Copyright protected files could mask viruses

Digital rights management could prevent anti-virus applications from stopping virus outbreaks according to an anti-virus researcher.

Dave Marcus, security research manager at anti-virus firm McAfee's Avert research labs said that rules under the US DCMA Act could prevent anti-virus companies scanning suspected malware-infected files if they were copy protected.

"To scan past DRM would be illegal under the DCMA Act, but this is not going to affect criminals. It makes a real interesting combination where malware writers use copyright protection to mask payloads," he said.

He said this would leave an anti-virus application waiting for a virus to run before it could take any action.

"Usually you would scan a file, but with DRM you are not allowed to as it is protected content," said Marcus. "And we've all seen what happens to people who break the DCMA."

But other experts said that is about the outlawing and distribution of software whose primary purpose is to circumvent copyright-protection techniques.

"There is no way that anti-virus software can be described as having such a primary purpose and should therefore be exempt from the act," said Darren Harter, security architect at malware research company Prevx. "However, there is a vague area here. If anti-virus software contained routines to break such DRM-protection that part of the software could be considered as breaching the act."

Harter said it would be up to the anti-virus vendor to demonstrate that such routines are suitably protected from reverse engineering and exploitation.

"It is possible that a test-case could be required to set legal precedence," said Harter. "One interesting angle here is what the legal position would be if a malware author cracked the DRM-protection mechanism, inserted their malware and re-protected the modified infected file."

According to Raimund Genes, CTO of Trend Micro embedding malware in DRM protected files is no different to embedding malware in unrecognisable self extracting file formats.

"The malware writers write their own unpackers to hide their traces, or they put malware into password protected .ZIP files and ask the users via e-mail to type in the password - several Bagle variants did this," he said.

Genes said that this was less a legal challenge and more a detection problem.

"And if it is known that a certain DRM file contains malware, it could be detected by creating an MD5 checksum (pattern matching technology) for it, so as long as it is not altered it will be detected as containing malicious content," said Genes.

Email to a friend

Print this page