Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

Discussion in 'malware problems & news' started by J at A, Nov 15, 2005.

Thread Status:
Not open for further replies.
  1. J at A

    J at A Guest

    (Mods, I wasn't sure where to post this).

    I was wondering whether this might make sense (actually I suppose that others might have already come up with the same question; I'm not sure).

    First a little intro:
    There are those two long threads at DSLR/BBR-security:
    Microsoft will wipe Sony's 'rootkit' and more
    http://www.dslreports.com/forum/remark,14802823
    DRM implementors == black hats
    http://www.dslreports.com/forum/remark,14699728

    Well, ZOverlord posted info and some code there concerning the danger of the related ActiveX.
    I see in his postings this line:

    So, we have a CLSID.

    Questions I was wondering about:

    1.
    Does it make sense to block this CLSID ?
    2.
    Is this CLSID already listed in SpywareBlaster ?
    I can imagine that Javacool might be reluctant to add it.
    I can understand that.
    3.
    Well, if it makes sense to block it, we can block it on our own by using for example SpywareBlaster (maybe by using other tools too).


    More in general:
    If blocking this CLSID makes sense, it is only part of the whole story.
    It's about F4I's ActiveX control called CodeSupport.
    Quoting both antiserious and the washingtonpost.com:
    - quotes from antiserious -
    from the washingtonpost.com story on how the 'patch' opens up a new, bigger security hole - based on F4I's ActiveX control called CodeSupport:

    "CodeSupport remains on your system after you leave Sony's site, and it is marked as safe for scripting, so any Web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site.

    "Unfortunately, CodeSupport doesn't verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user's permission."
    - end quotes -

    And ZOverlord:
    - quotes from ZOverlord -
    NOW any SCRIPT kiddie can include this HTML in a web page, Email, or as an attachment.

    It matters little if you HAD/HAVE any of the First4Internet/Sony CD software on a system.
    --snip--
    Once this ActiveX is installed, ANYONE can re-boot your system, and there is currently NO tool to remove it!
    - end quotes -
     
  2. J at A

    J at A Guest

    Re: Sony DRM Rootkit and blocking CLSID

    First: sorry for the bad layout of my previous posting....

    Second: maybe the thread-title should have been something like:
    Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID

    Well, blocking ActiveX in general might save you on this part of the whole issue ;)
    (there never ever should have been something like ActiveX !!!).

    Programs like for example RegDefend and RegRun would warn you on this part of the whole story, I suppose ;)
     
  3. J at A

    J at A Guest

    http://www.dslreports.com/forum/remark,14802823

    Quote from Philip Sloss
    Hi Philip,

    That is exactly the same reason why I started this thread ;)

    I am not on my own system at the moment, so I do not want to do it here.

    The killbit is posted (quoted from ZOverlord) in a previous posting in this thread.

    The instructions about how to do it in general are here:
    https://www.wilderssecurity.com/showthread.php?t=13684

    Javacool, Pieter, Tony: any thoughts from you my old friends ;)

    Cheers, Jan.
     
  4. StevieO

    StevieO Guest

  5. J at A

    J at A Guest

  6. StevieO

    StevieO Guest

  7. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Using Spywareblaster to protect against Sony's rootkit

    I found this post in another forum. It might be helpful since there still seems to be a lot of questions about this issue.

    http://forums.techguy.org/t417243.html
     
  8. FanJ

    FanJ Guest

    Hi Stevie,

    Some screenshots to follow about adding it to the Custom Blocking in SpywareBlaster.
    (All being done on my W98SE machine).

    And thanks to jayt for pointing to that thread at techguy and to Tom for his posting there (maybe later more about that).

    OK,
    I clicked on Tools in the left-hand panel of SpywareBlaster,
    I clicked on the Custom Blocking button,
    I clicked on Add item.

    I myself decided to give the item another name, as you can see in the screenshot.
     

    Attached Files:

  9. FanJ

    FanJ Guest

    Then I got the window to add the CLSID.

    As you can see in the screenie, it is by default within accolades:
     

    Attached Files:

  10. FanJ

    FanJ Guest

    Now I put that CLSID there, within accolades!

    See screenie:
     

    Attached Files:

  11. FanJ

    FanJ Guest

    And now I have what this screenie shows:
     

    Attached Files:

  12. FanJ

    FanJ Guest

    I checked that item box.
    And I clicked on the Protect Against Checked Items button.

    So far with respect to adding this CLSID to SpywareBlaster.
     
  13. FanJ

    FanJ Guest

    Now about what it is protecting:

    I do not think that this is protecting you against the complete Sony DRM Rootkit.
    I think that it is only protecting you against that particular ActiveX component.
    That is why I said in a previous posting in this thread that it would be better to give this thread the name "Sony Rootkit and blocking F4I's ActiveX control CodeSupport CLSID".
    I would like to thank the mods for changing that title !
    And most certainly I would like to apologize for any confusion that I caused :oops:

    Of course, any comments (both on adding that CLSID in SpywareBlaster and on what it is protecting) are most welcome! ;)

    Cheers, Jan.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Have a look here as well:
    http://www.antivirus-online.de/english/feed-fs.php

    To effectively block the CLSID using SpywareBlaster you will have to include the accolades IMO. So in the Field labelled Add New Custom Blocking Item enter: {4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}

    Regards,
     
  15. FanJ

    FanJ Guest

    Search for the MS KB article 240797 on the MS-site, and you'll get the guidelines from MS about how to put a killbit manually.
    How to stop an ActiveX control from running in Internet Explorer

    http://support.microsoft.com/kb/240797
     
    Last edited by a moderator: Nov 17, 2005
  16. FanJ

    FanJ Guest

    Thanks Pieter for jumping in; much appreciated ! :)

    Cheers, Jan.

    PS:
    Sorry Pieter, your reply # 14 and mine # 15 just crossed (I didn't see your posting while I was posting mine # 15 :oops: )
     
    Last edited by a moderator: Nov 17, 2005
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    All,

    I just ran across the Microsoft Security Response Center Blog, which contains an important addition to previous posts in this thread: an additional CLSID entry to add, like the previous one:

    Add: {80E8743E-8AC5-46F1-96A0-59FA30740C51}

    to the previous entry. You can probably name it something like SONY1.

    -- Tom

    Reference: http://blogs.technet.com/msrc/
     
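    The kill-bit procedure FanJ points to in KB 240797, applied to both CLSIDs given in this thread (Pieter's in #14 and Tom's in #17), as an added example that is not part of the original thread. The function names are my own; the registry path and the 0x400 "Compatibility Flags" value are the ones documented in that KB article, and it assumes an elevated PowerShell prompt on a machine with Internet Explorer.

```powershell
# Added example, not from the thread: set the Internet Explorer kill bit
# (MS KB 240797) for the two CodeSupport CLSIDs quoted in posts #14 and #17.
# Must run elevated: the key lives under HKLM.

$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

# CLSIDs as posted in this thread
$Clsids = @(
    '{4EA7C4C5-C5C0-4F5C-A008-8293505F71CC}',
    '{80E8743E-8AC5-46F1-96A0-59FA30740C51}'
)

function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any flags already present and OR in the kill bit ($null counts as 0).
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($current -bor $KillBitFlag)
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord -Value $new -Force | Out-Null
}

function Test-KillBit {
    # Returns $true only if the kill bit is actually set for this CLSID.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $KillBitRoot $Clsid
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBitFlag) -ne 0)
}

foreach ($c in $Clsids) {
    Set-KillBit -Clsid $c
    '{0}: kill bit set = {1}' -f $c, (Test-KillBit -Clsid $c)
}
```

    As FanJ notes above, this only stops Internet Explorer from loading that one control; the CodeSupport files themselves stay on disk and nothing here touches the rest of the DRM software.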
  18. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Thanks for that one Tom.
     