Nov 19th, 2008

DRM protection abused by Trojan.DRMLive

Posted by: Marco Giuliani


Using DRM to protect multimedia files against unauthorised copying and piracy has always sat at the centre of a storm between those who want to protect their rights and intellectual property and those who want to preserve their right to watch or listen to what they have bought as many times as they like.

We've seen questionable uses of DRM protection in the past; above all there is the scheme Sony used some years ago, which stirred up quite a storm.

Lately we've been investigating an interesting case. We received some reports of strange infections apparently originating from movie files downloaded from peer-to-peer networks.

After an in-depth look at one of these files, everything became clear. The movie had been signed and protected with DRM. The problem arises when the media player tries to acquire the corresponding licence.

It connects to a fake website and, after a few redirects, the download of an executable starts. The executable is presented as a licence installer, but it is nothing more than a Trojan. We've identified it as Trojan.DRMLive.

[Screenshot: Trojan.DRMLive installer]

We investigated who protected this movie and discovered that vidlock.com is the owner of the service. Vidlock is a DRM provider that offers a free service to anyone who wants to protect their audio or video content with Microsoft's DRM technology, for up to 50 licences a month.

Now it looks like the service has been abused by some malware writers: when the protected (fake) movie tries to acquire its licence, a chain of page redirects sends the player to a fake website - cleanlive.net - that serves the Trojan.
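Where the licence request goes is decided by the protected file itself: a WMDRM-protected ASF file (WMV/WMA) carries its licence-acquisition URL in the file header, which is what sends the player into the attacker's redirect chain. The Python below is an added example for triage, not code from this write-up, from Vidlock or from the malware: it walks the ASF Header Object, reads the licence URL from the Content Encryption Object and the LAINFO/LA_URL elements from the WRMHEADER XML in the Extended Content Encryption Object, and lists the hosts the player would contact, so a suspicious download can be checked without ever opening it in a player. The object layouts follow the ASF specification; the sample file, its hostnames and its key ID are constructed here and do not correspond to any real file.

```python
"""Pull DRM licence-acquisition URLs out of an ASF (WMV/WMA) header.

Added example: object layouts follow the ASF specification; the sample
header built at the bottom is constructed and its hosts are placeholders.
"""
import struct
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# ASF object identifiers (from the ASF specification).
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")
EXT_CONTENT_ENCRYPTION = uuid.UUID("298AE614-2622-4C17-B935-DAE07EE9289C")


def _length_prefixed(buf, pos):
    """Read a DWORD length followed by that many bytes; return (bytes, new_pos)."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated field at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def header_objects(data):
    """Yield (guid, body) for every object contained in the ASF Header Object."""
    if uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF file")
    (header_size,) = struct.unpack_from("<Q", data, 16)
    end = min(header_size, len(data))
    pos = 30  # GUID(16) + size(8) + object count(4) + two reserved bytes
    while pos + 24 <= end:
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("malformed object at offset %d" % pos)
        yield guid, data[pos + 24:pos + size]
        pos += size


def license_urls(data):
    """Return the licence-related strings in the header, keyed by where they came from."""
    found = {}
    for guid, body in header_objects(data):
        if guid == CONTENT_ENCRYPTION:
            # Secret Data, Protection Type, Key ID, License URL: each DWORD-length-prefixed.
            _secret, pos = _length_prefixed(body, 0)
            ptype, pos = _length_prefixed(body, pos)
            _key_id, pos = _length_prefixed(body, pos)
            url, _ = _length_prefixed(body, pos)
            found["protection_type"] = ptype.rstrip(b"\0").decode("ascii", "replace")
            found["license_url"] = url.rstrip(b"\0").decode("ascii", "replace")
        elif guid == EXT_CONTENT_ENCRYPTION:
            # Data Size + Data, where Data is the WRMHEADER XML in UTF-16LE (usually with a BOM).
            blob, _ = _length_prefixed(body, 0)
            xml = blob.decode("utf-16-le").lstrip("\ufeff").rstrip("\0")
            root = ET.fromstring(xml)
            for tag in ("LAINFO", "LA_URL", "LUI_URL"):
                el = root.find(".//" + tag)
                if el is not None and el.text:
                    found[tag.lower()] = el.text.strip()
    return found


def license_hosts(found):
    """Hosts the player would contact for a licence; compare against the provider you expect."""
    return {urlsplit(v).hostname for k, v in found.items() if k != "protection_type"}


# --- constructed sample header (not a real file) -----------------------------
def _obj(guid, body):
    return guid.bytes_le + struct.pack("<Q", 24 + len(body)) + body


def _lp(b):
    return struct.pack("<I", len(b)) + b


def build_sample():
    """Minimal ASF header carrying both encryption objects; hostnames are placeholders."""
    ce = (_lp(b"\0" * 4) + _lp(b"DRM\0") + _lp(b"KIDEXAMPLE\0")
          + _lp(b"http://license.example.invalid/getlicense.asp\0"))
    wrm = ('<WRMHEADER version="2.0.0.0"><DATA><KID>KIDEXAMPLE</KID>'
           '<LAINFO>http://license.example.invalid/getlicense.asp</LAINFO>'
           '<LA_URL>http://redirect.example.invalid/license</LA_URL></DATA></WRMHEADER>')
    ece = _lp("\ufeff".encode("utf-16-le") + wrm.encode("utf-16-le"))
    body = (struct.pack("<IBB", 2, 1, 2)
            + _obj(CONTENT_ENCRYPTION, ce) + _obj(EXT_CONTENT_ENCRYPTION, ece))
    return _obj(ASF_HEADER_OBJECT, body)


if __name__ == "__main__":
    urls = license_urls(build_sample())
    for key, value in urls.items():
        print("%-16s %s" % (key, value))
    print("hosts:", sorted(license_hosts(urls)))
```

On a real download, pass the first few hundred kilobytes of the file to license_urls; if any of the hosts returned is not the DRM provider you expected, do not let a player open the file, because the player will follow that URL and every redirect after it.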

After the fake installer is run, a setup window appears and the user is asked to proceed with installing the licence. In truth the setup process installs nothing: it only creates C:\Program Files\HomeView and an uninstall.exe file inside the new directory.

Meanwhile, behind the setup window, the Trojan installs its components. The first thing it does is inject a DLL into the spoolsv.exe process. The injection technique is quite original and has recently been seen in some Rustock installers.

It stops the spooler service, makes a copy of the advapi32.dll system library and patches the copy so that it loads the malware DLL. It then deletes and re-creates the \KnownDlls\advapi32.dll section object so that it points to the patched advapi32.dll. Finally it restarts the spooler service. Note that the original %SystemRoot%\System32\advapi32.dll is left untouched, so hashing the libraries in System32 will not reveal the hijack; what a responder should verify is that the file backing each \KnownDlls section object (the path reported for the mapped section) is the genuine library in System32, and that the copy being mapped matches the shipped version.

[Screenshot: Trojan.DRMLive advapi32.dll patch]

In this way the malware's payload is loaded into the spoolsv.exe process, because that process loads advapi32.dll at startup. The malware DLL has some anti-debugging routines and checks that it is running inside spoolsv.exe; otherwise it exits.

The main payload sets up two threads, responsible for downloading further infections from the Internet and for securing the infection's foothold on the machine.

To secure it, the malware scans the system for available disk drives and installs on every drive it finds an autorun.inf file at the root of the drive and a directory X:\resycled\ containing a boot.com file.

The autorun.inf, boot.com and resycled directory all have the hidden attribute set. To make things more difficult, DRMLive changes the permissions on these files, removing from the owner account all rights to modify or delete them.

Every minute the Trojan checks that all of these files are still present on every drive. This way, every time a user opens one of the drives (on systems where AutoPlay is enabled for that drive type), autorun.inf is processed and the Trojan is executed.
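A responder checking drive roots and USB sticks for this persistence needs three things: whether the autorun.inf / resycled\boot.com layout is present, what the autorun.inf actually launches, and the commands to take the files back, since the owner's rights have been stripped and simply deleting them fails while the spoolsv.exe payload is still running (it re-creates them within a minute). The Python below is an added example, not Prevx's detection and not the malware's code: it scans a directory standing in for a drive root for the layout described above, parses the autorun.inf targets, and emits the attrib/takeown/icacls commands needed on Windows. The autorun.inf text and the temporary directory it builds are constructed here, because the write-up does not reproduce the file's contents.

```python
"""Detect the DRMLive autorun persistence layout on a drive root and build the clean-up commands.

Added example. The layout (autorun.inf at the root, X:\\resycled\\boot.com, hidden
attributes, owner locked out by ACL) is taken from the write-up; the autorun.inf
text and the sample directory below are constructed.
"""
import configparser
import os
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # bit in os.stat().st_file_attributes on Windows
INDICATOR_PATHS = ("autorun.inf", "resycled", "resycled\\boot.com")


def parse_autorun(text):
    """Return the targets an autorun.inf would launch: open=, shellexecute=, shell\\*\\command=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    targets = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            key = key.lower()
            if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
                targets.append(value.strip().strip('"'))
    return targets


def is_hidden(path):
    """True if the Windows hidden attribute is set; None where the platform does not expose it."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def scan_drive_root(root):
    """Inspect one drive root (or a directory standing in for it) for the DRMLive layout."""
    report = {"present": [], "hidden": [], "autorun_targets": [], "missing_targets": []}
    for rel in INDICATOR_PATHS:
        path = os.path.join(root, *rel.split("\\"))
        if os.path.exists(path):
            report["present"].append(rel)
            if is_hidden(path):
                report["hidden"].append(rel)
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, encoding="latin-1", errors="replace") as fh:
            report["autorun_targets"] = parse_autorun(fh.read())
        for target in report["autorun_targets"]:
            if not os.path.exists(os.path.join(root, *target.split("\\"))):
                report["missing_targets"].append(target)
    launches_boot_com = any(t.lower().endswith("resycled\\boot.com") for t in report["autorun_targets"])
    if "resycled\\boot.com" in report["present"] and launches_boot_com:
        report["verdict"] = "infected"
    elif report["present"]:
        report["verdict"] = "suspicious"
    else:
        report["verdict"] = "clean"
    return report


def cleanup_commands(drive):
    """Windows commands to unhide, take ownership of, reset the ACL on and delete the files.
    Run them only after the spoolsv.exe payload has been stopped, or they come back in a minute."""
    drive = drive.rstrip("\\")
    cmds = []
    for rel in ("autorun.inf", "resycled\\boot.com", "resycled"):
        p = '"%s\\%s"' % (drive, rel)
        cmds += ["attrib -h -s -r %s" % p, "takeown /f %s" % p, "icacls %s /reset" % p]
    cmds += ['del /f "%s\\autorun.inf"' % drive, 'rd /s /q "%s\\resycled"' % drive]
    return cmds


# --- constructed sample drive (the write-up does not reproduce the real autorun.inf) ---
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "open=resycled\\boot.com\r\n"
    "shell\\open\\command=resycled\\boot.com\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def build_sample_drive(infected=True):
    """Create a temp directory laid out like a drive root; infected=True adds the DRMLive files."""
    root = tempfile.mkdtemp(prefix="drive_")
    if infected:
        os.makedirs(os.path.join(root, "resycled"))
        with open(os.path.join(root, "resycled", "boot.com"), "wb") as fh:
            fh.write(b"placeholder, not real code")
        with open(os.path.join(root, "autorun.inf"), "w", newline="") as fh:
            fh.write(SAMPLE_AUTORUN)
    return root


if __name__ == "__main__":
    report = scan_drive_root(build_sample_drive())
    for key, value in report.items():
        print("%-16s %s" % (key, value))
    print("\n".join(cleanup_commands("E:")))
```

The hidden-attribute test only works on Windows, where os.stat exposes st_file_attributes; elsewhere the scan still finds the files and just reports nothing for that check. Point scan_drive_root at each drive letter in turn (for example "E:\\"), and treat a missing target in autorun.inf as a sign that the layout was only partly cleaned.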

[Screenshot: Trojan.DRMLive thread]

The other thread, after gathering the running Windows version and some information about the C: drive such as its serial number, connects to a remote website from which it downloads other malware. The downloaded files are created inside %windir%\temp as tempo-[random].tmp.

Here we've observed that a lot of different infections are downloaded. We've seen DNSChangers that alter the network DNS configuration and run dictionary attacks to log into routers and change their DNS settings.

Most of the code is heavily obfuscated to hinder reverse engineering of the malware.

If the use of DRM to protect multimedia files has long been a hot topic for ideological reasons, it has now turned out that it can also be a real problem and a vehicle for spreading malware.

Like Trojan.GetCodec, a Trojan we analysed earlier, this is another piece of malware that uses multimedia files to spread - even though this one does not infect other movie files once it is running on the system. Users must be more careful than ever when downloading from peer-to-peer networks, because the chances of picking up a malware infection - directly or indirectly - are no longer confined to executable files.

All Prevx products are able to intercept, block and remove this infection.

2 comments so far

  1. Nathan on 19/11/2008 23:31:30

     Hey man

     Thanks for whoever wrote this in-depth article! I just downloaded a video that had this exact message pop up, but I researched the codec it asked me to install before doing it and found your site. You saved me a lot of headaches, thanks. That video isn't worth the troubles this causes.

     You're the kind of people that better the internet.

  2. RaiulBaztepo on 29/03/2009 00:00:26

     Hello!

     Very interesting post! Thank you for such an interesting resource!

     PS: Sorry for my bad English, I've just started to learn this language ;)

     See you!

     Your, Raiul Baztepo
