Infected DRM Files Can Reveal Tor Data

February 6, 2017 @ 12:40 PM
| |
2 min read

Cybercriminals have been using digital rights management (DRM) files in Windows to transport malware for a while. Social engineering was often an integral part of this process since any attempt to open these files in Windows Media Player (WMP) would then generate a pop-up that redirected the target’s default browser to an attacker-controlled website. That website was the beginning of an infection.

Now, attackers are using this process for more than just malware. Researchers recently found that the Tor browser and privacy controls can be affected by a malicious DRM file.

Malicious DRM Files

Malicious DRM files work by causing Windows Media Player (WMP) to generate a pop-up requesting permission to redirect the default browser “to the content provider’s website to find out how to obtain the necessary play rights,” Hacker House reported. Once a user agrees, he or she is sent to a malware-laden page and the infection process begins. However, this only happens when users attempt to open unlicensed files.

But now, cybercriminals have devised a way for a file with a proper DRM license to redirect the browser without so much as a prompt. Not only could this lead to malware, but it could also contribute to a massive loss of privacy for certain users.

Tor Troubles

Bleeping Computer, reporting on the Hacker House findings, noted that these DRM files can cause problems when opened in the privacy-enhanced Tor browser. Attackers can capture victims’ credentials surreptitiously by using cryptographically signed DRM files.

The attackers’ website appears legitimate to detract attention from the fraudulent URL. Users who interact with the site risk revealing their IP addresses or other credentials through normal system calls. For Tor users, many of whom are using the browser specifically to hide these details, this is a worst case scenario.

Hacker House posted a short video that showed how the malware operators can extract a victim’s IP with a single click. It’s easy to see how a malicious, signed DRM file might also silently ping an attacker-controlled URL to report a victim’s status and location.

Big Money Malware

Since the DRM signing process can cost around $10,000, only cybercriminals with deep pockets can fund such a scheme. Those who can afford it, however, have a significant advantage when it comes to spreading malware.

This social engineering scheme is sneaky enough to fool even security-savvy Tor users. To be safe, everyone should avoid all unknown DRM files, no matter how enticing the title may be.

Larry Loeb
Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE mag...
read more