[isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Fri, 13 Apr 2007 11:42:40 -0700

No; forward it to the Yahoo SBS list; it's sure to cause many an SBS machine to 
catch fire...
:-p

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gerald G. Young
Sent: Friday, April 13, 2007 7:14 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware

Hmmm...

Should I forward this to the honorable Reverend Sharpe?

Hmmm... 

I suppose Imus not.

Cordially yours,
Jerry G. Young II
Application Engineer, Platform Engineering and Architecture
NTT America, an NTT Communications Company

22451 Shaw Rd.
Sterling, VA 20166

Office: 571-434-1319
Fax: 703-333-6749
Email: g.young@xxxxxxxx

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
> Sent: Friday, April 13, 2007 10:06 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: OT: Fw: [ISN] Vista DRM could hide malware
> 
> So he's tested it, it doesn't work, and therefore it's a story about
> "Microsoft Security Flaws".
> 
> Sounds like a nappy headed ho to me.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
> 
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor
> > (Hammer of God)
> > Sent: Friday, April 13, 2007 9:01 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] OT: Fw: [ISN] Vista DRM could hide malware
> >
> > Friday and slow, thought I would opine:
> >
> > It is really amazing when supposed journalism hits this level.  An entire
> > article based on screenshots and speculation- particularly when the guy
> > couldn't even get the thing to work.  Yet, we're supposed to be worried
> > about malware hiding itself.  And just how did the malware get on the system
> > in the first place to then be hidden?  Hmmmm.
> >
> > t
> >
> > ----- Original Message -----
> > From: "InfoSec News" <alerts@xxxxxxxxxxxxxxx>
> > To: <isn@xxxxxxxxxxxxxxx>
> > Sent: Friday, April 13, 2007 12:28 AM
> > Subject: [ISN] Vista DRM could hide malware
> >
> >
> > > http://news.zdnet.co.uk/security/0,1000000189,39286677,00.htm
> > >
> > > By Tom Espiner
> > > ZDNet UK
> > > 12 April 2007
> > >
> > > A security researcher has released a proof-of-concept program that
> > > hackers could use to exploit Windows Vista digital rights management
> > > processes to hide malware.
> > >
> > > Alex Ionescu claims to have developed the program, D-Pin Purr v1.0,
> > > that will arbitrarily enable and disable protected processes in Vista,
> > > Microsoft's latest operating system.
> > >
> > > Screenshots on Ionescu's blog suggest the program can be run
> > > successfully. Ionescu included stack information related to one of the
> > > processes that is by default protected on Vista. Try to retrieve that
> > > information using Process Explorer and you get an error message. In
> > > Ionescu's screenshot, taken after allegedly removing the protection, the
> > > information is visible.
> > >
> > > The binary for the program, which is available for download, is
> > > currently being tested by security experts. Fraser Howard, a principal
> > > virus researcher at security vendor Sophos, told ZDNet UK that the
> > > program looks feasible. At the time of writing Howard had managed to get
> > > it running, but had not managed to successfully protect and unprotect
> > > processes on his machine.
> > >
> > > "I have not confirmed it, but I have little doubt it will work as
> > > intended [to remove protection]," said Howard. "This should mean it is
> > > perfectly possible to add protection to processes as well."
> > >
> > > The source code for the program is not available. Should the source code
> > > of the program become available to hackers, this could mean that other
> > > processes would not be able to properly "inspect" the hacked protected
> > > process, according to Howard.
> > >
> > > "The fact that the DRM within Vista presents a mechanism through which
> > > code may attempt to restrict what other processes, including security
> > > applications, are able to do, is a problem in itself. The presence of
> > > that problem creates a hive of activity with people trying to hijack the
> > > mechanism, either as a proof of concept, or as a malicious attack,"
> > > Howard said. "In this case, the source code has not been released, just
> > > a binary which can be used to demonstrate the issue. Had there been
> > > source code, I am sure we would see malware authors trying to add that
> > > functionality to malware. As it is, supposing the claims are valid,
> > > there will no doubt be authors looking to include such functionality
> > > themselves into their malware."
> > >
> > > With no release of any source code or details, Howard was unable to
> > > comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The
> > > binary deliberately uses obfuscation to limit the number of people who
> > > could reverse engineer and misuse that knowledge," said Howard. "But it
> > > does use a driver; Microsoft states in its documentation that people
> > > should not use a driver to bypass the protection mechanism."
> > >
> > > Howard said that to run the binary to add and remove protection, users
> > > need to be running the code with elevated privileges.
> > >
> > > Microsoft could offer no comment at the time of writing.
> > >
> > >
> > > __________________________
> > > Subscribe to InfoSec News
> > > http://www.infosecnews.org
> > >
> > >