Vista DRM could hide malware

A security researcher has released a proof-of-concept program that hackers could use to exploit Windows Vista digital rights management processes to hide malware.

Alex Ionescu claims to have developed the program — D-Pin Purr v1.0 — that will arbitrarily enable and disable protected processes in Vista, Microsoft's latest operating system.

Screenshots on Ionescu's blog suggest the program can be run successfully. Ionescu included stack information related to one of the processes that is by default protected on Vista. Try to retrieve that information using Process Explorer and you get an error message. In Ionescu's screenshot, taken after allegedly removing the protection, the information is visible.

The binary for the program, which is available for download, is currently being tested by security experts. Fraser Howard, a principal virus researcher at security vendor Sophos, told ZDNet UK that the program looks feasible. At the time of writing Howard had managed to get it running, but had not managed to successfully protect and unprotect processes on his machine.

"I have not confirmed it, but I have little doubt it will work as intended [to remove protection]," said Howard. "This should mean it is perfectly possible to add protection to processes as well."

The source code for the program is not available. Should the source code of the program become available to hackers, this could mean that other processes would not be able to properly "inspect" the hacked protected process, according to Howard.

"The fact that the DRM within Vista presents a mechanism through which code may attempt to restrict what other processes — including security applications — are able to do, is a problem in itself. The presence of that problem creates a hive of activity with people trying to hijack the mechanism, either as a proof of concept, or as a malicious attack," Howard said. "In this case, the source code has not been released, just a binary which can be used to demonstrate the issue. Had there been source code, I am sure we would see malware authors trying to add that functionality to malware. As it is, supposing the claims are valid, there will no doubt be authors looking to include such functionality themselves into their malware."

With no release of any source code or details, Howard was unable to comment on how Ionescu had managed to develop D-Pin Purr v1.0. "The binary deliberately uses obfuscation to limit the number of people who could reverse engineer and misuse that knowledge," said Howard. "But it does use a driver — Microsoft states in its documentation that people should not use a driver to bypass the protection mechanism."

Howard said that to run the binary to add and remove protection, users need to be running the code with elevated privileges.

Microsoft could offer no comment at the time of writing.