[Emerging-Sigs] Microsoft's SeaPort Search "Enhancement"
jonkman at jonkmans.com
Tue Aug 17 09:38:39 EDT 2010
The definition of spyware we've operated under to date has been
essentially anything that reports private information or reports
activity to a remote host that the user may or may not be aware of.
Generally we've trusted the major providers, but none have ever really
gone this far across the line. I mean heck, at least TRY to obfuscate
what you're doing or something. I feel a bit insulted they didn't even
try to hide it. :)
This sig will go into the user_agents ruleset anyway, so we don't really
have to make that blatant "call it bad or not" determination.
I'll post it momentarily, and I'm interested to see where this goes.
On 8/17/10 8:51 AM, L0rd Ch0de1m0rt wrote:
> Hello. Wouldn't this classify as "spyware"? I mean, yeah, it is
> Microsoft, but how is the behaviour different from other spyware? I
> recommend that AV vendors also be made aware so they can detect and
> quarantine this privacy-invading "enhancement".
> -L0rd Ch0de1m0rt
> On Mon, Aug 16, 2010 at 6:24 PM, Eoin Miller
> <eoin.miller at trojanedbinaries.com> wrote:
>> Been seeing a bunch of requests with the "User-Agent: SeaPort/2.0" in
>> them. Apparently this is part of the Windows Live/MSN/Bing toolbars
>> downloading and updating themselves. If you install anything involved
>> with Windows Live or a whole bunch of other things, this program also
>> gets installed and runs on boot constantly. I think this is worth
>> creating an ET POLICY sig on; I created one and it immediately lit up
>> like a Christmas tree. The program sends all sorts of URIs back to
>> Microsoft, the whole URI. So if you have some poorly coded web
>> applications that put the session id (or worse, username and password)
>> in them, it will get transported right on over to Microsoft. Example:
>> HTTP/1.1..User-Agent: SeaPort/1.2..
>> Host: g.ceipmsn.com..
>> Cache-Control: no-cache....
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST
>> SeaPort User-Agent Detected"; flow:established,to_server;
>> content:"User-Agent: SeaPort"; http_header; classtype:bad-unknown;
>> sid:5600113; rev:1;)
>> Seriously though, it's like getting hit in the face with a firehose.
>> -- Eoin
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
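The rule Eoin posted matches the literal "User-Agent: SeaPort" in the HTTP header; the same check, plus the secondary concern he raises (session ids or credentials riding along in the reported URIs), can be exercised offline against request text. The following is an added example written for this thread, not code from the list or from Emerging Threats; the sample requests, the header values and the list of sensitive parameter names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (not real captures), CRLF-delimited as on the wire.
# The second one reports a full URL that carries a PHPSESSID, the case the thread warns about.
SAMPLE_REQUESTS = [
    ("GET /update/seaport.xml HTTP/1.1\r\n"
     "Host: g.ceipmsn.com\r\n"
     "User-Agent: SeaPort/1.2\r\n"
     "Cache-Control: no-cache\r\n\r\n"),
    ("GET /report?url=http%3A%2F%2Fintranet.example%2Fapp%3FPHPSESSID%3Dabc123 HTTP/1.1\r\n"
     "Host: g.ceipmsn.com\r\n"
     "User-Agent: SeaPort/2.0\r\n\r\n"),
    ("GET /index.html HTTP/1.1\r\n"
     "Host: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
]

# Query-parameter names treated as sensitive; an assumed list, extend to taste.
SENSITIVE_PARAMS = ("sessionid", "phpsessid", "jsessionid", "password", "passwd", "token")


@dataclass
class Finding:
    host: str
    user_agent: str
    uri: str
    leaked_params: list = field(default_factory=list)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, lowercase-header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def sensitive_params(uri):
    """Return sensitive parameter names found in the URI's query string.

    SeaPort reports whole URLs as a parameter value, so any value that itself
    looks like a URL is decoded (parse_qsl already unquotes it) and scanned too.
    """
    found = []

    def scan(url):
        for key, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if key.lower() in SENSITIVE_PARAMS:
                found.append(key)

    scan(uri)
    for _, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if "://" in value:
            scan(value)
    return found


def detect(raw):
    """Mirror the Snort content match: flag requests whose User-Agent starts with SeaPort."""
    _method, uri, headers = parse_request(raw)
    user_agent = headers.get("user-agent", "")
    if not user_agent.startswith("SeaPort"):
        return None
    return Finding(headers.get("host", ""), user_agent, uri, sensitive_params(uri))


def scan_requests(requests):
    """Run detect() over a list of raw requests and keep only the hits."""
    return [f for f in (detect(r) for r in requests) if f is not None]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        leak = ", ".join(finding.leaked_params) or "none"
        print(f"{finding.host} {finding.user_agent} {finding.uri} leaked={leak}")
```

Matching on the User-Agent prefix keeps the check as broad as the rule (any SeaPort version); the leaked-parameter scan is the extra step a defender would add when deciding whether a given host's traffic is merely a policy hit or an actual data exposure.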
Open Information Security Foundation (OISF)