By Tom Espiner
12 April 2007
A security researcher has released a proof-of-concept program that
hackers could use to exploit Windows Vista digital rights management
processes to hide malware.
Alex Ionescu claims to have developed the program D-Pin Purr v1.0 that
will arbitrarily enable and disable protected processes in Vista,
Microsoft's latest operating system.
Screenshots on Ionescu's blog suggest the program can be run
successfully. Ionescu included stack information related to one of the
processes that is by default protected on Vista. Try to retrieve that
information using Process Explorer and you get an error message. In
Ionescu's screenshot, taken after allegedly removing the protection, the
information is visible.
The binary for the program, which is available for download, is
currently being tested by security experts. Fraser Howard, a principal
virus researcher at security vendor Sophos, told ZDNet UK that the
program looks feasible. At the time of writing Howard had managed to get
it running, but had not managed to successfully protect and unprotect
processes on his machine.
"I have not confirmed it, but I have little doubt it will work as
intended [to remove protection]," said Howard. "This should mean it is
perfectly possible to add protection to processes as well."
The source code for the program is not available. Should the source code
of the program become available to hackers, this could mean that other
processes would not be able to properly "inspect" the hacked protected
process, according to Howard.
"The fact that the DRM within Vista presents a mechanism through which
code may attempt to restrict what other processes including security
applications are able to do, is a problem in itself. The presence of
that problem creates a hive of activity with people trying to hijack the
mechanism, either as a proof of concept, or as a malicious attack,"
Howard said. "In this case, the source code has not been released, just
a binary which can be used to demonstrate the issue. Had there been
source code, I am sure we would see malware authors trying to add that
functionality to malware. As it is, supposing the claims are valid,
there will no doubt be authors looking to include such functionality
themselves into their malware."
With no release of any source code or details, Howard was unable to
comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The
binary deliberately uses obfuscation to limit the number of people who
could reverse engineer and misuse that knowledge," said Howard. "But it
does use a driver Microsoft states in its documentation that people
should not use a driver to bypass the protection mechanism."
Howard said that to run the binary to add and remove protection, users
need to be running the code with elevated privileges.
Microsoft could offer no comment at the time of writing.
Subscribe to InfoSec News