Vista DRM could hide malware

Vista DRM could hide malware

Summary: Security researcher releases proof-of-concept program that hackers could exploit to target Microsoft Vista systems

TOPICS: Security

A security researcher has released a proof-of-concept program that hackers could use to exploit Windows Vista digital rights management processes to hide malware.

Alex Ionescu claims to have developed the program — D-Pin Purr v1.0 — that will arbitrarily enable and disable protected processes in Vista, Microsoft's latest operating system.

Screenshots on Ionescu's blog suggest the program can be run successfully. Ionescu included stack information related to one of the processes that is by default protected on Vista. Try to retrieve that information using Process Explorer and you get an error message. In Ionescu's screenshot, taken after allegedly removing the protection, the information is visible.

The binary for the program, which is available for download, is currently being tested by security experts. Fraser Howard, a principal virus researcher at security vendor Sophos, told ZDNet UK that the program looks feasible. At the time of writing Howard had managed to get it running, but had not managed to successfully protect and unprotect processes on his machine.

"I have not confirmed it, but I have little doubt it will work as intended [to remove protection]," said Howard. "This should mean it is perfectly possible to add protection to processes as well."

The source code for the program is not available. Should the source code of the program become available to hackers, this could mean that other processes would not be able to properly "inspect" the hacked protected process, according to Howard.

"The fact that the DRM within Vista presents a mechanism through which code may attempt to restrict what other processes — including security applications — are able to do, is a problem in itself. The presence of that problem creates a hive of activity with people trying to hijack the mechanism, either as a proof of concept, or as a malicious attack," Howard said. "In this case, the source code has not been released, just a binary which can be used to demonstrate the issue. Had there been source code, I am sure we would see malware authors trying to add that functionality to malware. As it is, supposing the claims are valid, there will no doubt be authors looking to include such functionality themselves into their malware."

With no release of any source code or details, Howard was unable to comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The binary deliberately uses obfuscation to limit the number of people who could reverse engineer and misuse that knowledge," said Howard. "But it does use a driver — Microsoft states in its documentation that people should not use a driver to bypass the protection mechanism."

Howard said that to run the binary to add and remove protection, users need to be running the code with elevated privileges.

Microsoft could offer no comment at the time of writing.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • Vista DRM could hide malware

    The most secure version of windows ever, win95, win98, win98SE, win ME, win2000, winXP, VISTA. Windows security is a contradiction of terms.