[Infowarrior] - Vista DRM could hide malware
Richard Forno
rforno at infowarrior.org
Thu Apr 12 19:58:43 UTC 2007
Vista DRM could hide malware
11 Apr 2007 17:05
Security researcher releases proof-of-concept program that hackers could exploit to target Microsoft Vista systems
A security researcher has released a proof-of-concept program that hackers
could use to exploit Windows Vista digital rights management processes to
hide malware.
Alex Ionescu claims to have developed the program D-Pin Purr v1.0 that
will arbitrarily enable and disable protected processes in Vista,
Microsoft's latest operating system.
Screenshots on Ionescu's blog suggest the program can be run successfully.
Ionescu included stack information related to one of the processes that is
by default protected on Vista. Try to retrieve that information using
Process Explorer and you get an error message. In Ionescu's screenshot,
taken after allegedly removing the protection, the information is visible.
The binary for the program, which is available for download, is currently
being tested by security experts. Fraser Howard, a principal virus
researcher at security vendor Sophos, told ZDNet UK that the program looks
feasible. At the time of writing Howard had managed to get it running, but
had not managed to successfully protect and unprotect processes on his
machine.
"I have not confirmed it, but I have little doubt it will work as intended
[to remove protection]," said Howard. "This should mean it is perfectly
possible to add protection to processes as well."
The source code for the program is not available. Should the source code of
the program become available to hackers, this could mean that other
processes would not be able to properly "inspect" the hacked protected
process, according to Howard.
"The fact that the DRM within Vista presents a mechanism through which code
may attempt to restrict what other processes including security
applications are able to do, is a problem in itself. The presence of that
problem creates a hive of activity with people trying to hijack the
mechanism, either as a proof of concept, or as a malicious attack," Howard
said. "In this case, the source code has not been released, just a binary
which can be used to demonstrate the issue. Had there been source code, I am
sure we would see malware authors trying to add that functionality to
malware. As it is, supposing the claims are valid, there will no doubt be
authors looking to include such functionality themselves into their
malware."
With no release of any source code or details, Howard was unable to comment
on how Ionescu had managed to develop D-Pin Purr v1.0. "The binary
deliberately uses obfuscation to limit the number of people who could
reverse engineer and misuse that knowledge," said Howard. "But it does use a
driver. Microsoft states in its documentation that people should not use a
driver to bypass the protection mechanism."
Howard said that to run the binary to add and remove protection, users need
to be running the code with elevated privileges.
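As an added example (not code from the article or from D-Pin Purr), the following PowerShell script gives a defender a way to observe the symptom described above: it lists which processes deny full inspection, the same refusal Process Explorer shows for protected processes, and reports changes against a saved baseline so that protection appearing on or disappearing from a process stands out. It assumes an elevated Windows PowerShell 2.0 or later session; the baseline path is a constructed value.

```powershell
# Added example, not from the article: inventory processes that refuse full
# inspection (the Vista protected-process symptom) and report drift against a
# saved baseline. Run elevated so ordinary privilege errors do not add noise.
$BaselinePath = "$env:ProgramData\protected-process-baseline.csv"  # constructed path

function Get-InspectionStatus {
    # Reading MainModule needs PROCESS_QUERY_INFORMATION and PROCESS_VM_READ.
    # A protected process denies those rights even to an administrator, so the
    # read fails with Win32 error 5 while Name and Id remain visible: the same
    # asymmetry Process Explorer shows in the screenshots mentioned above.
    Get-Process | Where-Object { $_.Id -gt 4 } | ForEach-Object {
        $proc = $_
        $status = 'Inspectable'
        try {
            $null = $proc.MainModule.FileName
        } catch {
            # PowerShell wraps the .NET exception; inspect the inner one for the code.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            if ($ex -is [System.ComponentModel.Win32Exception] -and $ex.NativeErrorCode -eq 5) {
                $status = 'AccessDenied'
            } else {
                $status = 'Error'
            }
        }
        New-Object PSObject -Property @{ Id = $proc.Id; Name = $proc.ProcessName; Status = $status }
    }
}

function Compare-ProtectedBaseline {
    # First run records the names of processes denying inspection; later runs
    # report names that newly deny it (protection added) or no longer deny it
    # (protection removed), the two changes a tool like the one described makes.
    $current = @(Get-InspectionStatus | Where-Object { $_.Status -eq 'AccessDenied' } |
        Select-Object -ExpandProperty Name | Sort-Object -Unique)
    if (-not (Test-Path $BaselinePath)) {
        $current | ForEach-Object { New-Object PSObject -Property @{ Name = $_ } } |
            Export-Csv -Path $BaselinePath -NoTypeInformation
        return "Baseline of $($current.Count) protected process names written to $BaselinePath"
    }
    $baseline = @(Import-Csv -Path $BaselinePath | Select-Object -ExpandProperty Name)
    $baseline | Where-Object { $current -notcontains $_ } | ForEach-Object { "NO LONGER protected: $_" }
    $current  | Where-Object { $baseline -notcontains $_ } | ForEach-Object { "NEWLY protected:     $_" }
}

Compare-ProtectedBaseline
```

Expect a small, stable set of names on an untouched Vista system; a name that moves in or out of the set between runs is what warrants a closer look.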
Microsoft could offer no comment at the time of writing.
Story URL: http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm