Windows DRM Files Used to Decloak Tor Browser Users

Attacks using DRM-protected multimedia files in Windows have been known since 2005, but until recently, they've only been used to spread malware.

Past attacks tried to lure users into opening and playing DRM-protected files. In default scenarios, these files would open in the Windows Media Player, and users would see a popup that asked them to visit a URL to validate the file's license.

Users who agreed were redirected to an "authorization URL." Unknown to users is that malware authors could modify these links and point users to exploit kits or malware-laced files.

Hacker House researchers found out that this popup asking users if they wanted to visit the authorization URL would only appear for DRM files that have not been signed with the proper tools.

If the attacker signed the DRM-protected multimedia files with official Microsoft SDKs such as Windows Media Encoder or Microsoft Expression Encoder, the popup would not show, and the user's player would automatically open an Internet Explorer instance and access the authorization URL.

 

Deanonymization attack is expensive

Hacker House researchers say the cost of properly signing DRM multimedia files ranges around $10,000, a sum that many low-end malware authors aren't willing to pay for such a niche attack.

Nonetheless, the same is not true for determined state-sponsored attackers or law enforcement agencies, who have the financial and physical resources to support such an attack infrastructure.

For example, law enforcement could host properly signed DRM-protected files on sites pretending to host child pornography. When a user would try to view the file, the DRM multimedia file would use Internet Explorer to ping a server belonging to the law enforcement agency.

The same tactic can also be used to target ISIS militants trying to view propaganda videos, illegal drug and weapons buyers trying to view video product demos, political dissidents viewing news videos, and more.

A video showcasing the deanonymization attack is available below, courtesy of Hacker House researchers.
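An added, defender-side example (not code from the article or from Hacker House): a small Python scanner that parses the ASF container header used by WMA/WMV files and reports the License URL of any Content Encryption Object, i.e. the address the player would be directed to for license acquisition. The GUIDs and field layout follow the ASF specification; the sample file it builds is constructed for the test and uses a placeholder URL.

```python
import struct
import uuid

# Object GUIDs from the ASF specification; ASF stores GUIDs little-endian.
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C").bytes_le
ASF_CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E").bytes_le


def _read_field(buf, pos):
    """Read a DWORD length then that many bytes; return (data, next_pos)."""
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + length], pos + length


def find_license_urls(data):
    """Return the License URL of every Content Encryption Object in an ASF
    (WMA/WMV) header; an empty list means no Windows Media DRM license URL."""
    if len(data) < 30 or data[:16] != ASF_HEADER:
        return []
    (header_size,) = struct.unpack_from("<Q", data, 16)
    (n_objects,) = struct.unpack_from("<I", data, 24)  # two reserved bytes follow
    limit, pos, urls = min(header_size, len(data)), 30, []
    for _ in range(n_objects):
        if pos + 24 > limit:
            break
        guid = data[pos:pos + 16]
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > limit:
            break  # malformed or truncated header object
        if guid == ASF_CONTENT_ENCRYPTION:
            body, p = data[pos:pos + size], 24
            _secret, p = _read_field(body, p)  # Secret Data
            _ptype, p = _read_field(body, p)   # Protection Type, e.g. b"DRM\0"
            _keyid, p = _read_field(body, p)   # Key ID
            url, _ = _read_field(body, p)      # License URL, NUL-terminated ASCII
            urls.append(url.rstrip(b"\0").decode("ascii", "replace"))
        pos += size
    return urls


def build_sample(license_url):
    """Constructed test sample: a bare ASF header holding one Content
    Encryption Object and no media data (not a real DRM-protected file)."""
    def field(b):
        return struct.pack("<I", len(b)) + b
    body = field(b"\0" * 4) + field(b"DRM\0") + field(b"KEY1\0") + field(license_url + b"\0")
    obj = ASF_CONTENT_ENCRYPTION + struct.pack("<Q", 24 + len(body)) + body
    return ASF_HEADER + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj
```

Run over downloaded media before they are opened in a Windows player, any file that yields a License URL is one the player will contact that address for, which is the behaviour the article describes.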

Unless M$ does something about this to fix it, the same thing will happen to Windows DRM protected files that happened to wma files back in the day.

When DRMed wma files first came out, no protections were put on going to an authorized server for a license. It would display a message saying you didn't have a license and ask if you wanted to go buy one and had it set up as an autoconnect link if you said yes.

An outfit called Loudeye started hijacking those connections to distribute a trojan. Since there were no protections to prevent it from doing so, they were free to do that for the major entertainment companies that paid them to do it.

It got to where no one would accept a wma file. It was a dying format till Microsoft put in protections to prevent such hijacks. Seems old things are readapted for new uses time and again.
