[Emerging-Sigs] Microsoft's SeaPort Search "Enhancement"

Matt Jonkman jonkman at jonkmans.com
Tue Aug 17 09:38:39 EDT 2010


The definition of spyware we've operated under to date has been 
essentially anything that reports private information or reports 
activity to a remote host that the user may or may not be aware of. 
Generally we've trusted the major providers, but none have ever really 
gone this far across the line. I mean heck, at least TRY to obfuscate 
what you're doing or something. I feel a bit insulted they didn't even 
try to hide it. :)

This sig will go into the user_agents ruleset anyway, so we don't really 
have to make that blatant "call it bad or not" determination.

I'll post it momentarily, and I'm interested to see where this goes.

Matt

On 8/17/10 8:51 AM, L0rd Ch0de1m0rt wrote:
> Hello.  Wouldn't this classify as "spyware"?  I mean, yea it is
> Microsoft but how is the behaviour different from other spyware?  I
> recommend that AV vendors also be made aware so they can detect and
> quarantine this privacy invading "enhancement".
>
> -L0rd Ch0de1m0rt
>
> On Mon, Aug 16, 2010 at 6:24 PM, Eoin Miller
> <eoin.miller at trojanedbinaries.com>  wrote:
>>   Been seeing a bunch of requests with the "User-Agent: SeaPort/2.0" in
>> them. Apparently this is part of the Windows Live/MSN/Bing toolbars
>> downloading and updating themselves. If you install anything involved
>> with Windows Live or a whole bunch of other things, this program also
>> gets installed and runs on boot constantly. I think this is worth
>> creating an ET POLICY sig on, I created one and it immediately lit up
>> like a Christmas tree. The program sends all sorts of URIs back to
>> Microsoft, the whole URI. So if you have some poorly coded web
>> applications that put the session id (or worse, username and password)
>> in them, it will get transported right on over to Microsoft. Example:
>>
>> GET /8SE/41?MI=C8A4068186754D2B812F964D83636FE1-8&LV=1.2.123.0&OS=5.1.2600&AG=488&TE=1&TV=sv1.2.123.0%7ctl100%7cbvI8.0%7calen-us%7chaM%7cco0%7cciE01F2AF9%7crf1%7cts20100816160418926%7ctz%2b420%7csq21%7cwi3700%7crw3700%7ceuhttp%3A%2F%2Fwww.facebook.com%2Fplugins%2Flike.php%3fhref%3dhttp%3A%2F%2Fwww.facebook.com%2FNPR%26layout%3dstandard%26show_faces%3dfalse%26width%3d450%26action%3dlike%26colorscheme%3dlight%26height%3d35 HTTP/1.1
>> User-Agent: SeaPort/1.2
>> Host: g.ceipmsn.com
>> Cache-Control: no-cache
>>
>> Ugh.
>>
>> Signature:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST SeaPort User-Agent Detected"; flow:established,to_server; content:"User-Agent: SeaPort"; http_header; classtype:bad-unknown; sid:5600113; rev:1;)
>>
>> Seriously though, it's like getting hit in the face with a firehose.
>>
>> -- Eoin
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>>
>

-- 

----------------------------------------------------
Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
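Decoding what the beacon actually carries, as an added example that is not part of any message in this thread and not code from Emerging Threats or Microsoft: the script below parses the request Eoin quoted, splits the TV parameter into its '|'-separated two-letter tokens, and lists query parameters in the reported URL whose names look like session ids, tokens or passwords. The meaning of the tokens (eu = the URL the browser visited, ts = a timestamp, and so on) is inferred from that single sample and is an assumption; the second request, which carries a session id and a password in the visited URL, is constructed for this example, as is the build_beacon helper that assembles it.

```python
"""Decode a SeaPort CEIP beacon and report what it leaks.

Added example: not code from the thread, Emerging Threats or Microsoft.
Field names (MI, LV, OS, AG, TE, TV) and the two-letter '|'-separated
tokens inside TV are taken from the single captured request quoted in the
thread; their meanings are inferred from that sample (assumption).
"""
import re
from typing import Optional
from urllib.parse import parse_qsl, quote, urlsplit

# The request quoted in the thread, with the capture's ".." restored to CRLF.
CAPTURED_REQUEST = (
    "GET /8SE/41?MI=C8A4068186754D2B812F964D83636FE1-8&LV=1.2.123.0&OS=5.1.2600"
    "&AG=488&TE=1&TV=sv1.2.123.0%7ctl100%7cbvI8.0%7calen-us%7chaM%7cco0"
    "%7cciE01F2AF9%7crf1%7cts20100816160418926%7ctz%2b420%7csq21%7cwi3700"
    "%7crw3700%7ceuhttp%3A%2F%2Fwww.facebook.com%2Fplugins%2Flike.php%3fhref"
    "%3dhttp%3A%2F%2Fwww.facebook.com%2FNPR%26layout%3dstandard%26show_faces"
    "%3dfalse%26width%3d450%26action%3dlike%26colorscheme%3dlight%26height%3d35"
    " HTTP/1.1\r\n"
    "User-Agent: SeaPort/1.2\r\n"
    "Host: g.ceipmsn.com\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)

# Parameter names that should never travel to a third party. The list is a
# heuristic chosen for this example, not a standard.
SENSITIVE_PARAM = re.compile(r"sess|^sid$|token|auth|passw|pwd|secret|api_?key", re.I)


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decode_tv(tv: str) -> dict:
    """Split the TV blob into two-letter-keyed tokens.

    In the capture the 'eu' (visited URL) token comes last, so everything
    after 'eu' is kept as the URL even if the URL itself contains '|'.
    """
    fields = {}
    tokens = tv.split("|")
    for i, tok in enumerate(tokens):
        key, value = tok[:2], tok[2:]
        if key == "eu":
            fields[key] = "|".join([value] + tokens[i + 1:])
            break
        fields[key] = value
    return fields


def find_sensitive_params(url: str) -> list:
    """Names of query parameters in `url` that look like secrets."""
    names = [n for n, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return [n for n in names if SENSITIVE_PARAM.search(n)]


def analyze_seaport_request(raw: str) -> Optional[dict]:
    """Return what a SeaPort beacon reports, or None for other traffic."""
    _method, target, headers = parse_http_request(raw)
    ua = headers.get("user-agent", "")
    if not ua.startswith("SeaPort"):  # same match as the rule in the thread
        return None
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    tv = decode_tv(params.get("TV", ""))
    visited = tv.get("eu")
    return {
        "host": headers.get("host"),
        "user_agent": ua,
        "machine_id": params.get("MI"),   # label inferred from the sample
        "os": params.get("OS"),
        "tv": tv,
        "visited_url": visited,
        "sensitive_params": find_sensitive_params(visited) if visited else [],
    }


def build_beacon(visited_url: str) -> str:
    """Constructed helper: assemble a SeaPort-style request that reports
    `visited_url`, mirroring the captured layout. Static values are
    placeholders copied from the capture, not live telemetry."""
    tv = "sv1.2.123.0|tl100|bvI8.0|alen-us|eu" + visited_url
    query = ("MI=00000000000000000000000000000000-0&LV=1.2.123.0&OS=5.1.2600"
             "&AG=488&TE=1&TV=" + quote(tv, safe=""))
    return ("GET /8SE/41?" + query + " HTTP/1.1\r\nUser-Agent: SeaPort/1.2\r\n"
            "Host: g.ceipmsn.com\r\nCache-Control: no-cache\r\n\r\n")


if __name__ == "__main__":
    for req in (CAPTURED_REQUEST,
                build_beacon("http://intranet.example/app?PHPSESSID=3f9a1c"
                             "&user=alice&password=hunter2")):
        print(analyze_seaport_request(req))
```

The User-Agent check is the same match the posted rule makes; the rest shows why the thread treats the traffic as a data leak rather than a mere policy event: the full URL, query string included, is in the TV field, so anything a web application puts in a URL goes to g.ceipmsn.com along with a machine id.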

