Eeeeeek! Imus and 1d10t in the same thread!

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, April 13, 2007 7:06 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

So he's tested it, it doesn't work, and therefore it's a story about "Microsoft Security Flaws". Sounds like a nappy headed ho to me.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Friday, April 13, 2007 9:01 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] OT: Fw: [ISN] Vista DRM could hide malware
>
> Friday and slow, thought I would opine:
>
> It is really amazing when supposed journalism hits this level. An entire article based on screenshots and speculation, particularly when the guy couldn't even get the thing to work. Yet, we're supposed to be worried about malware hiding itself. And just how did the malware get on the system in the first place to then be hidden? Hmmmm.
>
> t
>
> ----- Original Message -----
> From: "InfoSec News" <alerts@xxxxxxxxxxxxxxx>
> To: <isn@xxxxxxxxxxxxxxx>
> Sent: Friday, April 13, 2007 12:28 AM
> Subject: [ISN] Vista DRM could hide malware
>
> > http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm
> >
> > By Tom Espiner
> > ZDNet UK
> > 12 April 2007
> >
> > A security researcher has released a proof-of-concept program that hackers could use to exploit Windows Vista digital rights management processes to hide malware.
> >
> > Alex Ionescu claims to have developed the program D-Pin Purr v1.0 that will arbitrarily enable and disable protected processes in Vista, Microsoft's latest operating system.
> >
> > Screenshots on Ionescu's blog suggest the program can be run successfully. Ionescu included stack information related to one of the processes that is by default protected on Vista. Try to retrieve that information using Process Explorer and you get an error message. In Ionescu's screenshot, taken after allegedly removing the protection, the information is visible.
> >
> > The binary for the program, which is available for download, is currently being tested by security experts. Fraser Howard, a principal virus researcher at security vendor Sophos, told ZDNet UK that the program looks feasible. At the time of writing Howard had managed to get it running, but had not managed to successfully protect and unprotect processes on his machine.
> >
> > "I have not confirmed it, but I have little doubt it will work as intended [to remove protection]," said Howard. "This should mean it is perfectly possible to add protection to processes as well."
> >
> > The source code for the program is not available. Should the source code of the program become available to hackers, this could mean that other processes would not be able to properly "inspect" the hacked protected process, according to Howard.
> >
> > "The fact that the DRM within Vista presents a mechanism through which code may attempt to restrict what other processes including security applications are able to do, is a problem in itself. The presence of that problem creates a hive of activity with people trying to hijack the mechanism, either as a proof of concept, or as a malicious attack," Howard said. "In this case, the source code has not been released, just a binary which can be used to demonstrate the issue. Had there been source code, I am sure we would see malware authors trying to add that functionality to malware. As it is, supposing the claims are valid, there will no doubt be authors looking to include such functionality themselves into their malware."
> >
> > With no release of any source code or details, Howard was unable to comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The binary deliberately uses obfuscation to limit the number of people who could reverse engineer and misuse that knowledge," said Howard. "But it does use a driver; Microsoft states in its documentation that people should not use a driver to bypass the protection mechanism."
> >
> > Howard said that to run the binary to add and remove protection, users need to be running the code with elevated privileges.
> >
> > Microsoft could offer no comment at the time of writing.
> >
> >
> > __________________________
> > Subscribe to InfoSec News
> > http://www.infosecnews.org

All mail to and from this domain is GFI-scanned.
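The error Process Explorer shows against a protected process comes from the kernel refusing the usual query rights to it. The script below is an added example for this archive, not code from the list, from Ionescu's D-Pin Purr, or from Process Explorer: it enumerates processes from user mode and flags any that refuse PROCESS_QUERY_INFORMATION but grant PROCESS_QUERY_LIMITED_INFORMATION, the access right Vista introduced precisely so that protected processes can still be identified. It assumes an elevated PowerShell on Vista or later so that SeDebugPrivilege can be enabled; without that privilege, ordinary DACL restrictions would put other users' processes on the list as well.

```powershell
# Added example for this thread (not code from the list, from D-Pin Purr, or from
# Process Explorer). Lists processes that refuse PROCESS_QUERY_INFORMATION but
# grant PROCESS_QUERY_LIMITED_INFORMATION, the access-rights asymmetry that Vista's
# protected processes show to user-mode callers. Run from an elevated PowerShell.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_INFORMATION         = [uint32]0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = [uint32]0x1000   # added in Vista; the only query right a protected process grants

# With SeDebugPrivilege enabled, a plain DACL on another user's or a system
# process no longer blocks PROCESS_QUERY_INFORMATION, so the remaining denials
# come from the protected-process check itself. Without the privilege the
# list below would also contain ordinary processes the caller may not open.
try {
    [System.Diagnostics.Process]::EnterDebugMode()
} catch {
    Write-Warning "Could not enable SeDebugPrivilege; run elevated to avoid false positives."
}

# Returns $true when OpenProcess grants the requested access, $false otherwise.
function Test-ProcessAccess {
    param([uint32]$ProcessId, [uint32]$Access)
    $h = [Win32.Native]::OpenProcess($Access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { return $false }
    [void][Win32.Native]::CloseHandle($h)
    return $true
}

# Candidate protected processes: the limited query works (the process exists and
# is reachable) but the full query right is refused even to a debug-privileged caller.
Get-Process | ForEach-Object {
    $limited = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_QUERY_LIMITED_INFORMATION
    $full    = Test-ProcessAccess -ProcessId $_.Id -Access $PROCESS_QUERY_INFORMATION
    if ($limited -and -not $full) {
        [pscustomobject]@{
            Pid    = $_.Id
            Name   = $_.ProcessName
            Status = 'PROCESS_QUERY_INFORMATION denied, limited query allowed'
        }
    }
} | Format-Table -AutoSize
```

On a stock Vista box the output is the handful of media-path processes that ship protected; on later Windows versions several system processes run as protected process light and will appear too, so a hit by itself is not evidence of tampering. The useful signal is the difference between two runs: a process that should not be protected appearing on the list, or one that normally is protected dropping off it, which is exactly the change a tool like the one the article describes would produce.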