[isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 13 Apr 2007 11:42:05 -0700

Eeeeeek!
Imus and 1d10t in the same thread!

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Friday, April 13, 2007 7:06 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

So he's tested it, it doesn't work, and therefore it's a story about
"Microsoft Security Flaws".

Sounds like a nappy headed ho to me.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor 
> (Hammer of God)
> Sent: Friday, April 13, 2007 9:01 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] OT: Fw: [ISN] Vista DRM could hide malware
> 
> Friday and slow, thought I would opine:
> 
> It is really amazing when supposed journalism hits this level. An entire
> article based on screenshots and speculation - particularly when the guy
> couldn't even get the thing to work. Yet, we're supposed to be worried
> about malware hiding itself. And just how did the malware get on the
> system in the first place to then be hidden? Hmmmm.
> 
> t
> 
> ----- Original Message ----- 
> From: "InfoSec News" <alerts@xxxxxxxxxxxxxxx>
> To: <isn@xxxxxxxxxxxxxxx>
> Sent: Friday, April 13, 2007 12:28 AM
> Subject: [ISN] Vista DRM could hide malware
> 
> 
> > http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm
> >
> > By Tom Espiner
> > ZDNet UK
> > 12 April 2007
> >
> > A security researcher has released a proof-of-concept program that
> > hackers could use to exploit Windows Vista digital rights management
> > processes to hide malware.
> >
> > Alex Ionescu claims to have developed the program -- D-Pin Purr v1.0 --
> > that will arbitrarily enable and disable protected processes in Vista,
> > Microsoft's latest operating system.
> >
> > Screenshots on Ionescu's blog suggest the program can be run
> > successfully. Ionescu included stack information related to one of the
> > processes that is by default protected on Vista. Try to retrieve that
> > information using Process Explorer and you get an error message. In
> > Ionescu's screenshot, taken after allegedly removing the protection, the
> > information is visible.
> >
> > The binary for the program, which is available for download, is
> > currently being tested by security experts. Fraser Howard, a principal
> > virus researcher at security vendor Sophos, told ZDNet UK that the
> > program looks feasible. At the time of writing Howard had managed to get
> > it running, but had not managed to successfully protect and unprotect
> > processes on his machine.
> >
> > "I have not confirmed it, but I have little doubt it will work as
> > intended [to remove protection]," said Howard. "This should mean it is
> > perfectly possible to add protection to processes as well."
> >
> > The source code for the program is not available. Should the source code
> > of the program become available to hackers, this could mean that other
> > processes would not be able to properly "inspect" the hacked protected
> > process, according to Howard.
> >
> > "The fact that the DRM within Vista presents a mechanism through which
> > code may attempt to restrict what other processes -- including security
> > applications -- are able to do, is a problem in itself. The presence of
> > that problem creates a hive of activity with people trying to hijack the
> > mechanism, either as a proof of concept, or as a malicious attack,"
> > Howard said. "In this case, the source code has not been released, just
> > a binary which can be used to demonstrate the issue. Had there been
> > source code, I am sure we would see malware authors trying to add that
> > functionality to malware. As it is, supposing the claims are valid,
> > there will no doubt be authors looking to include such functionality
> > themselves into their malware."
> >
> > With no release of any source code or details, Howard was unable to
> > comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The
> > binary deliberately uses obfuscation to limit the number of people who
> > could reverse engineer and misuse that knowledge," said Howard. "But it
> > does use a driver -- Microsoft states in its documentation that people
> > should not use a driver to bypass the protection mechanism."
> >
> > Howard said that to run the binary to add and remove protection, users
> > need to be running the code with elevated privileges.
> >
> > Microsoft could offer no comment at the time of writing.
> >
> >
> > __________________________
> > Subscribe to InfoSec News
> > http://www.infosecnews.org
> >