[ISN] Vista DRM could hide malware

From: InfoSec News (alerts@private)
Date: Fri Apr 13 2007 - 00:28:02 PDT


http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm

By Tom Espiner  
ZDNet UK
12 April 2007

A security researcher has released a proof-of-concept program that 
hackers could use to exploit Windows Vista digital rights management 
processes to hide malware.

Alex Ionescu claims to have developed the program, D-Pin Purr v1.0, that 
will arbitrarily enable and disable protected processes in Vista, 
Microsoft's latest operating system.

Screenshots on Ionescu's blog suggest the program can be run 
successfully. Ionescu included stack information related to one of the 
processes that is by default protected on Vista. Try to retrieve that 
information using Process Explorer and you get an error message. In 
Ionescu's screenshot, taken after allegedly removing the protection, the 
information is visible.

The binary for the program, which is available for download, is 
currently being tested by security experts. Fraser Howard, a principal 
virus researcher at security vendor Sophos, told ZDNet UK that the 
program looks feasible. At the time of writing Howard had managed to get 
it running, but had not managed to successfully protect and unprotect 
processes on his machine.

"I have not confirmed it, but I have little doubt it will work as 
intended [to remove protection]," said Howard. "This should mean it is 
perfectly possible to add protection to processes as well."

The source code for the program is not available. Should the source code 
of the program become available to hackers, this could mean that other 
processes would not be able to properly "inspect" the hacked protected 
process, according to Howard.

"The fact that the DRM within Vista presents a mechanism through which 
code may attempt to restrict what other processes, including security 
applications, are able to do, is a problem in itself. The presence of 
that problem creates a hive of activity with people trying to hijack the 
mechanism, either as a proof of concept, or as a malicious attack," 
Howard said. "In this case, the source code has not been released, just 
a binary which can be used to demonstrate the issue. Had there been 
source code, I am sure we would see malware authors trying to add that 
functionality to malware. As it is, supposing the claims are valid, 
there will no doubt be authors looking to include such functionality 
themselves into their malware."

With no release of any source code or details, Howard was unable to 
comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The 
binary deliberately uses obfuscation to limit the number of people who 
could reverse engineer and misuse that knowledge," said Howard. "But it 
does use a driver; Microsoft states in its documentation that people 
should not use a driver to bypass the protection mechanism."

Howard said that to run the binary to add and remove protection, users 
need to be running the code with elevated privileges.
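The symptom the article describes, a protected process that refuses inspection by tools such as Process Explorer, can be turned into a simple inventory check for administrators. The following PowerShell script is an added example written for this page; it is not D-Pin Purr, nor code from Ionescu, Sophos or Microsoft. It uses the documented behaviour that a protected process grants PROCESS_QUERY_LIMITED_INFORMATION but denies PROCESS_QUERY_INFORMATION and PROCESS_VM_READ even to an administrator, and it compares the result against an assumed baseline of the two media-path processes (audiodg and mfpmp) that Vista protects by default. Any other process that shows the same pattern is worth examining, since the article's concern is malware borrowing the mechanism to hide from security tools.

```powershell
# Added example, not part of the original article.
# Lists processes that deny full query/read access but grant limited query
# access, which is how a Vista protected process presents itself to a
# user-mode inspector. Run from an elevated prompt so that ordinary
# processes are not misreported because of missing rights.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# Documented process access rights and error code.
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED               = 5

# Assumed baseline: processes Vista protects by default for the DRM media
# path. Adjust for your own build; later Windows versions protect many more
# system processes with the successor mechanism.
$expectedProtected = @('audiodg', 'mfpmp')

function Test-ProtectedProcess {
    param([int]$ProcessId)
    # Full inspection rights: a protected process denies these outright.
    $hFull = [Win32.Proc]::OpenProcess(
        $PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($hFull -ne [IntPtr]::Zero) {
        [void][Win32.Proc]::CloseHandle($hFull)
        return $false                      # fully inspectable: not protected
    }
    if ($err -ne $ERROR_ACCESS_DENIED) {
        return $null                       # exited, or an unrelated failure
    }
    # Limited rights are the only query rights a protected process grants.
    $hLim = [Win32.Proc]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($hLim -eq [IntPtr]::Zero) {
        return $null                       # denied even limited access: rights problem, not this pattern
    }
    [void][Win32.Proc]::CloseHandle($hLim)
    return $true
}

foreach ($p in Get-Process) {
    if ((Test-ProtectedProcess -ProcessId $p.Id) -eq $true) {
        $label = if ($expectedProtected -contains $p.ProcessName.ToLower()) { 'expected' } else { 'UNEXPECTED' }
        '{0,-8} {1,-24} protected ({2})' -f $p.Id, $p.ProcessName, $label
    }
}
```

Run it elevated, as the article notes is required for the protection mechanism itself; from a standard user prompt, processes belonging to other accounts also deny full access and would be reported as false positives. A line marked UNEXPECTED is a lead for a kernel-level check (a user-mode tool cannot see past the protection by design), not proof of compromise, and the baseline names are an assumption for Vista rather than a list taken from the article.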

Microsoft could offer no comment at the time of writing.





This archive was generated by hypermail 2.1.3 : Fri Apr 13 2007 - 00:44:10 PDT