Thanks for that one Tom.
__________________
http://www.tallemu.com/
The Best Of The Best.
ßè膣èJÚïÇè69
Powered by vBulletin® Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2010, Wilders Security Forums