
Sony DRM Rootkit

sha1: 8fe00da5f0b2114a132f41eb5e7065d46e7741fa $sys$DRMServer.exe
md5sum: $sys$DRMServer.exe
3692633395142b264b0a73e4994f657f *$sys$DRMServer.exe
md5sum: $sys$DRMServer.zip
2daffd7a9c415f1b41868340d32e680b *$sys$DRMServer.zip

This is just the executable. I'll get the other files up soon.

I have uploaded an IDA database and flow graph for this as well.

V.

I added the supporting DLLs and sys files. I'll see if I can get the installer off the CD as well.

Taken from the current Bleeding Snort rules
http://www.bleedingsnort.com/
Copyright (c) 2005, Bleedingsnort.com
All rights reserved.


#By Michael Ligh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 1"; flow: to_server,established; uricontent:"/toc/Connect?type=redirect"; nocase; uricontent:"&uId="; nocase; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002675; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Sony DRM Reporting 2"; flow: to_server,established; content:"sonymusic.com"; nocase; pcre:"/User-Agent\:[^\n]+SecureNet[^\n]+Xtra/i"; classtype:trojan-activity; reference:url,www.sysinternals.com/blog/2005/11/more-on-sony-dangerous-decloaking.html; sid:2002674; rev:2;)

" Fuck the fucking fuckers before they fuck you "
- The Rogue Warrior
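
Added example, not part of the original posts or of the Bleeding Snort rule set: the content checks of the two rules above re-expressed in Python so they can be run over saved HTTP requests (for example from a proxy or pcap export). It assumes one raw client-to-server request per call and does not model Snort's URI normalization or flow tracking; the function name and the sample requests are constructed for illustration.

```python
import re

# Patterns copied from the two rules above (sid 2002675 and sid 2002674).
URI_PARTS = ("/toc/connect?type=redirect", "&uid=")   # uricontent, nocase
HOST_PART = b"sonymusic.com"                            # content, nocase
UA_RE = re.compile(rb"User-Agent\:[^\n]+SecureNet[^\n]+Xtra", re.I)


def match_sids(raw_request: bytes) -> list[int]:
    """Return the sids whose content checks match one raw HTTP request.

    Simplification (assumption): Snort applies uricontent to the normalized
    URI and tracks flow state; here the URI is read as-is from the request line.
    """
    request_line = raw_request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    uri = parts[1].lower() if len(parts) >= 2 else ""

    sids = []
    # Rule 1: both uricontent strings must be present in the URI.
    if all(p in uri for p in URI_PARTS):
        sids.append(2002675)
    # Rule 2: domain string anywhere in the payload AND the User-Agent pcre.
    if HOST_PART in raw_request.lower() and UA_RE.search(raw_request):
        sids.append(2002674)
    return sids


# Constructed sample requests (not captured traffic; hosts are placeholders).
SAMPLES = {
    "reporting-1": b"GET /toc/Connect?type=redirect&uId=0000 HTTP/1.1\r\n"
                   b"Host: host.example\r\n\r\n",
    "reporting-2": b"GET / HTTP/1.1\r\nHost: placeholder.sonymusic.com\r\n"
                   b"User-Agent: Mozilla/4.0 (SecureNet Xtra)\r\n\r\n",
    "browser":     b"GET / HTTP/1.1\r\nHost: placeholder.sonymusic.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n",
    "ua-only":     b"GET / HTTP/1.1\r\nHost: host.example\r\n"
                   b"User-Agent: SecureNet Xtra\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, match_sids(req))
```

The "browser" and "ua-only" samples show that rule 2 needs both the domain string and the User-Agent pattern in the same request; either one alone does not alert.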